It’s a normal Friday afternoon in work. It’s been raining all day, but it’s the weekend soon, only another half hour to go. Geoff is sat working at the reception of a large software company. He’s been working there for years and has never thought twice about Social Engineering. If asked, he’d probably think it was something for HR or IT to deal with, some kind of joint venture thing between departments.

Through the door comes a very sodden motorcycle courier. He takes his helmet off and removes his boots at the door. Geoff recognises the guy as he’s been in a few times before, dropping off and collecting parcels. But the poor guy is drenched. He talks to Geoff for a while, but pulls out some really soaked papers that need signing; they’re useless now. He – we’ll call him Simon – asks Geoff if he can use the phone to call the office to find out what to do. Geoff thinks nothing of it, he’s helping the guy out.

The call doesn’t take long and it turns out the standard procedure is to get another copy printed out from a pen drive they carry on them, with all the dispatch notes for the day. As Simon puts the phone down, he asks Geoff where the nearest newsagents is so he can get them printed out again. Geoff says that he should have a word with the Reprographics team down the hall, save him getting soaked again; the weather outside is only getting worse!

Down the hall, Simon meets Amanda and he regales to her the story, including showing her the sodden papers and handing her the pen drive. She phones through to reception and Geoff answers, confirming Simon’s story and telling her to put it on his account if needs be. Amanda chuckles and says “Ok, just making sure, you can’t be too certain”. She goes to her desk, loads up the invoce PDF and prints it out. She notes that it is the last delivery of the day, according to the files and mentions to Simon “I bet you’re glad of that, it was nice and sunny a couple of hours ago, now look at it!”.

Simon thanks her and takes the papers back to Geoff. He signs them and files everything as normal, the parcel is handed over and Simon thanks Geoff for all the help he’s been. As he gears up to head back outside he looks back and says “Tell… Amanda, was it? Tell her thank you as well”.

—–

So what just happened? Just a basic daily operation, right? Well, no. Simon wasn’t a courier at all. He’d been casing the place for a while. He’s been interested in some of the software that the company is making. He was actually turned down for a job there a year or so ago. But a year was long enough to grow his heair and beard so he wasn’t recognised, and hair dye is cheap enough to give a solid disguise while he cased the place out. He’d seen the way Geoff was with people, that sympathetic ear. He’d seen how cautious Amanda was.

The planning took weeks and he had his heart in his mouth as he walked through the door. He’d stood under a leaky gutter to get the full drowned rat look and made sure the papers were nice and good and soaked, with the ink running everywhere. When Geoff recognised him, he breathed a sigh of relief. He’d come delivering fake parcels before a few times just to cement his identity, but only ever when Geoff was working.

Simon wanted to hurt the company as well as find out what their code was all about. Not getting that job had set him back a good couple of years at least. As he picked up the phone and dialled the premium rate number he’d set up, he was worried that he’d get caught having a one sided conversation so he moved away from Geoff slightly for some privacy. During the call, he placed a thin dowel onto the reciever so when he placed it back down, it wouldn’t hang up. If left running over the weekend while the office is closed, that could rack up a £20,000+ phone call at £5 p/m, all tracable back to the credit card of some random person that was used to set up the service.

With that in place, Simon could now focus on the main task at hand. Geoff had another purpose to serve. He’d need a credible introduction to Amanda, she was too cautious of strangers to talk to him directly; Geoff would be the gatekeeper.

The pen drive was ingenious. From the outside it looks just like a normal USB Pen Drive, and indeed it acts exactly the same as well. All the files were on there, all meticulously laid out. But, the Pen Drive held a secret. It was in fact a “USB Rubber Ducky”, or a “USB-RD”, which the computer interprets as a USB keyboard as well as a pen drive. On the drive itself a script file was executed as soon as the pen drive was placed into the USB Port. Within 5 seconds, the computer had been infiltrated. No warnings, no UAC, no antivirus, no alerts. Just a slight flicker of the screen as the script was run. Keyboard strokes being typed at rapid speed. The script first launched a command prompt in the background and wrote another script file to the computer that would run whenever the computer was turned on. It then created a reverse shell, giving remote, backdoor access to the computer. It then uploaded all internet browser profiles, documents, images, videos, music and important files to an FTP server for further analysis. The upload would run until Amanda went home, which by the look of the backlog in the in-tray on her desk wouldn’t be for a few hours yet!

Simon walked out of the office in full knowledge that he had what he came in for. Shortly before 8pm, Simon logged into Amanda’s computer from home and scheduled the computer to turn itself on at 11pm. After 11pm on Friday, Simon had full access to the company network through Amanda’s computer until Monday morning. He had all the passwords she saved on her browsers, full access to her email account and so much more besides. Simon cost the company millions of pounds that night and the only thing they knew is that Geoff let some courier guy cost the company a few thousand… which was of course paid back by the bank after it had been investigated.

—–

Social Engineering… are your staff aware?