
Social Engineering - Christopher Hadnagy [21]

car to drive a few states away for business. My companion and I loaded all of our luggage in the trunk; as we were entering the car we noticed a small bag of trash in the back seat. The other person said something like, “Service today just stinks. You figure for what you pay they would at least clean out the car.”

True, you would expect that, but I stopped that bag from just being chucked into the nearest can, and I said, “Let me just look at that really quick.” As I opened the bag and pushed aside the Taco Bell wrappers, what was lying in plain sight was a shock to me—half of a ripped-up check. I quickly dumped out the bag and found a bank receipt and the other half of the check. The check was written out for a couple thousand dollars, then just ripped up—not into tiny little pieces, but just into four large chunks, then thrown into a small bag with a Taco Bell wrapper. Taping it back together revealed this person’s name, company name, address, phone number, bank account number, and bank routing number. Together with the bank receipt I now had the balance of his account. Thankfully for him I am not a malicious person because only a couple more steps are needed to commit identity theft.

This story personifies how people view their valuable information. This guy rented the car before me and then because he threw the check away he felt it was gone, disposed of safely. Or so he thought; but this is not an isolated case. At this URL you can find a recent story about very valuable things people just threw away or sold for next to nothing at a garage sale: www.social-engineer.org/wiki/archives/BlogPosts/LookWhatIFound.html.

Things like:

A painting that a museum bought for $1.2 million

1937 Bugatti Type 57S Atalante with a mere 24,000 miles sold for $3 million

A copy of the Declaration of Independence

If people throw away a painting with a hidden copy of the Declaration of Independence in it, then throwing away bills, medical records, old invoices, or credit card statements probably isn’t such a huge deal.

How you interact with people in public can have devastating effects. In the following scenario I was asked to audit a company and before I could proceed I needed to gather some data. Take a look at how simple, seemingly meaningless information can lead to a breach.

Simply following one of the higher-ups of the target company for a day or two showed me that he stopped for coffee every morning at the same time. Since I was aware of his 7:30 a.m. coffee stop at the local coffee shop I could plan a “meeting.” He would sit for 30–35 minutes, read the paper, and drink a medium cafe latte. I enter the shop about 3–5 minutes after he sits down. I order the same drink as him and sit down next to him in the shop. I look over as he places one section of the paper down and ask whether I can read the paper he is done with. Having already picked up a paper on the way I knew that page three contained an article about a recent murder in the area. After acting as if I just read it, I say out loud, “Even in these small towns things are scary nowadays. You live around here?”

Now at this point the target can blow me off, or if I played my cards right, my body language, vocal tone, and appearance will put him at ease. He says, “Yeah, I moved in a few years back for a job. I like small towns, but you hear this more and more.”

I continue, “I am just traveling through the area. I sell high-end business consulting services to large companies and always enjoy traveling through the smaller towns but I seem to hear more and more of these stories even in the rural areas.” Then in a very joking tone I say, “You don’t happen to be a bigwig in a large company that needs some consulting do you?”

He laughs it off and then as if I just challenged him to prove his worth says, “Well I am a VP of finance at XYZ Corp. here locally, but I don’t handle that department.”

“Hey, look, I am not trying to sell you something, just enjoy coffee, but if you think I can stop by and leave you some information tomorrow or Wednesday?”

This is where the story gets
