Anatomy of a Successful Social Engineering Attack (and Antwerp diamond thieves arrested… all 31 of them)

Students in a computer security class decide to launch a social engineering attack against their adversaries, as part of an in-class exercise.

Outside the classroom before and after class, they set up a fake recruiting table for a well-known, prestigious security firm, offering “summer internships.” Further backstopping came from suitably Photoshopped posters pasted up in the hallway.

After getting a few contacts on the opposing team, they start an email conversation with one of them and lead the guy into handing over the source code of his team’s software (the software the social engineers are trying to crack).

That’s not all. Come “demo day,” the social engineers manage to get their “recruiter” behind the defending team with their contact’s consent, filming them typing in passwords during the exercise.

Defensive points the targets here missed:
a) Checking out the recruiter to see if he’s legit (e.g. calling the publicly posted phone number from the company’s known official web page and asking to be transferred to the guy)
b) Feeling out the dynamics of the conversation with the “recruiter”: are they consistent with a real company, or is the guy steering in directions that don’t make sense?
c) Designing a secure system that couldn’t be compromised just by access to the source code
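Point c) is the old Kerckhoffs principle: a design is only sound if handing over the source code (as the defending team’s contact did here) gives the other side the algorithm but not the secret. The following is an added example, not code from the post or from the class; the environment variable name `DEMO_TOKEN_KEY` and the hard-coded key value are constructed placeholders. It contrasts a token scheme whose HMAC key sits in the source with one whose key is loaded from outside the code, and shows that a forger who has read only the source succeeds against the first and fails against the second.

```python
import hashlib
import hmac
import os
import secrets

# Constructed placeholder: a key embedded in source. Anyone holding the source
# (as the defending team's contact handed it over) holds this key too.
HARDCODED_KEY = b"demo-day-secret"


def make_token(user: str, key: bytes) -> str:
    """Issue an authentication token: the user name plus an HMAC-SHA256 tag over it."""
    tag = hmac.new(key, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{tag}"


def verify_token(token: str, key: bytes) -> bool:
    """Accept the token only if its tag matches under our key (constant-time compare)."""
    try:
        user, tag = token.rsplit(":", 1)
    except ValueError:
        return False
    expected = hmac.new(key, user.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def load_key_from_environment(var: str = "DEMO_TOKEN_KEY") -> bytes:
    """'After' design: the key comes from outside the code (an environment
    variable here; a KMS or HSM in a real deployment). Hypothetical variable
    name. Refuse to fall back to any default baked into the source."""
    value = os.environ.get(var)
    if not value:
        raise RuntimeError(f"{var} is not set; no default key is provided")
    return bytes.fromhex(value)


def forge_with_source_only(user: str) -> str:
    """Model of someone who has read the source but nothing else: they can
    reproduce make_token exactly, so their only key is the one the source shows."""
    return make_token(user, HARDCODED_KEY)


def compare_designs(user: str = "alice") -> dict:
    """Return whether a source-only forgery is accepted under each design."""
    external_key = secrets.token_bytes(32)  # constructed: stands in for the KMS/env key
    forged = forge_with_source_only(user)
    genuine = make_token(user, external_key)
    swapped_user = "mallory:" + genuine.split(":")[1]  # reuse alice's tag for another name
    return {
        "hardcoded_key_accepts_forgery": verify_token(forged, HARDCODED_KEY),
        "external_key_accepts_forgery": verify_token(forged, external_key),
        "external_key_accepts_genuine": verify_token(genuine, external_key),
        "tampered_user_rejected": not verify_token(swapped_user, external_key),
    }


if __name__ == "__main__":
    print(compare_designs())
```

The point is not the HMAC itself but where the key lives: with `HARDCODED_KEY` in the repository, the source leak in the story is equivalent to a key leak, while with the key held outside the code the leak costs the defenders nothing but the obscurity they should never have relied on.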

b) in this case is not obvious. Looking at the email exchange, there aren’t any red flags, though in this sort of thing the red flags can be subtle and invisible to a third-party reader.

Complicating matters is the inherent nature of the recruiter / would-be intern relationship, which makes it hard to learn about the guy’s character.

Remember the >$50 million Antwerp diamond heist 2.0? The authorities have arrested a total of 31 people in connection with the thing. (,0,1030723.story)

This seems like a lot. Perhaps the economic trouble has reduced the going rate for criminal conspirators to the point that the cheapness of labor outweighed the risk.

“First we cross referenced the list of emails on the defense team against the Penn Directory Database. Once we gained full names and school, we cross referenced this against publicly available data using a combination of data mining tools and lookups on social networks such as Facebook and LinkedIn. These were used to build profiles, including photos of potential targets. In our attack proposal we also listed social engineering to warn them of it.[…]

The next phase of the social engineering attack involved multiple steps. The plan was to place a mole outside the classroom in the engineering building posing as a recruiter from a prestigious company, offering summer internships! First up was obtaining a domain name and email address for use in the attack. We picked X (name redacted) to be the company we would replicate as they are known for being secretive and security focused. We thus registered and had the address forward to for authentic looks, while using emails registered to that domain for our purposes….”
