The impersonation of a delivery person can be a powerful weapon in a criminal’s arsenal because not much acting is required. Usually, the most difficult thing about impersonation is looking the part and having the necessary credentials, papers, and “deliveries” in order.
Impersonating a Delivery Person
The impersonation of a delivery person is effective for two basic reasons. First, not much acting is involved. Second, wearing a uniform or some type of company logo engenders trust.
Impersonating a USPS mail carrier is a perfect attack vector for a criminal to take since trust is already built into the uniform. A USPS mail carrier can typically walk in and out of buildings with few restrictions. At times they are even allowed into secure areas to deliver packages with little or no questions asked.
The flower or pizza delivery person will not necessarily have a standard uniform, making impersonation easy to perpetrate in a social engineering attack. In larger cities, bicycle messengers or couriers are a common service. Often these messengers will be allowed right into a building. While the receptionist is busy confirming the order/delivery; the attacker might be left alone with access to a computer to plant a malicious USB key.
Impersonating a United States Postal Servant is illegal. According to Title 18 US Code sec. 912, “Whoever falsely assumes or pretends to be an officer or employee acting under the authority of the United States or any department, agency or officer thereof, and acts as such, or in such pretended character demands or obtains any money, paper, document, or thing of value, shall be fined under this title or imprisoned not more than three years, or both.”
Because USPS impersonation is illegal, a professional pen tester should never use this vector.
Examples of Impersonation
Man Impersonates Pest Control Worker to Access Commercial Building
In December 2016, a man wearing a hazmat suit and carrying an ‘Ortho’ identification card signs in at the security desk of a commercial building. A guard later found him on the third floor of the building disconnecting a laptop computer. The investigation is ongoing.
Man Poses as Delivery Driver, Steals Beer and Soda
An Alabama man is captured on surveillance posing as a delivery man and casually loading up carts of beer and soda. Multiple stores in the Prattville, Alabama area have fallen victim to his impersonation.
Job Seeker Impersonates Postmates Delivery Person
In October 2016, Lukas Yla, posing as a Postmates delivery person, infiltrated some of the largest Bay Area tech and advertising companies Although there was no malicious intent with this impersonation, it illustrates how easy it is to gain entry to buildings, simply by looking the part.
Man in Construction Hat Steals $15K in Laptops at Memorial Sloan Kettering
Wearing a hardhat and t-shirt a man posing as a construction worker walks off with $15,000 in laptop computers.
How Can You Protect Your Organization?
With education and training these attacks can be avoided. One of the best ways to protect your organization is to know who your regular delivery person is. Typically, it will be the same person for a given area. If it is not your regular delivery person, ask for credentials. For USPS employees, they must carry identification with them. Keep in mind though, that with proper planning, an attacker can even fake an identification card.
The best way to prevent this attack from happening is to not allow a delivery person past the front desk unattended. If a delivery person must enter your building, make sure they are escorted and do not leave them unattended. This will mitigate the chances they have for an attack. If you are still unsure if a person is who they say they are, call the company they work for. The company will be able to tell you if they are in fact an employee.
Impersonation and Pentesting
To see how impersonation can be utilized in a professional pentesting engagement, please see this article.