// Phase 01 - Reconnaissance
Venue Scouting
Before any attack, the adversary identifies and evaluates locations with high concentrations of target behaviour - credential entry, payment processing, or screen-based work. The ideal venue combines proximity, cover, and predictable victim patterns.
- Assess density: busy spaces reduce suspicion, but overcrowding blocks sightlines
- Map seating arrangements - bench rows, back-to-back chairs, or standing zones
- Identify cover props: newspapers, menus, a phone angled as if in use
- Evaluate exit routes to avoid confrontation after a capture
- Note lighting conditions - bright screens in dim rooms are highly visible
// Attacker Decision Matrix
High Value: Airport lounges, bank ATM vestibules, corporate café concourses
Moderate Value: Public libraries, co-working spaces, fast food restaurants
Lower Value: Isolated venues with few targets and high staff attention
82% of people never use privacy screens in public
30ft max camera-assisted observation distance
// Phase 02 - Target Identification
Selecting the Mark
Not all targets are equal. Attackers perform rapid visual triage to identify individuals with high-value access signals - corporate laptops, premium devices, work-branded accessories, or visible corporate ID badges that hint at the person's role and the systems they can reach.
- Corporate laptops with company stickers or asset/security tags signal business access
- Visible ID badges or lanyards identify the employer, which often maps to known systems
- Professionals on video calls inadvertently display names, org charts, and dashboards
- Individuals entering PINs at POS terminals are immediate financial targets
- Users logging into several systems in one sitting suggest sysadmin or developer-level access
// High-Value Target Indicators
target_score: {
  corp_laptop:    +40pts,
  visible_badge:  +30pts,
  work_call:      +25pts,
  multiple_auth:  +35pts,
  facing_crowd:   -20pts,
  privacy_screen: -80pts
}
54% of workers use corporate devices in public weekly
3min avg. attacker target assessment time
// Phase 03 - Positioning
Optimal Angle & Cover
Successful shoulder surfing depends on establishing a position with a clear sightline to the target's screen or keypad while maintaining a plausible, innocuous presence. The attacker minimizes movement and blends entirely into the environment.
- Optimal angle: 30–60° behind and slightly elevated above the target
- Cover behaviour: appear to be reading, on a call, or using their own device
- Camera technique: phone held at waist height, angled toward the target screen
- Mirrored sunglasses or reflective surfaces used for indirect observation
- Patience - wait for a moment of extended credential entry
// Sightline Geometry
IDEAL  45° rear-elevation, 3–8ft
GOOD   Adjacent seat, slight angle
OK     Directly behind, same level
POOR   Head-on / face-to-face angle
FAIL   Privacy filter installed
// Cover Props Used
- Newspaper / magazine held upright
- Own phone positioned as a video camera
- Reflective sunglasses for an indirect view
- Smart glasses with a built-in camera
- Open laptop angled toward the target
// Phase 04 - Active Observation
Harvesting Credentials
With position established, the attacker actively captures credentials through direct observation or recording. This phase exploits distraction moments - phone notifications, conversation interruptions, or fatigue - when the victim's guard drops and credential entry is most likely.
- Password fields: observe the keystrokes, not the masked characters on screen
- PIN pads: watch the finger travel pattern across the physical keypad layout
- Pattern unlock: phone swipe patterns are visible from 10+ feet away
- MFA codes: a TOTP code is valid only for its 30-second step (plus any adjacent-step tolerance the verifier allows), so the attacker relays it in real time via a phone call to an accomplice already sitting at the login prompt
- Credit card details: shoulder surf while the victim types into a checkout form
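The 30-second window in the MFA-code bullet above is worth seeing in code. The following is an added example, not code from the original page: a minimal RFC 6238 TOTP implementation with a verifier that accepts one adjacent step (a common clock-skew allowance), used to show how long a code read off a victim's screen at a given instant stays usable. The secret is the RFC 6238 Appendix B test key, the timestamps are constructed, and the function names (`totp`, `verify`, `relay_window`) are this example's own.

```python
# Added example (not code from the original page): why a shoulder-surfed MFA code
# is only useful inside its 30-second step, and how a verifier's adjacent-step
# tolerance stretches that relay window. Implements RFC 6238 TOTP over RFC 4226 HOTP.
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 6238 Appendix B test key (ASCII "12345678901234567890").
DEMO_SECRET = b"12345678901234567890"
STEP = 30    # TOTP time step in seconds
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def seconds_remaining(unix_time: int, step: int = STEP) -> int:
    """Seconds until the code shown at unix_time rolls over to the next one."""
    return step - (unix_time % step)


def verify(secret: bytes, code: str, unix_time: int, tolerance: int = 1,
           step: int = STEP, digits: int = DIGITS) -> bool:
    """A typical verifier: accept the current step and +/- `tolerance` adjacent steps
    to absorb clock skew. tolerance=1 is common; it is also what lengthens the
    attacker's relay window."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-tolerance, tolerance + 1)
    )


def relay_window(observed_at: int, tolerance: int = 1, step: int = STEP) -> int:
    """Latest unix time at which a code read off the victim's screen at `observed_at`
    is still accepted by a verifier with the given tolerance."""
    rollover = (observed_at // step + 1) * step   # when the observed code expires on the device
    return rollover + tolerance * step - 1        # verifier still accepts the previous steps


if __name__ == "__main__":
    # Simulated observation at the RFC test instant t=59 (one second before rollover).
    seen_at = 59
    code = totp(DEMO_SECRET, seen_at)
    print(f"victim's screen shows {code}, {seconds_remaining(seen_at)}s left on the device")
    for t in (seen_at, 89, 90, 120):
        print(f"t={t:>3}: accepted={verify(DEMO_SECRET, code, t)}")
    print(f"with tolerance=1 the relayed code works until t={relay_window(seen_at)}")
    print(f"right now: {totp(DEMO_SECRET, int(time.time()))}")
```

The point the numbers make: a code observed one second before rollover is still accepted 30 seconds later when the verifier tolerates one step of skew, so "the code expires in 30 seconds" understates the attacker's window by up to a full step. Verifiers that also reject a code once it has been used (replay protection) close the other half of the gap: the relayed code then fails if the victim submits it first.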
// What Can Be Captured
- Critical: VPN passwords, SSO credentials, banking PINs
- High: Email logins, MFA codes, unlock patterns
- Medium: Card numbers, personal PINs, app passwords
91% of people never scan their surroundings before typing passwords
7sec avg. time to observe and memorize a 6-char password
// Phase 05 - Data Recording
Logging Stolen Data
Captured credentials must be recorded before memory decay. Sophisticated attackers use covert recording tools; opportunistic attackers memorize or use subtle notation methods. Data is correlated with target identification details gathered earlier.
- Video recording: phone or glasses footage reviewed in slow motion after the attack
- Discreet notation: typing into a notes app while appearing to send a message
- Memory technique: chunked memorization (first 4 chars, pause, last 4)
- Target context logged: employer, visible app names, device type
- Rapid exfil via AirDrop or encrypted messaging to a handler if team-based
// Covert Recording Tools
- Smartphone camera - silent shutter, zoom lenses
- Smart glasses - Ray-Ban Meta, custom builds; the recording indicator is small and easy to overlook in a busy venue
- Wearable cameras - disguised as watches, badge clips, pens
- Screen capture apps - for insider threat scenarios at shared workstations
// Detection Risk at This Stage
Very Low - Recording appears identical to normal phone use. Without active CCTV review, covert cameras are rarely identified. Most victims never know they were observed.
// Phase 06 - Initial Access
Using Stolen Credentials
With credentials in hand, the attacker attempts access immediately, before the victim changes the password or anyone is alerted. Speed is critical; attackers typically attempt access within minutes, from a different device and network, to avoid any physical association with the venue.
- Immediate login attempt from a separate device on a different network
- VPN credentials used to enter the corporate network directly
- Banking PIN used alongside a cloned or stolen card at a nearby ATM
- Email login grants access to password reset flows for linked accounts
- SSO cascade: one credential unlocks Slack, GitHub, AWS, Salesforce simultaneously
// Access Timeline (Minutes)
[T+0:00] Credential observed + recorded
[T+0:03] Attacker exits venue / moves away
[T+0:08] Login attempt - VPN / email
[T+0:11] SUCCESS - session established
[T+0:15] Inbox rules modified, data copied
[T+1:00] Password reset links issued
[T+???] Victim unaware - no alert fired
<10m median time from credential capture to first use
0% of shoulder surfing observations generate IDS/IPS alerts - the capture itself produces no network telemetry, and the login that follows is a valid credential used correctly, so the signal lives in identity and audit logs (new device, new source, new inbox rule) rather than in network sensors
// Phase 07 - Escalation & Pivot
Deeper Network Access
A single observed credential is often just the entry point. Attackers leverage initial access to escalate privileges, pivot across systems using SSO and credential reuse, and establish durable persistence - transforming a brief moment of physical observation into a sustained breach.
- SSO abuse: an enterprise login unlocks dozens of SaaS platforms simultaneously
- Credential stuffing: reuse the observed password across other services
- Password manager compromise: an observed master password exposes every stored credential once the attacker can also reach the vault (the unlocked device, or the sync account plus any MFA protecting it)
- Register persistent OAuth apps to survive future password resets
- Internal phishing from the compromised account to gain higher-privilege access
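The Access Timeline in Phase 06 (new-source login, then inbox rules modified, then password reset links) and the OAuth-app persistence bullet above describe the only footprint a shoulder-surfing attacker leaves that a defender can see. The following is an added example, not code from the original page: a small correlation rule that raises a medium alert for a login from a source IP outside the user's baseline and a high alert for any persistence-type change (inbox rule, OAuth consent, password reset, new MFA method) within an hour of such a login. The event schema, the sample events, the baseline and the rule names are constructed for this example; map them onto your own identity-provider and mailbox audit feed.

```python
# Added example (not code from the original page): a correlation rule that turns the
# post-access steps in the Access Timeline (login from a new source, inbox rule change,
# OAuth consent, password reset) into alerts. The event schema, the sample events and
# the rule names are constructed for this example.
from collections import defaultdict

# Constructed sample events: (minutes_since_start, user, event, source_ip, detail).
# Alice's events mirror the Access Timeline; Bob is a benign control case.
SAMPLE_EVENTS = [
    (0,  "alice", "login",                 "203.0.113.10",  "managed laptop, office Wi-Fi"),
    (5,  "alice", "login",                 "203.0.113.10",  "managed laptop, office Wi-Fi"),
    (8,  "alice", "login",                 "198.51.100.77", "unmanaged device, VPN portal"),
    (15, "alice", "inbox_rule_created",    "198.51.100.77", "forward to external address, then delete"),
    (40, "alice", "oauth_consent_granted", "198.51.100.77", "third-party app: Mail.ReadWrite offline_access"),
    (60, "alice", "password_reset",        "198.51.100.77", "self-service reset"),
    (3,  "bob",   "login",                 "203.0.113.22",  "managed laptop"),
    (9,  "bob",   "inbox_rule_created",    "203.0.113.22",  "move newsletters to folder"),
]

# Constructed baseline of source IPs previously seen per user (normally learned from
# the last N days of successful logins; in production key this on ASN/geo/device too).
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.22"}}

# Changes an attacker makes to keep access or to exfiltrate after the first login.
PERSISTENCE_EVENTS = {"inbox_rule_created", "oauth_consent_granted",
                      "password_reset", "mfa_method_added"}
WINDOW_MINUTES = 60


def correlate(events, known_ips, window_minutes=WINDOW_MINUTES):
    """Return alerts in time order per user: a medium alert for each login from a
    source IP not in the user's baseline, and a high alert for each persistence-type
    change that follows such a login within window_minutes."""
    alerts = []
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)

    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[0])
        seen = set(known_ips.get(user, ()))
        new_source_logins = []          # (time, ip) for logins outside the baseline
        for t, _, kind, ip, detail in evs:
            if kind == "login":
                if ip in seen:
                    continue
                seen.add(ip)            # report each new source once
                new_source_logins.append((t, ip))
                alerts.append({"user": user, "time": t, "severity": "medium",
                               "rule": "login_from_new_source", "ip": ip, "detail": detail})
            elif kind in PERSISTENCE_EVENTS:
                # Attribute the change to the most recent new-source login inside the window.
                for lt, lip in reversed(new_source_logins):
                    if 0 <= t - lt <= window_minutes:
                        alerts.append({"user": user, "time": t, "severity": "high",
                                       "rule": "persistence_after_new_source_login", "ip": ip,
                                       "detail": f"{kind} ({detail}) {t - lt} min after login from {lip}"})
                        break
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"[{a['severity']:>6}] t+{a['time']:>3}m {a['user']:<6} {a['rule']:<36} {a['detail']}")
```

On the constructed input, Bob's inbox rule from his usual laptop produces nothing, while Alice's unknown-source login is followed within the window by three high-severity changes. The first of those, an inbox rule that forwards externally and deletes, is the step that would otherwise hide the password-reset mail from the victim; alerting on it seven minutes after the new-source login is the realistic place to catch the attack the page describes as "no alert fired".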
// Password Manager Attack
The single most dangerous shoulder surfing scenario: if an attacker observes a password manager master password and can also reach the vault (the victim's unlocked device, or the vault provider's login where the master password alone unlocks it), they gain access to every stored credential - email, banking, corporate VPN, cloud infrastructure - in a single cascade. One observation can amount to total account takeover, which is why MFA on the vault account and device-bound unlock (biometrics, hardware keys) matter more for a password manager than for any single account it holds.
65% of users reuse passwords across multiple accounts
197d avg. dwell time before a breach is detected