An invisible hacker turned an entire building into her training ground.
A female hacker broke into a large office building in a major city to steal confidential data, compromising both the physical space and the corporate Wi-Fi network. As it turned out, no actual break-in was needed: the doors and elevators were open.
Alethe Denis, presenting herself as an employee, took the elevator to the floor she wanted without a badge. The office door was ajar, and the security guard at his post paid no attention to her. Once inside the conference room, she installed a pre-configured malicious device. The night before, Denis had found the Wi-Fi network's login and password in the building's dumpster. With the device plugged in and hidden behind the conference-room TV, Denis was able to pull the company's data out over its own network for a week.
In this case, the device was under the control of a security team hired by the building's owners to assess both physical security and cybersecurity. Alethe Denis is a senior security consultant at Bishop Fox. Her main specialization is physical security assessment, but she is better known as the winner of the social engineering competition at DEF CON, which earned her a place in the Black Badge Hall of Fame.
Denis works in penetration testing and frequently uses social engineering methods. Many of the attacks in her practice are carried out by phone or email, but she prefers in-person contact most of all. It lets her build convincing personas and construct elaborate pretexts. Denis often impersonates former or current employees, or representatives of supplier companies, to gain access to corporate networks under false pretenses.
On one engagement, Denis's team needed to get into the building of a software vendor. The team introduced themselves as contractors hired to evaluate the video surveillance system, complete with a fake company, phone numbers, and work orders. Everything went according to plan until a security manager showed up at the reception desk, immediately suspected something was wrong, and called a colleague, a security expert who had written a book on covert surveillance. The deception was exposed, and Denis's team had to leave the building.
Despite modern technologies such as artificial intelligence and deepfakes, the most effective social engineering methods remain conversations with people: on the phone, by email, or in person. Denis notes that attackers' methods differ from those usually covered in security training. New AI-based tools don't always pay off, and some criminals are returning to traditional methods such as voice phishing (vishing).
A cybercriminal's main goal is to provoke an emotional reaction in the victim. Attackers often send emails purporting to describe company policy; in reality, such emails carry malicious files. According to Denis, the key task of social engineering is to exploit a person's emotional response in order to obtain their credentials.
Red teams (security testing teams) use the same techniques as real attackers to get past phishing detection and prevention systems. Phone calls to reinforce the pretext are also common: for example, after sending an email with a malicious file, the attacker calls the victim and persuades them to open an email they supposedly forgot about or that was supposedly never sent. To avoid falling victim to such attacks, Denis recommends asking questions, which throws the scammer off and halts the attempt.
Source