Real World Examples

By presenting real world examples you will get a better understanding of the threat social engineering plays in everyday life.

Playing the Part

Many ask, “What do you do for a living?” This naturally leads to a discussion about social engineering. For many it seems impossible to gain physical access to a facility. However, most people don’t realize how easy it is to gain physical access to most facilities. Usually all it requires to to ‘play the part’ or ‘look as though you belong’.

In this framework, we examine how a social engineer  investigates their target and obtains information such as:

  • What time employees show up for work.
  • Dress attire the employees wear.
  • Physical controls such as badge access, cipher locks, or keys to control entry doors.

In addition, the social engineer, may look through windows to find empty offices and research floor plans. They may also  conduct recon activities through publicly available entrances. They may do this by asking to use the restrooms available at the target’s facilities.

Once this information is gathered, the social engineer may show up when employees arrive for work. The social engineer will dress in similar attire as the employees. He or she will make a similar visitor tag. Or they may use ‘blank’ access cards to mimic the activities of authorized employees or visitors. The social engineer will follow an employee up to the door and ‘piggy-back’ their way into the facility. They can now use this open office as a ‘base’ to conduct other operations. For example, setting up a wireless router or connecting a laptop to an open network port. Once the perimeter has been broken, employees passing by will not normally question the social engineer. It is assumed that the physical control did its job and the social engineer is an authenticated individual.

 

Cover Story

If the social engineer does a good job in ‘playing the part’, in most cases, the employees will not confront or ask the social engineer anything when letting them into the building. If an employee does question the social engineer, the social engineer can utilize the name of the employee gathered earlier in a cover story such as being a ‘temp’ employee working with the <named employee> or being an authoritative figure (such as an auditor) if the previous information gathering activity lends itself to such a cover story. The social engineer can use the made up ‘visitor tag’ or ‘blank badge’ as props to assist in their cover story. This usually works well in the middle of the week since the social engineer can tell the employee that <named employee> gave him/her these props the day before and to use them for the present day to gain access to the facility.

In the case of a badge or fob, the cover story can be that there must be something ‘broken’ with the system when the badge or fob doesn’t work. The social engineer will have to get this fixed as soon as possible. Normally the employee will attempt to help by using their own badge or fob to allow the social engineer into the facility.

Opposite Sex

As a special note, it is usually the case that a social engineer may have better luck with ‘piggy-backing’ an employee of the opposite sex. There could be numerous reasons for this, but it seems that it is less likely that the employees will confront or question a social engineer that looks like they belong or are ‘playing the part’ especially if they are of the opposite sex. Seppo Heikkinen states in his article “Social engineering in the world of emerging communication technologies”:

“We tend to like people who like us or, as the saying goes, “it never hurts to be friendly”. Expressing liking or similar interests might be enough to view the other person favorably and feel sympathy. This can then blur the judgment of the victim and open an avenue for social engineering attacks. A bit of flattery will further increase the possibility of the victim taking a mental shortcut especially if this is coming from a person of opposite sex. Similarly, a worker might feel that if the password is not shared with a supposed colleague within some reasonable request, they would be giving a statement of mistrust, which might be viewed as insulting, thus compromising the social relationships. The same could happen even with the token based authentication mechanisms.”

Advantages

This knowledge is a powerful tool that can help protect your business from the methods employed by social engineers who are trying to gain physical access to your facility. In the following sections we discuss some of the avenues a social engineer may take to play the part.