From Trash to Treasure: How a Hacker Exploited Discarded Wi-Fi Credentials
A female hacker infiltrated a large office building in a major city to steal confidential data, bypassing both the physical barriers and the corporate Wi-Fi network. Hacking, however, proved unnecessary: the doors and elevators were left unlocked.
Alethe Denis, posing as an employee, ascended to the desired floor without a pass. The office door was ajar, and the guard at his post paid no attention to her presence. Once inside the conference room, she deployed a pre-configured malicious device. The previous evening, Denis had discovered the login credentials for the Wi-Fi network in the building’s trash bin. After connecting the device to the network and concealing it behind a television in the conference room, Denis was able to extract company data for a full week over the company’s own network.
In this instance, the device was under the control of a security team hired by the building’s owners to assess the efficacy of their physical and cybersecurity measures. The hacker, Alethe Denis, is a senior security consultant at Bishop Fox, specializing in physical security assessments. Denis is also widely recognized as a winner of the Social Engineering Contest at DEF CON, which earned her a place in the Black Badge Hall of Fame.
Denis is an expert in penetration testing, often utilizing social engineering tactics. While many of her attacks are conducted via phone or email, she most enjoys in-person interactions. This allows her to create convincing personas and invent complex pretexts to deceive her targets. Denis frequently impersonates former or current employees, as well as vendor representatives, to gain access to corporate networks.
On one assignment, Denis’ team needed to infiltrate a software vendor’s building. They posed as contractors tasked with evaluating the surveillance system. A fake company was created, along with phone numbers and work orders. Everything proceeded as planned until the security manager at the reception desk became suspicious and called in a colleague — a security expert who had written a book on covert surveillance. As a result, the ruse was uncovered, and Denis’ team was forced to leave the premises.
Despite modern technologies like artificial intelligence and deepfakes, the most effective social engineering techniques remain direct conversations — by phone, email, or in person. Denis notes that the tactics used by malicious actors differ significantly from those typically covered in security training sessions. New AI-related tools do not always pay off, and some criminals revert to traditional methods like voice phishing (vishing).
The primary goal of a cybercriminal is to provoke an emotional response in the victim. Attackers often send emails that seem to outline company policies, but in reality, these messages contain malicious files. According to Denis, the key objective of social engineering is to exploit a person’s emotional reaction to gain access to their login credentials.
In red team operations (engagements in which a security testing group plays the attacker), the same methods used by real attackers are employed to bypass phishing detection systems. Phone calls are also commonly used to reinforce the cover story: after sending an email with a malicious attachment, for instance, the attackers may follow up with a call persuading the victim to open it, claiming the email was forgotten or had not been sent earlier. To avoid falling victim to such attacks, Denis advises asking questions, which throws the attacker off script and can thwart the attempt.