HOW TO ROB A BANK OVER THE PHONE

Black Hat Eu 2017 — Live coverage

LESSONS LEARNED AND REAL AUDIO FROM AN ACTUAL SOCIAL ENGINEERING ENGAGEMENT

By Joshua Crumbaugh of Peoplesec

Joshua Crumbaugh is the founder of PeopleSec and experienced penetration tester with an impressive background performing high end security assessments against high profile targets. He is also an expert social engineer who has talked his way into bank vaults, fortune 500 data centers, corporate offices, restricted areas of casinos and more. His experiences highlighted a significant need for a better “human solution” — This led him to a passion in social engineering and better understanding ways to stop social engineering attacks.

Why is Joshua sharing audio from social engineering attempts?

  • People should not be fired for falling victim, because that is a failure of management, not the employee.
  • Red Teamers should get on the phone more.

He starts by sharing an audit clip. Where somebody is tricked into running a script on his own machine.

In social engineering recon is everything. Learn how you get to you target to do what you want him to do without hime finding you out. Good recon can blind your target.

The Blue team should do recon too and know what informaiton is around about them.

Good social engineer creates a us against the world situation and Joshua gives us and audit clip that demonstrates that.

As a defense you could agree to a password between yourself and a vendor.

Most important lesson when social engineering: Never break character. Sometimes it takes a little more calls or you need to regroup or a bigger pretext.

Sometimes you need to shift the blame. This is referred to as the “My boss” rule.

It really helps to ask somebody for permission to use their time.

Sound effects in the call (even dim) help you reenforce your pretext.

Smile and laugh frequently on the phone, it really helps you gain trust.

Overall Joshua played us clips where he:

  • Managed to get his target to run a powershell script on his system
  • Got physical access to the bank building
  • Explains how he was able to get physical money.

Bleu Team

  • Sales are the most likely to click on a link in an email
  • Developers are close seconds and they have local admin
  • People have an attention span on 8 seconds.
  • Educations should be fun.

He shows a more entertaining awareness video.


This story was life blogged at Black hat EU 2017 in London. It is an attempt to cover the materials on stage as they are presented and do not reflect the work or opinion of the author.