8.4. Hadnagy Case Study 2: The Theme Park Scandal
The theme park scandal case was interesting to me because it involved some onsite testing. I used many of the social engineering skills mentioned throughout this book and thoroughly tested them during this case.
It was also interesting because of the nature of the business and the potential for a successful scam. If successful, the social engineer could potentially have access to thousands of credit card numbers.
8.4.1. The Target
The target was a theme park that was concerned about having one of its ticketing systems compromised. Where patrons checked in, each computer contained a link to the servers, client information, and financial records. The park wanted to see whether the possibility existed for an attacker to use malicious methods to get an employee to take an action that could lead to a compromise.
The goal wasn't to get an employee in trouble, but rather to see what damage would result from an employee check-in computer being compromised. In addition, the goal was not to compromise the computers through hacking but through purely social engineering efforts.
If such a compromise could occur, what were the ramifications? What data could be found and what servers could be compromised? The park didn't want to go deep; it just wanted to find out whether the first stage, a social engineering compromise, could work.
To figure out whether a successful SE attack was possible, I had to understand the theme park's processes and methods ...