Wednesday, April 30, 2014

Oh the Humanity: Picture of a Thief

In order to improve security awareness among staff, the first step is to change each employee's mental picture of what it means to be a thief. Not every social engineer who calls will be an easy-to-spot gentleman with an oily voice and a diabolical laugh. Awareness cannot be based on preconceived notions about gender, personality, or level of authority.

In order to be successful, social engineers will go to any lengths, will play on your employees' weaknesses, and will find ways to get inside their heads. For many men, that weakness is a friendly girl.

For some folks, it might be a helpless old lady. Here’s another story that illustrates one of the two main problems with employee-based security.

Problem #1: The Perception of Danger

Imagine your average social engineer. What do you picture? If you're thinking of either of our chief pretexting experts, picture a bearded guy, around 6'4". Hairy and manly.

Now imagine our very manly caller trying to get a VPN password reset. In one particular engagement, he found himself blocked every time he was asked for an employee ID. Since he didn't have one, he had to get creative, and began a second round of calls to employees, simply asking for their employee IDs.

Finding a staff member who was willing to give up that sensitive little building block was not easy, and thumbs up to them for that. Yet a persistent social engineer is almost always rewarded, and he finally found someone willing to share: Isabelle Martin.

Elderly. Southern. Female. Sweet as molasses.

Yes, our gruff and masculine pretexter was forced to call the IT help desk as the lovely Mrs. Martin.

He called and just gave it a try, speaking in a high, sweet, Southern female voice. Not surprisingly, he found himself on hold for 10 minutes. Then, after a few more questions, he was put back on hold for five more. Since being placed on hold is usually the death knell for a social engineering call (it means someone is checking), he was sure it was over.

Was his cover blown? Nope.

It turned out, at the end of the conversation, that Mrs. Martin didn't even have VPN access at all. Our caller wasn't on hold because the client's help desk was suspicious. They were just desperate to help a little old lady with a computer problem.

Stories like this show that suspicion is a very uncommon response. Customer service staff are often desperate to help anyone with an even slightly plausible story and a moderately believable accent. This perfectly illustrates the first problem: employees are easily distracted by their preconceived notions about who is, and who is not, dangerous.

Problem #2: Familiarity Breeds Complacency.

Most workdays run smoothly. People do their jobs, projects go according to plan, and everyone goes home at 5:00. When it's business as usual 99% of the time, it is hard to maintain employee vigilance toward malicious attacks. Frankly, it's very hard for people to admit that they are being lied to, even when a situation seems unusual or suspicious.

Here's an example. Several years ago, we were hired by a financial organization to see if we could fraudulently obtain the ability to run people's credit. This group has stringent guidelines for granting access to customer information, because a breach of their system would be catastrophic. They asked us to help them vet their onboarding process by applying, as a fake business, for access to customer credit information.

In order to get the access they grant, we needed to be a financial business: that meant a business license, two business references, leases, corporate contact information, a bank account that could be verified by phone and email, and even a mandatory site visit.

Initially, it sounded impossible. But Photoshop helped us fake a lease and a business license (both of which looked like they had been photocopied a million times). It took a couple of weeks to fabricate two separate reference companies and a bank, and we tacked on another couple of weeks to build fully functional websites for each of these fake businesses.

Finally, after clearing out our office and adding a fake sign, we were ready. Prepaid cell phones and hand-printed credentials in hand, we waited for our site visit.

The day came. Our visitors came in the door, verified the fact that our establishment was, in fact, an office, checked a box, and left.

Due diligence? Nada. They never even looked at our paperwork.

All it would have taken to shut us down was a little checking. Look up the bank and see if it exists. Call the references at a number found independently, not the one we supplied. Verify the business license with the issuing authority. It would have been so easy to get caught, but we weren't, and we had customer credit information at our fingertips by the end of the day.

Businesses that run these sorts of vetting processes should get a chill up their spine when they read stories like this. "Seems legit" is no way to approach due diligence, but the average employee may do the job halfway, simply because it is so statistically unlikely that they are being defrauded on any given day. Again, it's hard to believe you are being lied to.

Social engineers and other thieves know exactly how to manipulate employees, and it's hard to change human nature. While there is no single way to improve your human firewall, you can start with training written for employees by folks who understand the struggle.
