Social engineering is a service that my team and I get involved in on a fairly frequent basis. While for the most part this involves remotely trying to convince targets to click on links in emails, browse to fake login pages, download carefully constructed files which lead to remotely accessible shells, or politely asking them for their passwords over the phone (all of which have been successful on multiple occasions), physically obtaining access to a client's site is one of the activities that I most look forward to.
There are a number of useful gadgets available to gain physical access to client's offices, including devices such as the ubiquitous Proxmark, our own HumblePi (https://www.dionach.com/blog/using-hardware-devices-to-gain-internal-access) and of course a small set of lockpicks. Generally though, all that is needed is a notepad and pen, a cup of coffee, and a good cover story.
Two common cover stories that my team and I have used successfully over the last couple of years include the following:
1) Meeting Room Mix-Up
This is personal favourite as it takes advantage of the fact than many companies with multiple offices share meeting spaces, and these frequently get double-booked or changed at short notice. The basic premise is that two people from somewhere other than the target office, for example a member of staff from one office and a client, have a meeting scheduled for the next day. Due to a mix-up, the client is heading to the target office, not to the member of staff's actual office, which is a significant distance further away. The member of staff is very apologetic for the very short notice and the inconvenience, and assures the target that any old room will do, and it will only really be for an hour at most. Most of the time, the target will offer an unused office out of a desire to help a colleague in a difficult situation. Most of time that we have used this scenario, the office has provided us with internal network access, unsupervised access to at least one workstation, and in one case, unsupervised access to a cabinet full of customer details.
2) IT Support Visit
This is a fairly classical scenario, and takes advantage of the fact that despite the ubiquity of technology in most business, there is still an element of mystery surrounding IT support and the occasional misbehaving update. This one can sometimes be performed with no pre-seeding, and purely turning up at a target site armed with a laptop and a stressed manner is enough. Better results are generally obtained, however, by preparing the target site to receive a visit from the social engineer with a carefully crafted spoof email which mentions a routine visit to address some reported email failures, or a phone call to someone asking them to verify that they can access files on their new "X-Drive". The network share mentioned doesn't actually exist, and so the called user will fail to access it. A polite question to check if anyone else has the same problem will lead to an agreement to come round as soon as possible to resolve the problem.
The main reason for the success of the scenarios above is that staff are generally worried about challenging people they don't know, or about reporting things that appear suspicious. This is something that any internal security awareness program should tackle as a priority. People who are where they are authorised to be, and doing something that they are authorised to do, will generally not object to being challenged - provided that the challenge is handled professionally and politely - and so staff should be encouraged to challenge and to question, and to report anything potentially suspicious using defined internal channels. It should be clear that this is in the aim of improving internal security for the organisation as a whole.
Asking someone for identification when they attempt to enter an office should be a routine practice, and verifying provided details with a trusted source should be encouraged. For example, in either of the scenarios above, calling the attackers claimed office on an internally listed number would have quickly unravelled the social engineer's cover story. As an additional precaution, the social engineer could have been asked to provide identification. This should not be relied on as sole verification, however, as identification can be easily faked in most cases.
For more information on social engineering and steps that can be taken to protect against it or to limit its impact and exposure, consider looking at some of our other blog posts, such as: