Rook Uncut: Successful Social Engineering Stories

Rook Security (SECOPS)
Published Mar 6, 2015 · 4 min read

With new data breaches or information security concerns making headlines each day, we are often approached by peers, friends, family, and the media to provide insight. Rook Uncut gives you our quick and raw answers to security questions. If you missed the last edition of Rook Uncut, check it out here.

Chris Blow, Security Consultant at Rook, shares highlights from some of his most successful social engineering engagements.

What are your favorite social engineering engagements you’ve worked on?

I shared a couple of stories recently with CSO Online that I think are some of my more interesting engagements. I’ve also done some work with retail stores that required a lot of thinking on my toes and having a quick reaction time. I recently had an engagement like this where I needed to go into retail stores located within malls — malls that I frequent every now and again. Luckily most of the stores’ employees are in their late teens or early twenties, making it much easier to find information about them. However, coming up with a plan on how to enter the stores was a little harder.

I came up with three or four plans in my head as I walked into the store with my PwnPlug “power strip” in my bag. I ended up talking with a manager-in-training and while taking in a quick survey of the store layout, I saw they used VeriFone terminals for their credit/debit transactions and they were the newer terminals. Bam! There’s my story! I quickly became a VeriFone employee and was able to enter that same store on three different occasions with different people each time. (I had some issues with the cellular modem on the PwnPlug).

One manager questioned my validity and asked for a VeriFone badge or business card. I told him that I’d only been with the company for two weeks and wasn’t given any of those things yet. He went along with it and sent me on my way. In case I was questioned about the work I was doing, I sent an email to myself that appeared to come from the client with some general work orders and it stated, “We don’t want a Target or Neiman Marcus type incident happening to us.” Everybody was totally on board with that and didn’t question a thing until their help desk called one of the retail locations where I was on site. They saw one of the POS terminals having flaky network connectivity and wanted to troubleshoot. They ended up talking with me and asked who authorized me being there. I gave them a name of a security/compliance manager and a phone number. The help desk decided to go track him down in the office apparently and I was asked to stick around while this issue was resolved. After about 20 minutes, I knew I needed to get out of there, so I showed one of the managers my email showing the other stores I needed to visit that day and that I wanted to beat the rush hour traffic.

I left them with a name and phone number and he sent me on my way stating that they’d be in touch. One of my colleagues needed to go to this location the following day for a wireless assessment of that store. He called me and let me know that there were mall cops constantly patrolling that store and that when he went to pull his laptop out of his backpack while sitting close by, one of the mall cops told him to get his computer and bag out of the area.

(Sidenote: he ended up going to another bench about 50 feet away and was able to use his laptop without a problem.)

What are some differences between physical social engineering and email social engineering?

In a physical situation, almost everybody wants to be helpful regardless of the social engineer’s demeanor, and if the first person you speak with isn’t helpful, there are always other people…and other entrances. From an email perspective, most folks know the typical “Free iTunes Gift Card” type of spam. If a social engineer truly wants to gain access to a company, the email must be targeted and must pique the employee’s interest without much thinking on their part.

Why do you think social engineering can be so successful?

Social engineering is all about exploiting what we learned on Sesame Street years ago: trust and help one another. Typically, the human element is the weakest point to any corporate security program. On the whole, people want to be helpful; social engineering exploits that vulnerability.

Global provider of IT security solutions protecting against dynamic, emerging threats. -- Inc. 500 Company in 2014.