Researcher claims thousands of identities stolen during Social Engineering pentests

Kelly Jackson Higgins of Dark Reading, reported on research conducted by Joshua Perrymon, hacking director for PacketFocus Security Solutions and CEO of RedFlag Security, who has been performing social engineering exploits for numerous clients in the past year and has apparently stolen thousands of identities with a 100 percent success rate.

The Dark Reading article goes on, quoting Perrymon as saying:

Organizations typically are focused on online identity theft from their data resources, and don’t think about how the same data can literally walk out the door with a criminal posing as an auditor or a computer repairman. He once walked out of a client site carrying their U.S. mail tray with 500 customer statements inside it, he says.

“This is the forgotten and overlooked” security risk for identity theft, Perrymon says. “That’s why the first time we show [our clients] what we can do, it blows them away." But with the Federal Trade Commission’s (FTC) new identity theft regulations requiring banks, mortgage firms, credit unions, automobile dealerships, and other companies that provide credit to assess identity theft risks as well as add policies and procedures to pinpoint any “red flags” as of this November, Perrymon and his team are in hot demand to perform undercover social engineering exploits for banks and other firms to test their ID theft vulnerabilities.

Read on below...

The Dark Reading article also describes Perrymon's process used to carry out these attacks:

During one recent social engineering caper for a large credit union with 15 locations, Perrymon and his team posed as federal investigators for the FDIC. They used their fake ID-making machine that spits out phony drivers’ licenses and official-looking badges and after two days of reconnaissance, they donned suits and their forged FDIC badges and went on-site at one of the credit union locations during its busiest and most hectic time of day, lunchtime. “I walked in with a camera around my neck that looks like a digital 35 millimeter, but the whole time it’s recording video, and with a clipboard. We walked right in, posing as federal auditors,” Perrymon recalls. “Ninety-eight percent of the time someone asks if I need anything or any help... At that point I sit them down and ask them thirty questions about their internal security procedures – dye bags, sound alarms, etc.”

This really got me thinking... it sounds like this guy is doing some pretty elaborate social engineering engagements to be talking about stealing people's sensitive data.  He's talking about a pretty elaborate scheme to get in and get data, then describes asking about dye bags, sound alarms, etc.  It's all pretty cool stuff, but what's even more staggering is that I can also tell great stories about social engineering assessments that have had ridiculous results from simply posing as an employee or a contractor.  No need to get so elaborate, unless you are actually trying to loot a bank in the process or something, but in most cases, you can simply walk into a corporate headquarters and get to some very sensitive data.  It's truly appalling.

The article continues:

Another time, he posed by the door with a large vendor equipment box, and a helpful data center worker held the door for him and let him in. “I walked right in, opened the box and plugged right into the backbone of a big ISP,” he says.

And while Perrymon and his team have “drivers' licenses” and other phony IDs, they are rarely asked to present them. They even try to make the IDs somewhat inconsistent with legitimate ones to see if anyone notices -- typically no one does, he says. “What we want to see is if an employee says ‘that’s not a real badge,’” he says. “So we try not to make the IDs perfect... so they can pick up on [it]. But nine times out of ten, they’re really not going to question you.”

“Over the past five years, we have [had] a 100 percent success ratio of walking out of each engagement with at least five complete identities,” he says.

I would say that we're seeing the same things where I work, and it is truly concerning.  It's far past time that we get to the point where people are educated enough to combat these attacks, but it simply is not happening.  Companies need to start stepping up to the plate and realize that simple education of employees is not sufficient.  Better physical controls need to be put into place and more importantly a defense-in-depth approach needs to be taken.

Here's the kicker to it all, it's not like I can suggest biometrics to everyone (not that they don't have their problems as well) as a reasonable security professional, but consider this, if they get in the front door it is probably too late.  There's so many attack vectors once you are inside that it's going to be really tough to lock that all down, as an example:

• Installation of rogue devices (find one Intranet jack, plug in a wireless router, leave and hack from the parking lot)
• "Free USB Day" (drop off free USB sticks which deliver a malicious payload)
• Targeted USB Sticks (drop a USB stick marked "Payroll Data" in a break room, or in the parking lot of a facility).
• Theft of hard-copy data

This is also just considering physical social engineering attacks, and isn't taking in to consideration calling the help desk, etc.

-Nate