Interview
A hacker walked into a “very big city” building on a Wednesday morning with no keys to any doors or elevators, determined to steal sensitive data by breaking into both the physical space and the corporate Wi-Fi network.
Turns out she didn’t need to do any breaking in at all.
She rode the elevator up to the reception floor without needing a security badge, found the office suite door propped open, walked past a security guard sitting at a desk and straight into a conference room.
“We had a malicious device already configured,” she told The Register. “We had found the credentials for their corporate Wi-Fi network in the trash, while dumpster diving the night before. We installed the device behind the TV in the conference room, connected it to the network, and we were able to exfiltrate data out of the company over their own corporate Wi-Fi network for over a week with no one being the wiser.”
In this case, the command-and-control server happened to be controlled by a security firm’s red team that had been hired by the multi-tenant building owner who was worried about the inhabitants being “a little too relaxed” about office security — so this stolen data wasn’t being sent to a criminal’s C2.
Meet Alethe Denis
The hacker, Alethe Denis, is a senior security consultant at Bishop Fox, and her specialty is physical security assessments. Or, as Denis puts it: “I break into buildings.”
She’s also a DEF CON Social Engineering Capture the Flag winner with her own spot in the hacker summer camp Black Badge Hall of Fame. As a penetration tester at an offensive cybersecurity shop, Denis’ work involves a lot of social engineering attacks, usually via phone and email. “We get to pretend to be the bad guys,” she said.
But “my most favorite type of social engineering is face-to-face,” she admitted. In part, this is because it allows her to live out her dream of becoming an actor. “But also it allows me to create really compelling characters, interact with people, and create these more elaborate pretexts.”
This often involves impersonating past or current employees, or vendors that work in or around the company that has hired Denis and her team to break into their building. Their goal is usually to connect to the corporate network and steal something that only a high-level exec should be able to access.
“Our job is to impersonate a former employee who was terminated, and they give us a badge but it’s deactivated,” she said, as an example of a specific engagement involving “a disgruntled former employee trying to get back into the building and cause some sort of disruption.”
“Usually the reason they hire us is because they’ve invested a lot in their physical security controls, and disgruntled former employees are insider threats,” Denis added.
Even the pros get punked
The red team isn’t always successful. In one recent job, Denis was tasked with breaking into a software provider. She and her teammates decided to pose as IT contractors at the facility to perform a site survey and complete a cost estimate to upgrade the company’s internal surveillance camera system.
“Because if we could get access to every location where there was a surveillance camera, then we could get into the server room and plant a device, which was the goal of the assessment,” she said.
The preparation took about a month, with the red team creating a fake vendor company, complete with a phone number, answering service, and work order for the surveillance system. “Knowing that we were there to do an estimate meant they wouldn’t verify that we were an actual vendor — we were still in the process of trying to become one,” Denis noted.
On the day of the planned break-in, one of the firm’s security managers happened to be working reception.
“We presented our case for getting into the building, and she immediately grabbed the global security operations manager, who I named on the work order.”
It turned out he was a former Israel Defense Forces red teamer who had also authored a book on covert surveillance and detection.
“That was one of the times we got punked,” Denis said. “He listened to our story, called us out on our charade, and sent us packing. I let him boot us out; he let us leave with our dignity.”
It’s not all AI and deepfakes
Despite the buzz around AI-assisted social engineering and deepfakes, human conversations — over the phone, electronically, or in-person — are still the most commonly used, and most effective, social engineering tactics for crooks looking to make money off of their victims.
“Their tactics are quite different from those we see talked about in security awareness training, or vendor pitches for tooling to prevent phishing and things like that,” Denis said. “Right now, the shiny new things are mostly AI connected and keyworded.”
While some scammers are using AI-assisted social engineering tools, and the potential exists for “very disruptive attacks” using deepfakes, in general, this technology doesn’t have the high-level return on investment that most cybercriminals want, she added.
“I have friends and connections at three-letter agencies, and those people are telling me that nation states are turning their attention away from creating deepfakes, and they’re going back to more traditional methods of voice phishing over the phone,” Denis said.
And those who fall victim to a highly trained social engineer “won’t even be able to discern they’re being targeted by an attacker,” she noted.
“That’s what we’ve been seeing in most cases in recent years where there has been a large breach, or access granted to someone who should not have been granted access: the person who engaged with the attacker became the unwitting insider threat,” Denis continued.
“The attacker did such an excellent job of building that trust, of posing as an internal employee or a person who was entitled to that access,” she said. “And the person they were talking to had no idea — there was no way for them to identify that anything was wrong — and that is truly a failure of the process.”
Red team phishing tricks
Red teamers pretending to be the bad guys use these same techniques and tools to bypass security products that are supposed to detect and stop phishing emails.
They also use software-as-a-service products to deliver the phony phishes designed to look like they are coming from a third-party vendor, such as an employee engagement survey provider, or an internal HR or IT person.
While most people have been well trained not to fall for phishes that use politics, religion, or hot-button news topics as lures, there are plenty of ordinary work-related issues that scammers can use to elicit a similar emotional response.
“What that looks like is a link to a policy that needs to be reviewed in order to answer a survey question,” Denis said. “The topic could be dress code, or return to office, or company-issued devices. Ordinary things, but also things that people are really passionate about: how much time they want to spend in the office, or what people want to wear to work. How they feel about their company-issued laptop, because everybody hates those.”
Denis and the team will send an email with a link to a PDF purporting to be the policy that needs to be reviewed to answer the survey questions. In reality, the document is the malicious payload and it executes when the employee clicks on the phony policy PDF.
“What the social engineer wants to do is trigger that emotional response,” Denis said. “They want to bypass the logical, thought-processing parts of the brain and rely on that animal, gut-level response. Then we hijack the amygdala and take the person with us to the first survey question, ask them to click on this link and at that point I’m sending them to a credential harvesting landing page.”
The goal is typically to gain admin-level access on a compromised machine, escalate privileges and see what else the red team can access in the organization’s IT system. If email alone doesn’t work, picking up the phone is very effective from the hacker’s perspective, too.
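From the defender’s side, the lure Denis describes has a recognisable shape: an internal HR/IT pretext arriving from a third-party sending domain, a hosted “policy” PDF, survey wording, and a separate off-domain link where a credential page would sit. The triage heuristic below is an added example, not code from the article or from Bishop Fox; the internal domain allowlist, the keyword lists, the flagging threshold and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: the domains this organisation really sends internal mail from.
INTERNAL_DOMAINS = {"example-corp.com"}
# Display-name or body wording that claims an internal HR/IT role.
PRETEXT_RE = re.compile(r"\b(hr|human resources|it (?:help ?desk|support)|people team)\b", re.I)
# Lure topics named in the article: a policy to review in order to answer a survey.
LURE_RE = re.compile(r"\b(policy|survey|dress code|return to office|company[- ]issued)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def host_of(url: str) -> str:
    """Host part of an absolute http(s) URL, lower-cased."""
    return url.split("/")[2].lower()


def score_message(raw: str) -> dict:
    """Triage one plain-text RFC 822 message; returns the indicators it trips."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    urls = URL_RE.findall(body)
    reasons = []
    # Internal-role pretext (HR/IT) arriving from a third-party sending domain.
    if (sender_domain and sender_domain not in INTERNAL_DOMAINS
            and PRETEXT_RE.search(f"{display} {body}")):
        reasons.append("internal-role pretext from external sender")
    # A hosted "policy" PDF is the payload delivery step the article describes.
    if any(u.split("?")[0].lower().endswith(".pdf") for u in urls):
        reasons.append("link to externally hosted PDF")
    # Survey/policy wording chosen to provoke a gut reaction rather than scrutiny.
    if LURE_RE.search(f"{msg.get('Subject', '')} {body}"):
        reasons.append("policy/survey lure wording")
    # Non-PDF links off the internal domains are where a credential page would sit.
    if any(not u.lower().endswith(".pdf")
           and not any(host_of(u).endswith(d) for d in INTERNAL_DOMAINS) for u in urls):
        reasons.append("external landing link")
    # Assumed threshold: three or more indicators together warrant analyst review.
    return {"from": addr, "reasons": reasons, "flagged": len(reasons) >= 3}


# Constructed sample messages, not real mail.
PHISH = """From: "HR Team" <hr-team@survey-vendor.example>
Subject: Return to office policy survey - response needed

Please review the updated return to office policy before answering:
https://survey-vendor.example/files/RTO-policy.pdf
Then complete question 1 here: https://survey-vendor.example/s/q1
"""
BENIGN = """From: "Payroll" <payroll@example-corp.com>
Subject: Pay stubs available

Your October pay stub is in the portal: https://hr.example-corp.com/stubs
"""
```

Running `score_message` over the two samples flags the constructed survey-vendor message on all four indicators and leaves the internal payroll notice untouched; a real deployment would tune the keyword lists and threshold against the organisation’s own mail.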
“I try to leverage them together,” Denis said. “I will call and say, ‘Hey, I sent you an email last week, did you receive that email?’ People will typically say, ‘No, I never got it.’ Of course they didn’t because I never sent one.”
But at that point, the victim already feels like they screwed up by missing an email last week, and now they feel indebted to the attacker. “They feel like they owe me. Then I can say, ‘While we are on the phone right now, is it OK if I resend it to you? Can you go ahead and just do this one thing?’”
The best thing anyone can do to avoid falling victim to these types of voice-phishing attacks is to ask questions, and this will typically throw the attacker off balance enough to hang up and move on to the next target, she said.
And while Denis’ goal as a pen tester is to end the call with access to the target organization — and without the person on the other end of the phone even knowing they’ve been tricked — real-life attackers aren’t nearly as nice.
“Scammers don’t care how you feel at the end of this,” she said. “They’re going straight for the jugular.”