Lebanese Kush: Analysis of a Real Bank Break-In Case

24 January 2025 9 minutes Author: Cyber Witcher

The article tells the story of a real-life bank break-in, conducted by penetration tester Jason E. Street to test security and educate employees. You will learn how social engineering techniques such as fake IDs and code-running devices are used, as well as what mistakes can lead to serious consequences. The article emphasizes the importance of training, awareness, and education of staff to protect against such threats.

What happened there?

This article is about the story of a physical break-in at a bank in Lebanon. Although the details are based on the expert’s personal accounts, it’s easy to believe them, as the story has gained a lot of publicity 🙂

If you’re curious about how social engineering was used to test the physical security of a bank, we invite you to delve into the details below!

What kind of projects are these?

Physical penetration projects on a customer’s premises are among the most interesting and exciting tasks! The author of these lines has experience in performing such tasks, so he speaks from his own practice. Jason E. Street is, without exaggeration, one of the most famous experts in this field, with dozens of such projects to his name.

The main goal of such operations is usually to gain access to computers in the customer’s office or to set up a remote connection to the corporate network. For this purpose, a hidden mini-computer, for example, a Raspberry Pi with a modem and a SIM card, is often used.

  1. Do not show any documents.

  2. Do not resist security. There is usually a work contract or a letter of authorization (LOA). The letter or contract states that the person is doing legal work, so there is no need to beat them or hand them over to the police; instead, the management of the customer’s company should be contacted.

Our main character operated under similar conditions. However, his goal was slightly different: not to check the possibility of gaining access, but to train employees! Therefore, he expected to be caught by the end of the project.

First project

Lebanon. The country is constantly in the news now, but at the time of the project it was much calmer and quieter. Jason had already done one project at a bank there, and on that occasion:

  • He pretended to be an employee of the head office and calmly walked around three branches.

  • In one branch, he got the manager’s personal login and password, and also took all the documents he wanted.

  • In two branches, he executed “malicious” code on the machines of the managers and one supervisor.

  • From the third, he even took the computer!

Then no one stopped the hacker.

Very fast start

This project took place a few years later, in 2021, in another bank in Beirut. Jason successfully “hacked” the first branch of this bank in the morning, but one of the managers, offended by the failure of the security system, decided to act at his own risk. He personally called all the large branches of the bank, warning of a possible “hack”. Of course, this move was not entirely sporting, but Jason quickly adapted to the situation: he decided to choose a small branch where he was not expected. And he was not mistaken!

Since most of the signs in Beirut are in Arabic and French, which Jason did not know, he was provided with an escort. This person spoke three languages excellently, showed the way and, most importantly, served as a guarantee of the legality of the project, so that if anything went wrong the hacker would not be arrested. But that day Jason was in a big hurry, because before the task he had drunk a one-and-a-half-liter bottle of Diet Pepsi! The escort pointed him in the right direction and said, “The bank is at the end of the street, I’ll be there in a few minutes.”

While looking for a toilet on the way to the bank, Jason couldn’t make out most of the signs and didn’t see the familiar WC sign. Already at the limit of patience, he ran to the nearest bank office at the end of the street, went up to the second floor and finally found a toilet. After that, he looked around the room from above and began to plan his demonstration attack.

Documents can’t be used, but fake letters? Badges? You can! These are not de jure documents. So Jason got out his fake Microsoft badge. His goals were threefold:

  • Run any code on the employees’ machines and show them.

  • Take the computer out of the office.

  • If he is detained, see if they will believe his fake “authorization letter” and let him go.

For the first task, he used Rubber Duck, a well-known tool for legal hackers that looks like a flash drive but executes code. manager’s view.

All Jason’s Rubber Duck code did was print the message: “Hey, that wasn’t supposed to happen!” Jason would show the result to the manager and move on to the next computer, although one hacked PC would have been enough to pass the test.

Suspicions began to arise at the third computer. Employees asked who he was and where he was from. Jason, in keeping with his cover story, introduced himself as a Microsoft representative and pointed to his badge. He explained that he was conducting an audit in connection with a merger of companies, but that the information was still confidential. To increase credibility, he showed a fake letter on the iPad, supposedly from the bank’s CFO, who was also the daughter of the owner of the institution. The letter looked very convincing, because reading text from a tablet usually inspires more trust than from paper. But, despite all his efforts, he was not believed and was invited to see the manager. What went wrong?

In the manager’s office, Jason decided to move on to his third task – escape. He tried to convince the manager, using a forged letter, to let him go. When that failed, he said that he needed the documents from the car, and left the bank, never to return.

However, there was also a plan for the theoretical scenario of failure. If the manager did not agree to let him go for the “documents”, the escort would step in, explain the situation and protect Jason. In this case, the manager would be praised for his vigilance. But the question remains: where was the escort this time?

The wrong door

Jason could not even imagine that such a turn of events awaited him. The bank manager, having carefully studied the “documents”, said with a sad but stern intonation: “Everything is clear, but this is a letter for the neighboring bank. And what have you been doing with our computers?!”

As it turned out, the two banks in the building used the same corporate colors. Jason, accustomed to ignoring signs that were mostly not in English, simply entered the wrong door. In his haste and inattention, he had entered a bank that was not even the subject of the test. And now, faced with a question he didn’t know how to answer, Jason could only say: “That’s sad.”

The manager invited the hacker into his office, where he was seated in a chair. Six employees gathered around him, speaking Arabic with great emotion, and the situation became increasingly tense. In an attempt to somehow justify himself, Jason decided to show what he had been doing. He connected the Rubber Duck to the manager’s computer, and the familiar message appeared on the screen. However, instead of defusing the situation, this only made things worse: he had just “hacked” yet another computer, which added fuel to the fire. The expressions on the faces of those present became even more severe. In desperation, Jason declared: “Google me, I’m known for doing things like this!” But it seems that his words went unnoticed.

The escort was at the neighboring bank at that time, believing that Jason was already discussing everything with the manager. When he realized that the hacker was not there, he went looking for him and found him in the midst of a conflict. Even the escort’s arguments did not make much of an impression. In the end, the bank employees suggested that everyone go to the main office to clarify the situation, which was a better option than calling the police.

Jason was saved by the fact that the code on his Rubber Duck was completely harmless, so there was no crime. And, fortunately, he didn’t have time to take the computer out of the department, which could have significantly complicated the situation.

All his violations were:

  1. Entering a restricted area.

  2. Lying to bank employees.

Jason explained the whole situation to the security chief again in detail: he told what exactly he had done, why he had succeeded, what mistakes the bank employees had made, and patiently answered many questions, trying to look as friendly as possible.

After four hours spent in the security chief’s office, the managers of both banks came to an agreement – they decided to share the costs between themselves to resolve the conflict. For security reasons, immediately after Jason left, all the computers of the managers and the manager of the accidentally “hacked” branch were wiped clean. In the world of banking, where competition is very high, this seemed logical. But the main thing is that Jason did not have to “test” the security of the Lebanese prisons.
