How Would I Breach Your Company - #2

(if I was a cyber criminal)

I am always amazed at how readily people will print out a Word doc for me when I turn up to train, when they have no idea who I am. It obviously makes a great discussion topic for the awareness session. Thank you for making this so easy, it's fantastic!

The Method

I find a company that I want to target. Not a big company; probably small to medium sized, because reception is less likely to have access to staff calendars. This company will have lots of valuable data that I can sell, or encrypt. Gatekeepers of data are good. It could be health, accounting, legal, MSP maybe. The world is my oyster.

I find the names of a few Executives on LinkedIn. I wait outside the building to make sure one of them turns up for work. Here comes Bob from Marketing. Give it half an hour or so. Then I go to reception.

"Hi, I'm here to meet with Bob"

"Hi, I'll give him a call for you, what's your name?"

I provide a fake name.

"Just before you call him, can you please print something out for me? My printer died this morning, it's something I needed to present to him, he's going to be very excited about it!"

"OK sure thing"

I hand over a USB key. The receptionist plugs it in. Thank you, you're breached. (Yes, all it takes is to plug in a USB key with a malicious payload.)

Time to get out of there and get my USB key back. I pretend to take a phone call on silent mode. I've been called back to the office urgently, we have an issue with a major account. I make my apologies, ask for the USB back. Say that I'll call Bob while I'm driving in a few minutes to reschedule (that way hopefully the receptionist won't talk to him about me).

I am out of there.

Now I'm in the system. I've got on average just over 6 months before the breach is discovered. That gives me plenty of time to get my tentacles throughout your systems. Ooh look, here's a database I can try and breach now!
