Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

BLOG: How to rob a bank: A social engineering walkthrough

Jim Stickley | Oct. 27, 2011
If a company hires us for a social engineering engagement, typically they want us to get in and get to their back-up tapes, or into the data in their document room.

A few years ago I got a device at Home Depot. It's like a measuring tape, but not a regular measuring tape. It has a laser pointer and makes a clicking noise. This device is like the Tricorder on Star Trek for me. I can do any magical thing with it as far as I'm concerned. I'll put it up to a socket and say "This looks like it has too much current running through it." And they just believe it. It's amazing the stupid things I can do. It's the bells and whistles that count and people want to see that you have products.

In the meantime, my partner is going under desks. If the employees are there, he'll say "Hey, do you mind if I get under your desk for a minute? I'm just checking for any kind if fire danger." If the employee asks "What kind of danger could be under my desk?" He will say "You know that fan on the back of your computer? If it stops spinning that could be a fire hazard." This kind of explanation sounds reasonable.

My guy gets under the computer and in his bag he has a bunch of dongles. He easily installs one on the employee's computer and now all data is going through this device. Of course, while my partner is under the computer, the person can't see what they're doing and they usually just wander off.

At that point we usually meet back up and discuss with each other out loud all the places where we've already been. That way we really have a good idea of what's been accomplished and he can go back into places where I was unable to steal anything because of my escort. He'll say "I've hit all the desks." I'll say "Can do me a favor and go back and check in here again?" and mention some place where I may have seen something interesting and I want him to go back and take care of it.

On our way out, we don't want them to know we're done. We want to be able to come back another time. This is where our guy in the car will make a fake call to the walkie-talkie and tell us they need us to respond to a call. I look at my escort and say "Hey, sorry, we'll be back."

We show back up in the next few days, do a quick recheck, go back in and get the dongles we've installed on the computers. We'll do another quick run through, claiming we've lost our original inspection form. Since we've already taken everything already, the second visit is quick. We them tell them we're all set and will send a report in the mail.


Previous Page  1  2  3  Next Page 

Sign up for Computerworld eNewsletters.