Security Breach: Signed, Sealed, Delivered
In one case, we discovered that we couldn’t just download a standard VPN client. This company required that employees install it from a preconfigured CD. We had to figure out a way to get the CD and not expose ourselves as social engineers.
We racked our brains for a while, coming up with complex scenarios that always fell short in execution. And then the simplest option became the obvious choice: pretend we were out-of-town employees with VPN problems. We explained that our VPN wasn’t working no matter what we tried, and that we probably just needed to reinstall it. We said we were staying at a particular hotel and asked if the company would mind FedExing the CD to the hotel.
And of course, our clients were happy to oblige.
We went to the hotel, asked for a package for so-and-so, and walked away with a major building block for the attack.
The Takeaway: Anonymity and Red Flags
It is essential to educate employees on the danger of employees, vendors, or clients that demand anonymity—and help them recognize behaviors that should send up red flags.
Employees should be trained to make a mental note if they are:
- Asked not to track or write down any information about a phone call.
- Asked to call a caller back at a different number than the one listed.
- Asked to just not mention a phone conversation or email they’ve received.
- Asked to send a package to a public location instead of a published corporate address.
At best, these requests may indicate some sketchy employee behavior that may need to be investigated. At worst, they may indicate a social engineering attack in progress.