Social Engineering, the USB Way
Social Engineering is an art that is almost a must have for would-be black hat types. It is the single most important way of obtaining insider information. Is it really any wonder that USB jump drives can be used as a social engineering tool?
The next hurdle we had was getting the USB drives in the hands of the credit union’s internal users. I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented.
Once I seeded the USB drives, I decided to grab some coffee and watch the employees show up for work. Surveillance of the facility was worth the time involved. It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks.
I immediately called my guy that wrote the Trojan and asked if anything was received at his end. Slowly but surely info was being mailed back to him. I would have loved to be on the inside of the building watching as people started plugging the USB drives in, scouring through the planted image files, then unknowingly running our piece of software.
As the cliche goes, curiosity killed the cat. For some reason, when most people find a CD or USB drive laying around they assume that it is benign. Unfortunately, that could not be further from the truth in most instances.
The lesson learned here is this: when you see garbage, like a CD or USB drive, laying around your office, especially unattended, leave it be!