Social Engineering on Father’s Day

Social engineering is a powerful tool. But, it is tough art to practice.  It’s fun and interesting to read about it.  But, what if you wanted to experience first-hand how it works?  You can’t just waltz into some establishment and run a con game.  Sending phishing or spearphishing emails to friends will not endear you them or law enforcement.  That leaves family.

They ordered a DNA test for Father’s Day.

It’d been a running punch-line in my family for me to deny my paternity.  A little background is needed here.  I’m married and have several boys.  Teens to twenties.  Very male. Very rowdy. It seems no week goes by without some gaffe, blunder or destruction of private property.  Those of you with kids know this too well. For years, my response to my wife about these incidents has been to say “They are not related to me. You don’t have DNA proof.” My wife would roll her eyes and the kids would tell me the line is getting old. Last year, they decided to make me eat my words.  They ordered a DNA test for Father’s Day.

Wifey and the kids went online and ordered a DNA test kit.  For about $80, you get a kit with cotton swabs and sterile packaging, plus a return envelope.  Swab the mouth of  a kid and the “alleged” dad. Then, just return it.  A week or so later the results arrive by courier.  But, they forgot that it’s my job to do the bill-paying and online banking.  I saw the purchase, looked it up and was both intrigued and prepared. I decided to hone some social engineering skills and have some fun at the same time.

Nicely played, I thought. But, jeesh. She is devious.

My spouse is a medical professional. So, a little later, she told me there had been an “infection alert” at her hospital.  According to my better half, the hospital administration had decided to do “routine precautionary tests” to ensure no spread had occurred. She swabbed my mouth and said there was nothing to worry about. She had her sample. Nicely played, I thought. But, jeesh. She is devious.

A few weeks later, it was Father’s Day.  The gang was buzzing with excitement. Everyone was giving me a look that said, “We love you, but you’re going down!” There was a nice dinner, the obligatory small gifts and then wifey gathered us all for the big gift.  It was a sealed courier envelope.  The card said something about how I’m a wonderful guy and the word Father was excessively underlined and highlighted. I opened it and read the DNA report out loud. It said I was definitely not related to any of the other samples.  My kids seized it and could barely believe it.  The wife knew better.  She was staring at me like a death laser, similar to the planet-killer in Star Wars.  Time to ‘fess up.  If you have iTunes, now would be a good time to load “The Entertainer.”  It’s the theme song to “The Sting” with Paul Newman and Robert Redford.

Forgery is Easy

Of course, I wrote the report. Forgery is very easy when the recipient doesn’t know what a valid document should look like. Simply google “DNA paternity reports” and poof! Numerous samples. Fire up MS Word and you’ve a really good looking report. The forgery included some really CSI-looking DNA charts.  Since this was my family’s first DNA report (that I know of), no one knew it was a fake.  But how do you get it into their hands?

An image of molecules and DNS-looking stuff

Round Game

For this to work, the actual report had to be intercepted and replaced.  It would have to be low-budget, replace the envelope silently and not be a felony. Options:

  • Ninjas could hijack the courier’s truck.  Hmm. Felony: FAIL
  • Seal Team 6, could do an extraction. They cost a lot and are busy: FAIL
  • Run the ’round game.

In old England, a con game was developed to rob banks without guns. When a delivery of money to a bank was to occur, a man dressed as a guard would stand in front of the bank.  The armored truck would arrive and the guard would wave the delivery “round the corner” to an alley.  It would appear to be the back door to the bank, but would actually be some more bad guys dressed up as bank officials more than ready to help unload the money.

For my round game, it was easy.  I knew which delivery service was to bring the report.  They tell you online.  My wife’s ploy to get my cheek swab told me the approximate date. The Web site promised 5-7 business day service.  On the appointed days, a note was left for the delivery guys, saying to drop any packages at the side door.  No one ever uses it. Presto: It was waiting for me the second day.  I then placed my own report in a properly addressed delivery envelope, beat it up a little and left it at the front door.  It even had the company logo on the label.  My kids came home, found it and immediately hid it from me.  Meanwhile, the real report was on on my desk face down the whole time.

Fast-forward back to Father’s Day. The real report was revealed. The wife demanded I admit paternity (I did) and all was forgiven.  But, now it’s my kids that won’t admit they are related to me.

Lessons for All

Think about your own circumstances.  Do you assign more credibility to stuff that simply appears “official”? Consider the possibilities for social engineering attacks using just an envelope.

If this topic was of interest to you, the Learning Tree courses System and Network Security and Preparing for the CompTIA Security+ Certification Exam cover social engineering.

Randy W. Williams

Type to search

Do you mean "" ?

Sorry, no results were found for your query.

Please check your spelling and try your search again.