Attack Vectors – Pt. 2 (Active)
As I prepared to write this week’s article, I realized that this section is really an introduction to a very powerful yet often unknown art known as social engineering. Social engineering is the science and practice of exploiting human psychology for a purpose unknown to the target. Think “con man”. Although you rarely hear about these forms of attacks in regards to a data or network breach, you can be assured that these tools were used in most if not all of them. One sentiment that I always go back to when discussing this subject is:
You don’t have to have a high level of technical expertise if you can be physically in front of the server or if someone will tell you their password.
In this post I will be briefly touching on various methods of social engineering. One of the best things you can do to protect your company is educating yourself and your employees. Periodic training and auditing is essential to introduce these protective skill sets to your users. A lot of times just having a basic awareness is enough to alert your people to a potential threat. The following descriptions are very brief and basic and are only the tip of the iceberg.
I also included some amazing resources at the end of this article for much more information on this subject.
This attack takes advantage of the tendency we all have to assume that if someone looks the part, knows the lingo or has some internal information, that they should be trusted. Pretexting is when an attacker creates a scenario or persona(usually both) using as much factual information as possible to make the target assume they are legitimate. Pretexting can be complex, with attackers doing vast amounts of research and information gathering so they can be prepared to respond to any questions or suspicions from their targets. These operations could include getting a phone call from a trusted third-party, a new co-worker needing assistance from another branch, or it could also be as simple as wearing a delivery uniform. Business casual attire, an ID tag and a clipboard is often all it takes to get absent-mindedly admitted to a secure area. If that doesn’t work, maybe say the receptionist needs to step out side to sign for the delivery before it can be unloaded. Then their partner can slip in without anyone seeing.
Quid Pro Quo
Quid pro quo is one of the most commonly utilized social engineering attacks and can be seen as a subset of pretexting. A popular variant of this exploit is the fake tech support or help desk call. This vector is less sophisticated than others because it relies on chance more than finesse. The attacker knows that if they make enough calls, they will eventually find someone who is truly waiting for a callback from the help desk or tech support. When the attacker is “helping” you, they get you to unwittingly open further access to your computer or network.
Another basic form of pretexting, this is another highly used tool in the field. This is most successful with large organizations with a lot of employees and with buildings that require scanning a proximity card to open the door. Attackers will do basic reconnaissance to see the baseline dress, behaviors and sometimes even forge ID badges of the general users. They might join a group in the smoking or break areas outside. Then when a few people head back inside, the attacker will join them and walk in without scanning an ID badge. Even though most companies with electronic key access doors will always train employees to not let people in without everyone scanning their ID badge, most people would rather avoid feeling like they’re being rude and not insist others scanning also. Another popular tactic is follow a group in while holding a large box and rely on human kindness and a polite employee to hold the door for you. That can be all that you need to distract from the necessity of scanning your proximity card.
It should be noted that multiple layers of security should be always be employed. If I was performing a penetration test on a large company that only relied on external proximity doors, I’d take the time necessary to forge an ID badge and even have a proximity card on my lanyard. In my left sleeve near my wrist there would be a piezo beeper. This is the hand I hold my ID badge in when scanning in. I’d tailgate in with a group of smokers and as I passed the fake proximity card next to the scanner, a momentary switch in my right hand activates the piezo and completes the illusion.
Using email to get private information, access to systems or to scam victims is something we should all be familiar with these days. These attacks can be broad and massive “shotgun” approaches targeting whole organizations or they can be surgical and specialized “spear phishing” emails tailored to appeal to specific targets.
The methods of leveraging access to data and information using phishing can come in a few different forms:
- Links: You get an email that looks like a request from a financial institution or trusted company for you to login and update your personal information. Attackers craft fake sites that look and operate identically to real sites. Some just return errors when submitting user names and passwords to get users to enter other passwords they use. Some more complicated variants actually log your user name and password and pass you along to the real site so you don’t have any idea anything happened.
- Attachments: You might get an email from someone with a file they want you to open. Commonly a PDF, exploit payloads can be added to a variety of file types. Accessing these files grant system access to the attackers on a variety of levels.
- Images: If you’ve ever wondered why many webmail and email clients are increasing blocking images, included embedded, from displaying unless the sender is in your whitelist or contacts is because of what they can do. Spammers use this technique see when the embedded image is downloaded from their server and verify your email address is active. Attackers also use the log data on those servers to see what IP address requested the download and in some cases gather other details about your system. There are also viruses known to activate through an image loading: JPEG Vulnerability: A day in the life of the JPEG Vulnerability
Vishing, in my opinion, takes two forms: active and passive. Both involve manipulating interactive voice response (IVR) systems or voice mail systems.
Advanced active threats take the form of rogue IVR systems that mimic legitimate companies and make outbound calls to targets. You could also receive a phishing email with a number to call for assistance that connects you to a rogue IVR. Attackers setup full IVR phone trees and systems that react exactly like ones you’re used to. You could be prompted to enter account numbers and PINS to “verify” your identity and this information will be logged for future nefarious use. Some can even connect targets to attackers impersonating tech support or customer service to escalate the scam.
Passive vishing, which in my definition includes voicemail hacking is definite area of concern. Almost all voicemail systems, including the ones used by cellphones and office telephone systems, allow remote retrieval of messages and management using a user defined PIN. Attackers can explore IVR systems or corporate directories and attempt to guess or brute force the PIN. Usually all someone has to do to guess the PIN is employ open source information gathering. Make sure you PIN isn’t something someone could easily deduce such as dates or default settings. Never use: 0000, 1111, 1234, etc.
SMiShing is using text messages instead of emails to accomplish the same goals as phishing:
Also called “baiting”, attackers will leave USB thumb drives, CDs/DVDs, or other media in parking lots, break rooms, or common areas. Relying on our natural human curiosity, most people can’t resist seeing what might be stored on these devices. When they are used on an internal system a payload installs an exploit that allows further access into the target computer or network.
A commonly discussed tactic is to leave a CD with something like “Executive Salary Summary 2015” written on it. I’ve heard many speakers state that this particular tactic has a 90% success rate. Device payloads can also work in a “spear phishing” type approach, in the form of an anonymous gift or prize using the knowledge gained by open source information gathering. If your target loves sports, send them a personalized USB thumb drive that has their favorite teams logo on it.
If you’d like to learn more, the best resources I’ve found for education and training in this area are:
- Security Through Education
- Social-Engineer, Inc
- The Social Engineering Framework
- The Social-Engineer Podcast
If you have any specific questions or ideas for future posts, please send your ideas to firstname.lastname@example.org Thanks for reading. Stay safe.