Social engineering fake outs

Learn how a consultant infiltrated his client’s buildings and networksEveryone can get duped by con men. It just takes one opportunity for the bad guys to take advantage. Social awareness campaigns hinge on keeping employees diligent when it comes to security at their company. That link from the IRS, your bank or the post office sure looks real – but look a bit closer.

Enter Anton Abaya. A senior assessment and compliance consultant at Accudata Systems, he is asked to come into a company unannounced to employees to see where the holes are in the network and the physical security. Here he shares some of his experiences. The clients’ names have been withheld to protect the innocent.

This is not a stickup

I went into a bank wearing a fake badge with the client’s logo and the word ‘IT CONTRACTOR’ that I made from basic materials at Staples. Before I even said anything, the receptionist asked if I was there to fix the fax machine, and I said “Yes”. At that point, I also “fixed” other computers onsite including teller systems.

I was able to access everything because the bank’s staff fully trusted us. We gained physical access (including plugging in my own USB drive and launching applications off it) onto teller workstations, other workstations for creating new bank accounts, physical security systems (like the video monitoring system). The bank staff let us roam around accessing pretty much anything we wanted under the context of ‘we’re doing some routine maintenance and tightening up of security’. I kept a close eye on the bank’s security guard, who really didn’t pay much attention to me.

The bank had procedures in place that required bank employees to always call the official IT help-desk lines at the corporate headquarters to confirm all work authorizations as well as ask for identification. I came in during lunch hours as I figured the bank manager would not be there.

For my sweetie

Around Valentine’s Day, I dropped off a box of chocolates with balloons attached at a client’s reception area and a USB drive that said ‘To my love’, but with no recipient details. The USB drive, when opened, plays a cute ‘I love you forever my Bunny’ video, and behind the scenes runs a benign executable that reaches back to our servers to prove it ran.

The receptionist gave it to another administrative office employee (manager), who opened it. They did not involve IT.

"F" on that test

I once pretended to be a student at a major university client taking a senior-level class in IT and was doing research on ‘Real-world IT problems’. I engaged the manager of Windows Systems at the university and was able to get him to run a benign executable that reaches back to our servers to prove it ran.