A Blog from QualiTest

Social Engineering: It Takes a Thief

Social engineering exploits the kindness and trust of strangers to get around cyber security controls without ever touching a technical vulnerability.

Social engineering exposes a class of company cyber security risk in which the initial entry vector is human psychology, not the kind of high-tech flaw you would find on an OWASP vulnerability list.  Let's discuss some social engineering penetration techniques by putting you in the mindset of a perpetrator.

Most facilities will let in a delivery person rather easily, or perhaps a telecom or cable TV repairman or a plumber.  Maybe you can find an exterior door where people go out to smoke and enter that way, especially after offering someone a cigarette.  Even if you only get as far as the bathroom (an emergency request few would turn down), a lifted ceiling tile may give easy access to the network cabling, where a sniffer or a small rogue device can be attached.

If the company rents space in an office building, there are building-based ways to fake one's way in: a fire marshal (who can send people out of rooms of your choice), an exterminator ("We treated the office above yours, let's make sure nothing found its way down"), or a technician tracking down a phone problem (who gets access to your communications lines).

If you can get into the building, calling from a phone that shows up as an internal extension adds to your credibility and makes any request more believable, for instance when posing as an IT repairman who is really installing malware or enabling a remote connection.  Maybe an outside call is enough, with a sob story designed to make the victim feel like a heroic helper.  If you make it to someone's office, try the computer: maybe it has not locked since the person walked away, has no password, or has the password on a sticky note.  Or you can leave thumb drives loaded with malware in the lunch room and claim they are a thank-you gift from a known company client.  Or you can post a flyer announcing a new help desk number that points to your confederates.

Even if you don't make it into the building, an outside call or email may work as bait.  Do a little research first: the company website, LinkedIn, Facebook or the company newsletter can tell you about some of the employees.  Maybe you can spam your way in by email from a spoofed sender address, or spear phish with something the target would expect to see ("About the new tax changes" to Finance, "About X" to someone about to give a webinar on X, and so on).  Perhaps your email offers a free account sign-up, where they may register with their work email address and the same password they use at work.
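The spoofed sender in the paragraph above usually gives itself away in the headers rather than in the visible From line. The following is an added example, not code from the original post: it compares the From domain with the envelope sender (Return-Path), the Reply-To domain and the DKIM signing domain (the d= tag), which is roughly the alignment check DMARC performs, and it also catches the trick of putting a trusted address in the display name. The three sample messages, the domains and the DKIM tag values are constructed for this example.

```python
"""Flag a spoofed or misaligned sender in a raw email message.

Added example (not from the original post). The sample messages and the
example.com / evil.test domains below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr


def _domain(header_value):
    """Lower-cased domain of the first address in a header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def check_sender_alignment(raw_message):
    """Return a list of findings; an empty list means the headers line up."""
    msg = message_from_string(raw_message)
    name, _ = parseaddr(msg.get("From") or "")
    from_domain = _domain(msg.get("From"))
    if not from_domain:
        return ["missing or unparsable From address"]

    findings = []
    # Envelope sender and reply target should sit on the same domain as From.
    for header in ("Return-Path", "Reply-To"):
        other = _domain(msg.get(header))
        if other and other != from_domain:
            findings.append(f"{header} domain {other} does not match From domain {from_domain}")

    # DKIM signing domain (d= tag) should also be the From domain.
    sig = msg.get("DKIM-Signature") or ""
    match = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
    if match and match.group(1).lower() != from_domain:
        findings.append(f"DKIM d={match.group(1)} does not match From domain {from_domain}")

    # Display-name trick: "cfo@example.com" <attacker@evil.test> shows the
    # trusted address in the mail client while replies go elsewhere.
    if "@" in name and name.rpartition("@")[2].lower() != from_domain:
        findings.append(f"display name {name!r} carries an address on another domain")
    return findings


# Constructed sample 1: everything aligned, nothing to report.
ALIGNED = (
    "Return-Path: <bounce@example.com>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=mail;\n"
    "\tbh=placeholder; b=placeholder\n"
    "From: IT Alerts <alerts@example.com>\n"
    "To: staff@example.com\n"
    "Subject: Scheduled maintenance\n"
    "\n"
    "The mail server will be down tonight.\n"
)

# Constructed sample 2: spear phish with a spoofed From and outside bounce/reply domains.
SPOOFED_ENVELOPE = (
    "Return-Path: <bounce@mailer.evil.test>\n"
    "From: \"CFO\" <cfo@example.com>\n"
    "Reply-To: \"CFO\" <cfo@evil.test>\n"
    "To: finance@example.com\n"
    "Subject: About the new tax changes\n"
    "\n"
    "Please review the attached changes today.\n"
)

# Constructed sample 3: real sender domain, trusted address smuggled into the display name.
DISPLAY_NAME_TRICK = (
    "Return-Path: <attacker@evil.test>\n"
    "From: \"cfo@example.com\" <attacker@evil.test>\n"
    "To: finance@example.com\n"
    "Subject: Urgent wire transfer\n"
    "\n"
    "Call me when you get this.\n"
)

if __name__ == "__main__":
    for label, sample in (("aligned", ALIGNED),
                          ("spoofed envelope", SPOOFED_ENVELOPE),
                          ("display-name trick", DISPLAY_NAME_TRICK)):
        print(label, "->", check_sender_alignment(sample) or "no findings")
```

The check only looks at what the message claims about itself; a mail gateway that actually verifies SPF and DKIM is the authoritative source, and a look-alike domain that passes all three checks (for example a newly registered domain one letter off) still needs a human or a domain-similarity rule to catch.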

If you don't think your company can be penetrated by this type of social engineering, you may be in need of a cyber risk assessment.  Don't put your company's secret data at risk.  Go with a well-established company with a solid IT testing reputation.