Common Social Engineering Attacks: Delivery Person
From Learn to be a true Social Engineer
One common attack is to impersonate a delivery person. Impersonating a delivery person is an effective attack and an easy attack since not much acting is involved. Usually the hardest part is looking the part and having all your credentials, papers and "deliveries" in order to be able to pull it off.
USPS (United States Postal Service)
For example, someone dressed as a USPS employee is automatically trusted, since they are an employee for the US government. They usually can walk in and out of a building with freedom and even at time be let into secure areas to deliver packages with very little if no questions asked. This is a perfect attack vector for someone to take, since trust is already there.
A few things need to be in place first to pull this off. Of course one of the biggest is looking the part. Being aware of what delivery people you can impersonate, what they wear and what their route times are is very important. Nothing could squash your social engineer more than walking in a building dressed up as a United States Postal worker and being greeted by the normal postal delivery person.
So that begs the question, where can I obtain realistic and believable outfits?
How to Buy
The USPS is one of the easiest, yet the most risky, delivery persons to impersonate. There are many sites on the Internet to impersonate a delivery person. An attacker can easily locate postal uniforms online. Google will turn up many other sites, depending on the organization the attacker is trying to impersonate. As of late, it has become almost impossible to locate a usable UPS or FedEx outfit without locating one on Craiglist or Ebay. Due to the rise in crimes committing while impersonating these delivery people it is hard to locate these uniforms.
Another vector is a flower delivery, cake delivery or some other local delivery person that doesn't necessarily have standard uniform and can be copied very easily. One such service is very active in larger cities and that is Bicycle Messengers or Couriers. Many times these messengers will be let right into a building to deliver their package.
Of course another such method that can get you in the door but maybe no further is a pizza delivery person. As the secretary goes to check, maybe you might be left with her computer to plant a malicious USB key. Either way, it might get you in the door. Searches like this can lead you to find what you may need.
There are many other avenues so proper planning and research are needed. Unfortunately these same methods have been used to do bad, and this is why so many companies need to be aware of the ease that many attackers can use this vector.
Billionaire Robbed Through Impersonation
In 2007, a person posed as a delivery person, and robbed Ernest Rady, a billionaire who lives in San Diego. The person knocked at the door claiming to be a delivery person, and Ernest's wife opened the door for him.
Fake Delivery Man Beats and Robs 90 Year Old
On July 27th, 2009, a man posed as a UPS delivery driver, and knocked on the woman's door. He said he was from UPS with a delivery, and she opened the door for him. He forced his way in and stole money from her. 
Fake Delivery Man Stole People's Mail
A man pretended to deliver junk mail to mailboxes so he could steal letters with credit cards and ATM cards. He pleaded guilty to 46 charges of obtaining property by deception, two counts of handling stolen goods, and one count of theft.
One way to gain access to a network would be to deliver a free iPhone or iPod touch to someone in the company. The iPhone® / iPod® touch could be jail broken, and have software on it to automatically connect to the network. Once connected, it could send an email or connection back to a computer at a remote location. The penetration tester could SSH to the iPhone® / iPod® touch, and now has access to the corporate network.
Of course any free device that needs to connect to the computer can be delivered and hopefully give you access to their network.
How Can You Protect Yourself?
These attacks are hard to avoid, but with education, they can be. One of the best ways is to know who your delivery person is. Normally, it will be the same person for a given area. If it is not this person, ask for credentials. For UPS employees, they must carry identification with them in order to say who they are. Although with proper planning, an attacker can even fake an identification card.
Many will not have the proper credentials though. The best way to prevent this attack from happening is to not allow a delivery person past the front desk unattended. If a delivery person must walk into your building, have an escort and do not leave them unattended. This will mitigate the chances they have for an attack. If you are still unsure if a person is who they say they are, call the company they work for. The company will be able to tell you if they are in fact an employee.
Using This As A Social Engineer
This technique is effective because when wearing one of these uniforms, there is a certain amount of trust that has been gained automatically. If you are doing a security audit and need to get a piece of equipment into a building, such as a jail broken iPod® or some other device that can connect you to the internet, delivery it is one of the best ways. It also puts a piece of mind into the victim, because they already have the trust of the delivery person.
One of the drawbacks of using some of these techniques, such as the USPS impersonation, is that it is illegal to impersonate a government worker or officer. According to Title 18 US Code sec. 912, "Whoever falsely assumes or pretends to be an officer or employee acting under the authority of the United States or any department, agency or officer thereof, and acts as such, or in such pretended character demands or obtains any money, paper, document, or thing of value, shall be fined under this title or imprisoned not more than three years, or both."
Without the proper planning and information gathering this vector can go badly quick. With the proper planning and thorough research this attack vector can level a company's security in a matter of minutes.
- ↑ http://en.wikipedia.org/wiki/Bicycle_messenger
- ↑ http://www.trademe.co.nz/Browse/Listing.aspx?id=136759322
- ↑ http://www.lasorsa.com/blog1/?p=21
- ↑ http://social-engineer.org/wiki/archives/DeliveryPerson/Robs90yo.html
- ↑ http://social-engineer.org/wiki/archives/DeliveryPerson/StolenMail.html
- ↑ http://social-engineer.org/wiki/archives/DeliveryPerson/law.html