Ghosts in the Bank

John Skipper, Senior Consultant, Coalfire Labs

It was a dark night. A car pulled up in the parking space next to me and quickly extinguished his lights. I looked out the my window and saw the driver. He gave me a quick nod and we exited our cars. Opening the trunk I pulled out my tools for the night. A backpack full of trash bags, a flash light, gloves, a tarp and oily rags taken from the garage. We walked in the warm summer air up a hill and to the street corner where the target was finally in view. There was the bank. Tonight was just recon, getting a lay of the land and some dumpster diving. We approached the bank and made a quick walk around the block identifying windows, entries and exits and connecting the dots of what I found on Google Maps. By the cover of trees we started down an embankment towards the dumpster, but we spotted a police car. Trying not to cause any suspicion, we quickly made our way back to the sidewalk and walked away from the bank. My heart was racing. I didn't want to fail even before we started. After walked a half block we circled back and hurried down the embankment again. Entering the dumpster enclosure I could relax. No one would be able to see us from here. We brought out our flashlights and opened the dumpster lid -- just two bags of trash.

"Let’s just take the bags," my co-worker said.

Each of us grabbed a bag and made our way back to our vehicles. Once again I could feel my heart rate shoot up. Here I was carrying an oozing bag down the street by a bank. We encountered no issues though. We loaded the bags on top of the tarp in the back of the car and headed home.

On the back porch we gutted the bags, sifting through bloody Kleenex, half drunk venti mocha Frappuccino’s and who knows what else.

"Jackpot! Take a look at this, " I said.

Peering into the dark night lit only by flashlights we saw the nightmare of any trusting customer: a photo copied check with the account number routing number, signature, names of the account and the address of the account holder; everything needed to take over accounts, withdraw money from the accounts or steal an identity.

We continued to exhume the contents of the bank's dregs and found usernames, passwords, account numbers, delivery notifications, all information that could be used for social engineering attacks on the bank or its account holders.

Two nights later I returned. A similar scene repeated. A car parked next to mine some distance away from the bank. I looked over at the driver but instead of a nod it was a smile -- an evil grin for what was about to happen. We were going to break in. We confidently strode to the main entry. My colleague pulled out his lock picks and began to probe the internals of the door lock. Within minutes the door was unlocked. We quickly went over our ghoulish plan. Having done recon previously, I knew the quickest path to an office where we could deploy a device that phones home giving us remote internal access. We opened the door and ran to the next, in one fell swoop it was shimmed and now had entered the belly of the best. Time was not on our side, we thought. Quickly deploying our device I started to take pictures of passwords on sticky notes to applications used by employees. Pushing our luck my cohort proceeded to unlock bins of documents marked for shredding and office doors with loan and mortgage documents in plain sight. I noticed users had login credentials taped to docking stations. Knowing time was running out, I logged in. My accomplice returned and remarked at the time. We had now been there around 15 minutes. But we couldn't leave, as if possessed by some demon we needed more! We left the office and proceeded to the teller's area. We climbed over the teller's counter; the adrenaline was flowing freely now! We bought our picks and were about to open some lock boxes when I heard a creek and a thud.

"Someone is here," I said.

We made our way out of the teller's area. I knew at any moment a Frankenstein of a police officer would be upon us and it would be game over. To my surprise a man wearing a wrinkled polo with the bank's logo appeared instead.

"What's going on?" he demanded.

Reaching in my pocket to retrieve my authorization letter my confidant replied, "Just finishing up cleaning."

The shocked look on the employee's face gave me time to get back into the game.

"Cleaning? You're finished cleaning?"

We nodded our heads.

"There are alarms going off, do you not have alarm codes?"

"Sorry," I said, "We are subbing tonight. We didn't have alarm codes. A lot of financial institutions we work for delay the alarms for an hour or two giving us enough time to clean and when we leave the alarms are then armed. We are doing out normal route plus this one and we are behind. We're very sorry, but we are done."

"You can walk us out if you would like," added my co-worker.

"Who do you work for?" The puzzled bank employee asked.

Without skipping a beat I said, "Cleaning Pros."

My companion emphasized again we were done and he could walk us out. The guard concurred! He lead us to the door and into the vacant parking lot and like apparitions, we disappeared from the scene.

John Skipper


John Skipper — Senior Consultant, Coalfire Labs

Recent Posts

Post Topics