Social Engineering
​? true story...

• Today I want to share with you an interesting story from a #Red_Team specialist from IBM. The text is quite long, but interesting. Let's go..

• A large New York investment company, one of the first hundred largest companies in the world, hired us as a Red Team team. The slow and low style was chosen, that is, we had six months for all the work. This does not mean that the pentest will be held every day for six months, it means that during these six months we were going to do separate approaches. After compromising the goal, we would build a timeline and use it to find out how the Blue Team reacted during this time.

• Only the company's management knew about what was being tested. As for scope, it was possible to test any networks, engage in physical penetration — anything. In the early stages, my team decided to do a little reconnaissance and try to get into the head office. They even found backpacks with the logo of this company in an online store to look more like employees.

• And they also took with them a device capable of disrupting the operation of the badge reader, and made fake badges. According to their theory, on Monday morning, most likely, it would be enough to disable the reader, and then show the badge so that you would be allowed to pass (the guards would not dare to close the passage to the building). They were right and easily climbed to the floor occupied by the company's management.

• On the way to the office, they bought a box of donuts. What for? The fact is that people tend to trust those who bring gifts. They put a box of donuts outside the room where the meeting was taking place, went inside and announced: "Sorry for the inconvenience! This is an urgent IT audit, you have to leave the premises! You can take a doughnut out of the box as compensation at the exit." As a result, everyone left and no one reported the incident.

• The first thing the team did when they got inside was to connect to the local network and attack the reservation system of the meeting room. All entries for the next week have been moved to another time. This added credibility: everyone saw that their meetings had been moved to another floor, and decided that these guys were definitely their own, since they were doing something like that.

• The next step they attacked the badge scanner, and on the second day they already had real badges. While they were doing this, they found a bunch of data on the SharePoint server, including administrative account data from the SWIFT money transfer system. He gave the opportunity to dispose of about 30 billion dollars.

• Usually, when we work in slow and low mode, we wait for the end of the period to find out if the client has detected suspicious activity, but if we manage to find a critical problem, we have to stop and announce it.

• By the end of the week, I called the CIO of this company and said that I would like to meet. "How about a meeting room on the top floor of the New York office?" I asked. To which he replied to me that he would be glad, but there is an IT audit going on, and it is not available!

? I hope you liked this story, if so, then you can find educational material on social engineering and other topics by the corresponding hashtags: #SI #Pentest #Hacking. Your S.E.