How To Hack Into The Music Industry

It is a doctrine of war that we must not rely on the likelihood of the enemy not coming, but on our own readiness to meet him: not on the chance of his not attacking, but on the fact that we have made our position invincible- Sun Tzu

Part 1: Targeting Artist & Fans using social-engineering tactics
Sample site:
Tools: Social-Engineering Toolkit & The Harvester

When it comes to the vulnerabilities presented by the online aspects of the music industry, the opportunities for penetration tester’s to employ their skills are far and wide. However; as numerous as these opportunities may be, they are still for the most part often overlooked. And with great peril.
Think about something for a moment. When’s the last time that you or anyone that you know have gone into a brick and mortar record store and purchased the music that you felt like listening to? Why would you when you can just as well go online and obtain whatever type of music that suits your taste for free or at a far lesser price than what you’d pay at the record store? Sometimes what you pay for that music may be as simple as registering to a site and creating an account. Ta’Dah! Unlimited music. It cost you nothing. Or did it?
We’re all aware that there are computer systems floating around in cyber-space minding their own business without any human interaction. However, I personally stand on the belief that behind every active operating system online there is a human being at the other end of it. And humans my friend, are vulnerable. Human beings can be hacked. And so the story begins…If I were an attacker.

If I were an attacker and I decided to go phishing into this gigantic ocean called the music industry, here’s an example of how I could very easily put together a social-engineering scheme. We’ll take this website as our target. Mainly because I am personally okay with one of the writer’s over there. I am a die-hard fan of the Gazzmic Revolution. But more so, the entire theme of this site to me was a perfect model to use showing how easily an attacker could take just the content of the site alone and use it  against itself to craft a social-engineering scheme. (Note: Notice how in this example the actual web site was never even tampered with by the attacker. All gathered information was passive in nature.)

The attacker would be making use of only two tabs within the entire site to construct his scheme around. Namely, The Gazzmic Manifesto Tab and The Invite Code tab.

Now. Whoever wrote The Gazzmic Manifesto did one hell of a good job. That Manifesto reads brilliant. However, to an imaginative social-engineer, the attacker could very easily fire up SET in conjunction with The Harvester and have a mighty fun field day with the content and theme of this site by making use of the mass mailer attack. Here’s how the original Manifesto reads:

Now imagine an astronomical number of artist and fans being targeted with an email containing the original manifesto with the last line reconstructed to read:

Join The Gazzmic Revolution!Gazzmic is your revolution. We believe that we are on the cusp of a new Renaissance in music, made possible by web technology. Fear not the future! Join the grass-roots movement that will take on the corporate giants head-on. With your help, we can take back music for the artists and fans. That’s why we’ve exclusively chosen you as one of our artist/fans to be featured in our upcoming SKYPE interviews where you’ll have the opportunity to introduce the world to the new revolution. Remember, this is your revolution!To assist our artists/fans with claiming their exclusive spot in the revolution, we’ve created a members only access page on [NAME OF SOCIAL MEDIA SITE]. This link will direct you to a custom page that we’ve created for security purposes to protect the privacy and integrity of our members. By signing into this page you will be directed to the official public page. At this point there’s nothing more to do. You’re account will be automatically created. You will receive a follow-up email asking you to confirm your account. Click here [link with attackers ip address] to begin the revolution.

( Of course, given that the victim fell for the attack, if you were an attacker the results are apparent right there inside your command terminal. If on the other hand, you were a penetration tester, depending on the scope of the penetration test, you could send follow-up emails to all of the victims containing their usernames and passwords revealing to them that their accounts have been compromised. You could even outline the details of the attack and offer tips and recommendations on how they could defend themselves from future attacks. Imagine how valuable these type of findings would  be to a music industry executive? )

Now the other part of the site that we’ll make use of is the Index Tab? I thought this was ideal because it hints at exclusivity. It plays on the psychology of the victim in such a way that it makes them feel “ chosen ”.

Here’s the original invite code presented along with the same message reconstructed by the attacker. Look here to see how the page looks on the actual site.

Now here’s the attacker’s message, mind you, presented to the victims in the form of an email:

” Invitation codes were provided in the past to select bands for testing purposes. We are no longer accepting nor using invitation codes. Instead, we have set up an exclusive screening process of all artist/bands. We will now send you an email containing the link to an exclusive page that we have created for all artist and bands located here on this [NAME OF SOCIAL MEDIA SITE] Follow the link inside of the email and sign into the site using your current credentials. (Note: we’ve created an exclusive page to ensure the privacy and integrity of our members accounts. Once you log in you’ll be directed to the official public page of this social media site. At this point, there’s nothing more that you need to do. You’re account will have been automatically created for you. ) You will receive an email asking you to confirm your account. Music Will Never Be The Same! Click on this link [the attackers ip address] to be invited into the revolution.

Now this is just a very basic case study. It is in no way intending to point out a vulnerability in the Gazzmic Movement and what they have going over there. Nor was it meant to instruct one in the use of tools like The Social-Engineering Tool Kit. If you wish to learn more about the tool and it’s usage you can either visit the link provided at the top of this post or just Google it own your own. There’s tons of information covering it. This was just an example pointing out one of the ways an attacker could carry out a social-engineering attack in the arena of the online music industry. People love music. People love having the shot at being the star. But people are vulnerable, my friend. Humans…can be hacked!

