Impersonation: Easier than you think - Part 1

Social engineering by impersonation is very common. For example, an attacker will call the help desk pretending to be an employee, claim to have forgotten their password and ask the help desk to reset it or give it to them. The help desk will frequently do this without verifying the identity of the caller. Our testing shows that this is a very common scenario – successful at most organisations in all business sectors.

Another technique involves visiting the premises in person. As a bogus employee, visitor or cleaner, it is simple to look for information lying on desks, overhear conversations, plug in a keylogger or even just use a vacant desk and PC. In one case, I was able to gain access through the building’s back door, walk around every floor without challenge, read personnel information and customer contracts in unlocked cabinets, steal the contents of post trays and obtain a staff list containing names, job titles, e-mail addresses and phone numbers.

The office cleaner wanders around the IT department emptying bins into a black plastic sack. He bends below each desk to look for stray sandwich wrappers and plastic cups. Whilst he’s under the desk, it is a matter of seconds for him to attach a hardware keylogger between keyboard and system unit.

These small keyloggers are effectively invisible on the back of the computer, and record every keystroke the IT folk make for the next week. They will capture usernames and passwords, as well as every e-mail and browser entry. Often this will include credit card information from Internet shopping, home address details, bank account details – in fact whatever the individual typed into the computer during that week.

Of course there are plenty of similar opportunities throughout the organisation – the CEO’s secretary’s PC for instance, or the Finance Director’s. Most organisations are vulnerable to this type of attack and will never know that it has taken place. The truth is that virtually no-one conducts proper staff vetting, and they certainly don’t check the cleaner’s credentials!

This blog post is an excerpt of an opinion piece called “Identity Theft in The Corporate World” written by Peter Wood from First Base Technologies. You can find more about this security outfit at