Sometimes, successful social engineering attacks mean they got lucky. And sometimes, the attackers make their own luck.
The attacker piggybacks his way into the building and picks the lock to the executive office space. He sees that one of the VP's office doors is open and the office is unoccupied. Seizing the opportunity, he enters the office and begins to look around.
After a minute, he hears the receptionist return to her desk outside of the VP office. Thinking outside of the box and utilizing the powers of improv, the attacker takes a business card off the VP’s desk, noticing that the receptionist is looking in.
“Can I help you?,” she asked.
With a smile cut across the attacker’s face, he looks down at the business card and turns to address the question. “Yes, I am looking for John Doe. This is his office, right?”
“Yes, but he is in a meeting in the conference room," she said. "Did you have an appointment?”
“Kind of. I was supposed to install an encryption client on his laptop today. It would only take a moment,” he replied.
“Well, he should be back in about an hour or so. Would you be able to come back then?,” she asked.
“Honestly, I have a lot of systems to work on and I would like to go ahead and knock his out while I’m here. I will be heading back to corporate early tomorrow, and I still have a lot to do,” he said.
“Well, let me ask him and see what he says,” she said.
The receptionist makes her way down the hall to the conference room. At this point, the attacker could leave and risk compromising the engagement or gamble with luck.
A few minutes later, she returns and says, “He said that he put a ticket in for something like that, three weeks ago."
With a scrunched brow of concern on his head, he followed up with a sympathetic, “Ha ha. Yeah, we’ve been a little backed up; hence the time crunch.”
“Well, I think he would prefer to be here for any changes," she added.
“That is okay. Could you at least do me a favor and let me get the serial number off the bottom of the laptop?,” he asked. “I want at least some proof that I came by.”
The attacker starts to make his way to the office. Although hesitant, the receptionist follows. The receptionist then smiles, nods, unmounts the laptop and hands it to the attacker.
The above story is from a social engineering and physical security assessment that I conducted recently. When fight or flight comes, we sometimes need to remind ourselves of the tenacity of an outside attacker. Real criminals will be just as determined, but typically have a lot more time to plan. With that said, as security consultants playing the role of the attacker during an assessment, we can take more risks – especially if it is near the end of an engagement, and we really want to drive home a point.
I can't stress enough how important a security culture is within a company and how a comprehensive security awareness training program should be. In this case, it should also include a well-developed change control policy. But what about that ace card? What are the odds that a ticket is still pending? Well, you’d be surprised.
I speak at a lot of different conferences about ‘gamble and get lucky’. The main point is that as an organization, you need to be ready for an attacker to try these tactics. If you are not aware of them, it increases the chance that they are successful. Here are some key points from this theme:
Gamble and Get Lucky
Receptionist Exploit: “I’m sorry. I seem to have left my USB drive from my last visit. Did anyone return it or put it in lost and found?” If so, this could be some free and easy information.
Receptionist Area: Walk through the front door and have them buzz you in to the protected area. Some offices do not have proximity readers at the visitor receptionist’s desk but they often have the buzzer underneath the desk or off to the side. If they aren't there, see if you can buzz yourself in.
Dumpster Diving: Trash cans and dumpsters are public domain, UNLESS it’s locked or is behind a locked door or fence. Then, that’s trespassing. If you're certain there's a high chance that you'll be approached and questioned while going through the trash, then take on a role that wouldn't be so "out of place." For example, a homeless person. However, if you do get caught and can't act your way out of it, then you'll need your “get out of jail” letter.
Lie: Pose as person accepting donations for charity (It’s okay. It’s part of your job.). See if they have any old/outdated server hardware they are willing to sale or donate. If yes, SCORE! Chances are that their devices will still have current configurations for the organization, and maybe even some sensitive information.
Creep: The target has probably left a digital fingerprint somewhere, and there are many open source resources to check:
- Foreclosures, census records (ancestry.com), blogs, emails, help forums, property taxes, etc.
- Find social media accounts and browse pictures. You might find other people to pivot off of, or, maybe a picture of them in an office with credentials on post-it notes stuck to a monitor. It really does happen!
Perception Check: Look on desks and whiteboards, as well as in trash cans, internal newsletters and unlocked offices. You'll be surprised how many write important credentials or "hints" on post-it notes and stick them to their screen, somewhere around their desk or in an unlocked drawer.
Your Credibility Goes a Long Way
Backstory: Where are you from? What vendor are you with? Who are you visiting? Are you a contractor? Which department? This is great information to know when you build the story of who you are, along with other related information. Make sure that you have your story straight before you engage and interact with the target.
Social Skillsets: When performing social engineering via telephone or in person, the ability to improv, pull off an accent or use another language can come in handy.
- Check out improv, vignette or acting classes and seminars to build on these skill sets and help yourself become more comfortable and confident when taking on these roles.
Listen: Keep your eyes open and mouth shut. So much is assumed from others when you just shake your head in agreement or as if you know what they are talking about. Let them assume that you’re familiar with their subject or can relate to their situation. This builds trust, which can lead to diarrhea of the mouth. Drinks are also a good motivator.
As a potential target, you need to be ready for the amount of time and effort an attacker is going to work to infiltrate your organization. You should appreciate that they are using, what you probably think of as nonstandard techniques, and as a result, you should work on nonstandard security controls.