Find more interesting topics like this one covered at The Hacker High School.

Wow! Was I Just Socially Engineered?

Okay. Regardless how on top of your game you may think that you are, people- when it comes to Social Engineering I really would like for you to be aware that IT CAN HAPPEN TO YOU. Period. As a matter of fact, I’ll even go so far as to say not only CAN it happen, but as sure as the Sun rises loyally every morning in the east and lowers in the west, it WILL HAPPEN. It’s only a question of when it’s going to happen and what flavor the tactic will present itself in. With that being said, let us proceed.

What exactly is “ Social Engineering ” ? Social Engineering is defined as the process of deceiving people into giving away access or confidential information. Wikipedia defines it as: “is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.“Although it has been given a bad name by the plethora of “free pizza”, “free coffee”, and “how to pick up chicks” sites, aspects social engineering actually touches on many parts of daily life. Many consider social engineering to be the greatest risk to security.   ( As defined on the official Social Engineering web site. )

So this guy walks into the motel. About an hour or so before I clock out for the night and hit the deuces. This guy, leather notebook in hand, wearing a navy blue jump suit with the white stripes down the side of the arms and the legs. A coach of some school or some kids by all means. I’m telling ya, this guy was freaking Jerry over at Penn State. ( I should shoot for the video footage so you could see this for yourself..really ). So he walks up to the desk and I’m like…thinking he has reservations, for his sake anyway because dude…we’re booked to the max. There’s an oil boom here are ya kidding me? But anyway, so he’s like no reservation..but how are we looking tomorrow? Tomorrow? Dude, tomorrow? It’s midnight now…what about tomorrow?

How is your internet service at the hotel, do you guys have a business center for the guest that has computers….with audio ability that can support my ear buds? Dude, are my ears and eyes deceiving me or are we really having this conversation? Do you mind if I take a look at the computer, Quintius, ( not 3 minutes later and we’re already on a first name basis…BUT I HAVE NO CLUE WHO THIS GUY IS. I know that he’s a guest, he’s respectable- c’mon the guys a coach traveling. ), I just want to see if I’ll be able to work on some business that I have to take care of? No problem you’re covered, dude, we have WiFi. (Granted, you’re taking care of business in traffic literally, security can’t be too high up on your list anyway. ) Well, that’s just the thing, Quintius, I DIDN’T BRING MY LAPTOP WITH ME, I’m from California ( what does that have to do with the price of tea in China? ), I’ve been staying in the hotels but none of the computers in the business centers were compatible with my ear buds. You say you have rooms tomorrow I can just book my reservation all at the same time and we’ll see if this spot is going to work for me. Customer service wins!

So the clock is ticking and has continued to tick all the way to the the point in all of this where it’s time for me to throw up deuces. That much time has passed with this coach in my business center booking his reservation with the help of his ear buds. Hey coach, it was nice meeting ya, is this spot going to work out for ya? Mouse click. ( Expected. ) Yes, this is just fine with the hard-drive propped on top of the trash can and the screen showing just enough traces of Twitter for me to be able to remember that it’s either #FF or I’ve freaking missed it again. ( Sorry, Tweeps…this is what I’m dealing with at the moment. :( ) Well, I guess we’ll talk tomorrow. Our night auditor is coming in so when she comes by just let her know the situation with you being stuck out of a room tonight and having to come in here to reserve a room for tomorrow on our computers. Nice chatting with ya coach….( umm…what was his name again, I didn’t catch it? Did you? )

Fast-forward. As hard as it may be to believe…this story is not over. As a matter of fact, this is how it ended. With me sitting on my couch tapping buttons on my laptop and my spider-senses are telling me….SOMETHING ISN’T RIGHT! ( Never doubt your spider-senses when it comes to security….esp. cyber-security. )

    • Text message to my night auditor. 2:14 a.m. : Hey, check the business center and let me know if there’s still a creepy guy in there wearing an Adidas suit.
    • Reply: K. Lol. Yep’. I don’t want to see whatever is on the screen because when I peeked in there he had his head phones on and he was licking his lips.
    • My response: Okay, this is what you do. Tell him without a reservation you’ll need a copy of his driver’s license in order for him to access the guest computers. If he refuses…lock him out and kick him out.
    • Reply: Is he not in-house?

My response: No, he was suppose to be in there making a reservation for tomorrow because we didn’t have any rooms tonight. So either he gives you his license while he continues to make his reservation or he leaves. Point? He’s a fucking pervert and needs to get the fuck off the system and the premises.

  • Reply: K, got him out.
  • Response: Thank you. ( Mind you….2:33 a.m. when it all ended. )

The End

( This post was based on actual events that transpired two nights ago. )

What makes this story even more dramatic is not only did it happen to a customer service representative at the front desk of a hotel, it just so happens that this rep is also a first year systems security student with the end goal of becoming an ethical hacker. Point taken: IT HAPPENS.