She Can Hack Your Bank Account With the Power of Her Voice 🎙 Darknet Diaries Ep. 144: Rachel
TLDR
In this episode of Darknet Diaries, Jack Rhysider interviews ethical hacker Rachel Tobac, who shares her journey into the world of social engineering. Rachel details her experience of hacking into a bank's system by spoofing phone numbers and fooling customer support. She also discusses her role in uncovering how a tech company's mergers and acquisitions were leaked, by posing as a journalist and later as a job applicant. Rachel's story showcases the power of human manipulation and the potential vulnerabilities in cybersecurity, emphasizing the importance of ethical hacking and awareness training to combat such threats.
Takeaways
- 📈 The story begins with Jack sharing an experience of being scammed by a caller who claimed to have a stock prediction algorithm.
- 🎓 Rachel Tobac's origin story in social engineering started from watching a movie as a child, which sparked her interest in espionage.
- 🚫 Rachel faced discouragement from her guidance counselor when she expressed interest in coding classes, steering her towards other subjects.
- 🧠 Despite having a degree in neuroscience and behavioral psychology, Rachel found her way into the tech industry through improv and a lateral move.
- 🏆 Rachel's success in the Defcon social engineering contest, placing second three years in a row, led to the start of her career and the founding of her company, SocialProof Security.
- 💸 As a social engineer, Rachel was hired by a bank to test their security by attempting to take over customer accounts through various communication methods.
- 📞 Rachel used phone spoofing as a tactic to gain trust and extract information during her social engineering attacks, highlighting the vulnerability of caller ID systems.
- 📝 During the 60 Minutes episode, Rachel demonstrated a voice cloning and spoofing attack on Sharyn Alfonsi's coworker, Elizabeth, with her consent.
- 🔍 Rachel's use of open-source intelligence (OSINT) and AI in her hacks underscores the increasing importance of these technologies in the field of cybersecurity.
- 🚨 The story underscores the need for better security protocols and awareness training to protect against social engineering and other cyber threats.
- 🌐 The impact of social media and public platforms on personal privacy and security is a significant theme, as information shared can be easily exploited by attackers.
Q & A
What method did the scammer use to accurately predict the stock prices?
- The scammer used a divide-and-conquer approach that is really a mathematical game. He would call a large group of people, tell half of them that a stock would go up and the other half that it would go down. He would then repeat this process over several weeks with whichever half had received the correct call, narrowing down to a small group of people for whom every prediction he had ever made appeared to be correct.
How did the scammer try to exploit Jack after gaining his trust?
- The scammer tried to exploit Jack by telling him about a company whose stock price was going to explode and that they were in the initial investor round. He asked Jack if he wanted to invest, starting with a question about investing ten grand.
What was Rachel's origin story that led her to social engineering?
- Rachel's origin story began with her watching the movie Harriet the Spy, which made her realize that being a spy was a job girls could do. This idea stayed with her through her childhood and later, despite not getting into coding, she found her way into social engineering through a nonlinear path involving neuroscience, behavioral psychology, and improv.
How did Rachel get into the field of information security?
- Rachel got into information security after her husband introduced her to Defcon, an annual hacker conference. Despite her initial reluctance, she attended and was fascinated by the social engineering contest. This experience sparked her interest and led her to apply for the contest, which she eventually won, launching her career in social engineering.
What is the Social Engineering Village that Rachel's husband described to her?
- The Social Engineering Village is a popular area at the Defcon conference where participants demonstrate various social engineering techniques. Contestants are placed in a soundproof glass booth in front of an audience and make calls to companies to extract information, showcasing their skills in elicitation, pretexting, and persuasion.
What was the strategy Rachel used to trick the bank's customer support into giving her access to accounts?
- Rachel posed as a customer who had lost access to all her devices and was traveling abroad. She attempted to convince the support team to change the email address or phone number associated with the account to one she controlled. When this failed over chat, she switched to a phone call, spoofed the customer's phone number, and used voice manipulation and a convincing story to gain the support team's trust.
How did Rachel manage to spoof phone numbers?
- Rachel spoofed phone numbers using an app available on the App Store, which made her calls appear to come from a different number, in this case the number of the customer she was impersonating.
What was the result of Rachel's attempt to gain access to the bank accounts?
- Rachel was successful in her attempts to gain access to the bank accounts. She managed to convince the support team to send her the documents required for identity verification. Using Photoshop, she and her husband created fake documents that matched the account details, which granted her full admin access to the accounts.
What was the purpose of the edge cases that Rachel helped the company set up after the penetration test?
- The purpose of the edge cases was to create scenarios that would help the company identify and prevent potential security breaches in the future. These scenarios would test the company's protocols and help them find practical ways to verify identity correctly and make it harder for attackers to gain access.
What is the significance of LinkedIn in the context of social engineering?
- LinkedIn is significant in social engineering because it provides a wealth of personal and professional information about individuals. This information can be used to target specific people within a company, guess their email addresses, and even deduce technical details about the company's infrastructure, making it easier for social engineers to carry out their attacks.
Outlines
📞 The College Scam Call
Jack recounts a college experience where he received a scam call about stock predictions. The scammer accurately predicted a stock's rise and fall over multiple weeks, eventually revealing an algorithm that supposedly cracked the stock market. Jack's curiosity led him to discover the scammer's method of splitting the audience and playing the odds, which appeared as a perfect prediction to a select few.
🎓 Guidance Counselor's Misguided Advice
Rachel shares her origin story, starting with her childhood fascination with the idea of being a spy, inspired by the movie Harriet the Spy. Despite her interest in technology, misguided advice from her guidance counselor led her to not pursue coding classes. Instead, she pursued a degree in neuroscience and behavioral psychology, which eventually and unexpectedly led her to a career in social engineering.
