
Hi everyone, thank you very much for coming. I appreciate the attendance, especially for the last talk of the day. So I'm going to be speaking to you about spear phishing, and we'll be looking through a bit of a story and understanding how phishing attacks work and why they're so easy, and why people would actually choose these over a more technical attack, for example. So my name is Alex [surname unclear]. I work for Pentest People as a senior consultant. I specialize in web application and API technologies, but I have a genuine interest in the psychology of hacking, any sort of social engineering, basically the fun bits I'm sure all the pen testers in the audience here love as well.

So first of all I'm just going to be going through a few common vulnerabilities just to make sure that we're all on the same page, for the non pen testers in the room. So we're going to be having a look at software versions, brute force, multi-factor authentication and weak passwords.

So software versions are left on by default by many different pieces of software, and these versions are often seen as low-hanging fruit for an attacker. It's very simple: once we find software versions we can go and look for pre-written, publicly available exploits, click and play them a lot of the time, and there's very little effort required whatsoever, and you can potentially get root, SYSTEM or any kind of exploitation that you're looking for from it. So here's an example of a server response header that has been caught from a web application using Burp Suite. On here we can see that there is Microsoft IIS 5.0, which, as I'm sure the pen testers will point out, is an incredibly ancient version with thousands of, well, a lot of vulnerabilities associated to it, so I thought it would be a good version for this. So software versions are not only sent in server response headers in web applications; you can also find these by running a port scan against the network layer by using tools such as nmap. Here's an example of an nmap scan that's been returned that is showing the IIS web server 5.0 version, and we can also see here, just for jokes, that 445/TCP is open, which is the service that was exploited during the NHS WannaCry attacks.

So as an attacker, once we actually have a software version, what is the next step? How do we find the exploit? So CVE Details contains thousands and thousands of published exploits; you can search the software version on here and find anything to use against, in this case, the web application. So as we can see these are just a few of the ones that have been found, including buffer overflows and denial of service attacks. Once we've looked on CVE Details and we've found that there are exploits related to it, we actually need the code to then compile and run and attack the target we're looking for. Exploit DB is a website that you don't have to sign up for, it's publicly available, very easy to use, and it hosts code for exploits. It also hosts, a lot of the time, the vulnerable software alongside the exploit, so if anyone does really want to try and have a little play around with some hacking, go on Exploit DB, download the vulnerable software versions, download the exploit, fire them off yourself and just see how actually very easy it is. So this is a little bit of a snippet from the Microsoft IIS exploit, and here we can see a snippet of the EternalBlue code that was used in the NHS ransomware attacks. So software versions are incredibly easy to hide; for example in your Apache config you can just turn ServerSignature Off and set your ServerTokens to Prod.

So brute force and multi-factor authentication. A brute force attack in a web application scenario will typically start off by trying to enumerate a list of valid usernames. This can be done through different functionality within the web application, usually being the forgotten password function or the registration function. So when we go onto an application we will try and register an account and then afterwards we'll try and re-register it with the same email address to see what the error message is. If the error message returns to us as "this account already exists" then we have a different response, and we can use automated tools online to build lists of thousands of username or email combinations. There are many word lists around; this really isn't much work or much effort for any pen testers. Once we've got a list of valid usernames we will then actually run brute force attacks against the login portal, against the password sections, and try and get in. Again, there are readily available automated tools online that are very easy to do this with.

So multi-factor authentication is a second layer of authentication after we've used our standard username and password. This is often a screen asking for some kind of code that usually comes through Google Authenticator or SMS messages. Multi-factor authentication codes should be treated exactly like passwords and not shared with anyone. Recently I was doing an engagement for a pharmaceutical company and we spoofed, well, we got their domain, added "-support" on the end, just a nice classic, and registered it, and then we sent an email to their company saying that we have an important security update to be pushed that will require everyone to log into Outlook Web Access, which is obviously rubbish to the majority of us, but a lot of people will fall for it. So we had a keylogger on the portal that we redirected them to from the email, and we got two director-level accounts at a pharmaceutical company. However, they had multi-factor authentication enabled, so I thought I'd take a long shot and phone one of them, and I was like, "Hi, I'm calling from IT support. We've, you know, emailed you earlier, we've asked you to log into this, you've come back to us and told us you're having problems. Would you be able to read the code that I'm about to text through to your phone to me, please?" And they read it straight away. So I decided, why not try and see if I can get another method for them to give it to me like this, so I sent a push notification, called them and said, "We're sending a push notification to your phone just to confirm it's you before we ask you a few more questions," and they pressed the push notification without any argument whatsoever. So we have to start treating multi-factor authentication tokens as passwords.

So as we can see, brute-force attacks are simple to set up and execute; it's only a matter of time and computing power until we actually get through unless there's some form of protection. The protection is quite easy: you can add a CAPTCHA, you can use account lockout policies, and ideally you should always have multi-factor authentication enabled on logins. Whilst this isn't always possible, I think the more, as an industry, we can really start pressing the importance of multi-factor authentication, then web applications in general will become a lot more secure. It mitigates against password reuse, in essence, because even if you log in through the first layer you're not going to get into the second. So there are a lot of options now, mainly being automation, Google Authenticator, [unclear].

So weak passwords. Passwords have been a talking topic of the security industry, I guess, since the first day, and there are many myths surrounding it. So take this with a bit of a pinch of salt because it's come from How Secure Is My Password online, so I don't know the full accuracy, but it gives a bit of a rough idea on the computational power that is actually required to crack passwords. So here's your typical weak password of the word "password", which will be cracked instantly by dictionary attacks and very quickly by any kind of true brute-force attacks. So does using complexity on weak passwords make them stronger? Yes, but not by that much. You can add more complexity, you can change things up, but it really doesn't make it much stronger. So passphrases: I'm sure everyone in here, or most of the people here, have now heard about passphrases at one point or another. Passphrases are multiple words with spaces in between them, and this is a lot easier for the human brain to actually remember from a psychological point of view, because remembering three words with spaces or dashes is a lot easier than remembering one word with seven hashtags, four semicolons and a couple of commas involved. A minimum length of ten characters should be in place for low privilege users and a minimum length of 16 characters should be in place for high privilege users. So here's an example of a passphrase being used, which has now gone from instantly to one minute to 454 billion years. So the computational mathematics behind it shows that it will take a lot longer, and even better yet, add some complexity in there as well.

So now we can move on to the main part: social media spear phishing and how to protect yourself. We're going to start off by having a little look at the threat landscape, understanding what spear phishing is, a bit of the motivation behind it, some scary facts and statistics, a case study, and then how to protect against spear phishing. We are going to be giving away some lockpick sets at the end of this talk to people that can answer questions about the talk, so pay attention and don't fall asleep if you want free lockpick sets.

So let's have a look at the threat landscape. Between October 2013 and May 2018, businesses inside and outside of the US lost over 12.5 billion dollars to business email compromise. 2015 was really a massive year for ransomware, with over a 752 percent increase, and ransomware families jumping from 29 to 247. Ransomware is still increasing, and rapidly. What is business email compromise? So business email compromise is a form of fraud and it plays off natural human psychological urges. So I would, let's say, spoof a C-suite employee, a chief executive officer or chief operating officer or whatever officers there are these days, and you'd email through to a financial director asking them to deposit X amount of money quickly before we lose a licence, for example. So the average loss is a hundred and forty thousand dollars. Leoni AG lost forty-four point six million dollars from one business email compromise in 2006. In 2018 business email compromise rose by about forty-six percent, or reported business email compromise rose by about forty-six percent.

What is ransomware? So ransomware payloads are usually delivered by email. A user will click a link or download an attachment, or some form of trickery is involved, and the ransomware will then encrypt all of the files on the computer and demand money, usually in the payment form of Bitcoin or Ethereum or some form of cryptocurrency, to actually unlock the files. I saw quite a lot of cases where people actually did pay to get their files unlocked and never got given a key to unlock their files.

So what is spear phishing? Spear phishing, unlike regular phishing, targets individuals and specific people. The attacker will actually spend some time researching, understanding the person that they're going to attack and building a profile. You'll understand the family's needs, their hobbies, pretty much everything that they do, anything that you can do to build an overall profile. There are three main payloads here: technical payloads, which is usually ransomware or some form of malware; psychological payloads, which is business email compromise or any other kind of "do this now because someone's emailing you from a higher level account"; or either or both, which is just a spoofed password reset or some form of keylogger.

So what is the motivation behind spear phishing? Spear phishing is incredibly easy to set up and execute, it doesn't take up much time, and the rewards can be absolutely massive. We'll talk about a case study a little bit later; you'll be able to see some of the real effects of spear phishing and how much money it can actually make. So why spear phishing, really? So we've all received normal mass phishing emails that are clearly sent out to thousands of people, that are written in poorly written English, probably trying to sell you some kind of penis extension medication or something terrible along those lines, maybe Russian mail-order brides as well. So the difference between these emails are they are not obvious, they are well-made, they look authentic, they're correct and crafted. The URL, sorry, the email address that it's coming from will not look fake; it will no longer be "Dear valued customer", and there are a couple of other mistakes in there that I'm sure people would notice, like "regards" at the bottom.

So how can we actually start building better emails that people are more likely to fall for and more likely to understand? So an example that I like to use is a C-suite employee goes on holiday and posts a picture of them on the beach and they have their hotel name in the background. So we've gone on Twitter and we found this, we found the hotel name, and we know that they were there during certain dates. I'll then send an email to the hotel asking them a very generic question like "do you have gym facilities?" or "what time does your bar close?", the usual important questions, and when they reply to you we'll then analyze the language and the way the email response is written to us, grab the email footer and any information that we can actually grab from the email returned to us, and then send an email to the C-suite employee that has tweeted a picture of that hotel. We'll be exploiting a trust relationship here because they've been there before, they know the hotel, they don't understand why people know they were in the hotel. So our email will say "we found some high value goods in your room, please either click on this link or download this to have a look at them, and if they are yours then we'll return them to you very quickly." People naturally will click on that; they're scared that they've lost something, or maybe even they're a bad person and they're thinking "can I steal something here, can I say that something was mine?", in which case it's a good thing that we are phishing them.

So let's have a look at some fairly scary facts and statistics. Two-thirds of all malware arrives by email attachments. Sophisticated phishing emails facilitate 90% of successful attacks. 97% of people cannot differentiate an authentic email from a well-crafted fake one. This is the statistic that I'm focusing on the most for this presentation; whilst the other ones show the effect of it and the powerfulness of it, this is showing that actually if you write things in good English and it looks genuine then people probably are going to click on it. So 56% of email recipients and 40% of Facebook users clicked on a link from an unknown sender because of curiosity; they didn't know what was on there but they wanted to know, so they still clicked on it, even knowing the risks.

So let's have a little bit of a look at a case study: a very famous hacking group called Carbanak, who have been around for a little while, and they have stolen billions and billions of dollars now in total, and I believe one person has been arrested but I don't think anyone's ever actually been charged. So if we compare this to jewellery heists of 30 million, where everyone, well the majority of them, end up in the courts, in comparison to our hackers stealing billions and never being caught, we can really see why spear phishing is so good. So the Carbanak group attacked banking institutions, and they started with spear phishing emails. Once they were on the network they ran some form of manual reconnaissance, recording everything that was typed by staff, and video footage, CCTV footage, webcams, that kind of thing, to ensure that they can actually understand how everything's working and how everything inside is actually operating, so they can try and impersonate any member of staff. Large sums of money were transferred through ATMs, the SWIFT network, and creating high value bank accounts. But here's a slide that I've liberated from Kaspersky; they were actually the company that investigated this attack. If you add me on Twitter at the end, or go to my Twitter at the end, I posted an interview with the guy that investigated the Carbanak attacks, really, really interesting stuff.

So we start off at the beginning where Carbanak sends a backdoor email attachment to a bank employee. Previously they've discovered that this bank is running an old version of Microsoft Word internally by using standard forms of OSINT tools such as Bluto or a few others that will scrape the metadata from files online that have been uploaded by people from that company. So the backdoor attachment would exploit a vulnerability in the Microsoft Word version that would give system access. So the employees downloaded this and they've got system access on one computer; they've sent it to quite a few other people and they've got a load of computers, but at this point there are no administrative credentials to get onto the domain controller. So they used one of the compromised computers to send an email to the IT administrators complaining that one of the computers that had been infected was very slow and they wanted them to come and have a look at it. The IT administrators came and had a look and there was a keylogger on the login portal, so they now have administrative access and they've got complete control of the domain controller; they own the infrastructure and can pretty much do whatever they want from this time.

So now that you're inside a bank, how do you get the money out without being caught, or without being caught quickly, giving you enough time to actually be able to get out a decent sum of money? So there are four different methods that were used by Carbanak: online banking, so sending money outside of the countries to maybe the Caymans or any kind of tax haven places; payment systems; inflating bank balances; but my personal favourite, controlling ATMs. So they laid a bit of malware down that would go into the ATMs, and they hired a load of thugs to go to banks with special cards that would trigger the malware and spit all of the money out of the ATMs. After reading about this I ended up researching ATM hacking a little bit more and apparently it's quite easy; for a lot of ATMs you can buy a generic default key online that allows you to unlock them, and once you unlock them you've got a USB port. Not that I'm encouraging anyone to go around hacking ATMs, but I'm just saying it's probably easier than we think. So they would go and collect this money and then drop the money off to whoever was controlling them, and yeah, they took over a billion dollars on this bank, I believe; it was a billion dollars' worth of rubles or ripples that they ended up stealing.

So how do we protect against spear phishing? Don't share personal information online; try and keep as much... it's easier said than done, we all want to put things on Facebook every now and then, I'm sure, that we're on holiday, for example, but try and be considerate and try and really think: if someone saw this on my social media, could they use this to exploit some form of trust relationship that I have with maybe a third party, or maybe something that I'm interested in? Report any suspicious emails, contact the sender before you download anything, and contact the sender before you click on any links.

So now's the fun bit: see who is actually listening, and we will be giving out some lock picks for this. So can anyone tell me how often is malware sent as an attachment? Yes. [Music]

So yeah, according to Verizon, two-thirds of all malware arrives by email attachments. What percentage of sophisticated cyber attacks start with a phishing email? Ninety, correct. How many people from the Carbanak group have been charged? One has been arrested, but no one's been charged yet. What should the minimum password length be for a low privileged user account? Of course, anyone want to answer? [inaudible] Sorry, ten characters, obviously. This recommendation may vary depending on the company, but ten characters is usually your standard for very low privilege user accounts that don't have easy access to really doing any damage to either an application or infrastructure. Why should the maximum password length be... yeah.
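The username enumeration weakness from the brute-force section of the talk (registering twice with the same address and reading the "account already exists" error), shown as an added example that is not part of the talk: a leaky registration handler beside a uniform-response one, with a self-check a defender can run against either. The user store, the `Response` type, the `_queue_email` stand-in and the addresses are all constructed for this example.

```python
"""
Added example (not from the talk): why a registration or "forgotten password"
form leaks valid usernames, and the uniform-response fix.

Everything here is constructed for illustration: an in-memory user store and
two tiny handler functions standing in for the web application's endpoints.
"""
from dataclasses import dataclass

# Constructed sample user store; in a real application this is the database.
REGISTERED_USERS = {"alice@example.com", "bob@example.com"}

# Constructed stand-in for the application's outbound mail queue.
OUTBOX = []


def _queue_email(to: str, text: str) -> None:
    OUTBOX.append((to, text))


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def register_vulnerable(email: str) -> Response:
    """Leaky handler: the status and message differ for known accounts,
    so anyone submitting addresses can confirm which ones exist."""
    if email in REGISTERED_USERS:
        return Response(409, "This account already exists")
    return Response(200, "Check your inbox to finish registration")


def register_hardened(email: str) -> Response:
    """Uniform handler: identical HTTP response whether or not the address is
    known. The real outcome is communicated by email, which only the owner of
    the address receives, so the web response carries no signal."""
    if email in REGISTERED_USERS:
        _queue_email(email, "You already have an account; use 'forgot password'.")
    else:
        _queue_email(email, "Click the link to finish registration.")
    return Response(200, "If this address is eligible, we have emailed you the next steps")


def leaks_account_existence(handler) -> bool:
    """Defender's self-check: probe a handler with one known and one unknown
    address and report whether the (status, body) pair tells them apart."""
    known = handler("alice@example.com")
    unknown = handler("nobody@example.com")
    return (known.status, known.body) != (unknown.status, unknown.body)


if __name__ == "__main__":
    print("vulnerable handler leaks:", leaks_account_existence(register_vulnerable))  # True
    print("hardened handler leaks:  ", leaks_account_existence(register_hardened))    # False
```

The same uniform-response rule applies to the forgotten-password function the talk mentions. The self-check only compares status and body; in practice a defender also wants the two code paths to take similar time (the hardened handler does comparable work in both branches for that reason) and, as the talk says, rate limiting, CAPTCHA or lockout in front of the login itself.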
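The weak-password section of the talk argues that length does more than added complexity and gives minimum lengths of ten characters for low privilege and 16 for high privilege accounts. The following added example, which is not part of the talk, carries that search-space arithmetic through and checks the talk's policy. The wordlist, the sample passwords and the guess rate are constructed assumptions for illustration; real cracking speed depends on the hash algorithm and hardware, and this does not reproduce the online tool's "454 billion years" figure.

```python
"""
Added example (not from the talk): brute-force search space behind
"length beats complexity", plus the talk's minimum-length policy
(10 characters for low privilege, 16 for high privilege accounts).
"""
import math
import string

# Constructed mini wordlist standing in for a real dictionary-attack list.
SMALL_WORDLIST = {"password", "letmein", "qwerty", "123456", "welcome"}

# Assumption for illustration only: a fast offline attack against a weak hash.
ASSUMED_GUESSES_PER_SECOND = 10**10

MIN_LENGTH_LOW_PRIV = 10   # from the talk
MIN_LENGTH_HIGH_PRIV = 16  # from the talk


def alphabet_size(password: str) -> int:
    """Size of the smallest standard character set covering the password,
    which is what a brute-force attacker would have to enumerate."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    if " " in password:
        size += 1  # passphrases with spaces add one more symbol
    return size


def search_space(password: str) -> int:
    """Worst-case number of candidates a pure brute-force attack must try."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Search space expressed in bits, the usual way to compare strength."""
    return math.log2(search_space(password))


def estimated_crack_seconds(password: str,
                            guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Dictionary words fall instantly (the talk's "password" case);
    otherwise the worst-case brute-force time at the assumed guess rate."""
    if password.lower() in SMALL_WORDLIST:
        return 0.0
    return search_space(password) / guesses_per_second


def meets_policy(password: str, high_privilege: bool) -> bool:
    """The talk's minimums: 10 characters for low privilege, 16 for high
    privilege, and never a plain dictionary word."""
    minimum = MIN_LENGTH_HIGH_PRIV if high_privilege else MIN_LENGTH_LOW_PRIV
    return len(password) >= minimum and password.lower() not in SMALL_WORDLIST


if __name__ == "__main__":
    # Constructed samples: the talk's weak word, a "complex" short password,
    # and a three-word passphrase.
    for candidate in ("password", "P@ssw0rd!", "coffee table lamp"):
        print(f"{candidate!r:22} bits={entropy_bits(candidate):6.1f} "
              f"seconds={estimated_crack_seconds(candidate):.3g} "
              f"low-priv ok={meets_policy(candidate, False)} "
              f"high-priv ok={meets_policy(candidate, True)}")
```

The point the numbers make is the talk's: the nine-character password with four character classes has a search space of roughly 94^9, while the 17-character lowercase passphrase with spaces sits at 27^17, which is several orders of magnitude larger despite having no "complexity" at all, and only the passphrase clears the 16-character bar for privileged accounts.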
So has anyone got any questions for me about the presentation? Pardon? They'll be giving out some of the... yep.

[Music]

Yeah, no, if you can research a person you can understand them, then yes, but we recommend using password lockers which will be randomly generating passphrases for you. That's a really good point, absolutely. They use passphrases because it's all dictionary based, but a lot of the time the password lockers will choose your passphrase but they'll throw some random complexity in there and some random bits too, to break up words, so that they're not necessarily true words at that point. It's a very good question.

Yes, thousands of people, so we'll start off by going through their LinkedIn and we'll run some tools; it'll bring sort of all the employees back on LinkedIn, and we'll start with the obvious: we get rid of the IT department, get rid of anyone technical, and then we'll try and break it down, usually to focus on employees that have been there for less than three months or less than two months, as they likely wouldn't have had any security awareness or phishing training at that point. But it's a matter of just filtering and filtering and filtering until you get down to the five, maybe ten people you'd actually choose, and then you'll research them individually as a person. So if I'd chosen to focus on you for a spear phishing attack I'd go to your Facebook, your Twitter, your LinkedIn, read your local newspaper, see if you've ever featured in there, for example; if you're interested in football then I know that's a potential exploit point I can go into, and yeah, just researching the person as a specific individual to understand them.

Non-financially motivated? Um, yeah, so, in terms of actual research that I've read, I'm not aware of any, but I could see how it could be used. So usually when there's no monetary value involved in an attack there has to be something else involved in it. It could be an attacker that has a massive ego that's just doing it for fun, but it would most likely in that case be either a competitor or someone that would benefit in some way from actually either knocking down your infrastructure or getting into your email accounts. No, I'm not aware of any research specifically. Yeah, yeah, yeah, almost, aw, yeah, absolutely.

Yeah, absolutely. I think the only way that we're ever going to be able to really tackle spear phishing is security awareness training, definitely. You could potentially, but the codes reset every 60 seconds if you're using Google Authenticator.

Yeah, I'm not entirely sure, I wouldn't know how to go about approaching that. Once we... [inaudible]. Yeah, Evilginx, yep.

Yep, yes, interesting. [inaudible] This is the last one, giving up. Yeah, a comfortable amount of data to gather is until you are personally comfortable, you know that person well enough that if you would have a conversation with them, person to person for example, you'd know ways to be able to lead the conversation, be able to trick them and steer them. It's a little bit "how long is a piece of string" in that sense, because you might come across a really, really vulnerable target, a really easy target, you might end up with someone that's posted really obvious information about themselves online that you can use to exploit; sometimes it's a little bit more difficult. It's usually down to whether the company is doing security awareness training or not.

Yeah, so if people are not reusing passwords, and I can definitely understand the less rotation: what if you're using a 25 character password, you're only using it in one place, you're 100% sure it's being stored in an encrypted format, then yes, potentially. But the reality is that most people reuse passwords, websites don't always store your data encrypted rather than in the clear, and I'm sure most of the people in this room have used Have I Been Pwned on one of their old email accounts and found at least one or two leaks that they've been in. So in a perfect scenario yes, but I just think unfortunately the human element makes it a little bit more difficult than just doing that.

By password history, do you mean so you don't have to... I mean, I guess it means that it really depends on the company specifically, I think, how their employees are, how well any security awareness training has affected them, and how the kind of setup is. I think it should be looked at on more of an individual case to case basis as opposed to just deciding straight away, but I think rotating passwords does have its merit, but that is usually because of password reuse attacks that have been coming out of clear text leaks and that kind of thing. So if people aren't using their password in multiple places and they're not reusing, then yeah, you can get rid of the... yeah, yeah. I mean, they also used to say that, um, complexity was more important than length in terms of computational power, so I think everything needs taking with a little bit of a pinch of salt. My personal view is that passwords should be rolled over and they should be changed, and there should be a policy that is forcing people to reset their password every maybe six months to a year. I know three months was thrown around for a while at one point, but I think it's being increased quite a lot now by most companies, but I don't see why reinforcing users to change a password can actually be a negative thing if they're using a password locker.

Yeah, in what sense? Not really. I mean, on a typical penetration testing engagement where we're doing phishing campaigns we'll ask to be whitelisted; on a web application test when we're testing we'll ask to be whitelisted. This is in a standard penetration test as opposed to red teaming; this is because we're looking to test the vulnerabilities, the code itself, or the humans themselves, if they're gonna click on it, as opposed to testing someone's defences or anything that they've got in place over there. Yeah, spam filters are great, they should always be used, but there's no guarantee that... well, I've seen, from our experience, we'll usually ask to be whitelisted for an engagement through any spam filters, but I've seen recently that people have been putting JPEGs or PNGs pasted into emails, so as opposed to having it just in normal text it's actually an image that's inside there, and I think that's one of the ways people are trying to bypass different spam filters at the moment.

Personally, not to my knowledge, but if they've done it well enough I wouldn't know. Anyone else? I am not... I mean, I'm definitely getting social engineered a bit by the partner at the moment, so it's probably me. Yes. No, no, typically if a company's never had a phishing engagement or any security awareness training you'll get a 50%-plus click rate, and that'll get lower and lower with the amount that it goes down. But I mean it does depend on the company, so that's not an exact statistic, but from my previous experience it's usually roughly 50. Yeah, yeah, I don't... yeah, do that, okay, yeah. Oh, that'll be really interesting, I'll definitely have a look at that, awesome, cool. Anyone else?

Security awareness training is the only way to really tackle it, and we should try and ensure that the language used in emails that are coming through to us... so often, when you're at work for example, if you're emailing a friend you'll use slightly different language; it's analyzing and looking for these kinds of things. But the only real thing to prevent spear phishing is to have a real staff awareness, security awareness training program and regular phishing campaigns. It's definitely paying off. So when we've typically been doing a phishing engagement for a company we'll do three or four, maybe five, and we see significant changes between each one that we're doing the phishing engagements against. So the one I used as an example, a big pharmaceutical company, so massive; it can really vary from small businesses, small to mediums, to large financial institutions.

Last question, if there is one? Yes please.

So one of the things that we recommend is if you have a phishing assessment done, you [unclear] those users, you don't shame, and there's no need to shame; [unclear] if they haven't had any training then there's no point in fighting with fire, basically. So the best thing to do is to show them what their actions lead to. So if we phished a CEO, say, and there's no phishing training, I thought that, you know, the bare minimum is show him: because of your actions, you know, this malicious target managed to steal your passport number, your credit card information, the company's crown jewels basically, and that makes them think a bit more, and then they start to apply that mentality to their own personal emails, because, you know, that's where it's going to kick in the most really.

Yep. Thank you very much, thank you very much guys.