She may have cheerfully strolled into your company’s reception area holding a gift basket and a USB drive with a special message from the sender. Or she may have sent you an email claiming she’s a college student interested in an internship program. Did you plug in that USB drive? Did you open her attached résumé?
If so, you’ve just been “snowed” by master-of-disguise Stephanie Carruthers, chief people hacker with the IBM X-Force Red offensive security services team. But don’t panic – she’s one of the good guys, and she’s here to help your company and employees learn from their security mistakes.
Carruthers, aka “Snow,” uses her keen social engineering skills and a background in special-effects make-up (she said she once even gave herself a fake pregnancy belly) to convincingly adopt fake personas, both physical and virtual ones. She may show up to your place of business posing as an auditor, for example, intimidating employees into giving up company information to a stranger.
Carruthers also searches social media postings for pictures that might reveal sensitive company information in the background or show an employee with a badge or nametag that she can duplicate. And she uses her recon work to craft targeted and authentic-looking phishing emails to test the security-savviness of their recipients.
Back in 2014, Carruthers earned the coveted Black Badge award at DEF CON’s Social Engineering Capture the Flag Contest. Now, in this podcast, Carruthers shares with SC Media some of her tricks of the trade, as well as which phishing techniques tend to trick the most people, and the common mistakes employees often make at conferences and other public events that open them up to future attacks.