Cybersecurity

Hack attack: social engineering at the airport

January 11, 2024 - 6 minutes reading time
Article by Serena De Pater

An important business deal, an unsuspecting account manager, and a determined adversary. When the stakes are high enough, hackers will use every available trick to get what they want. Read this fictitious, but all too realistic account of a social engineering attack to get a feel for how quickly things can go from bad to worse by disregarding a few basic security essentials.

It is Monday morning, and account manager Frank de Wit has just arrived at the airport. Today is a big day. He is flying over to meet the people at Oogle, an important client, to close a major business deal he has been preparing for months.

After ordering a coffee, Frank settles down at a cozy coffee table and opens his laptop. The IT people at work have warned everyone over and over not to use public Wi-Fi networks, so he disables Wi-Fi and opens a document that is saved offline. Once he reconnects to the company network later, the file will automatically update.

Scrolling through the business proposal, Frank goes over the final details. Such a big opportunity! He looks at the people around him and smiles. If only they knew what a successful businessman he is.

Slowly, the coffee shop fills with people. Then a young man walks over and takes a seat right next to him at the same table. Carrying two large backpacks and a coffee, he squeezes himself into the tiny chair. He appears clumsy, but Frank wants to be polite and not stare at him. Suddenly, as the guy lets one bag slide off his shoulder, he accidentally spills his coffee all over the table. A large splash hits the keyboard and screen of Franks laptop.

“I am so sorry, Sir!” the guy exclaims.

Frank jumps up quickly. His laptop! And is there coffee on his suit? “I have to get paper towels!” he says hastily. “Please mind my belongings, will you?” Before turning away, Frank quickly locks his screen – another important security advice from internal IT. Where to find paper towels? It’s crowded and there is a long line of people at the counter. Since his screen is locked, at least he has some time to find the nearest bathroom.

A few minutes later, Frank is wiping the coffee off his screen, while listening to the man incessantly apologising for his mishap. After one last sorry, the clumsy guy picks up his luggage and walks off. Fortunately, his laptop is still intact, and he puts it in his bag. It is time to proceed to the gate. Oof, that could have ended much worse!

A few hours later, Frank’s plane has landed at its destination. While waiting for the doors to open, he disables his phone's flight mode to see if there are any new messages. To his surprise, his sales manager has tried to call him ten times over the past three hours. That must be something urgent! A little worried, he calls him back. What could be wrong?

“Hi Frank”, the sales manager says. “I am not sure what happened, but Oogle just called to let us know that they cancelled the deal. They are very upset and do not want to meet with you. What did you do?”

Confused, Frank grabs his laptop from under his seat, and attempts to log on. But each time he enters his password, it shows the message ‘password incorrect, try again’. Even more confused, Frank calls the IT Servicedesk at his office. “Hi, it’s Frank de Wit. Can you please reset my password? It appears as if I have misspelled it three times and now my device is locked.”

The Servicedesk employee pauses for a moment, and then replies that she will now reset his password.

“Thank you”, Frank says. “I got a prompt to create a new password, it’s working!”

Before ending the call, his colleague at the servicedesk says, a bit grumpy: “Make sure you don’t forget your password a third time today, okay?”

Wait…what? A third time?

What really happened?

Ah, there he is at that coffee table, Frank de Wit. Perfect. I have been tracking him online for weeks now. Others describe my line of work as crime, I call it business. For my client, a competitor of Mr. De Wit’s employer, it is very important that the deal he is about to close will not happen.

Fortunately for me, Mr. De Wit has shared quite a few personal details on LinkedIn, X and Facebook. His travel plans, for example, as well as certifications and degrees which contain personal information like his date of birth and middle name. Finding him wasn’t hard. He often posts about his trips online, so it’s easy to find a pattern.

Let’s have a seat right next to him. I have brought a few large bags, but there is nothing in them, really. It is just for distraction. I will look clumsy, which makes my actions explainable. Let’s wait until this place is really crowded, and then…

After I apologise for spilling my coffee over his laptop, Mr. De Wit rushes to get paper towels. So far, all is going according to plan. Now I must get into his laptop. As expected, his screen is locked. But I prepared for that. I call the IT helpdesk of his company and make sure I sound distressed: “Hi, I am so sorry, my name is Frank de Wit. I am about to board a plane, but I have misspelled my password three times. I am really in a hurry! Could you quickly reset my password for me?”

The Servicedesk employee responds: “Of course Frank, what is your date of birth, just to check?” I reply with his date of birth. I always have the answers ready to most standard security questions. It’s simple hacking 101.

“Alright, I have reset your password”, the helpful girl says. “You will now be prompted to change your password after the first logon with the following password (…).”

I reply with a – well-meant – “Thank you!” and hang up the phone.

After connecting to the airport Wi-Fi from the lock screen, I log on with the temporary password that his helpdesk colleague has just given me. I create a random new password, and then I’m in. The first thing I see is the business proposal. I open his email and send all related documents to an anonymous email address, as my client requested.

I look around, no sign of Mr. De Wit yet. Great! Quickly, I draft a highly inappropriate email and send it to the business partner he is supposed to meet today. They will certainly no longer like him after this. That Oogle deal is over. Then, I press Window + L to lock the screen again.

When Mr. De Wit returns with the paper towels, I pretend to look for tissues in my own bag… “I am so sorry, Sir.”

My client will be very, very pleased today.

What went wrong?

⭐ Do not leave your laptop unattended, even when locked.
⭐ Be careful about sharing sensitive information online concerning work or customers.
⭐ Make sure your security policy includes multi-factor authentication (MFA) for password resetting.
⭐ Do not share personal identifiable information about yourself online, especially not information that is often used in questions to verify your identity. Examples are: date and place of birth, your mothers’ maiden name, social security number, driver's license number.

Contributor(s)

As a security consultant, Serena de Pater specialises in vulnerability scans to identify security risks in computer systems and software. Organizations use her recommendations to help enhance their cybersecurity posture. Through writing and blogging, Serena aims to make complex security topics accessible to a wide audience.

Topics
Cybersecurity
Related articles
How to outsmart ransomware
Cybersecurity
In the event of a ransomware attack, the consequences for an organization are often incalculable. Read th ...
No magic bullet to prevent data breaches – but check out these tips
Digital transformation Retail Finance Public Logistic
The number of reported data breaches in the Netherlands is increasing. That's not surprising: being a hig ...
City of light Eindhoven uses smart lighting
Digital transformation Public
In Eindhoven, Dutch City of Light, the brightest minds work together for a good cause. Together with TU D ...

Insights on technology