I recently had to visit the office of a customer just outside of Brussels. I knew approximately where it was. Since I didn't get any GPS signal, I had to ask for directions and I stopped at a hotel near my destination just to ask for final directions.
The hotel where I stopped is part of a big international chain. I walked up to the front desk where a lovely young lady called Marielle, according to her name tag (Dutch accent, the ring on her left hand on the ring finger indicated that she is most probably married), greeted me. I explained my problem. She didn't know where my customer was located so I social engineered her by simply asking if she had Internet access on her computer and if she had access to a website like Google Maps. While she was typing I noticed that on every screen in the left corner there was a post-it with the magic words user: username, password: password.
Suddenly my mind started working in a different way and just for fun I asked if I could come behind the desk to have a look at the Google map, and by looking at the screen I noticed that it was Internet Explorer.
So let's have a look at what we got:
- a name for name dropping
- a target who is susceptible to social engineering
- a browser, which has a good track record of being vulnerable
- a user name and password for something which will most probably be the application for managing the rooms
To say it with the words of Louis Armstrong ... What a wonderful world.