
Impersonation: Easier than you think - Part 1

Social engineering by impersonation is very common. For example, an attacker will call the help desk pretending to be an employee, claim to have forgotten their password and ask the help desk to reset it or give it to them. The help desk will frequently do this without verifying the identity of the caller. Our testing shows that this is a very common scenario – successful at most organisations in all business sectors.

Another technique involves visiting the premises in person. As a bogus employee, visitor or cleaner, it is simple to look for information lying on desks, overhear conversations, plug in a keylogger or even just use a vacant desk and PC. In one case, I was able to gain access through the building’s back door, walk around every floor without challenge, read personnel information and customer contracts in unlocked cabinets, steal the contents of post trays and obtain a staff list containing names, job titles, e-mail addresses and phone numbers.

The office cleaner wanders around the IT department emptying bins into a black plastic sack. He bends below each desk to look for stray sandwich wrappers and plastic cups. Whilst he’s under the desk, it is a matter of seconds for him to attach a hardware keylogger between keyboard and system unit.

These small keyloggers are effectively invisible on the back of the computer, and record every keystroke the IT folk make for the next week. They will capture usernames and passwords, as well as every e-mail and browser entry. Often this will include credit card information from Internet shopping, home address details, bank account details – in fact whatever the individual typed into the computer during that week.

Of course there are plenty of similar opportunities throughout the organisation – the CEO’s secretary’s PC for instance, or the Finance Director’s. Most organisations are vulnerable to this type of attack and will never know that it has taken place. The truth is that virtually no one conducts proper staff vetting, and they certainly don’t check the cleaner’s credentials!

This blog post is an excerpt of an opinion piece called “Identity Theft in The Corporate World” written by Peter Wood from First Base Technologies. You can find more about this security outfit at

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website building and web hosting when DHTML and frames were en vogue and started writing about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium. Following an eight-year stint at where he discovered the joys of global tech-fests, Désiré now heads up TechRadar Pro. Previously he was a freelance technology journalist at Incisive Media, Breakthrough Publishing and Vnunet, and Business Magazine. He also launched and hosted the first Tech Radio Show on Radio Plus.