The “Pizza” method – a social engineering Case Study

Press Release: November 25, 2019

  • Share This Article
  • Facebook
  • Twitter
  • Pintrest
  • LinkedIn
  • Mail

‘Eight pizza delivery boxes with 30% discount and a free gadget for the computer’. Hackers posing as pizza delivery carried on a successful social engineering attack on the Warsaw branch office of a well-known international corporation. In a few minutes, they hacked the IT system – effectively paralyzing the operations of the whole company.

In just Poland alone, every year about 20% of all Internet users face phishing attacks. The targets are, apart from banking and payment system users, Internet shop e-customers. This proves that the main target of the hackers is our money (the data by Kaspersky Lab). In any case, the hacker’s ‘business’ pays off, because according to Nest Bank information, as many as 30% of all Poles do not know what phishing is, while 32% feel that they know, even though they are not sure.

At the same time, the number of whaling attacks is still growing. ‘Whaling’ is more precise and sophisticated phishing that targets governmental institutions and large businesses. As the authors of the Verizon DBIR 2019 report state, today, high-ranking managers and company managers (that is the persons who have executive privileges and access to many reserved, sometimes critical IT infrastructure areas) are 12 times more exposed to attacks utilizing social engineering than only a year ago.

The most expensive pizza in history

Hackers use different methods to affect the theft of data important to them. This data includes, i.e., access data to bank accounts, PIN numbers or credit card CVC numbers, detailed personal data or – in the case of whaling – sensitive company data. Still the major, yet not the only vector of a cyberattack are e-mails, and one of the most popular forms are attacks using social engineering – that is attacks that are based on the human predisposition to unconsciously submit to outside influence. The directors and employees of a well-known, international corporation found this out when its Warsaw branch was attacked by hackers using the “pizza” method. Even though the company had a hardware and software security system of top world level, the cybercriminals managed to find a hole in it. How did the attack come about?

Information was sent to the e-mail addresses given on our internet site about the opening of a new pizza parlour in the vicinity and that there would be a 30% discount for the first few customers. Employees tempted by this offer quickly organized a “Pizza Day” and ordered eight boxes. The menu was on the www page of the pizza parlour, which later proved to be fake and had been created just to authenticate the existence of the new spot – ‘Adam’, the CEO of the attacked company ruefully admits (due to security reasons the name of the company is not disclosed).

What happened next?

After a few dozen minutes, a pizza deliveryman appeared with the pizza and a free gift in the form of USB plugged LED lamps that changed colours to the rhythm of the music. Nicely surprised with the gift, the employees immediately plugged them into their computers. They were unaware that in this way they gave the hackers remote access to the company’s computer infrastructure and they destabilised the operation of the whole system, and, consequently, of the entire company in just a few minutes.

How is it possible that a company featuring security at the top level could fall victim to the efforts of cybercriminals? The weakest, least predictable and at the same time most susceptible link failed, i.e. human beings – in this case, people unaware of the risk and incorrectly trained in cybersecurity – the employees of the company.

TestArmy CyberForces was behind the attack

Luckily for the employees, the “pizza” method attack proved to be a planned in advance, security system audit that was to reveal where the company was still at risk. As Szymon Chruścicki from TestArmy CyberForces, who on the order of the corporation had prepared the scenario of the attack and performed the social engineering test, states:

The attack scenario was based on a few simple steps. We started from creating a fake www site and then we ordered stickers with the name and logo of the pizza parlour. We used service e-mail addresses indicated on the web site of the attacked corporation. After receiving an order from the employees, our employee delivered pizzas bought from a local pizzeria, having stuck on the box containers, the logo of our fake one. We used the rule of reciprocity and sympathy to get the employees to undertake the planned action, in this case, it was connecting to their computers, lamps in which we had mounted prepared flash memory sticks containing malware. Outside the building, our specialist of cybersecurity waited, and as soon as he gained remote access to the hardware, he was able to encrypt all the data in the company system.

What was all this activity for? Let’s remember that the security system is as efficient as its weakest link, and for this reason alone, social engineering attacks are one of the most effective methods used by hackers. Simulations with the use of malware are necessary in order to fully understand the character of these hazards. On the one hand, they allow the discovery of holes in the security systems, and on the other hand, they train employees how not to become victims of the social engineering tricks used by cyber-crime hackers.
Famed examples from a few last months
There are multiple examples of effectively performed attacks using social engineering. To name just a few:

A few million Polish zlotych was lost by the Cenzin company, which belongs to the Polish Armaments Group after cyber-crime hackers posed as a weapon supplier from the Czech Republic. The employees did not verify the information sent by e-mail concerning changes of an account number to which Cenzin paid money for the purchased goods. Because of this, the financial transaction ended up in the hacker’s account.

Personal details of 20 thousand FBI employees and 9 thousand employees of the United States Department of Homeland Security were leaked after a hacker posing a new employee called the Justice Department asking to give him the access code to the restricted web pages of the institution. As a result, he received access to an internal network that included the mail addresses of government personnel and information concerning their credit card numbers.

One of the American banks suffered great corporate image loss after hackers broke into its mailing system. On being refused payment of a ransom, they commenced sending millions of spam mail. Due to this, the web service provider was forced to switch off the electronic mail service of the bank.

Hackers earned over 500 thousand dollars in 2018 using so-called “sextortion scams”, i.e. sending blackmail messages (usually from the address belonging to the victims) with a threat to make public, compromising films or photos of the victim that were allegedly in their possession, if the hacker did not receive the requested amount of money (the data by GlobalSign).
How to protect oneself against hackers? TOP 4 hints

1. Report and then remove all messages asking for personal details, logins and passwords. Mail like this is likely fraudulent.
2. Verify the e-mail senders before you send them the requested files or before you perform the requested activity. Do this not once, or twice but three times.
3. Set at high, the spam filters of your electronic mail.
4. Update your anti-virus software regularly and visit only safe web sites.
As Szymon Chruścicki, the cybersecurity expert of the TestArmy CyberForces sums up:

Let’s be watchful and cautious. Let’s invest in employee training and warn them continuously of opening unverified emails and attachments from unknown senders. If anything raises doubts, let’s report it to the company IT department. These are very simple actions that can protect the easiest thing that can be manipulated by hackers – human vigilance.

As the only plus that can be pointed out, we in Poland are not the main target of cyber-crime hackers. According to the data of Kaspersky Lab, the largest percentage of phishing attack victims live in Brazil, Australia, Spain and Portugal. Poland, at the level of 10.2%, is located more or less in the middle of the list.

  • Share This Article
  • Facebook
  • Twitter
  • Pintrest
  • LinkedIn
  • Mail