Social Engineering - Christopher Hadnagy [173]
“What day is your normal pickup?”
“We have two pickups per week; Set 1 is Wednesdays and Set 2 is Thursdays.”
“Thank you. I can prepare this quote and have it sent over by tomorrow afternoon. What e-mail should I use?”
“Send it to me personally at christie.smith@company.com.”
At this point a little friendly chitchat ensued and before you know it they were laughing and exchanging pleasantries.
“Thanks a lot. Hey, before we hang up can I ask you who you presently use? I like to do a comparative quote.”
“Well, you know…” she hesitated, but then said, “Sure, we use Wasters Management.”
“Thanks Christie, I will make sure you are happy with the quote. We will talk later.”
Armed with this information, Tim went to the website for the present waste management company and copied the logo to a JPG file. He then visited an online shirt printer and in 72 hours had a shirt with the logo in his hands. Knowing that the garbage is picked up on Wednesday and Thursday, he wanted to go Tuesday night.
He then placed another call to the security department:
“Hello, this is John from Wasters Management, your dumpster disposal people. I was called by Christie Smith’s office stating that you have a damaged dumpster. I know the pickup is on Wednesday so I wanted to come out and check it tomorrow night. If there is a damaged unit I will have the truck bring out a new one. Is it okay if I come out Tuesday night?”
“Sure, let me check—yes, Joe is on tomorrow. When you pull up just stop in the security booth and he will give you a badge.”
“Thanks.”
The next day Tim wore his “company” polo shirt and had a clipboard. The pretext was genius because he knew the dates and internal names. Now, looking like a company employee, he approached the security booth.
“Joe, I’m John from Wasters and I called in yesterday.”
The guard interrupted with, “Yes, I see your name right here.” He handed him a badge and a paper map telling him how to get to the dumpsters. “Do you need one of us to tag along?”
“Nah, I do this all the time.”
Tim was buzzed in and drove over to the dumpsters.
Armed with a perfect pretext and a badge, he had the time to do some digging. He knew that Set 2 holds the non-food garbage, so he started his digging there.
After just a little while he loaded a few hard drives, USB keys, some DVDs, and some clear bags full of paper into his trunk. After about an hour or so he drove back out, thanked the security guys, and assured them all was good. Back at the office he dug through the “garbage” and was greeted with some of the juiciest details he couldn’t have found in his wildest dreams.
Many times companies will dispose of hard drives and USB media by destroying them completely. They will erase all data and then send them to special disposal units. Every now and then, though, employees who don’t think through their disposal procedures will just throw away a USB key they say is broken or a hard drive that no longer boots. What they don’t realize is that there are many programs that can strip data off of even non-bootable drives and media. Even if the media has been formatted, data can still be recovered in many situations.
One of the bags contained what looked like the contents of an office. As he emptied the bag he noticed some papers that had not passed through the shredder. He sat down to read them and saw one was a contract for some IT services that went out for bid. The job was supposed to start in just a few days, but it looked like this particular copy was used to sop up some spilled coffee and then discarded.
This would be a great find, but he had so much more to search through. The DVDs were blank or unreadable, but surprisingly enough he located files on the USB keys. From this information he discovered the names and private lines of the CFO as well as some other key personnel.
The value of what he gathered was immense but I want to focus on what he did