We Aren't Really Expanding the Building!

By Kevin Ivy, Director of Security Services


Social engineering can be defined as any malicious activity accomplished through human interaction. When you think of social engineering, you probably think of fake emails (phishing), phone calls (vishing), or even SMS phishing (smishing). What about the physical aspect? What about posing as an employee and walking in like you own the place? What about posing as the internet provider and needing to troubleshoot the internet router? The OSE Diaries will contain real-life stories (sensitive information redacted, of course!) and the most common things you should be looking for to keep your place of business secure. As part of our Onsite Social Engineering engagements at TraceSecurity, we collaborate with clients to develop the best possible scenarios to test their employees' adherence to visitor access and escort policies.

The Story

For this engagement, the client and I decided to go with a local contractor/construction worker under the premise of expanding the building. To come up with the best disguise, I searched Yelp, Facebook, and Google Maps for the most popular construction company in the area and found one with many positive reviews. That meant two things: locals probably know the company, and they would let me access the building with simple props. Off to the races!

I went to the target company's website to extract its logo, slogans, and critical information. Then, I printed the company's logo on a fresh white polo (I chose a white polo because a Google image search showed someone wearing a similar setup) using some photo editing software and a vinyl printer. I then used that same photo editing software to develop a company badge with its logo and a photo of myself. Now that I look "the part" cosmetically, I just needed a few more items to sell the story. A quick stop at the local hardware store netted me a tape measure and clipboard. A clipboard wouldn't be "official" without a work order…right? I used Google to find a work order template and modified it in Microsoft Word to include details about the company I was posing as.

For the next step, I grabbed what seemed to be the contact details for office managers at each location and the IT manager from LinkedIn. Afterward, I purchased a domain name similar to the client I was working with, but had a slight difference; for example, tracesecurity.com (correct), tracesecuritty.com (not correct). Now it's time to put all the prep and reconnaissance work to the test!

On the morning of the testing, I created an email account using the spoofed domain I purchased and the first and last name of the IT Manager. With that newly created account, I emailed each branch manager to inform them to expect a contractor throughout the day for building expansion. Then, I threw on the fabricated polo shirt, grabbed my badge and clipboard, and hit the road.

I arrived at the first location and walked up to the teller station. I gave the story that I was there to take a few measurements for building expansion and wouldn't take too long. The teller immediately asked me to wait while they checked with the office manager for validation. After a few minutes, they said the office manager received the email about the visitation, and access was granted. I was required to sign a visitor log before being escorted throughout the facility. I measured room heights, counted electrical outlets, verbally mentioned the ceiling type, counted potential AC vents, and everything I could to bore this employee into leaving me unsupervised.

It worked! I bored the employee to death, and they told me to get them if I needed anything. I was able to go into sensitive areas (records storage and telecommunications closet) and inspect everything closely without being escorted. At one point in time, I was tracing ethernet cables for critical equipment and taking photos. If this visit wasn't a test, and I were a bad actor, I would have been able to plug in a malicious device or compromise the environment's integrity. However, with unsupervised access to critical systems and equipment, I decided to end the engagement. The worst part about the engagement was sitting next to the IT Manager after testing completed and hearing them explain that the office wasn't expanding, and people weren't getting larger offices.

Our Recommendations

There are a few things that this organization and its personnel could have done to prevent this test.

First, an email was sent from a spoofed domain. What could have been done?

  • IT personnel could implement an email security solution that flags or blocks emails from similar or spoofed domains.
  • Security awareness training could focus on identify phishing attempts
    • Check email domains
    • Look for funny-sounding sentences
    • If it sounds too good to be true, it probably isn't
    • Look for weird punctuation

Second, the visitor's identity was not verified.

  • Verify the identity of visitors
    • Forget the company badge! Ask for government-issued identification!
    • Use that government-issued identification to verify accurate entry in the visitor log
    • If the visitor drops a name, contact that person regarding the visit

Lastly, follow your company's visitor escort policy. If you don't have one, create one!

  • Regardless of the situation or how bored you get, never leave a visitor unsupervised, especially in critical areas!
  • If you don't have a visitor escort policy, create one and use it as a topic during security awareness training.