My social engineering adventure

I really like hacking. I like breaking into places where I’m not supposed to be, and while digital hacking is extremely fun and rewarding, physical and social hacking are on another level.

This means that whenever I get the chance to practice these skills, I do. Sometimes I’m an urban explorer, and I climb rooftops or investigate abandoned buildings, and sometimes I talk my way into places. Here’s a story from one social engineering training event I attended (some details omitted).

There’s a sugar refinery in a town in a pretty European country. The refinery includes several buildings, of which one is an administrative building, and there are production facilities as well. On this particular training, the task for our group was to get into the refinery, take all the photos that we can, get into all the buildings, and get as much intel as possible - especially the locations of cameras, guard houses etc. If this had been a physical pentest, it would probably have included a bag of Raspberry Pis and leaving USBs with malware littered around. However, our task was just to get info.

The usual practice is what’s called a “spiral” approach. Essentially, you don’t barge straight into the front door. Instead, you collect data first from the outside, from social media - basically, OSINT. Then, you slowly close in on the actual physical location, like a spiral. First from a great distance, where you can’t be seen. Then you maybe pass with your car and take some videos. Then you come a bit closer, pretending you’re someone who’s supposed to be there, observing and getting information. As this spiral goes inward, you slowly get more and more info, your picture of the target is clearer, and only in the end do you end up in the center of the spiral - at the target location itself.

That’s how it’s supposed to go. However, we barged straight in.

To be fair, we had a unique opportunity to do so. We did start with collecting OSINT data, but the team lead for our little group took initiative and just called them up. Turns out that they had a tour organized that very day - in fact in two hours they had a group of students coming in. “Well can you squeeze us in as well?” “Sure, no problem, come along.”

So we did. We’re all in our twenties or thirties, so we can pass for students pretty well. We get into the car, drive to the location, get out in the parking lot, and look pretty clueless and semi-bored, exactly how a student group led by a teacher would look. We go up to the gate, introduce ourselves to the guard, he calls to check and informs us that we’re late - the presentation already started without us. But no worries, he’ll get us in. We get into this big hall - sort of a restaurant - and there’s a bunch of presumably real students sitting, listening to the presentation, and eating cake. Eating cake! “Here’s your cake,” a kind lady shows us. “Would you like some coffee or tea as well?”

At this point, I’m torn between feeling sorry for deceiving these wholesome people and celebrating such an immediate win. We eat the cake, listen to the presentation, receive our hardhats and go on the tour. The other students ask about us, who we are, which university we are studying at, and so on. There are many signs that expressly prohibit taking pictures, but I play blind and take as many pictures as I can with my phone. Some of the actual students are trying to strike up a conversation with me, and I’m really focused on my surroundings and how everything looks, trying to remember where the gates and cameras are. I look at their faces, and they probably have very normal expressions, but I feel found out. Every look they give me looks to me like they figured me out, they know I’m the impostor. It’s… a weird feeling. When you know, you feel like everyone else around you knows as well. And if you’re on a mission like this, nerves play their part, and you see suspicion everywhere. “They don’t actually know,” I remind myself.

So we do the tour. We walk through every single important hallway, pass tons and tons (literally) of machinery, and manage to get pictures and videos. The tour is over, and we’ve been to a good 40% of this entire complex. Great! Are we done? Not yet.

See, we didn’t go near the admin building, and that’s where all the offices are. We are escorted back to the parking lot and talk it out. “I think we can do it,” someone says, “Let’s just go straight in and pretend we’re lost and we’re trying to find the rest of the tour.”

“But isn’t that going to be a little weird? I mean, they know that the tour is over and that we’re the odd ones anyway, and that-”

“No, they don’t necessarily know it. People doing the tours are in the other building. This is office staff who maybe have no clue about when the tours are and who is going on them.”

Three of our 5-person group decide to stay waiting in the car and observe the comings and goings, so that we get a bit of that spiral approach we originally missed. My “teacher” and I decide that our story is that I lost my ID during the tour, and we go to the office building, which is just outside of the view of the guard house for the complex, and we just… walk in.

This building has a central staircase, an elevator, and offices arranged along a single long hallway on every floor. I keep taking videos with my phone while we’re walking the staircase, but nobody sees us, nobody knows we’re there. So we decide to risk it even more and we go into one of the long, long hallways.

People have their doors open, and they look at you, and you feel so exposed. You know, with absolute certainty, that you’ve been found out. And then they look back to their screens and keep working. We walk a couple of these floors, peer into some of the offices, taking good video material of all of it (I’m recording all the time, trying to keep my phone as natural as possible).

“Hey, can I help you?” a lady from one of the offices asks us. My heart sinks. “Hi, so we were just on this tour, and he lost his ID, so we were looking for someone to talk to about that,” my teacher responds. “Oh,” the lady is surprised, “that’s unfortunate. Let me see what I can do.” She leaves us waiting in the hallway, and goes to make a phone call. We briefly consider just getting out through the staircase, but as we’re discussing, the lady’s back: “Unfortunately, none of the tour staff saw anything. What did you say your name was?” she asks me. I remember the following seconds in excruciating, slow-mo detail because I totally failed in this part. My teacher looks at me, I look at her, and she responds and says my real full name. My last name is a bit unusual, so two thought threads are going through my mind at the same time - if they look me up, they’ll find me for sure, I have a pretty unique name. If they ever find out that we were social engineering them, they’ll know about me, and this might be a problem in the future. But then I think - hey, we didn’t do anything illegal, we don’t need to hide. All this is happening while the nice lady is asking me to write my name down, and she’s watching me slowly write out my first name as I’m deciding, in real time, if I’m going to write my fairly identifying last name or not. As I’m very slowly writing my last name down, probably looking at least a little illiterate, I decide, mid-name, to change it into something that sounds kinda similar to what my teacher said, but isn’t exactly that. I omit a letter from the middle of the name, hoping that if they do in fact look me up on the internet, they won’t have the exact sequence of characters, and they won’t find me. I give the nice lady the piece of paper, leave a FAKE PHONE NUMBER as a point of contact, and flee the scene of the crime.

The next day, my “teacher” tells me they called her on her phone, saying that they took another look throughout the complex and couldn’t find my ID. They tried to call me on the phone I provided, but couldn’t reach me. So they asked the person my teacher originally contacted, who then gave her number to the nice lady. My teacher told the nice lady that I managed to find the ID, and thanked her for the effort. “Great to hear, it was no problem at all,” the nice lady said.

Feeling like a bit of an asshole because I put them through unnecessary work, I realized the following things:

  1. Just because you know you’re the impostor, it doesn’t mean that people around you know.
  2. You should always know what your name is and what your phone number is, and other people on your team should know what name you’re going to use.
  3. Always “close”. By asking around for my ID, we opened a task item for people, and this was an active task that remained open in the background of their minds. Don’t linger in people’s minds. Close their task. Telling the lady that we found my ID was precisely that. Task closed, no need to worry any longer. I doubt she remembers me anymore.

It was a very valuable learning experience for me, and I’m very grateful for being invited to participate in that event. I don’t think we caused them too much trouble in the end, so I don’t feel guilty about it. Mostly thankful. Thank you, sugar refinery. So long, and thanks for all the cake!