While hackers typically use technology to gain access to the data on the systems they seek to attack, they often begin their assault by conducting a reconnaissance of their target. This reconnaissance may take the form of phishing emails, dumpster diving, visiting the company website, social media, or numerous other non-technical methods known collectively as ‘social engineering’. What follows is a true story of how social engineering was used to gain entry to the data of an organization.
One morning, a group of strangers walked into a large shipping firm and walked out with access to the firm’s entire corporate network. How did they do it? By obtaining small amounts of access, bit by bit, from a number of different employees in that firm. First, they researched the company for two days before setting foot on the premises. They learned key employees’ names by calling HR; they pretended to lose their key to the front door, and a man let them in; they “lost” their identity badges when entering the third floor secured area, smiled, and a friendly employee opened the door for them.
The strangers knew the CFO was out of town, so they were able to enter his office and obtain financial data off his unlocked computer. They dug through the corporate trash, finding useful documents. They asked a janitor for a garbage pail and carried all of this data out of the building. The strangers had studied the CFO’s voice, so they were able to phone, pretending to be the CFO, in a rush, desperately in need of his network password. From there, they used regular technical hacking tools to gain super-user access into the system.
The strangers were network consultants performing a security audit for the CFO without any other employees’ knowledge. They were never given any privileged information from the CFO but were able to obtain all the access they wanted through social engineering.
Kapil Raina, security expert at Verisign