At SECOM, we perform many forms of social engineering attacks, from phishing to vishing and smishing as well as impersonation. All of these attacks are used regularly by actual attackers and should be tested as part of a robust security assessment in every organization. Small and large businesses alike are vulnerable to these attacks. If you are currently training and testing your employees against phishing and vishing, as you should be, we encourage you, in 2019, to test impersonation attacks as well.
What Are Impersonation Attacks
The way SECOM describes an impersonation attack is the “practice of pretexting as another person with the goal of obtaining information or access to a person, company, or computer system.” There are a number of pretexts that work for these attacks that we have used on real engagements. Examples are a delivery person, tech support staff member, vendor like pest control or janitorial staff member, construction worker, and even local journalists. The idea is to test your employees’ ability to vet whether a person who actually walks into a building or other facility is supposed to be there or have access to whatever they are asking for.
It is important to test this attack vector, regardless of company size, because if your information is valuable enough, an attacker may use this vector. If your employees are not trained to defend against it, you could lose that valuable information which could have a negative impact to the business and your customers.
What does an impersonation attack look like?
Story time. Here are a couple examples of impersonation attacks we have performed on real engagements, and what can be done to defend against them.
In a previous position, one of our penetration testers used a construction worker pretext to walk into a bank’s corporate office and drop a Raspberry Pi under a desk which allowed for remote access into the internal network. He was able to walk freely around the office without anyone even asking why he was there, or why he was crawling around on the floor messing with wires. This was all possible due to the frame that was built (reflective vest, hard hat, **clipboard**), and the inclination of the employees to not ask questions. Shells were had, and information was exfiltrated all in a relatively short period of time. While this type of attack is risky for the attacker, the ease at which this was done shows that just a few curious employees could have stopped the attack and possibly mitigated the entire breach of the network.
In another example, we were able to compromise a different bank using a pretext of PCI auditors. We were on-site for a surprise inspection utilizing only button up shirts with a logo, general knowledge of PCI related jargon, and a **clipboard**. No questions from anyone for about an hour on-site. In that time, we were crawling on the floor checking cables, putting “Approved” stickers on network jacks, and taking photos of the inside of ATMs in the testing room. We also managed to convince a user to login to the locked workstation next to them with their credentials (which we captured on convert video) and used a proof of concept USB attack on that machine and one other. At that point, we were approached by a concerned manager and were escorted out of the area but not the building.
These examples show that with the right look and the right tools, a stranger can walk into an office and wreak havoc on a business. This is not exclusive to large organizations either. Maybe you are in a small office of 20-40 people, do you know who your printer repair technician is by name? What about your package or food delivery person?
Why Test For Impersonation Attacks
When it comes to defending against social engineering attacks, the primary target and defense share something in common, the people. A fancy firewall or intrusion detection device will not defend against an attacker walking into the building and taking photos of the desks in the accounting department. People will be the primary line of defense. Training your employees to critically think about strangers in the office and ask questions, politely and assertively, is your best defense against impersonation attacks. Have policies and procedures in place to help your employees know what to do when presented with these situations, then test them to ensure your valuable data stays in the hands of those that should have it.
In 2019, include impersonation attacks as part of your security training program. When coupled with regular phishing and vishing tests, you will gain a more accurate picture of your real attack surface. Value your data and protect it with every resource you have, human and hardware.