
Phishy Little Liars - Pretexts That Kill

BSidesSF 2020 · 21:56 · 704 views · Published 2020-03
Tags: Team: Red · Style: Talk
About this talk
Alethe Denis - Phishy Little Liars - Pretexts That Kill. The 'IT Guy' is the Nigerian Prince of pretexts. As bad actors begin to use more specialized pretexts, so too should pentesters use more specialized, custom pretexts during assessments. Learn to make custom pretexts that fly under the radar and won't raise any red flags, using target-specific data.
Transcript [en]

Welcome. This is Alethe Denis. She is a black badge winner at the SE CTF, she's also the founder of Dragonfly, and she's got an awesome talk for you. Please give her your respect and a round of applause.

Thank you all for being here. I really appreciate you taking time out of your happy hour to come join me to talk a little bit about pretexting. We're gonna jump right in, because I think that this day has been long enough for everyone and I want to give you the most bang for your buck. So this is me. My name is Alethe, and I'm kind of breaking the format of the show by telling you who I am from the start. But today we're going to be talking about developing pretexts using intelligence that we gather from open sources on the interwebs, and using that data to build a pretext that is custom to your target, quickly.

So the first thing that we're gonna do is look at the anatomy of a pretext. Then we're also going to look at pretext points of failure, and OSINT and SOCMINT, social media intelligence gathering, for pretexts. And then finally we're going to build a pretext using the information that we found. So, what this talk is not, really quick: it has been modified from its original version and format to run in the allocated time, so I am gonna speed through some stuff just so that we can reach the end of the talk without eliminating the meat of this talk. So the views and opinions that I express today do not reflect those of my employers, previous, past, present or future. This is also not a deep or extensive dive into OSINT or building rapport, and of course this is not for malicious use and/or legal advice.

So what is a pretext? A pretext is something that you are, something that you do, something you have, and then something that you need. The pretext is really built from what you need and a combination of what you have, and that's what we discover during the OSINT part: what you can have to substantiate the pretext that you need in order to gain access to the information that you want.

So how do pretexts fail? Honestly, the number one thing, I think, is confidence. If you don't have confidence and you are not prepared to overcome objections of your target, or if you sound a little bit anxious and you're trying to carry an authority pretext, you're gonna give your target the opportunity to give you objections and to question the validity of your pretext. So secondly, after confidence, would really be simplicity. The more things that you throw at your target to try to substantiate your pretext, the more information they're gonna have to work through in their brain, and you may actually limit your ability to elicit the types of information that you want to get from them. So keep it simple and lead them to give you the information that you want with a pretty direct line of thought, rather than overwhelming them with facts about who you are, why you're calling, that kind of stuff. And then, to go along with your simplicity and your confidence, you really need to have the knowledge to back up what you're saying, and that is really where the OSINT comes in: learning about your target organization's culture and what makes them tick, their biases, how they feel about life in general. All those things are going to help you to become a member of their tribe and then have the knowledge to overcome the objections that they may or may not give you. If you do a really good job, they're probably not going to challenge you.

When I start OSINT for a specific organization, the first place that I go is Glassdoor, and then from there I'll go into the brand profiles for LinkedIn, and from there I would move into who their employees are and start thoroughly investigating the employee profiles and stuff that's specific to the individuals that work at the company. From there you can use things like Google dorks and OSINT tools, other websites, to kind of fill in the gaps in what you're trying to prepare to elicit from the target. These are some sites that I recommend checking out. Just keep in mind that Glassdoor is not the be-all end-all. If you can't find it on Glassdoor, maybe it's on Indeed. Also, companies don't always take ownership of the profiles on the lesser sites, so they're not monitoring them, and there may be some really inflammatory comments or reviews, some really scary stuff out there, as far as the C-suite of that company would be concerned, on some of the lesser-known corporate review websites.

Speaking of corporate review websites, you always want to dig into the photos. Not necessarily the dude sitting there in his costume, but what's behind him, what is around him, what else is in this photo that's going to help us pretend, if we're using an internal pretext, that we've been in that office before, that we know where to go get a cup of coffee or a bottle of water. And from here we can see actual physical access controls, we can see their break room, the types of hardware that they're using, and in that one photo we have the employee's badge, business cards, letterhead, their computer, open applications, all from one photo. Don't forget video. My last year's target for SE CTF uploaded a video three days before my report was due, and that video included all these wonderful images along with a bunch more that really gave me the foundation and the proof for things that I had already suspected but now were in plain sight. Companies are really, really going out of their way to try to create positive perception of their brand for new and prospective talent, people that they want to hire that are applying for jobs, so they're really going out of their way right now to have a positive presence on social media, and that's really good for us.

