Beware of Criminals Posing As “Fellow Employees”

The most dangerous social engineers are those who can invent a lie believable enough to let them impersonate a legitimate employee without raising any suspicion.

This tactic is particularly harmful because once real employees believe the criminal is a coworker or a member of upper management, a charismatic social engineer has little difficulty manipulating them into divulging extremely sensitive information or, worse, unwittingly granting the impersonator broad access to the network.

As improbable as this technique seems, it is a favorite weapon in the social engineer's arsenal, and it has a frighteningly high rate of success.  The technique is popular for three reasons: (1) the information needed to construct a credible pretext is readily available, (2) the attacker runs very little risk of being identified or caught, and (3) it is much easier to compromise a human being than to bypass technical countermeasures.

This low-tech attack depends on the social engineer's ability to establish credibility and trust with an employee of the targeted company.  To accomplish this, he must devise a believable story, or "pretext", built on as much factual information as possible.  Given that most companies and their staff post volumes of information about the organization, its employees and its practices across various online sources, forming a detailed pretext is often the easiest part of the process.

The "fellow employee" pretext usually centers on a new employee, an off-site worker, or a manager from a nondescript department who needs technical assistance, such as resetting credentials, creating a new account or reconnecting to the network from a different location.  In these scenarios, the social engineer must research the company and its practices, then collect enough verifiable information about the persona he will assume that the lie can withstand at least a minimal amount of scrutiny.

The con artist may begin weaving the pretext by gathering basic information such as locations, services and corporate structure.  This can be done simply by reading the targeted company's website or downloading archived newsletters, press releases and annual reports.  A quick visit to the company's LinkedIn page or Jigsaw listing will help determine the corporate hierarchy along with each person's job title.  These sites are designed to aggregate all of the staff members associated with a particular company onto a single page and to display their contact information: personal and business email addresses, direct phone numbers, social networking connections, and more.  This also helps the criminal narrow down the list of staff members who would make good targets for impersonation.  For example, employees whose phone numbers carry an area code different from the business's primary number probably work from a satellite office and have little day-to-day contact with their coworkers at headquarters. After a "short list" of potential employees has been compiled, their individual social media profiles may be mined for personal details that add another layer of credibility to the pretext.

Before attempting an attack on the targeted company, a social engineer will usually employ additional tactics to reinforce his credibility.  A common approach is to send the employee(s) he intends to contact a phishing email carefully formatted to resemble legitimate corporate correspondence.  These messages set up the attacker's pretext by outlining why he needs assistance, or in some cases make a direct request for the desired information.  The sender address and display name are spoofed, the Reply-To address points to an account the attacker controls, and the contact information in the email signature and footer is faked to match.  Another trick social engineers use before placing the phone call is to spoof their caller ID to match a department within the targeted company; this requires no technical skill, since caller ID spoofing services and equipment can be purchased legally.  When these techniques are combined with a convincing pretext, there is little reason for an employee to suspect that the caller is anything but a legitimate coworker.
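The spoofed sender, forged Reply-To and faked signature described above leave traces in the message headers that a mail gateway or analyst can check mechanically. The following is an added example, not code from the original article: it parses a raw message and flags the header inconsistencies typical of a "fellow employee" pretext email. The internal domain (example-corp.com), the three sample messages and the finding codes are all constructed for illustration.

```python
"""Header-consistency checks for a 'fellow employee' pretext email.

Added example, not from the original article.  The internal domain, the
sample messages and the finding codes are assumptions made for illustration.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.com"  # assumption: the target company's mail domain


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyze_headers(raw: bytes, internal_domain: str = INTERNAL_DOMAIN) -> list:
    """Return finding codes for header patterns typical of a spoofed coworker email."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)

    # 1. Display name name-drops the company while the address lives elsewhere.
    if internal_domain in from_name.lower() and from_dom != internal_domain:
        findings.append("display-name-impersonation")

    # 2. Reply-To differs from the From domain: replies are routed to the attacker.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append("reply-to-mismatch")

    # 3. Envelope sender (Return-Path) differs from the visible From domain.
    _, return_addr = parseaddr(str(msg.get("Return-Path", "")))
    if return_addr and domain_of(return_addr) != from_dom:
        findings.append("return-path-mismatch")

    # 4. Mail claiming an internal sender that did not pass SPF and DKIM.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if from_dom == internal_domain and ("spf=pass" not in auth or "dkim=pass" not in auth):
        findings.append("internal-sender-unauthenticated")

    return findings


# Constructed sample: pretext email from a lookalike domain with a webmail Reply-To.
PHISH = b"""Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=mailer.example.net; dkim=none
From: "Dana Lee (IT Helpdesk, example-corp.com)" <dana.lee@example-corp-support.com>
Reply-To: <helpdesk.examplecorp@webmail.example>
To: <jordan@example-corp.com>
Subject: VPN re-enrollment for remote staff

Hi Jordan, I'm covering the satellite office this week and need your
current VPN username so I can re-enroll your token. Thanks!
"""

# Constructed sample: the From header itself forged as an internal address.
SPOOFED_INTERNAL = b"""Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=mailer.example.net; dkim=none
From: IT Helpdesk <helpdesk@example-corp.com>
To: <jordan@example-corp.com>
Subject: Password reset required

Reply with your current password so we can migrate your account.
"""

# Constructed sample: genuine internal mail that passes authentication.
LEGIT = b"""Return-Path: <sam.ortiz@example-corp.com>
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass header.d=example-corp.com
From: Sam Ortiz <sam.ortiz@example-corp.com>
To: <jordan@example-corp.com>
Subject: Quarterly report draft

Attached is the draft we discussed.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("spoofed-internal", SPOOFED_INTERNAL), ("legit", LEGIT)):
        print(f"{label}: {analyze_headers(sample)}")
```

None of these checks is proof of fraud on its own (mailing-list software and ticketing systems legitimately rewrite Reply-To and Return-Path), so a gateway would normally use them to tag the message as external or unverified rather than to block it outright. The point is that the attacker's forgery is confined to what the recipient sees, and the headers added by the receiving infrastructure are not under his control.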

And, voila, trust is established and the hook is set.  It is now relatively easy to persuade the real employee into resetting passwords, divulging sensitive corporate information, or, in the worst case, opening a malicious attachment sent in a follow-up email, which gives the attacker a foothold on the internal network.

The best defense against the "fellow employee" tactic, as against virtually every social engineering threat, remains a staff trained to recognize and react to these techniques, comprehensive policies and procedures, frequent security awareness training, and periodic social engineering testing that verifies the effectiveness of policies, training and other controls.  In practice the policy that matters most here is one that requires identity to be verified out of band before any credential reset or account change: the help desk calls the requester back on the number listed in the company directory, never the number shown by caller ID or given in an email, since both are exactly what the attacker has spoofed.
