When most people think about sophisticated robberies, images of masked, armed robbers dressed in black from head to toe enter their minds. What they don’t picture is an ordinary guy walking in off the street dressed in business casual clothes with clipboard and USB drive in hand. While not physically threatening or intimidating, this guy can actually represent a much greater risk to organizations. WikiLeaks is the perfect example.
One particular social engineering exercise I ran consisted of the usual components – phishing emails, media disposal review, and a physical assessment. The end of the engagement was nearing, with the physical test all that remained. Earlier in the engagement I had conducted some phishing attacks, involving a spoofed e-mail from a system administrator informing the employees of several security violations. And, since each department had (supposedly) performed poorly, the employees were instructed to visit a mandatory site containing security documentation. Of course, this was a malicious site serving only one purpose – to log login credentials and attempt to exploit the users’ browsers. My email was professionally written – no typos or glaring grammatical errors to draw suspicion to its legitimacy. A few employees took the bait, but soon after the email was delivered, administrators proactively deleted my email and blocked my site. Well done.
Even though the phishing emails themselves weren’t entirely successful, this didn’t mean they couldn’t be useful in another attack. I would next pose as an IT Emergency Response Team member. I was confident that my insider knowledge about the phishing emails could be used to convince non-IT staff that I was a legitimate IT technician with the company.
I dressed up with my clipboard, fake forms that I had created for the task, and a USB drive filled with custom programs, and entered the building. I posed as part of the new IT Emergency Response Team, flashing my fake emergency response form and business card and referencing the malicious e-mails that required computer scanning to check for viruses. Using my false identity and insider information, I was able to get access to computers, execute my tools, and gather information for each host. Had I been a malicious attacker, I may have been able to install a rootkit or other malicious software for a persistent back door into the network to gather confidential data. Eventually, I was caught after an employee called headquarters to verify my identity. Luckily, this robber had a “get out of jail free” letter from the company stating the purpose of my presence.
With search engines like Google, company names, phone numbers and other information can be gathered by potential attackers in seconds and used to orchestrate real corporate social engineering attacks. The easiest and most effective means of prevention is to conduct regular employee awareness training sessions. Teaching employees the methods that real attackers use to break into companies can help reduce the likelihood that your company will fall victim to a real social engineering attack. Real-life experience through social engineering exercises is perhaps the best teaching tool of all.
This post was published with client permission.