So for this certain target, they had a corporate video like the ones I was discussing, where they had named their employees and gave their job titles, and from that I was able to dig into their employees' social media, their personal social media: LinkedIn, Facebook, Twitter, Instagram. Geotagged Instagram pictures, by the way, are my most favorite thing in the universe. And these people that overshare on social media can actually be a detriment to the rest of their team too, because you have co-workers who are commenting on their posts who don't necessarily share things on social media, but now you've identified them as an employee and you can actually check out their feeds as well and kind of link those things together. When you do that, you have the ability to find their side hustles, side hustle pages and groups, hobbies. All of the comments on their default pictures, cover pictures, all those things are public, and most people don't really keep that in mind, even if their Facebook is locked down pretty well. Check out their likes, their reviews of local businesses, and try to get a flavor of their personality and who you think might be a soft target.

With this particular individual, I identified that the company had a corporate giving manager. This person was really prolific on social media with sharing their causes, thoughts, beliefs, opinions, and I learned that she was a parent, that she had several social media profiles as well as a creative writing career as a consultant. I also found that the company had published their press releases giving the numbers for their giving campaigns for the last few years, and I was going to take this information and use that to substantiate the fact that I was potentially with the charity: did I know what the numbers were for the year before, that I have a good understanding of their participation in that campaign.

So what do the facts do that we found? They really substantiate and give your pretext credibility. The facts are what builds the story. Essentially we're creating the story from the information we have, rather than trying to pick a pretext and then support that pretext using information we may or may not be able to find. Yes, it's a four-square. If you have ever worked in sales, especially automotive sales, you're probably shuddering, but this is great because it's really an easy way to keep track of the information that you need to have handy when you're either putting together your pretext or actually executing your vishing calls or setting up your phishing campaigns. So: who are they, what do you need, and then from there, what information do you have, and what pretext can you build to become who you have to be today?

Here's a sample pretext format. We're gonna start by deciding the basics. Are you internal, are you external, are you authority-based pretexting, or is it going to be an empathetic pretext? Align your biases with the person that you've decided is your target and figure out how you can emulate their culture, and I'm not just speaking about, you know, ethnic culture, but just the culture of them as an employee and how they conduct themselves. Make sure you have the jargon and the keywords that are used within this corporate environment, and then pick your pretext theme. So first we're gonna take notes of what information we want to elicit from this target. We're thinking really hard, and then we're going to put in who we've decided is our target: put their name, their number, all their contact information. This is going to help you have it handy when you're talking to them, so you can stay on track and not fumble anything. Then you need to figure out who you are. If you're somebody from a vendor, and maybe you're not gonna pretext as somebody internal, make sure that you have your name done, euro sent on the second company figured out, what numbers you need to spoof, what your title is, who you are and what gives you a reason to ask for the information that you're going to try to elicit. Finally, figure out what your motivations are. Who are you as a person, what are your biases, what's your culture, and how is that going to make you part of the tribe of the person that you're trying to elicit the information from?

So, using what you have, you're going to have the goal in mind that you want to build rapport quickly. Link ideas together from one item to the next as far as the elements that you're trying to elicit. Memorize your flags, so to speak, the information that you want. Try to fit them into a natural conversation, and be prepared to segue or come back to a point if your conversation goes off track. Try not to script yourself too much, and then always be prepared to pivot. If it turns out that this target is a lot softer than maybe you expected and you have the ability to elicit more information than what you came for, pivot into another line of conversation and see if you can extract that as well. So we're using the data to create a custom pretext and not picking a pretext based on the data. Now you've got your full pretext on this little four-square, and this is actually what I took with me into the booth at DEF CON for the SE CTF. That's the only page that I had. I didn't bring a computer or any gimmicks or props or anything, it was just these, and they really helped me to figure out how I was going to approach the conversation, and then if I got sidetracked or nervous or intimidated, I could always bring it back using just a quick reminder from these pages.

With this particular employee, I figured out some of the things that we mentioned before, so I'm going to click through these really quick. But I called and I said that I'd sent her a PDF the week before, and had she received my email? Of course I hadn't sent her an email, so no, she didn't get it, and at this point she's feeling emotionally like she's letting me down. So this is gonna give me a really good foundation for using an empathy pretext, because she already feels indebted to me. So I confirmed, using an erroneous email, that I had sent it to the wrong place, and so she gave me her correct email and then committed to follow up and complete the PDF form and absolutely open it when she received it. So I have her buy-in to do that, which is fantastic. She also shared some other information with me, and I was able to elicit, you know, elements of software, hardware and other things about her business. From that point she did begin to kind of question why I needed all of this information, and she started to get suspicious because I asked for the same thing twice, and I immediately apologized and just, you know, said, "I'm so flustered, I'm so sorry, I'm working from home today remotely with a sick kid," and immediately, because she was a parent, she dropped all of her suspicions.

