How a professional thief used LinkedIn to gain access to a secure facility

Sophie Daniel might look kind enough, but she is a “professional thief” with a troubling account that will make you re-evaluate how you use LinkedIn.

She has a number of fake LinkedIn profiles that you could already be connected to.

Her plan is to find information on people to cross-reference against other social media sites.

It didn’t take long before she found her target — an assistant at a manufacturing facility only known as Mary.

A quick search revealed Mary’s Facebook was public and offered information on where she went to school, her mother’s maiden name and the names of her pets.

It also gave information on where Mary worked, where her kids went to school and a plethora of other personal information.

“This is not an advanced investigation. I’m not a private investigator and I don’t have the resources of the NSA. But I can do a lot of damage with simple methods,” the woman told Motherboard.

The woman in question is Sophie Daniel — a physical penetration tester and information security consultant who specialises in social engineering.

She had been hired by an employee to evaluate the security of their facility.

Sophie had already studied the area and discovered that the facility had armed guards, badge readers, biometric security controls and turnstiles at every entrance.

So this is where LinkedIn came into play. One of the things Sophie had noticed when studying Mary was her passion for children — something she would use against her.

“I called the front desk of the manufacturing facility and was transferred to Mary. ‘Hi Mary!’ I said. ‘My name is Barbara. I am a project co-ordinator with facilities management. We are renovating a few of our facilities. We are sending an interior designer out to you tomorrow so she can put together proposals to update your space,’” she explained.

Mary was growing suspicious and questioned why there was such short notice for the visit.

Sophie replied saying she forgot to call sooner because she had been stressed with work and had a baby due in six weeks. Mary agreed to help and asked questions about the baby.

“Mary took down the name of the ‘designer’ who was coming by the next day and we said our goodbyes,” she explained.

Sophie arrived at the location the next day as “Claire” — a designer from a fictional architecture firm she had made business cards and a website for.

“When I arrived, Mary and her boss were waiting for me with smiles. I shook hands all around and handed them the business card I printed out the night before. I was given a visitor badge and the red carpet was rolled out,” she said.

She built rapport with the staff there by asking them what they wanted in an office and was given complete and unaccompanied access to the facility.

For several hours she picked her way through cheap locks and stole several thousands of dollars in physical primitives.

She then returned to Mary and asked where she could find the office centre. Mary offered to take her there, but suggested she join her and other team members for lunch. They had tacos.

Back in the facility, Sophie tracked down the office of the man who hired her.

She knocked on his door and introduced herself as Sophie from Sincerely Security. The man was shocked by the fact she was able to navigate around the security to enter his office.

“We stayed in his office and talked for a long time. I went over exactly the steps that could have prevented my success. First of all, the desire to help others is human and natural. We don’t want to discourage that,” she said.

“Second, I’m sure they did have some sort of policy that required visitors to check in showing government issued identification, but they weren’t following it.”

Sophie has now been doing this job for a couple of years and said almost every job is a variant of this story — something that should act as a cautionary tale.

