How to rob a bank: A social engineering walkthrough

A social engineer details the steps he takes to show clients that they're an easy target for a data breach

If a company hires us for a social engineering engagement, typically they want us to get in and get to their back-up tapes, or into the data in their document room.

Let's say I am posing as a fire inspector. The first thing I will have besides my badge and uniform is a walkie-talkie, like all firemen. Outside, we'll have our car guy, the guy who sits in the car. Basically, his job in the beginning is to send chatter through to our walkie-talkies. We will have a recording of all the chatter you'd hear on walkie-talkies. He sits in the car and plays it and sends it through to our walkie-talkies.


We walk into the facility and make sure that all the chatter is coming loudly into the walkie-talkies as soon as we walk in their door so that we are immediately the center of attention. When I walk in, I want everyone to know that I mean business. My walkie-talkie is loud and everyone looks over as I apologize and turn it down.


I show the person at the front desk my badge. They'll say "Hi, how's it going?" I'll say "Good, I'm here to do a fire inspection." They say "Great" and assign someone to us, like a teller. It's generally someone who's nice. I'll start talking with them, flirting with them, or whatever it takes. We'll start walking around.

While I'm talking with the person who has been assigned to us, my partner knows his job is to immediately wander away from us. So, my partner will immediately walk off. In most cases our escort will say "Can you come back here? I need to keep you guys together." We say "Sure, sorry." But really that means nothing to us. All it means is that we keep doing it until she gives up. My partner will wander off two or three more times and get warned until she finally stops and gives up. She just thinks he's a fireman and thinks "Let's just let him do what he needs to do."


At that point, my partner's job is to start stealing everything he can steal and start putting it in his bag. And he also has to get under the desks of any employee he can find and start installing these little keyboard loggers. I stay with the person who is escorting me and my whole job now is keeping them entertained. I keep walking around rooms, giving them advice on keeping their facility fire safe, even though I really have no idea what I'm talking about. I make stuff up and probably give the worst advice ever. I'll pull out cords and say "This looks a little bit dangerous." I'll comment on space heaters. I'm completely winging it.

A few years ago I got a device at Home Depot. It's like a measuring tape, but not a regular measuring tape. It has a laser pointer and makes a clicking noise. This device is like the Tricorder on Star Trek for me. I can do any magical thing with it as far as I'm concerned. I'll put it up to a socket and say "This looks like it has too much current running through it." And they just believe it. It's amazing the stupid things I can do. It's the bells and whistles that count and people want to see that you have products.

In the meantime, my partner is going under desks. If the employees are there, he'll say "Hey, do you mind if I get under your desk for a minute? I'm just checking for any kind of fire danger." If the employee asks "What kind of danger could be under my desk?" he will say "You know that fan on the back of your computer? If it stops spinning that could be a fire hazard." This kind of explanation sounds reasonable.

My guy gets under the computer and in his bag he has a bunch of dongles. He easily installs one on the employee's computer and now all data is going through this device. Of course, while my partner is under the computer, the person can't see what they're doing and they usually just wander off.
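One compensating control for the keyboard-logging step described above, offered here as an added example that is not part of Stickley's account and not a TraceSecurity tool: the script below parses Linux kernel (dmesg-style) USB HID enumeration lines against a per-workstation allowlist of approved keyboards and flags any keyboard-class device that is either not on the list or shows up in addition to the one keyboard the desk is supposed to have. The log lines, the allowlist and the vendor/product ids in them are constructed samples (dead:beef is a deliberate placeholder, not a real device).

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed dmesg-style lines for one workstation: its approved keyboard and
# mouse at boot, then, over an hour later, a second "Keyboard" appearing on a
# different port. All ids are sample values; dead:beef is a made-up placeholder.
SAMPLE_DMESG = """\
[  101.200101] usb 1-1.2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[  101.200450] usb 1-1.2: Product: USB Keyboard
[  101.300000] hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-1.2/input0
[  102.100000] usb 1-1.3: New USB device found, idVendor=046d, idProduct=c077, bcdDevice=72.00
[  102.200000] hid-generic 0003:046D:C077.0002: input,hidraw1: USB HID v1.11 Mouse [Logitech USB Optical Mouse] on usb-0000:00:14.0-1.3/input0
[ 4812.500000] usb 1-1.4: new full-speed USB device number 7 using xhci_hcd
[ 4812.650000] usb 1-1.4: New USB device found, idVendor=dead, idProduct=beef, bcdDevice= 1.00
[ 4812.700000] hid-generic 0003:DEAD:BEEF.0003: input,hidraw2: USB HID v1.10 Keyboard [HID Keyboard] on usb-0000:00:14.0-1.4/input0
"""

# Per-workstation baseline of (vendor_id, product_id) pairs allowed to act as a
# keyboard. In practice this comes from an asset inventory; here it is constructed.
APPROVED_KEYBOARDS: Set[Tuple[str, str]] = {("046d", "c31c")}

# Matches the hid-generic registration line the kernel logs when a HID
# interface binds: bus:vendor:product.instance, the HID type word, the
# device name in brackets, and the controller/port path it is attached to.
HID_LINE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\] hid-generic "
    r"[0-9A-Fa-f]{4}:(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})\.\d+: "
    r".*?USB HID v[\d.]+ (?P<kind>\w+) \[(?P<name>[^\]]*)\] on (?P<path>\S+)"
)


@dataclass(frozen=True)
class HidDevice:
    timestamp: float   # seconds since boot, from the dmesg prefix
    vendor_id: str     # lowercase hex
    product_id: str    # lowercase hex
    kind: str          # "Keyboard", "Mouse", "Device", ...
    name: str
    usb_path: str      # e.g. usb-0000:00:14.0-1.4/input0 (which physical port)


@dataclass(frozen=True)
class Finding:
    reason: str        # "unapproved_keyboard" or "extra_keyboard"
    device: HidDevice


def parse_hid_devices(log_text: str) -> List[HidDevice]:
    """Extract every HID interface registration from dmesg-style text."""
    devices: List[HidDevice] = []
    for line in log_text.splitlines():
        m = HID_LINE.match(line)
        if m:
            devices.append(HidDevice(float(m["ts"]), m["vid"].lower(),
                                     m["pid"].lower(), m["kind"], m["name"], m["path"]))
    return devices


def find_suspicious_keyboards(devices: List[HidDevice],
                              approved: Set[Tuple[str, str]],
                              max_keyboards: int = 1) -> List[Finding]:
    """Flag keyboard-class devices that are unapproved, or that exceed the
    number of keyboards this workstation is expected to have (earliest first)."""
    keyboards = sorted((d for d in devices if d.kind == "Keyboard"),
                       key=lambda d: d.timestamp)
    findings: List[Finding] = []
    for index, dev in enumerate(keyboards):
        if (dev.vendor_id, dev.product_id) not in approved:
            findings.append(Finding("unapproved_keyboard", dev))
        elif index >= max_keyboards:
            findings.append(Finding("extra_keyboard", dev))
    return findings


def audit_log(log_text: str, approved: Set[Tuple[str, str]],
              max_keyboards: int = 1) -> List[Finding]:
    return find_suspicious_keyboards(parse_hid_devices(log_text), approved, max_keyboards)


if __name__ == "__main__":
    for f in audit_log(SAMPLE_DMESG, APPROVED_KEYBOARDS):
        d = f.device
        print(f"{f.reason}: {d.vendor_id}:{d.product_id} '{d.name}' "
              f"on {d.usb_path} at t={d.timestamp:.0f}s")
```

The port path in each finding tells a responder which physical port to go and look at. The check only catches devices that register their own HID interface: a passive inline logger that sits between the keyboard plug and the port and passes the original keyboard's descriptors through does not enumerate as a new device at all, so port and cable inspection, and not leaving a visitor alone under a desk, remain the primary controls; this log check is a cheap supplement that is easy to run fleet-wide.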

At that point we usually meet back up and discuss with each other out loud all the places where we've already been. That way we really have a good idea of what's been accomplished and he can go back into places where I was unable to steal anything because of my escort. He'll say "I've hit all the desks." I'll say "Can you do me a favor and go back and check in here again?" and mention some place where I may have seen something interesting and I want him to go back and take care of it.

On our way out, we don't want them to know we're done. We want to be able to come back another time. This is where our guy in the car will make a fake call to the walkie-talkie and tell us they need us to respond to a call. I look at my escort and say "Hey, sorry, we'll be back."

We show back up in the next few days, do a quick recheck, go back in and get the dongles we've installed on the computers. We'll do another quick run through, claiming we've lost our original inspection form. Since we've already taken everything, the second visit is quick. We then tell them we're all set and will send a report in the mail.

By the time it's over, we've stolen stuff, and gotten access to log-ins and passwords because we've been recording that information with the key logging devices, whether it be online sites or local accounts on their system. We've been on their wireless network and have been able to hack into that as well.

When we've done everything we need to do, the last thing we will do is a dumpster dive. It's miserable, but it's crazy how lucrative it is. We show up with rubber gloves and start ripping bags open. It's amazing how much confidential information ends up in the trash. [Also see A real dumpster dive: Bank tosses personal data, checks, laptops.]

When we show up after the engagement to present what we found, there is often a total look of shock on the employees' faces. But it's a learning experience we hope they will all learn from. It's stuff they never thought would happen. If you talked to them a week earlier, they never thought they'd fall for some of the stuff we pulled. But now they see it can happen, and it can happen to them.

-- as told to Joan Goodchild by Jim Stickley of TraceSecurity
