Before we get started, this post was inspired by Episode 6 of Darknet Diaries, ‘The Beirut Bank Job’.   The research comes from this episode and some interviews with Jayson Street.  Check out the episode at https://darknetdiaries.com/episode/6/

Have you ever had one of those calls from someone who says they’re from a big, recognisable company such as Sky, or BT?  These calls start off innocent enough, and the person might be quite warm and chatty, but then the questions start to get a bit shady - maybe they ask you to confirm your card number or account password.  You feel uncomfortable and decide to hang up because it doesn’t sit right.  Those kinds of calls are attempts at social engineering.

What is Social Engineering?

Social Engineering is when someone manipulates their target into doing something they wouldn’t usually do.  This can be anything from giving them access to an account, giving out passwords, or transferring money.  It’s becoming increasingly easier for criminals to prey on people’s trust rather than try to hack into networks and put out malware.  To highlight social engineering at its finest, let’s look more at Jayson Street.

First, let’s explain Jayson’s job.  He is a pentester, this means he performs penetration tests on a company to see how their security holds up.  Penetration tests can be performed physically (e.g., getting access into a building), or from outside of the company, e.g., through a phishing email.  He’s mastered using human psychology to achieve his objectives.  Jayson gets hired by huge companies to ensure that they are minimally vulnerable to blackhat (unethical) hackers.

One of his most notable jobs was his pentesting in Beirut banks.  The technique of compromising* their PCs and network is a perfect example of social engineering.  When Jayson first enters the bank, he makes his way to the manager’s office.  But he doesn’t go in.  Instead, he lingers outside like he’s meeting with the manager.  He goes to an employee at the bank and informs her he’s doing an audit.  She’s just seen Jayson leave the manager’s office, so assumes he’s been vetted.  This employee allows him onto her machine, Jayson compromises it, and moves on.

Jayson then makes his way back to the front of the bank.  He finds another employee, compromises her machine, and then she walks Jayson behind the teller line!  Jayson is now entering their domain from the trusted side of the bank, instead of the outside.  He makes his way through the tellers’ machines, and continues his “audit”.  At one point, the bank manager comes to talk to the tellers.  He sees Jayson, but doesn’t question his being there as the manager thinks the tellers have vetted him.  The tellers also don’t ask any questions, as they think their manager has vetted him.  After he’s finished, he’ll gather everyone together and explain what he’s done.  Jayson likes to educate the people he goes in to test, so they can learn and be more cautious and attentive in the future

*When we say “compromise”, Jayson uses a tool called a rubber ducky.  It’s a USB, that when plugged into a PC, it makes the PC think that it (the rubber ducky) is a keyboard.    The rubber ducky then executes a series of pre-loaded computer commands to the computer telling it to do anything – even set up a remote connection into the computer!  This can allow a hacker to connect in from another location.  Jayson doesn’t do this though, he just has his rubber ducky open the Notepad application, and type ‘hello’.  He takes a picture for proof, and uses this as a record of who has been compromised.