OP 03 October, 2024 - 11:45 PM
A stealth hacker turned an entire building into her training ground.
A female hacker broke into a large office building in a metropolitan area to steal confidential data by compromising both the physical space and the corporate Wi-Fi network. As it turned out, no actual hacking was needed - the doors and elevators were simply open.
Alet Denis, posing as an employee, took the elevator to the target floor without a pass. The office door was slightly ajar, and the security guard at his post did not notice her presence. Once in the conference room, she planted a pre-configured malicious device. The previous evening, Denis had found the Wi-Fi login and password in the building's trash. With the device connected to the network and hidden behind a TV in the conference room, Denis was able to exfiltrate company data over the company's own network for a week.
In this case, the device was under the control of a security team hired by the building's owners to test both physical security and cybersecurity. Hacker Alet Denis is a senior security consultant at Bishop Fox. Her primary specialty is physical security assessment, but she is better known as the winner of the social engineering competition at DEF CON, which earned her a place in the Black Badge Hall of Fame.
Denis is a penetration tester who frequently relies on social engineering. Her practice includes many attacks carried out by phone and email, but she enjoys "in-person" contact the most, since it lets her build convincing personas and elaborate pretexts. Denis often impersonates former or current employees, or representatives of vendor companies, to gain access to corporate networks under false pretenses.
In one engagement, Denis's team needed to get into the building of a software vendor. The specialists introduced themselves as contractors sent to assess the video surveillance system, backed by a fake company, phone numbers, and work orders. Everything went according to plan until a security manager showed up at the reception desk, immediately became suspicious, and called a colleague, a security expert who had written a book on covert surveillance. The deception was exposed, and Denis's team had to leave the building.
Despite modern technologies such as artificial intelligence and deepfakes, the most effective methods of social engineering remain conversations with people — on the phone, in emails, or in person. Denis notes that the methods of attackers differ from those often discussed in security training. New AI-related tools do not always pay off, and some criminals return to traditional methods, such as voice phishing (vishing).
The main goal of a cybercriminal is to provoke an emotional response in the victim. Attackers often send emails that appear to describe company policies but actually carry malicious files. According to Denis, the key aim of social engineering is to exploit a person's emotional response to gain access to their credentials.
Red teams (security testing groups) use the same methods as real attackers to bypass phishing detection and prevention systems. Phone calls to reinforce the cover story are also common: for example, after sending an email with a malicious attachment, attackers may call the victim and persuade them to open an email they supposedly overlooked or did not receive earlier. To avoid falling victim to such attacks, Denis recommends asking questions that throw the scammer off and cut the attempt short.