Industrial Espionage Tactics
I had an interesting conversation with a co-worker today. It was actually not security related initially but a side tangent really caught my attention. A friend of a friend does industrial espionage for a living (what a weird job, huh?). One of the tactics that he employs is to pretend he is an executive recruiter trying to hire away someone from the target in question. So he calls the person up, claiming to have a great job with a good company, and he basically sits, asks questions and listens. The people spill their guts. It makes you sick, doesn’t it? Social engineering at its finest.
But it occurred to me that there is really nothing stopping any social engineer from doing the same thing, outside of the scope of industrial espionage, of course. There’s no reason I couldn’t call an employee of some big company and claim I am some hotshot recruiter, giving them just enough information to get them enticed and asking exactly the types of questions I need answered. That would give me, as an attacker, enough to penetrate the system, given the known vulnerabilities the employee has given me information about. Verrrrrry interesting. Makes you think back to all those recruiters’ phone calls you’ve taken, huh?



January 17th, 2007 at 7:46 pm
You and I both know social engineers have already begun the exploitation of the common standing citizen to misgain his trust and get info. Sometimes for an interesting exploitation, someone would query on certain subjects from company individuals who pertain to gain info on not so worthy subjects.
To gain knowledge is one thing, but to misuse that knowledge is another. Seriously, what can we do to discourage these types of people from communicating? It seems our efforts are inevitable.
January 17th, 2007 at 10:51 pm
It all started with Seymor Butts…
January 18th, 2007 at 12:43 am
[…] RSnake writes in his blog ha.cker.org this time about industrial espionage. In his post he reports on someone who is an industrial spy by profession. An interesting job, I think. […]
January 18th, 2007 at 1:56 am
That proves the motto “Trust the Trusted”.
And you must reveal your CV full of confidential info only to trusted big companies, not a hotshot recruiter.
Also as a basic rule, do not answer the phone.
January 18th, 2007 at 6:48 am
Do not answer the phone… probably not very practical really, is it?
January 18th, 2007 at 7:57 am
This makes me scared with my CV online, working at NIST…
“I’m currently waiting for your call…”
January 18th, 2007 at 8:23 am
Haha id… you always seem to top it off ^^
Interesting viewpoint RSnake!
October 29th, 2007 at 2:18 pm
How about the company worker carrying his cellphone like everyone else?
http://www.c-h-a-o-s.com/2007/10/18/the-spyphone-and-remote-recording/
It’s scary what tools can be used for spying
- Niels