How to rob a bank: A social engineering walkthrough

http://www.csoonline.com/article/print/692551

Professional social engineer Jim Stickley walks through the steps he typically takes to fool clients into thinking he's there for fire safety, while he's really proving they are an easy target for a data breach
TraceSecurity's Jim Stickley, as told to Joan Goodchild, CSO, October 26, 2011

If a company hires us for a social engineering engagement, typically they want us to get in and get to their back-up tapes, or into the data in their document room. Let's say I am posing as a fire inspector. The first thing I will have besides my badge and uniform is a walkie-talkie, like all firemen. Outside, we'll have our car guy. He's the guy that sits in the car, and basically his job in the beginning is to send chatter through to our walkie-talkies. We will have a recording of all that chatter you'll hear on walkie-talkies. He sits in the car and plays it and sends it through to our walkie-talkies.

We walk into the facility and make sure that all the chatter is coming loudly into the walkie-talkies as soon as we walk in their door, so that we are immediately the center of attention. When I walk in, I want everyone to know that I mean business. My walkie-talkie is loud and everyone looks over as I apologize and turn it down.

I show the person at the front desk my badge. They'll say "Hi, how's it going?" I'll say "Good, I'm here to do a fire inspection." They say "Great" and assign someone to us, like a teller. It's generally someone who's nice. I'll start talking with them, flirting with them, or whatever it takes. We'll start walking around. While I'm talking with the person who has been assigned to us, my partner knows his job is to immediately wander away from us. So, my partner will immediately walk off. In most cases our escort will say "Can you come back here? I need to keep you guys together." We say "Sure, sorry." But really that means nothing to us. All it means is that we keep doing it until she gives up. My partner will wander off two or three more times and get warned until she finally stops and gives up. She just thinks he's a fireman and thinks "Let's just let him do what he needs to do."

At that point, my partner's job is to start stealing everything he can steal and start putting it in his bag. And he also has to get under the desks of any employee he can find and start installing these little keyboard loggers. My guy gets under the computer and in his bag he has a bunch of dongles. He easily installs one on the employee's computer and now all data is going through this device. If the employees are there, he'll say "Hey, do you mind if I get under your desk for a minute? I'm just checking for any kind of fire danger." If the employee asks "What kind of danger could be under my desk?" he will say "You know that fan on the back of your computer? If it stops spinning that could be a fire hazard." This kind of explanation sounds reasonable, and they just believe it. Of course, while my partner is under the computer, the person can't see what they're doing and they usually just wander off.

In the meantime, my partner is going under desks. I stay with the person who is escorting me, and my whole job now is keeping them entertained. I keep walking around rooms, giving them advice on keeping their facility fire safe, even though I really have no idea what I'm talking about. I'm completely winging it. I make stuff up and probably give the worst advice ever. I'll comment on space heaters. I'll pull out cords and say "This looks a little bit dangerous." It's amazing the stupid things I can do. A few years ago I got a device at Home Depot. It's like a measuring tape, but not a regular measuring tape. It has a laser pointer and makes a clicking noise. This device is like the Tricorder on Star Trek for me. I can do any magical thing with it as far as I'm concerned. I'll put it up to a socket and say "This looks like it has too much current running through it." It's the bells and whistles that count, and people want to see that you have products.

When we've done everything we need to do, we don't want them to know we're done. We want to be able to come back another time. At that point we usually meet back up and discuss with each other out loud all the places where we've already been. He'll say "I've hit all the desks." I'll say "Can you do me a favor and go back and check in here again?" and mention some place where I may have seen something interesting and I want him to go back and take care of it. That way we really have a good idea of what's been accomplished, and he can go back into places where I was unable to steal anything because of my escort.

This is where our guy in the car will make a fake call to the walkie-talkie and tell us they need us to respond to a call. I look at my escort and say "Hey, sorry, we'll be back." We then tell them we're all set and will send a report in the mail. On our way out, the last thing we will do is a dumpster dive. We show up with rubber gloves and start ripping bags open. It's amazing how much confidential information ends up in the trash. It's miserable, but it's crazy how lucrative it is.

We show back up in the next few days, claiming we've lost our original inspection form. Since we've already taken everything, the second visit is quick. We'll do another quick run through, do a quick recheck, go back in and get the dongles we've installed on the computers. By the time it's over, we've stolen stuff, laptops, checks, and gotten access to log-ins and passwords because we've been recording that information with the key logging devices, whether it be online sites or local accounts on their system. We've been on their wireless network and have been able to hack into that as well.

When we show up after the engagement to present what we found, there is often a total look of shock on the employees' faces. It's stuff they never thought would happen. If you talked to them a week earlier, they never thought they'd fall for some of the stuff we pulled. But now they see it can happen, and it can happen to them. But it's a learning experience we hope they will all learn from.

© CXO Media Inc.
