Impersonation

Sometimes criminal social engineers rely on nothing more than confidence and a bit of acting to bluff their way into getting you to do what they want. Let's take a look at an example of that, and then at how the same situation should be handled:

Remember the earlier pretexting call? This is the follow-up attack. With the information Bad Guy Dave gathered earlier, he knew the name of the IT consultant and was able to create fake letterhead "authorizing" his presence.

As you can see, Ryan the Receptionist has just given Bad Guy Dave physical access to the system. Had he asked, Dave could easily have gotten a password or two, maybe even the Administrator password. All it took was a three-minute phone call and a fake letter on some letterhead.

This particular attack might also be called "Quid Pro Quo" or "Something for Something": the attacker is given access or information because he offers something in return. In this case, Dave would likely have done some legitimate tech support in exchange for the passwords or other access to the network. In other situations, the attacker may even bring in coffee and doughnuts for the staff.


Now let's see how it should have been handled:

Why it Works

People are easily persuaded by confidence and the appearance of authority. The suit, the letter, and Dave's demeanor all told Ryan the Receptionist that he belonged there. In the second video, Ryan even challenged Dave by asking for the name of his boss. Dave's prior research had told him that the correct answer was Lloyd, so he could answer with even more confidence.

In the second video, Ryan did not just accept the letter. He made a 30-second phone call to verify that Dave was supposed to be there. Had the visit been legitimate, Dave would simply have said "No problem," but knowing that Ryan wasn't falling for the fake permission letter, he had no choice but to leave in a hurry. This countermeasure is quick and easy, and it works no matter who the intruder is pretending to be. Even a police officer will wait a few seconds so you can verify his identity. But always call a person you already know, at a number you already have; never call a number the intruder gives you.