So that's how to build a pretext using the information that you find through OSINT, and using open sources to create custom pretexts in order to really elicit the information that you want, using things that are going to make your targets want to tell you. I am so happy that you all came today, and I appreciate you for your time, and also a big thank you to BSides San Francisco, to them for inviting me to speak to you today. If there's any questions or anything that you would like, I'm going to open the floor right now for questions. I can run the mic up to anybody.

Well, first off, congratulations on... well, this is really late congratulations on the black badge success, winning SE CTF. Thank you. Putting on more of a defensive hat, I've heard a lot of reports about the media platforms cracking down on fabricated accounts and also trying to protect users' privacy more. Mm-hmm. Do you think that is a step in the right direction for protecting employees, or is it more just going to shift the field for the offensive side?

Well, I will tell you that all of my sock puppets are alive and well, and I would say that even though there are a lot of, you know, measures being taken to do that, it's absolutely essential that we teach our people how to identify these types of threats and really lean into training and awareness to avoid these things, rather than counting on third parties to, you know, eliminate fake accounts or try to stop those kinds of things from happening on platforms. Good answer, thank you.

There is one thing I did forget to mention in my talk, and that is that we want to avoid having people get that little gut feeling that something's wrong. It's kind of like when you're driving in a car: you have, you know, people following you, but it seems like you only notice the car behind you when it's already too close, and that's because your subconscious is continually scanning your environment, but it only alerts your conscious to ask for help when somebody has breached that, you know, bubble of security. And so what we're doing with the pretexting is we're actually trying to get as close to that person's rear end without having the subconscious alert them that something might be wrong, and that's why these custom pretexts are really important.

My question is more of, like, a story question. Okay. What is one of the most creative or interesting pretexts that you've used successfully?

I would say that probably this charitable giving one. Then I had another one where I discovered that the target had a cafeteria. I posed as an employee of the cafeteria vendor, the foodservice vendor, and I said that I was coming on site to train the employees of the cafeteria for security awareness training, and that I had some questions about how I was going to get on site: do they have badges, who's my point of contact, is IT on site so that they can set up my projector for me, and all those kinds of things. That was probably one of the most fun. The pretext that I used for SE CTF this last year was just your "hey, we noticed you hadn't connected to the VPN in a while, and we're getting ready to ship out new computers, we wanted to make sure that we've got all the right software on the computer for you before we ship it out," and so it wasn't, like, super interesting or fun, but just very effective. Sit down.

So how might you translate this into, like, a phishing training sort of exercise, if we want to send just emails versus the very email phish? Yeah, oh yeah, absolutely. So if you find that your target is really into model trains, or they're an avid fisherperson, or they like to hike or play video games, all those kinds of things you can use to put together a profile of that person to create a phishing campaign, a spear-phishing campaign, that would definitely get a result. I've heard of companies that have been compromised by a single email for a coin collecting scam, basically.

About how much time do you say you put into prepping for any particular one of your pretexts? Do you have a sense, is it like an hour, is it 20 hours? It's too cool. The goal, really, with the way that I've set it up and outlined it here, is that you can do it really quickly. It shouldn't take you more than a few hours. Preparing for SE CTF I spent over a hundred hours compiling all the information into the report that I submitted for the contest, but realistically, in a real-life phishing scenario, you don't have that kind of time. You've got maybe hours, and so if you can dig into the brand's presence online and then kind of get a feel for what their employees are like or how they feel about the company, within about an hour or two you should have a feel for things that you can use to elicit empathy or to become part of the tribe of that company's employees, like "oh man, the break room is crap," and those kinds of comments are going to help you kind of empathize with them. So yeah, I mean, within a couple of hours you should really be able to build something that will float. Yes, I'll repeat the question.

Do I have any good free resources to help employees recognize these types of attacks? There is a ton of free information on the interwebs. I would say the first thing that comes to my mind for a company that shares information for free would be probably KnowBe4, but then of course Social-Engineer, Chris Hadnagy's shop, they do share a lot about recognizing these kinds of threats and attacks online for free. On YouTube, like, Google "social engineering" and there's a ton of resources. When I started actually attempting to compete in SE CTF a couple years back, I really struggled to find information on how to build a pretext, and I was like, how the heck am I going to do this? I don't know who I'm supposed to be or how I'm to be that person, and that's really the reason why I've put this talk together: to help people that do assessments, but also that can be really translated into training employees how to protect themselves, like stop commenting with private information on your default and your cover pictures, stop letting your images on Instagram be geo-located to your company. You're just making it too easy for people to find out these kinds of things about you and about where you work. That's it for questions, looks like. Okay, thank you so much. Thank you very much, everyone. I appreciate it. [Applause]