Beware of Criminals Posing As 'Fellow Employees'

Impersonation is a favorite weapon in the social engineer’s arsenal.

May 9, 2012

The most dangerous social engineers are those who can invent a lie so believable that they are able to successfully impersonate a legitimate employee without ever raising suspicion.

This tactic is particularly harmful if real employees can be tricked into believing the criminal is actually a coworker or a member of upper management.

From that point, it is not very difficult for a charismatic social engineer to manipulate the employee into divulging extremely sensitive information–or even worse, granting the impersonator unfettered access to the network.

As improbable as this technique seems, it is actually a favorite weapon in the social engineer’s arsenal. And it has a frighteningly high rate of success.

The primary reasons for the technique’s popularity are:

  1. The information necessary to construct a credible pretext is readily available;
  2. There's almost no chance of being identified or caught; and
  3. It's much easier to compromise a human being than it is to bypass technological countermeasures.

Establishing pretext

This type of low-tech method of attack is predicated on the social engineer’s ability to establish credibility and trust with an employee of the targeted company.

To accomplish this, he or she must devise a believable story–or a “pretext”–based on as much factual information as possible. Given that most companies and their staff members post volumes of information about the organization online, forming a detailed pretext is often the easiest part of the process.

The “fellow employee” pretext usually centers on a new employee, an off-site worker, or even a manager from a nondescript department who needs technical assistance, such as resetting credentials, creating a new account or reconnecting to the network from a different location.

In these scenarios, the social engineer must conduct a bit of research about the company and its practices. Next, he or she collects enough verifiable information about the persona being assumed so that the elaborate lie can withstand at least a minimal amount of scrutiny.

The con artist may begin weaving the pretext by gathering basic information, such as locations, services and corporate structure. This can be done simply by reading the targeted company’s website or downloading archived newsletters, press releases, and annual reports.

A quick visit to the company’s LinkedIn page or Jigsaw listing will help determine the corporate hierarchy along with each person’s job title.

Finding a target

These sites are designed to aggregate all of the staff members related to a particular company onto a single page. They display relevant contact information like personal and business email addresses, direct phone numbers, social networking connections, and more.

This can help a criminal narrow down the list of staff members that would make good targets for impersonation.

For example, employees having area codes different than the business’ primary number may indicate they work from a satellite office and probably do not have close contact with their coworkers at headquarters.

After a “short list” of potential employees has been compiled, their individual social media sites may be data-mined for personal details which could add another layer of credibility to the pretext.

Additional tactics

Prior to attempting an attack on the targeted company, a social engineer will usually employ additional tactics to further sell their believability.

A common approach involves sending the employee(s) they intend to contact a phishing email that is carefully formatted to resemble other legitimate corporate email correspondence.

These messages are intended to set up the attacker’s pretext by outlining the reasons why they need assistance or, in some cases, to make a direct request for the desired information. Of course, the reply-to email address would be spoofed, as would the contact information contained in the email signature and footer.
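A mail-side check for the reply-to trick described above, as an added example that is not part of the original article: it flags messages whose From header claims an internal sender while replies are routed to an outside domain. The corporate domain `cu.example`, the function names, and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

CORP_DOMAIN = "cu.example"  # assumed corporate mail domain (placeholder)

def _domains(msg, header):
    """Lower-cased domains of every address in a header (header may be absent)."""
    addrs = [addr for _name, addr in getaddresses(msg.get_all(header, []))]
    return {a.rsplit("@", 1)[1].lower() for a in addrs if "@" in a}

def _internal(domain, corp=CORP_DOMAIN):
    """True for the corporate domain itself or any of its subdomains."""
    return domain == corp or domain.endswith("." + corp)

def reply_to_findings(raw_message, corp=CORP_DOMAIN):
    """Return a list of reasons the Reply-To header looks inconsistent with From."""
    msg = message_from_string(raw_message)
    from_domains = _domains(msg, "From")
    reply_domains = _domains(msg, "Reply-To")
    claims_internal = any(_internal(d, corp) for d in from_domains)
    findings = []
    for d in sorted(reply_domains - from_domains):
        if claims_internal and not _internal(d, corp):
            findings.append(f"From is internal but replies go to external domain {d}")
        elif not claims_internal:
            findings.append(f"Reply-To domain {d} differs from From domain")
    return findings

# Constructed sample messages (not real traffic).
SUSPICIOUS = (
    "From: IT Help Desk <helpdesk@cu.example>\n"
    "Reply-To: helpdesk@cu-support.example.net\n"
    "Subject: Remote access request\n\nConstructed sample body.\n"
)
LEGITIMATE = (
    "From: Jane Doe <jane.doe@cu.example>\n"
    "Reply-To: jane.doe@mail.cu.example\n"
    "Subject: Branch schedule\n\nConstructed sample body.\n"
)
NO_REPLY_TO = "From: Jane Doe <jane.doe@cu.example>\nSubject: Hello\n\nBody.\n"

if __name__ == "__main__":
    for label, raw in [("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE),
                       ("no reply-to", NO_REPLY_TO)]:
        print(label, reply_to_findings(raw))
```

This check only compares headers within one message; it does not detect a forged From address, which is the job of sender authentication such as SPF, DKIM and DMARC.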

Another clever trick con artists use prior to initiating the phone call attack is to spoof their caller ID to match a department within the targeted company–the necessary equipment can be legally purchased and is surprisingly easy and nontechnical to use.

When these techniques are combined with a convincing pretext, there is little reason for an employee to doubt that the attacker is a legitimate coworker. And, voilà, trust is established and the hook is set.

The best defense

From that point it is relatively easy to persuade or manipulate the real employee into changing passwords, divulging sensitive corporate information, or–in a worst case scenario–activating malware sent in a follow-up email that allows the attacker to gain access to the company network.

The best defense against the “fellow employee” tactic, as well as virtually every con artist threat, continues to include the following:

  • Staff trained to recognize and react to malicious techniques;
  • Comprehensive policies and procedures;
  • Frequent security awareness training; and
  • Periodic social engineering testing that verifies the effectiveness of policies, training, and other controls.

DAVID BLAZIER is marketing manager for TraceSecurity, a CUNA Strategic Services alliance provider. Contact him at 225-612-2121, ext. 31062.