In the summer of 2023, a man dressed as a Walmart worker stole around $7,000 in items from one of the company’s stores. This man was able to enter the store and steal 173 items out from under the noses of real Walmart employees. This story has a good ending: the authorities caught the man in question and recovered the stolen items. This kind of attack, which we at Social-Engineer, LLC (SECOM) refer to as an “impersonation attack,” has been on the rise in recent years. Unfortunately, not all such attacks end so happily. Impersonation attacks can take many forms, from online impersonation emails to phone calls or on-site attacks like the one above. Today, let’s go behind the scenes and delve into an on-site impersonation attack that SECOM employees were hired to perform. By doing so, we’ll learn how companies can guard against such attacks.
SECOM employees were hired to gain access to two facilities. These were not Walmart-esque facilities; they were facilities where a breach by malicious attackers could potentially cause loss of life. So, the stakes were high. The goal of on-site impersonation attacks by good actors is to test the security of a building and see where improvements can be made.
With that goal in mind, the team launched into the planning phase. During this phase of the engagement, the team performed hours of Open-Source Intelligence (OSINT) gathering. In that time, the team discovered the facilities’ Internet Service Provider (ISP). We based our pretext on this discovery: we decided to impersonate the ISP and see how far it could get us.
Upon arriving at the location, we made some prop runs to help us look the part for our pretext. We bought polos that were the color of the target company we were impersonating, along with clipboards, and printed badges with our aliases. Armed with these props, we made our approaches.
We approached the first building by walking up to a group of people standing outside and giving them our pretext. They were kind enough to point us to the office building without checking our badges or IDs. The employees inside the office were even nicer, allowing us to plug USB devices into their computers to run “speed checks.”
The second building was trickier. It had a gate and security checkpoint where you would call in for access. We pulled up, gave our pretext, and before we even showed our badges, we were buzzed in. Five minutes later, we were standing in their computer control room, unsupervised, collecting evidence.
There were great takeaways for this client. What were they, and how can we learn from them? First, we must ensure that all employees are familiar with the proper procedures for verifying unknown people. It is also important that employees feel empowered to check IDs and badges, and to enact any other processes your company has in place. It should be impressed upon employees that verification MUST take place even if the person claims and appears to be from a familiar company or vendor.
Hand-in-hand with verification, it is vital to encourage employees to ask questions of people even if those people have already made it past security. On a previous occasion, SECOM employees made it through security only to be caught by another office employee. This was a great example of someone following proper procedures!
How to Better Secure Your Company
These takeaways are great jumping-off points for better securing your company. However, real, hands-on training is the best way for you and others to gain the experience needed to protect your company properly. All of the employees we spoke to on this engagement now have interactions they can look back on to see areas for self-improvement, along with training tailored to them individually. This type of training is the best way to ensure that you’re taking the necessary steps to secure your assets.
Written by: Shelby Dacko