Everyone can get duped by con men. It just takes one opportunity for the bad guys to take advantage. Social awareness campaigns hinge on keeping employees diligent when it comes to security at their company. That link from the IRS, your bank or the post office sure looks real – but look a bit closer.
Enter Anton Abaya. A senior assessment and compliance consultant at Accudata Systems, he is asked to come into a company unannounced to employees to see where the holes are in the network and the physical security. Here he shares some of his experiences. The clients’ names have been withheld to protect the innocent.
This is not a stickup
I went into a bank wearing a fake badge with the client’s logo and the word ‘IT CONTRACTOR’ that I made from basic materials at Staples. Before I even said anything, the receptionist asked if I was there to fix the fax machine, and I said “Yes”. At that point, I also “fixed” other computers onsite including teller systems.
I was able to access everything because the bank’s staff fully trusted us. We gained physical access (including plugging in my own USB drive and launching applications off it) to teller workstations, to other workstations used for creating new bank accounts, and to physical security systems (like the video monitoring system). The bank staff let us roam around accessing pretty much anything we wanted under the pretext of ‘we’re doing some routine maintenance and tightening up of security’. I kept a close eye on the bank’s security guard, who really didn’t pay much attention to me.
The bank had procedures in place that required bank employees to always call the official IT help-desk lines at the corporate headquarters to confirm all work authorizations as well as ask for identification. I came in during lunch hours as I figured the bank manager would not be there.
For my sweetie
Around Valentine’s Day, I dropped off a box of chocolates with balloons attached at a client’s reception area and a USB drive that said ‘To my love’, but with no recipient details. The USB drive, when opened, plays a cute ‘I love you forever my Bunny’ video, and behind the scenes runs a benign executable that reaches back to our servers to prove it ran.
The receptionist gave it to another administrative office employee (manager), who opened it. They did not involve IT.
‘F’ on that test
I once pretended to be a student at a major university client taking a senior-level class in IT and doing research on ‘Real-world IT problems’. I engaged the manager of Windows Systems at the university and was able to get him to run a benign executable that reaches back to our servers to prove it ran.
Too good to be true
I once distributed 1,000+ flyers at a university campus advertising a free iPad if they filled out a short survey on what social networking sites they use (e.g. Facebook, Twitter, Yelp, etc.). The survey site was made to look like it belonged to the university, used a phony domain name, and asked users to provide their username and password at the end of the survey.
I once sent phishing emails that informed the recipient that the company’s parking services had ticketed them and that they owed a $100 fine for parking next to a fire hydrant. We even coupled another vulnerability that allowed us to piggy-back off the company’s own website (e.g. www.companyname.com/login) to add legitimacy to the phishing email. The email gave them the option to dispute (or be forgiven) if they logged into a specially created website with their company credentials. We scammed more than 50 employees, including a medical records clerk, payroll clerk, accounting clerk, financial manager, and IT admin/programmer.
Tailgating into a company’s office, pretending to be from IT, and asking various employees to use their computer for “just a minute” because “there’s a virus going around”. Most employees just gave us immediate access and we would then plug in our USB drive and run our executables to ‘phone home’. For others that had a higher risk of challenging our presence there, we had a fake badge and various stories (e.g. “I’m new here which is why you haven’t seen me before”).
Data for sale
Walking into a large merchant store, we convinced the store manager that we were from corporate IT, and that I needed access to their server closet by telling them their hard drive was dying and needed to be replaced. We had our fake badge, business casual attire, and various props like a replacement hard drive, a clipboard with the company logo, screwdrivers, and networking gear.
You earn how much?
“Accidentally” CC’ing targeted employees a fake email conversation between their HR manager and an HR employee with a payload-enabled attachment entitled “Salary Report 2015.xlsx”. The ‘accidental cc of a salary report’ is surprisingly very effective. We have previously received a response rate as high as 60 percent of the targets coupled with a tendency to have low reporting by staff to IT or Infosec personnel. We’ve used this on multiple occasions at different clients where anywhere from 100 to 300 employees were targeted.
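As an added defender-side example (not from the article or from Accudata), here is a small Python triage function run over constructed sample messages modelled on the lures described above: an outside sender posing as an internal department, a lookalike link host built from the company name, and a ‘salary report’ spreadsheet attachment. The organization domain and the sample messages are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organization domain used by the constructed samples below.
ORG_DOMAINS = {"companyname.com"}
# Lure themes taken from the engagements described in the article.
LURE_RE = re.compile(r"salary report|parking|\bfine\b|ticket|free ipad|survey", re.I)
DEPT_RE = re.compile(r"\b(hr|it|parking|help ?desk)\b", re.I)
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)
ATTACH_RE = re.compile(r'filename="?[^"\r\n]*\.(xls[xm]?|docm?)', re.I)

def host_is_lookalike(host):
    """True for hosts that borrow the org name without being the org domain,
    e.g. companyname.com.tickets.example or companyname-login.com."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in ORG_DOMAINS):
        return False
    return any(d.split(".")[0] in host for d in ORG_DOMAINS)

def triage(raw):
    """Return the phishing indicators found in one simplified single-part message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    if addr.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS and DEPT_RE.search(name):
        findings.append("external sender posing as internal department")
    disposition = msg.get("Content-Disposition", "")
    if LURE_RE.search(" ".join([msg.get("Subject", ""), disposition, msg.get_payload()])):
        findings.append("known lure theme")
    for host in URL_RE.findall(msg.get_payload()):
        if host_is_lookalike(host):
            findings.append("lookalike link host: " + host)
    if ATTACH_RE.search(disposition):
        findings.append("office attachment")
    return findings

# Constructed sample messages; not real mail from any engagement.
SALARY_LURE = """\
From: "Jane Doe, HR Manager" <jane.doe@mail-companyname.example>
Subject: FW: Salary Report 2015
Content-Disposition: attachment; filename="Salary Report 2015.xlsx"

Accidentally cc'ing you, please ignore.
"""
PARKING_LURE = """\
From: Parking Services <parking@companyname.com.tickets.example>
Subject: Parking violation notice

You owe a $100 fine. Dispute at http://companyname.com.tickets.example/login
"""
LEGIT = """\
From: Bob <bob@companyname.com>
Subject: Lunch?

See http://www.companyname.com/cafeteria for the menu.
"""
```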