<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>True Insight &#187; social engineering</title>
	<atom:link href="http://www.truedigitalsecurity.com/blog/tag/social-engineering/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.truedigitalsecurity.com/blog</link>
	<description>Information Security in Today&#039;s Digital Culture</description>
	<lastBuildDate>Mon, 06 Feb 2012 19:22:26 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>An Experiment in Social Engineering</title>
		<link>http://www.truedigitalsecurity.com/blog/2011/09/21/an-experiment-in-social-engineering/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2011/09/21/an-experiment-in-social-engineering/#comments</comments>
		<pubDate>Wed, 21 Sep 2011 13:05:03 +0000</pubDate>
		<dc:creator>Andrew Ridings</dc:creator>
				<category><![CDATA[Security Awareness & Training]]></category>
		<category><![CDATA[Security Awareness and Training]]></category>
		<category><![CDATA[social engineering]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=632</guid>
		<description><![CDATA[When most people think about sophisticated robberies, images of masked, armed robbers dressed in black from head to toe enter their minds. What they don’t picture is an ordinary guy walking in off the street dressed in business casual clothes with clipboard and USB drive in hand. While not physically threatening or intimidating, this guy &#8230; <a href="http://www.truedigitalsecurity.com/blog/2011/09/21/an-experiment-in-social-engineering/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>When most people think about sophisticated robberies, images of masked, armed robbers dressed in black from head to toe enter their minds. What they don’t picture is an ordinary guy walking in off the street dressed in business casual clothes with clipboard and USB drive in hand. While not physically threatening or intimidating, this guy can actually represent a much greater risk to organizations. WikiLeaks is the perfect example.</p>
<p>One particular social engineering exercise I ran consisted of the usual components &#8211; phishing emails, media disposal review, and a physical assessment. The end of the engagement was nearing with the physical test all that was remaining. Earlier in the engagement I had conducted some phishing attacks, involving a spoofed e-mail from a system administrator informing the employees of several security violations. And, since each department had (supposedly) performed poorly, the employees were instructed to visit a mandatory site containing security documentation. Of course, this was a malicious site only serving one purpose – to log login credentials and attempt to exploit the users’ browsers. My email was professionally written – no typos or glaring grammatical errors to draw suspicion to its legitimacy. A few employees took the bait, but soon after the email was delivered, administrators proactively deleted my email and blocked my site. Well done.</p>
<p>Even though the phishing emails themselves weren’t entirely successful, this didn’t mean they couldn’t be useful in another attack. I would next pose as an IT Emergency Response Team member. I was confident that my insider knowledge about the phishing emails could be used to convince non-IT staff that I was a legitimate IT technician with the company.</p>
<p>I dressed up with my clipboard, fake forms that I created for the task, and a USB drive filled with custom programs, and entered the building. I posed as part of the new IT Emergency Response Team, flashing my fake emergency response form and business card and referencing the malicious e-mails that required computer scanning to check for viruses. Using my false identity and insider information, I was able to get access to computers and execute my tools and gather information for each host. Had I been a malicious attacker I may have been able to install a rootkit or other malicious software for a persistent back door into the network to gather confidential data. Eventually, I was caught after an employee called headquarters to verify my identity. Luckily, this robber had a “get out of jail free” letter from the company stating the purpose of my presence.</p>
<p>With search engines like Google, company names, numbers and other information can be gathered by potential attackers in seconds and used to orchestrate real corporate social engineering attacks. The easiest and most effective means of prevention is to conduct regular employee awareness training sessions. Teaching employees methods that real attackers use to break into companies can help reduce the likelihood that your company will fall victim to a real social engineering attack. Real life experience through social engineering exercises is perhaps the best teaching tool of all.</p>
<p><em>This post was published with client permission.</em></p>
<div class="wp-about-author-containter-none" style="background-color:#edf0f7;"><div class="wp-about-author-pic"><img alt='Andrew Ridings' src='http://www.truedigitalsecurity.com/blog/wp-content/uploads/2011/08/drew-blog-100x100.jpg' class='avatar avatar-100 photo' height='100' width='100' /></div><div class="wp-about-author-text"><h3><a href='http://www.truedigitalsecurity.com/blog/author/asridings/' title='Andrew Ridings'>Andrew Ridings</a></h3><p>Andrew Ridings is a Security Analyst at True Digital Security with a passion for penetration testing and social engineering. Andrew received his Bachelor of Science in Information Assurance and Forensics at Oklahoma State University and holds CNSS 4011 certification.</p></div></div>]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2011/09/21/an-experiment-in-social-engineering/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Acquiring target&#8230; NOW!</title>
		<link>http://www.truedigitalsecurity.com/blog/2009/05/01/acquiring-target-now/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2009/05/01/acquiring-target-now/#comments</comments>
		<pubDate>Fri, 01 May 2009 14:09:12 +0000</pubDate>
		<dc:creator>Dominic Schulte</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[social engineering]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=162</guid>
		<description><![CDATA[Walt Conway has some interesting commentary [treasuryinstitute.org] on the recently released Verizon data breach report [verizonbusiness.com]. All the valuable PCI compliance insight aside, I found the statistics on the prevalence and value of targeted attacks to be especially interesting.  We are frequently engaged to perform social engineering exercises for our clients, primarily to help them &#8230; <a href="http://www.truedigitalsecurity.com/blog/2009/05/01/acquiring-target-now/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Walt Conway has some interesting <a title="PCI DSS News" href="http://treasuryinstitute.org/blog/index.php?itemid=252" target="_blank">commentary</a> [treasuryinstitute.org] on the recently released Verizon data breach <a title="Verizon Business Report" href="http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf" target="_blank">report</a> [verizonbusiness.com].</p>
<p>All the valuable PCI compliance insight aside, I found the statistics on the prevalence and value of targeted attacks to be especially interesting.  We are frequently engaged to perform social engineering exercises for our clients, primarily to help them stress the importance of security policies, procedures, and communication to their employees.</p>
<p>While our generic email campaigns typically fool a few of the overly curious or too-quick-to-click crowd, the more informed (targeted) phishing campaigns are overwhelmingly effective, to the point that we often need to reassure our clients that the world is not ending. Unfortunately, this report highlights the fact that targeted attacks are not just elements of security company sales talk.</p>
<div class="wp-about-author-containter-none" style="background-color:#edf0f7;"><div class="wp-about-author-pic"><img alt='Dominic Schulte' src='http://www.truedigitalsecurity.com/blog/wp-content/uploads/2011/08/dom-bw-1-100x100.jpg' class='avatar avatar-100 photo' height='100' width='100' /></div><div class="wp-about-author-text"><h3><a href='http://www.truedigitalsecurity.com/blog/author/deschulte/' title='Dominic Schulte'>Dominic Schulte</a></h3><p>Dominic Schulte currently serves as the Managing Director of Security Services &amp; Consulting at TRUE, where he is responsible for the execution of a wide range of security and regulatory compliance services. Previously, Dominic worked with the National Security Agency (NSA) as a Global Network Exploitation and Vulnerability Analyst in the National Security Incident and Response Center (NSIRC). He holds CISSP, QSA and CNSS 4011-4015 certifications.</p></div></div>]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2009/05/01/acquiring-target-now/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

