Impersonation: when the cyber attack becomes physical and related countermeasures

The Social Engineering technique called Impersonation is used to gain illegitimate access to a system, a network or company information, in order to commit fraud, carry out industrial espionage or damage the company's image.

It involves assuming a false identity with the aim of deceiving the victim to the point of convincing them, in complete confidence, to grant access to restricted areas or premises, to private information or to corporate information systems.

The Impersonation technique, like all Social Engineering tactics, starts from a thorough study of the victim (a company or a group of people). By patiently piecing together all the information available on the web, an attacker can assemble a combination of details that makes a false identity, a phishing email or a USB stick with malicious content as convincing as possible. This research, which underlies all Social Engineering-type cyber attacks, is called OSINT (Open Source Intelligence).

OSINT (Open Source Intelligence)

In designing a false identity, attackers spend a lot of time studying their target. They look for information not only about the company itself but especially about its staff: their habits, interests, roles, and so on. All of this information is easily available from social networks, corporate websites or simply by listening to employees' conversations on the phone, on the bus or on the train.

The Impersonation attack technique can exploit many psychological persuasion tactics of an anthropological nature, such as tailgating and piggybacking. The first refers to the attempt to enter a restricted area, perhaps through a secondary entrance, by closely following an authorised person. This gives anyone present the impression that the intruder is legitimately accompanied; the intruder may also join a group of employees, posing as one of them.

Tailgating therefore implies entry without consent, while Piggybacking, although very similar, involves an entry that is informally authorised because it relies on another factor of a social nature: an unauthorised person tries to enter an off-limits area by showing up at the entrance with a parcel or other items in their hands, visibly struggling to show any authorisation or badge.

Recreating this social situation triggers in the authorised person a sense of moral duty to help someone in difficulty, by holding the door open or using their own badge to let them in.

Once inside private areas, it may be easy to reach the corporate network or sensitive information simply by walking through the corridors and doing what we at INTUITY call the Anthropological Walk: a careful observation and listening activity within a work environment to gather information, such as passwords pinned to monitors in plain view, appointments or other notes that could be used to build a well-prepared cyber attack.

Another tactic used in Social Engineering is Shoulder Surfing: spying on what is typed on a keyboard or what is said, simply by standing behind someone's back.

It is natural to ask at this point what relationship there can be between a cyber attack and Impersonation:

What damage could a Social Engineering technique of this type really cause to a company?

The answer comes directly from Kevin Mitnick, a hacker whose Social Engineering skills led to countless cyber attacks against large corporations and the government of the United States.

Taken from the documentary «Lo and Behold, Internet: the future is today» by Werner Herzog, USA 2016, here is the story of Kevin Mitnick and how he managed to carry out a successful cyber attack on Motorola thanks to Impersonation.

How can we protect ourselves?

By following some common-sense rules and spreading an appropriate Security Culture in the company, one that also covers these issues, you can defend yourself from these attacks and better protect yourself, your company and your customers' information.

Here are some suggestions:

  • Never share your passwords. Technical support staff do not need your password or any other information about how you access your system.
  • Be aware of your surroundings. Make sure you know who is within listening range of your conversation or your work.
  • Avoid talking about confidential information in crowded or public places.
  • Ensure the physical security of business premises by always asking: "who is that person and why are they here?".
  • If you are unsure about a person's identity or access authorisation, report the situation to the appropriate staff.
  • Protect paper documents. Do not leave documents lying around. Use a shredder to dispose of documents you no longer need.
  • Adopt a good dose of scepticism towards anything out of the ordinary, especially strangers who show unusual interest in you.