How to Rob a Bank - A Social Engineering Walk Through
Published on Scribd by mynameisnothing on May 01, 2012 (Attribution Non-commercial)
From: www.csoonline.com

How to rob a bank: A social engineering walkthrough
Professional social engineer Jim Stickley walks through the steps he typically takes to fool clients into thinking he's there for fire safety, while he's really proving they are an easy target for a data breach
TraceSecurity's Jim Stickley, as told to Joan Goodchild, CSO, October 26, 2011

If a company hires us for a social engineering engagement, typically they want us to get in and get to their back-up tapes, or into the data in their document room. Let's say I am posing as a fire inspector. The first thing I will have, besides my badge and uniform, is a walkie-talkie, like all firemen. Outside, we'll have our car guy. He's the guy that sits in the car, and basically his job in the beginning is to send chatter through to our walkie-talkies. We will have a recording of all that chatter you'll hear on walkie-talkies. He sits in the car and plays it and sends it through to our walkie-talkies.

[Jim Stickley explains his social engineering methods in Social engineering: My career as a professional bank robber]

We walk into the facility and make sure that all the chatter is coming loudly into the walkie-talkies as soon as we walk in their door, so that we are immediately the center of attention. When I walk in, I want everyone to know that I mean business. My walkie-talkie is loud and everyone looks over as I apologize and turn it down.

I show the person at the front desk my badge. They'll say "Hi, how's it going?" I'll say "Good, I'm here to do a fire inspection." They say "Great" and assign someone to us, like a teller. It's generally someone who's nice. I'll start talking with them, flirting with them, or whatever it takes. We'll start walking around.

While I'm talking with the person who has been assigned to us, my partner knows his job is to immediately wander away from us. So, my partner will immediately walk off. In most cases our escort will say "Can you come back here? I need to keep you guys together." We say "Sure, sorry." But really that means nothing to us. All it means is that we keep doing it until she gives up. My partner will wander off two or three more times and get warned until she finally stops and gives up. She just thinks he's a fireman and thinks "Let's just let him do what he needs to do."

[Read about the latest scams in 5 more dirty tricks: Social engineers' latest pick-up lines]
At that point, my partner's job is to start stealing everything he can steal and start putting it in his bag. And he also has to get under the desks of any employee he can find and start installing these little keyboard loggers. My guy gets under the computer and in his bag he has a bunch of dongles. If the employees are there, he'll say "Hey, do you mind if I get under your desk for a minute? I'm just checking for any kind of fire danger." If the employee asks "What kind of danger could be under my desk?" he will say "You know that fan on the back of your computer? If it stops spinning that could be a fire hazard." This kind of explanation sounds reasonable, and they just believe it. Of course, while my partner is under the computer, the person can't see what they're doing and they usually just wander off. He easily installs one on the employee's computer and now all data is going through this device.

In the meantime, my partner is going under desks. I stay with the person who is escorting me and my whole job now is keeping them entertained. I keep walking around rooms, giving them advice on keeping their facility fire safe, even though I really have no idea what I'm talking about. I'm completely winging it. I make stuff up and probably give the worst advice ever. I'll comment on space heaters. I'll pull out cords and say "This looks a little bit dangerous." It's amazing the stupid things I can do. A few years ago I got a device at Home Depot. It's like a measuring tape, but not a regular measuring tape. It has a laser pointer and makes a clicking noise. This device is like the Tricorder on Star Trek for me. I can do any magical thing with it as far as I'm concerned. I'll put it up to a socket and say "This looks like it has too much current running through it." It's the bells and whistles that count and people want to see that you have products.

At that point we usually meet back up and discuss with each other out loud all the places where we've already been. That way we really have a good idea of what's been accomplished and he can go back into places where I was unable to steal anything because of my escort. He'll say "I've hit all the desks." I'll say "Can you do me a favor and go back and check in here again?" and mention some place where I may have seen something interesting and I want him to go back and take care of it.

When we've done everything we need to do, we don't want them to know we're done. We want to be able to come back another time. This is where our guy in the car will make a fake call to the walkie-talkie and tell us they need us to respond to a call. I look at my escort and say "Hey, sorry, we'll be back." We then tell them we're all set and will send a report in the mail. We show back up in the next few days, claiming we've lost our original inspection form. We'll do another quick run through, do a quick recheck, go back in and get the dongles we've installed on the computers. Since we've already taken everything, the second visit is quick.

On our way out, the last thing we will do is a dumpster dive. We show up with rubber gloves and start ripping bags open. It's miserable, but it's crazy how lucrative it is. It's amazing how much confidential information ends up in the trash.

[Also see A real dumpster dive: Bank tosses personal data.]

By the time it's over, we've stolen stuff, laptops, checks, and gotten access to log-ins and passwords because we've been recording that information with the key logging devices, whether it be online sites or local accounts on their system. We've been on their wireless network and have been able to hack into that as well.

When we show up after the engagement to present what we found, there is often a total look of shock on the employees' faces. If you talked to them a week earlier, they never thought they'd fall for some of the stuff we pulled. It's stuff they never thought would happen. But now they see it can happen, and it can happen to them. But it's a learning experience we hope they will all learn from.

© CXO Media Inc. Source: http://www.csoonline.com/article/print/692551
