The impersonation of a delivery person can be a powerful weapon in a criminal’s arsenal because not much acting is required. Usually, the most difficult thing about impersonation is looking the part and having the necessary credentials, papers, and “deliveries” in order.
Impersonating a USPS mail carrier is a perfect attack vector for a criminal to take since trust is already built into the uniform. A USPS mail carrier can typically walk in and out of buildings with few restrictions. At times they are even allowed into secure areas to deliver packages with little or no questions asked.
The flower or pizza delivery person will not necessarily have a standard uniform, making impersonation easy to perpetrate in a social engineering attack. In larger cities, bicycle messengers or couriers are a common service. Often these messengers will be allowed right into a building. While the receptionist is busy confirming the order/delivery; the attacker might be left alone with access to a computer to plant a malicious USB key.
Examples of Impersonation
Man Impersonates Pest Control Worker to Access Commercial Building
In December 2016, a man wearing a hazmat suit and carrying an ‘Ortho’ identification card signs in at the security desk of a commercial building. A guard later found him on the third floor of the building disconnecting a laptop computer. The investigation is ongoing.
Job Seeker Impersonates Postmates Delivery Person
In October 2016, Lukas Yla, posing as a Postmates delivery person, infiltrated some of the largest Bay Area tech and advertising companies Although there was no malicious intent with this impersonation, it illustrates how easy it is to gain entry to buildings, simply by looking the part.
Man in Construction Hat Steals $15K in Laptops at Memorial Sloan Kettering
Wearing a hardhat and t-shirt a man posing as a construction worker walks off with $15,000 in laptop computers.
Man Poses as Delivery Driver, Steals Beer and Soda
An Alabama man is captured on surveillance posing as a delivery man and casually loading up carts of beer and soda. Multiple stores in the Prattville, Alabama area have fallen victim to his impersonation.
How Can You Protect Your Organization?
With education and training these attacks can be avoided. One of the best ways to protect your organization is to know who your regular delivery person is. Typically, it will be the same person for a given area. If it is not your regular delivery person, ask for credentials. For USPS employees, they must carry identification with them. Keep in mind though, that with proper planning, an attacker can even fake an identification card.
The best way to prevent this attack from happening is to not allow a delivery person past the front desk unattended. If a delivery person must enter your building, make sure they are escorted and do not leave them unattended. This will mitigate the chances they have for an attack. If you are still unsure if a person is who they say they are, call the company they work for. The company will be able to tell you if they are in fact an employee.
Impersonation and Pentesting
To see how impersonation can be utilized in a professional pentesting engagement, please see this article.