Social engineering stories from the front lines

George V. Hulme | Jan. 30, 2015
It's always amazing how little attention social engineering attacks get in discussions of enterprise information security risk. After all, it's usually easier to get an unsuspecting employee to click on a link than it is to find an exploitable vulnerability on a reasonably hardened web server. Social engineering attacks come from many angles: targeted e-mails, phone-call pretexting, or posing as a service technician or other innocuous visitor to obtain access to the IT resources and data the attacker is after.

"Due to the rise in inclement weather, we're committed to our employees' safety and are in the process of upgrading our remote access gateway so that everybody has the opportunity to work from home. Please click the link below to install the new software. You will be asked to enter your credentials before continuing."

It worked. Within an hour, Blow had more than 60 percent of the employees giving him their logon credentials. "By the time the information security department figured out what was going on (about 90 minutes), I had more than a 75 percent success rate. These users comprised a sampling from every department including marketing, IT, and C-level executives," he says.

Person-to-person cons

While emails and telephone calls are effective, sometimes the attacker has to get onsite and do the social engineering in person. "Over the years, I've posed as an AT&T technician, a UPS delivery man, an angry executive, and a lot of the other typical guises talked about in our industry. One of my favorites was posing as an exterminator," explains Blow.

For that "exterminator" engagement, Blow had numerous physical locations he needed to breach — before the different branches had time to discuss his activities with each other. "I had several 'work orders' printed and several executives listed in the description, along with the CFO's signature. I'd taken the time to find out as much as I could about the people at these branches, but a lot of them didn't have much of a digital footprint," he explains.

That made it more challenging, but certainly not impossible. In case he did have trouble getting in, Blow had someone at his company at the ready, prepared to back up his cover story if anyone called to check. Blow had other tricks up his sleeve, too, if needed, such as spoofing incoming phone calls. "What I wasn't prepared for was to be stopped at the front desk at my first location and almost not make it past. Apparently, the company had been using another pest control company for more than 30 years and immediately said that I wasn't 'Bob.'"

Blow needed to think quickly, and he did. "I told them that they were subcontracting jobs over the next few months due to high demand of exterminators in the area. I was even nice enough to place a phone call to 'Bob' (one of the employees at my company) and we made up a believable story," he says.

After a few more minutes of talking with the front-desk employee and with the vice president at that branch, Blow was still denied. He told them he would be back with more proof. Luckily for Blow, this branch was a fairly large campus, so he simply slipped in through another door and got everything he needed without being questioned.
