5 Interesting and Creative Ways Of Social Engineering
Why bother getting (or doing yourself) hack into a system when you can most likely socially engineer someone to give you the information you want?
Here’s a few Interesting and Creative Ways Social Engineering has been used (do not try these at home, it’s definitely illegal).
Carry a ladder, wear a bright orange vest, a security badge, repair mans shirt etc.
Dressing the part is one of the most important parts to getting access to what you want, once you have access you’re in. So, first dress for the part, what is a common look of the people you want to impersonate going in and out of the building.
Here’s a VERY simple example of how this could go down in a corporate environment.
Have a few names ready, don’t worry if they’re wrong. Imagine this, you walk up to a secretary and you say “Hi, (fake name) said I needed to replace an AC unit part int he server room” using a common name would work best. Once you have access do as you please. This could work for many situations.
#2 Common Items Around The Office
If you’ve ever paid for gas with your credit card at the pump, you know there is a little device called card skimmers thieves use to steal your card data. That’s one way, how about a few of these.
- Place a “Secure Shredder Box” in a public location (it has to make sense where it’s placed). Better yet, find out the company a business uses to shred sensitive documents (let me guess Iron Mountain?). This works for trash cans as well.
- Dress up like an Iron Mountain employee, you now have access to the shredding box of highly sensitive corporate documents.
- Dress as a postal worker and take the outgoing mail off the secretaries desk, there’s usually a pile of them, you might have to ask for them from the secretary. Make sure you know the usual postal route time of pickup.
- Cleaning crews generally have access to more secure locations than other employees, especially after hours. Call up the company who does the cleaning, find out the name of the owner or manager, show up in your cleaning outfit and tell them ‘jose’ sent you for training.
#3 Authority Figures
From our early childhoods we are told over and over to respect and listen to authority figures. This means even someone as simple as a Security guard can be used to get access to people, places and things others would not be able to.
#4 Targeted “Real Life” spam
When targeting someone you can go as far as taking pictures around the location the person would usually identify with and email them and get them to do things they would not normally do.
Imagine I send you a real photo of your car in the parking lot at work and contact this person via email stating, “I’m so sorry I hit your car, show the picture and place the link to a malicious download.” While this might sound stupid to some, if you can infect just one PC at a company you have access to many insecure servers. Most IT and managers, when talking about internal servers have the attitude “It’s only internal so don’t worry about it” in regards to patches and other vulnerabilities. Infecting just one PC or device and getting access to give a lot more access to the business and its customers.
#5 Spam Calls
We hate them all, spam phone calls. Sometimes though, they get answered. Imagine you get a call from a number you don’t know, over and over in a short time span. You may ignore it (after 5 times it gets really annoying), answer it or call it back.
If you can get someone to call you back, it’s very easy to obtain tons of personal information. Imagine you call back and the phone is answered by your security company, let’s say ADT. So let’s say I have an IP phone setup, I spam and they call back and ….
O: ADT how can I assist you.
C: Yes, you keep calling me stop calling me
O: Sir/Maam, our records indicate your account is overdue.
C: I paid it last month on time.
O: I apologize, out records show there’s an outstanding balance of $10, if you can just confirm a few things with me, we might be able to remove this charge since I don’t have any previous late payment notes on your account
C: What do you need..
And… I think you get the picture.
Social Engineering is very serious and becoming more of an issue in corporations as well as individuals, if you are at the managers level or higher in any organization, I urge you to take action, let your boss know how social engineering works if they are not familiar and train your team to be prepared for it.