‘I break into buildings and pretend to be the bad guy’ • The Register


Interview A hacker walked into a “very big city” building on a Wednesday morning with no keys to any doors or elevators, determined to steal sensitive data by breaking into both the physical space and the corporate Wi-Fi network.

Turns out she didn’t need to do any breaking in at all.

She rode the elevator up to the reception floor without needing a security badge, found the office suite door propped open, walked past a security guard sitting at a desk and straight into a conference room.

“We had a malicious device already configured,” she told The Register. “We had found the credentials for their corporate Wi-Fi network in the trash, while dumpster diving the night before. We installed the device behind the TV in the conference room, connected it to the network, and we were able to exfiltrate data out of the company over their own corporate Wi-Fi network for over a week with no one being the wiser.”

In this case, the command-and-control server happened to be controlled by a security firm’s red team that had been hired by the multi-tenant building owner, who was worried about the tenants being “a little too relaxed” about office security — so this stolen data wasn’t being sent to a criminal’s C2.
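As an added example, not part of the article or of Bishop Fox’s tooling, here is the kind of check a defender would want for the scenario above: an unregistered client sitting on the corporate Wi-Fi for days and pushing data out. The wireless-controller log format, the sample lines and the asset inventory of known MAC addresses are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample wireless-controller log lines (the line format is assumed).
LOG_LINES = """\
2024-03-06T08:12:01 ASSOC mac=aa:bb:cc:00:00:01 ssid=CORP ap=floor3-conf-room
2024-03-06T08:12:05 ASSOC mac=aa:bb:cc:00:00:02 ssid=CORP ap=floor3-north
2024-03-06T18:00:00 DISASSOC mac=aa:bb:cc:00:00:02 tx_bytes=52000000
2024-03-07T07:45:00 ASSOC mac=aa:bb:cc:00:00:03 ssid=CORP ap=floor3-conf-room
2024-03-13T09:30:00 DISASSOC mac=aa:bb:cc:00:00:01 tx_bytes=4800000000
""".splitlines()

# Constructed asset inventory: MAC addresses of devices the organisation issued.
KNOWN_MACS = {"aa:bb:cc:00:00:02"}

LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<event>ASSOC|DISASSOC) mac=(?P<mac>[0-9a-f:]{17})"
    r"(?: ssid=(?P<ssid>\S+) ap=(?P<ap>\S+))?(?: tx_bytes=(?P<tx>\d+))?$"
)

def find_rogue_clients(lines, known_macs, now_iso, max_hours=24, max_tx_bytes=10**9):
    """Return {mac: [reasons]} for clients absent from inventory that look planted:
    associated longer than max_hours (still-connected clients are measured up to
    now_iso) or uploading more than max_tx_bytes in a single session."""
    sessions = defaultdict(dict)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        s = sessions[m["mac"]]
        ts = datetime.fromisoformat(m["ts"])
        if m["event"] == "ASSOC":
            s["start"], s["ap"] = ts, m["ap"]
        else:
            s["end"], s["tx"] = ts, int(m["tx"] or 0)
    flagged = {}
    for mac, s in sessions.items():
        if mac in known_macs or "start" not in s:
            continue  # inventoried device, or no association seen in this window
        end = s["end"] if "end" in s else datetime.fromisoformat(now_iso)
        hours = (end - s["start"]).total_seconds() / 3600
        reasons = []
        if hours > max_hours:
            reasons.append(f"associated {hours:.0f}h at {s['ap']}")
        if s.get("tx", 0) > max_tx_bytes:
            reasons.append(f"uploaded {s['tx']} bytes in one session")
        if reasons:
            flagged[mac] = reasons
    return flagged
```

The thresholds are deliberately coarse; the point is that an inventory comparison plus dwell time and upload volume would have surfaced a device that sat behind a conference-room TV for a week.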

Meet Alethe Denis

The hacker, Alethe Denis, is a senior security consultant at Bishop Fox, and her specialty is physical security assessments. Or, as Denis puts it: “I break into buildings.”

She’s also a DEF CON Social Engineering Capture the Flag winner with her own spot in the hacker summer camp Black Badge Hall of Fame. As a penetration tester at an offensive cybersecurity shop, Denis’ work includes a lot of social engineering attacks, usually via phone and email. “We get to pretend to be the bad guys,” she said.

My favorite type of social engineering is face-to-face … It allows me to create really compelling characters

But “my favorite type of social engineering is face-to-face,” she admitted. In part, this is because it allows her to live out her dream of becoming an actor. “But also it allows me to create really compelling characters, communicate with people, and create these more elaborate pretexts.”

This typically includes impersonating past or current employees, or vendors that work in or around the company that has hired Denis and her team to break into their building. Their goal is usually to connect to the corporate network and steal something that only a high-level exec should be able to access.

“Our job is to impersonate a former employee who was terminated, and they give us a badge but it’s deactivated,” she said, as an example of a specific engagement involving “a disgruntled former employee trying to get back into the building and cause some sort of disruption.”

“Usually the reason they hire us is because they’ve invested a lot in their physical security controls, and disgruntled former employees are insider threats,” Denis added.

Even the pros get punked

The red team isn’t always successful. In one recent job, Denis was tasked with breaking into a software provider. She and her teammates decided to pose as IT contractors at the facility to carry out a site survey and complete a cost estimate to upgrade the company’s internal surveillance camera system.

“Because if we could get access to every location where there was a surveillance camera, then we could get into the server room and plant a device, which was the goal of the assessment,” she said.

The preparation took about a month, with the red team creating a fake vendor company, complete with a phone number, answering service, and work order for the surveillance system. “Knowing that we were there to do an estimate meant they wouldn’t verify that we were an actual vendor — we were still in the process of trying to become one,” Denis noted.

On the day of the planned break-in, one of the firm’s security managers happened to be working reception.

“We presented our case for getting into the building, and she immediately grabbed the global security operations manager, who I named on the work order.”

It turned out he was a former Israeli Defense Force red teamer who had also authored a book on covert surveillance and detection.

“That was one of the times we got punked,” Denis said. “He listened to our story, called us out on our charade, and sent us packing. I let him boot us out, he let us leave with our dignity.”

It’s not all AI and deepfakes

Despite the buzz around AI-assisted social engineering and deepfakes, human conversations — over the phone, electronically, or in person — are still the most commonly used, and most effective, social engineering tactics for crooks looking to make money off of their victims.

“Their tactics are quite different from those we see talked about in security awareness training, or vendor pitches for tooling to stop fraud and things like that,” Denis said. “Right now, the shiny new things are mostly AI related and keyworded.”

While some scammers are using AI-assisted social engineering tools, and the potential exists for “very disruptive attacks” using deepfakes, in general this technology doesn’t have the high-level return on investment that most cybercriminals want, she added.

“I have friends and contacts at three-letter agencies, and those people are telling me that nation states are turning their attention away from creating deepfakes, and they’re going back to more traditional methods of voice fraud over the phone,” Denis said.

And those who fall victim to a highly trained social engineer “won’t even be able to tell they’re being targeted by an attacker,” she noted.

“That’s what we’ve been seeing in most cases in recent years where there has been a big breach, or access granted to someone who should not have been granted access: the person who engaged with the attacker became the unwitting insider threat,” Denis continued.

“The attacker did such a good job of building that trust, of posing as an internal employee or a person who was entitled to that access,” she said. “And the person they were talking to had no idea — there was no way for them to determine that anything was wrong — and that is really a failure of the process.”

Red team scam tricks

Red teamers pretending to be the bad guys use these same techniques and tools to bypass security products that are supposed to detect and stop scam emails.

They also use software-as-a-service products to deliver the phony phishes designed to look like they are coming from a third-party vendor, such as an employee engagement survey provider, or an internal HR or IT person.

While most people have been well trained not to fall for phishes using politics, religion, or hot-button news topics as lures, there are more work-related issues that scammers can use to elicit a similar emotional response.

“What that looks like is a link to a policy that needs to be reviewed in order to answer a survey question,” Denis said. “The topic could be dress code, or return to office, or company-issued devices. Mundane things, but also things that people are really passionate about: how much time they want to spend in the office, or what people want to wear to work. How they feel about their company-issued laptop, because everybody hates those.”

What the social engineer wants to do is trigger that emotional response

Denis and the team will send an email with a link to a PDF purporting to be the policy that needs to be reviewed to answer the survey questions. In fact, the document is the malicious payload and it executes when the employee clicks on the phony policy PDF.

“What the social engineer wants to do is trigger that emotional response,” Denis said. “They want to bypass the logical, thought-processing parts of the brain and rely on that animal, gut-level response. Then we hijack the amygdala and take the person with us to the first survey question, ask them to click on this link and at that point I’m sending them to a credential harvesting landing page.”

The goal is typically to obtain admin-level access on a compromised machine, escalate privileges and see what else the red team can access in the organization’s IT system. If email alone doesn’t work, picking up the phone is very effective from the hacker’s perspective, too.

“I try to leverage them together,” Denis said. “I will call and say, ‘Hey, I sent you an email last week, did you get that email?’ People will typically say, ‘No, I never got it.’ Of course they didn’t because I never sent one.”

But at that point, the victim already feels like they screwed up by missing an email last week, and now they feel indebted to the attacker. “They feel like they owe me. Then I can say, ‘While we are on the phone right now, is it OK if I resend it to you? Can you go ahead and just do this one thing?’”

The best thing anyone can do to avoid falling victim to these types of voice-scam attacks is to ask questions, and this will typically throw the attacker off balance enough to hang up and move on to the next target, she said.

And while Denis’ goal as a pen tester is to end the call with access to the target organization — and without the person on the other end of the phone even knowing they’ve been tricked — real-life attackers aren’t nearly as kind.

“Scammers don’t care how you feel at the end of this,” she said. “They’re going straight for the jugular.” ®
