We define impersonation as the “practice of pretexting as another person with the goal of obtaining information or access to a person, company, or computer system.” Two common attack vectors we will discuss are impersonating a delivery person and impersonating tech support.
NOTICE: Never use this information to perform illegal acts! We discuss these details to help organizations take an offensive stance against possible social engineering attacks. Additionally, this information will help organizations mitigate these attacks.
USPS (United States Postal Service)
For example, someone dressed as a USPS employee is automatically trusted, since they are an employee of the US government. They can typically walk in and out of a building with few restrictions and sometimes are even allowed into secure areas to deliver packages with few or no questions asked. This is a perfect attack vector for a criminal to take since trust is already built into the uniform; however, it is also illegal to impersonate government employees, so pentesters should not use this vector.
A few things need to be in place first to pull off impersonating a delivery person. Of course one of the biggest concerns is looking the part. It is important to be aware of what delivery people you can impersonate, what they wear, and what their route times are. Nothing could squash your social engineering faster than walking into a building dressed up as a delivery worker only to be greeted by the person who is actually doing the job.
So that begs the question, where can I obtain realistic and believable outfits?
How to Buy
There are many sites on the Internet which sell uniforms to impersonate a delivery person. An attacker can even locate postal uniforms online (but remember, that one is illegal). As of late, it has become almost impossible to locate a usable UPS or FedEx outfit without locating one on Craigslist or eBay. Due to the rise in crimes committed while impersonating these delivery people, it is getting harder to locate these uniforms.
Another option is to find the appropriately colored shirt (plain), find the logo online, print your own logo for the desired delivery company using special paper that transfers onto fabric, then simply iron the logo onto the shirt. You could potentially find a company that is willing to print up shirts with the needed logo, but as this isn’t for legitimate business use, that might get you in some trouble. A last option is to check out thrift stores for used shirts and uniforms. The pants/shorts for most uniforms are generally plain, so these tend to be easy to get.
Impersonate Other Delivery Personnel
Another vector is a flower delivery, cake delivery, or some other local delivery person that doesn’t necessarily have a standard uniform and can be easily copied. One service which is very active in larger cities is Bicycle Messengers or Couriers. Many times these messengers will be let right into a building to deliver their package. Pretexting as a pizza delivery person may at least get you in the front door. As the secretary goes to check who ordered the pizza, you might be left with their computer to plant a malicious USB key.
There are many other delivery personnel to impersonate, so proper planning and research are needed. Searches like this can help you find what you may need. Unfortunately, these same methods have been used to commit crimes, and this is why so many companies need to be aware of the ease with which attackers can use this vector.
Why a Social Engineer might use this vector
This technique is effective because when wearing one of these uniforms there is a certain amount of trust that is automatically given by your target. If you are doing a security audit and need to get a piece of equipment into a building, such as a jail-broken iPod® or some other device that can connect you to the internet, delivery is one of the best ways. It also gives the target peace-of-mind which lowers the risk of exposure because the target isn’t as likely to ask questions.
One of the drawbacks of using this vector, such as the USPS impersonation, is that it is illegal to impersonate a government worker or officer. According to Title 18 US Code sec. 912, “Whoever falsely assumes or pretends to be an officer or employee acting under the authority of the United States or any department, agency or officer thereof, and acts as such, or in such pretended character demands or obtains any money, paper, document, or thing of value, shall be fined under this title or imprisoned not more than three years, or both.”
Without the proper planning and information gathering, impersonating a delivery person can go bad quickly; however, with the proper research and timing this attack vector can level a company’s security in a matter of minutes.
A person who uses social engineering to impersonate a tech support worker can have devastating effects on a network. One of the reasons it is so effective is that it can give an attacker physical access to network computers. It only takes a matter of seconds for someone with physical access to compromise a computer. One of the best technological tools at the disposal of a social engineer who is posing as a technical support person is a USB thumb drive. These are small, easy to conceal, and can be loaded with different payloads depending on what task needs to be done.
Gaining Physical Access
Gaining physical access to a computer through technical support is the best-case scenario for an attacker since it puts them right at the computer. This is a perfect opportunity to download an “anti-virus” program or some sort of scanner to “clean” the computer. Once the “helping” file is installed, it creates an opportunity for the attacker to infect the computer so they can gain further access to other computers or to the network. USB devices are small, easy to conceal, and also hold large amounts of data, including malicious code.
If the company has a policy that prevents the computer from accepting or reading USB drives, it is as simple as the attacker checking an email account or visiting a website in order to open a PDF or other document with a virus pre-loaded to infect the computer. Either way, gaining physical access to a computer is a very successful route of attack.
Billionaire Robbed Through Impersonation
In 2007, a person posed as a delivery person and robbed Ernest Rady, a billionaire who lives in San Diego. The person knocked at the door claiming to be a delivery person and Ernest’s wife opened the door for him.
Fake Delivery Man Beats and Robs 90 Year Old
On July 27th, 2009, a man posed as a UPS delivery driver and knocked on a woman’s door. He said he was from UPS with a delivery so she opened the door for him. He forced his way in and stole money from her.
Free seats at the Super Bowl
Two guys from Ireland walked right into the 2015 Super Bowl along with some first-aid staff, completely getting around some supposedly very tight security. The trick to blending in was just to look like they belonged, which meant acting confident enough that people hesitated to question them and “borrowing” on the trust given to the staff they walked in with.
Woman practices law for a decade
A rather extreme case of impersonation was that of Kimberly Kitchen, who managed to pass herself off as a lawyer, even making partner at the firm, before getting caught in 2015. She forged documents, licenses, emails, and a check in order to initially convince the firm to hire her. She was able to dress and talk the part enough to practice estate law until other local lawyers finally raised enough concerns about her to warrant an investigation.
Impersonating Law Enforcement or Government
We are also hearing more and more reports of criminals impersonating police and other government officials, either on the phone or online, usually to scam money. One now-famous example is hackers taking control of the St. Louis Federal Reserve Bank’s domain and rerouting traffic to websites which impersonated the bank. Ransomware can operate on this same notion of impersonating government or law enforcement.
NOTICE: It is illegal to impersonate government employees, such as USPS carriers, so reputable pentesters will not use this vector.