2024 State of Vishing Report
Hi. I’m a noob. I have no idea how a GPS clock works. No clue. I do know what the control box for one looks like. More importantly, I know that the license, for the clocks this particular client uses, expires this year. And that’s enough. I just asked where I could find the control box for the GPS clocks. That’s how I found myself standing in a server closet in this building’s network operations center (NOC), with an official employee escort. That was one of the highlights of my first social engineering onsite infiltration job. Was it that easy? Yes and no. Let me tell you the story.
A few weeks ago, I was able to be part of a social engineering (SE) team during a series of onsite infiltration engagements. Our assignment was to break into nine approved buildings over the course of three days and two nights. This was my first time on an onsite infiltration engagement, here are a few takeaways that surprised me the most.
The first day as a new member of a social engineering team was the slowest. But, it was also the day that we did some of our most important work. Through Open Source Intelligence (OSINT), we came in knowing things about our target sites but were still unsure about the best way to get into the buildings. So, we split into two teams. One team reviewed the OSINT and developed our most promising pretexts. The other team (my team) went to the physical site to see what we could learn from not-so-random interactions with employees arriving early in the morning.
These interactions were our initial small successes that were instrumental to our larger successes later. Because of these, we were able to learn the protocol for getting into the buildings as a guest, and we got a name to drop. At another building, we saw their guest badge kiosks, and we got a decent picture of an employee badge. Later in the afternoon, a very nice security guard walked me through using the kiosks. He even let me “call” my own “contact” (I faked it, my phone camera was even still recording). A badge had been printed on the security guard’s side but since “my contact” wasn’t in the building (didn’t exist) it just got thrown out. Employee badges and the guest kiosks would be utilized in several of our infiltrations over the next few days. I used a “my badge isn’t working” ploy to get into at least three of the nine buildings, using a fake badge we created from earlier pictures we took while onsite.
Armed with a decent pretext (a field technician checking GPS clocks for license renewal), we had a good reason to be walking around in the building looking for things. But to my delight, when someone asked me what we were doing, it also got us an escort whose badge had access to more restricted areas than the ones we could tailgate into. This is how I was able to get into the NOC on our second highest priority building. Our pretext also got me into a server closet in the NOC, a different high-level IT office, and the restricted access hallway right outside of the building’s data center.
Prior to the engagement, I thought that being escorted by a target employee would make things more difficult for us. I was surprised to find that having an escort gave us access to areas and people that we would not have been able to get to on our own. Getting the escort, and the subsequent access, was just a matter of having a good pretext and playing to my strengths – being distracting, playing dumb, and asking questions.
Fun fact, I don’t feel anxiety. As a person, I come with a lot of loud noises, distractions, and chaos, but my internal life is fairly placid. So, I was more than a little shocked to feel an unsettling buzzing sensation in my ribcage on the second day. While I was sitting in my hotel room taking a break, it started to happen. My first internal thought was “WHAT IS HAPPENING?” My second (semi-useful) thought was “Oh wow, how do people operate like this?”
It turns out the lack of rest and repeated adrenaline surges that come with breaking into buildings can leave a person with some extra emotions during the down time. Who knew? What I found helped me get over it was taking a nap, getting some decent food into me, and surprisingly, going out and breaking into another building that night.
My mentor from my acting days would tell his students “it’s fine to feel fear and anxiety. What’s not OK is to allow that fear or that anxiety to shut you down.” Having my unfamiliar pangs of anxiety cured by getting into another target building reminded me of that. Our nighttime break in was the same location I had been to earlier that morning. When we left to go to the site, I was still feeling some adrenal fatigue. I just let myself be aware of what was going on with me internally and thought “can’t let it shut you down”. That phrase has become a way for me to reframe a situation and remind myself that once I get into the work, I will be able to be fully present for it.
On our final day of the social engineering onsite infiltration, I ended up meeting our main point of contact while stuffing the world’s most delicious cornbread into my face. Let me explain.
A lot of our entries were products of opportunism. Which is great for me! I am, by nature, an opportunist. On the team’s final day, as we were waiting for a tailgating opportunity at an outdoor lunch area, a BBQ food truck pulled up. I saw a great opportunity to help us fit in, so I went and ordered some cornbread (it 100% wasn’t because I love eating snacks). At that exact moment one of my teammates gained access to the building. So, I ended up doing that entire engagement carrying a to go box. As it turned out, this was the perfect distraction. It gave me something to chat people up about while my partner took pictures of the documents on their desks. The only downfall was, we got caught at this location. So, when our main point of contact was called, I had a face full of delicious fluffy honey cornbread as I shook his hand.
That being said, not every opportunity is a good one. I am usually very willing to try risky things just for the sake of seeing if I can. I have found that there are two questions that I need to ask to keep myself on track. The first is “am I getting greedy?” I will ask myself this if I have achieved a compromise but am deciding to go for more. It will help me decide how wise of a choice I am making. The second question is “does this advance the job in any meaningful way?” If the answer is no, then I probably wouldn’t go do whatever that idea was. Usually. But on the first day I did something (who knows what) to get our project manager to say, “you are a dumb, dumb, dumb, man.” Which was AWESOME and really funny. But, you know, there are no SE refunds. So, being thoughtful about an idea enhances the project much more than just trying things for the sake of trying things.
This is also when having teammates who balance out my more chaotic nature comes in handy. Like on the first day when my question was “should I jump the turnstile?” The answer, the logical correct answer, was “maybe not on day 1”. That was the best advice possible, I was in plain view of 3 cameras. We got in through a different opportunistic means – we followed some contractors through a loading dock door. Another time, a teammate wisely separated from me because it looked like I was about to get caught and she wanted to make sure one of us could stay in the building. That was a great choice, I came really close to being discovered!
Remember to have a good exit strategy. Don’t get stuck in a social engineering onsite infiltration job for far more time than is good for you. Let’s take right now for instance; I’m about to tell you that “I have to stop writing so I can finally go Google what a GPS clock does” (def not googling that). Hopefully, some of my thoughts and experiences as a break in noob were helpful, or at least validating.
To sum up the big lessons I learned on this engagement:
Take care of yourselves, get some rest, plan your pretexts, and don’t dismiss your small successes! Hopefully, I’ll get to write more on this topic later, but for now I have to stop writing… so I can finally go google what a GPS clock does.
Written by: Curt Klump
Sources:
https://www.social-engineer.com/social-engineer-pentesting/
https://www.social-engineer.org/newsletter/what-is-your-favorite-osint-tool/
In the rapidly evolving digital landscape, no entity is immune to the pervasive threat of cyberattacks. The security breach at MGM Resorts highlights the vulnerability of even massive organizations. As
SMiShing Attacks in the News In February 2024, 19.2 billion spam texts bombarded U.S citizens according to a recent report. As annoying as spam texts are, they are not always