💻 From Teacher to Tech
Rachel's journey into the tech world began with improv and teaching, which transitioned into a community manager role at a tech company. Her husband introduced her to the world of hacking through Defcon, a hacker conference. Despite initial reluctance, Rachel found her calling in social engineering after witnessing a live hacking contest at Defcon.
🥇 Second Place at Defcon
Rachel's first experience competing in the social engineering contest at Defcon led to her winning second place. Her success was unexpected, as she had only recently discovered her talent for social engineering. This accomplishment sparked her interest in pursuing social engineering as a career, leading her to apply and compete in the contest for the following two years, securing second place each time.
🚀 Launching SocialProof Security
After consistently placing second in Defcon's social engineering contest, Rachel was approached by companies wanting to learn more about hacking and how to prevent it. This led her to establish SocialProof Security in 2017, a company focused on social engineering for hire. Her clients included major tech companies and government organizations, demonstrating her significant impact in the field.
🏦 Hacking a Bank
Rachel describes a penetration test for a bank, where she was tasked with hacking into customer accounts through phone calls, emails, or chat. Despite initial setbacks with the chat feature, Rachel successfully spoofed a customer's phone number and used social engineering tactics to extract personal information from the bank's customer support, highlighting the vulnerability of voice-based authentication.
📞 The Art of the Spoof
Rachel explains the process of phone number spoofing, a technique used by social engineers to manipulate targets into revealing sensitive information. She discusses the ease of spoofing numbers and the limitations of current security measures, emphasizing the need for better protocols to prevent such attacks.
🤝 Building Trust with a Fake Journalist
Rachel's attempt to pose as a journalist to extract information about a company's upcoming mergers and acquisitions was unsuccessful. Despite her efforts to build a believable persona and engage with company employees, she was unable to obtain any significant insider information, indicating a higher level of security awareness within the company.
📝 The Phantom Applicant
Rachel details her strategy of applying for a product manager role within a company to gain access to information about potential mergers and acquisitions. She invested significant time in creating a convincing persona, including a social media presence and relevant experience, to prepare for the interview process.
🎭 Navigating the Interview
Rachel successfully progressed through the interview stages, maintaining her cover as a prospective product manager. During the interviews, she subtly extracted information about the company's acquisition plans by asking indirect questions, leading to confirmations in the form of hints and generalities from several interviewers.
🏆 Winning the Job
Rachel's social engineering tactics not only allowed her to gather valuable information about the company's acquisition plans but also led to her being offered the product manager position. Her findings were presented to the security team, who recognized the need for clearer communication protocols to prevent future leaks.
🎥 Live Hacking on 60 Minutes
Rachel was approached by 60 Minutes to perform a live hack, aiming to demonstrate the potential of AI in scamming. With the consent of the show's host and her coworker, Rachel planned to use AI to clone the host's voice and trick the coworker into revealing personal information. The challenge was to execute the hack naturally and without arousing suspicion.
🗣️ The Voice-Cloning Tool
Rachel's use of a voice-cloning tool allowed her to replicate the host's voice and make a phone call to the coworker, requesting personal information under the guise of the host. Despite the inherent technical delays and audio discrepancies, the coworker provided the information, illustrating the effectiveness of such social engineering tactics.
🔐 The Future of Trust and Verification
The discussion shifts towards the future implications of AI cloning on trust and verification in communication. The need for cryptographic keys and secure verification methods is highlighted to establish genuine communication channels and prevent falling victim to sophisticated AI-based scams.
🌟 The Evolution of Human and Technology
Jack expresses his excitement for the rapid advancements in technology and its impact on human evolution. He envisions a future where human intelligence and technology will continue to evolve and merge, creating new possibilities and challenges that will shape the future of humanity.
Keywords
💡Social Engineering
💡Ethical Hacking
💡Voice Cloning
💡Deepfakes
💡Data Brokers
💡Open-Source Intelligence (OSINT)
💡SIM Swapping
💡Multi-Factor Authentication (MFA)
💡Penetration Testing
💡Cryptography
💡Security Awareness Training
Highlights
The story begins with Jack receiving a call from a scammer who claims to have a stock tip.
The scammer calls back a week later, and the stock he mentioned indeed goes up.
Jack learns about the scammer's method of cold-calling a large pool and progressively narrowing down which victims to target.
Rachel Tobac shares her origin story of becoming interested in social engineering after watching a movie.
Rachel's guidance counselor discouraged her from taking coding classes because she would be the only girl.
Rachel's path to infosec and hacking is nonlinear, starting with a degree in neuroscience and behavioral psychology.
Rachel's husband introduces her to Defcon, a hacker conference, where she discovers her talent for social engineering.
Rachel competes in the social engineering contest at Defcon and places second, launching her career.
As a social engineer, Rachel is hired by companies to test their vulnerability to social-engineering attacks.
Rachel uses voice cloning and phone number spoofing to trick a coworker into revealing personal information.
Rachel's work in social engineering often involves creating fake online personas, or sock puppet accounts.
The importance of consent is emphasized in ethical hacking, as Rachel obtains consent before performing any hacking.
Rachel's appearance on 60 Minutes demonstrates the potential of AI in scams and the need for increased security measures.
The episode concludes with a discussion on the future of security and the need for new methods to establish trust in a world of deepfakes.
The transcript highlights the increasing sophistication of scammers and the need for public awareness.
The transcript showcases the journey of a person with no coding background becoming a successful social engineer.
The transcript provides an inside look into the world of social engineering and ethical hacking.
The transcript emphasizes the importance of privacy and the risks associated with sharing personal information online.
The transcript explores the potential applications of AI in both positive and negative ways, changing the landscape of security.