
Now join me in welcoming Jason, our guest speaker.

Thank you. Okay, thanks everyone for coming out. Welcome to "Please Pick Up: Crafting and Executing Successful Vishing Attacks." I'm Jason, and I'm here to talk to you about social engineering and vishing. Vishing, if you haven't heard of it, is voice phishing, so if you're familiar with email phishing, think of it as calling people and seeing what they can tell us over the phone. Often you see scams and things out in the wild, but there are some fun things we can do with it to raise awareness about security and test our own companies.

Before we get too much into that, a little about me. I'm primarily an application security engineer, not a social engineer, but I'm very passionate about human security and all things related to it: security culture, awareness, ethics. I've had a lot of fun running security champions programs and also bug bounty programs. I think they're a really interesting opportunity for us professionals inside companies to build strong relationships with external researchers, keep them working with us in a fair way, and keep them coming back and happy. Overall, I would say I'm driven by challenge. A few years ago I knew nothing about social engineering, and I've learned a lot in a short amount of time. I stumbled into the Social Engineering Village at DEF CON a few years ago and saw this competition where people would sit in a booth making phone calls and seeing what they could get target companies and people to tell them over the phone: anything from what VPN software and what antivirus you're using, to what your badges look like and how you check in visitors to your building. To me it looked like magic: just calling people and, without any sort of authority or authentication, without any sort of technical hacking means, getting real, legitimate information. I knew I wanted to try it out. I had no clue what I was doing, but I did sign up for the competition in 2022. I wrote over 100 pages of reports on open source intelligence and pretexting and came in second place, and last year I tried it again and came in first place. So I'm really just excited to share some of the knowledge I've gained through those experiences and raise awareness.

Starting off with open source intelligence, which is really the key to a lot of social engineering and vishing. OSINT is all about free data, so it's things you often don't need any sort of account for; it's information we can all find online pretty easily, and it's tools we're familiar with, like search engines and social media. People love to overshare information on social media, and we can take advantage of that to learn about targets, whether they're companies or people, and gather things like email addresses, phone numbers, real information we can use to carry out vishing attacks. Even corporate websites are full of interesting files. A lot of times you might get marketing materials, but you might find employee handbooks and similar benefit information on things. Public data brokers are another fun one. If you've ever searched up your name or a family member or friend on Google, you'll see these websites trying to sell you that person's phone number or email address or physical address, and often they want you to buy the data, so they'll give you, like, the first three digits of the phone number. But then maybe another website gives you the second half of the phone number, and then you've got the whole thing. So I have used this to piece together information from different data brokers, all for free without paying for anything, and it's kind of funny.

Search engines are our best friend with open source intelligence. We can do a lot just building breadcrumbs, taking searches and expanding on them when we find new information. A lot of the time you can start by narrowing a query to a specific site, like example.com or whatever your target company is, and then I always search for PDFs with the filetype parameter, or you can search for Word docs. A lot of times, like I said, this will immediately give you not only marketing data but also other interesting internal documents, often ones that aren't properly locked down and somehow got indexed by the search engine. As you start to find interesting things through your searches, maybe you see URL paths that are common and repeating across documents you find, so you can use inurl to narrow down queries looking specifically for those. You might also find documents with common headers and footers and use intext to search for those keywords specifically; this will look for things in the document or web page bodies themselves. It really is about building upon searches. It's not just adding query filter after filter after filter, but seeing what you find in one search and trying different queries, trying different websites and keywords, and branching out from there.

Google is really useful for finding contact information itself for the people we're trying to get in touch with, whether it's for phishing or vishing. You can find a lot of email addresses and phone numbers through some of these specific queries. Google doesn't always handle special characters well, so it might drop the at symbol if you're searching for email addresses, but often you will get web pages and documents with legitimate URLs and email addresses. Area codes are another one that's obvious in hindsight to search for, but if you look up where a company's headquarters is, you can start to search for that area code and similar ones in that area, and you'll often find employee contact information that way. When we're doing vishing it's interesting to consider different time zones and the people we're calling, so area codes also help give us that sort of information.

Building upon just Google searches: social media. Like I said, people love to overshare. Some of my favorite information to find is "day in the life" videos or office tours on YouTube. These can come from companies themselves showing off new offices they built, or they can come from employees who are really excited about their first day of work and will go through showing you their desk and their office spaces, and you'll often see computer screens with software open on them. You might see reception desks and badge reader systems, access management things. If you've ever seen black rectangles on the side of doors with red bars on top of them, they're probably HID badge readers; those are very common. Just from little pieces of info like that you can see things and immediately recognize the kind of technologies a company is working with. Again, looking for social media posts about first days or events: companies will often tell employees not to post their badge on social media, but a lot of times no one is scrutinizing group photos and event photos, and it's one of the best ways to find them. You'll see a bunch of people sitting or standing together and some of them inevitably have a badge visible, and you might not be able to glean exactly what technology that badge is using, but you can probably get a general format and start to create a counterfeit lookalike if you wanted to. And finally, people get a lot of use out of LinkedIn just posting their job descriptions and what they do, which is great (I do that), but people like to overshare there as well and will post specific technologies and vendors and tools they're using. As we start to gather these breadcrumbs and pieces of information, it informs our social engineering attacks later on, both who we're pretending to be and what we know about the company. So dropping hints and dropping names of software vendors and tools throughout a phone call conversation establishes trust and really adds some context to who you're pretending to be. I think OSINT is my favorite use of LinkedIn, because I think it's the only productive use most of the time.

Another fun thing to look at is maps themselves. If you go on Google or Bing you can pull up satellite images and street view. Look around for entrances and loading docks to buildings; again, look for readers, and maybe you can see where reception desks might be located, where security guards might be posted. We can actually find vendor information this way too. Maybe you look around a parking lot and see vehicles or vans with logos or company names on them from external vendors, and if you don't see them on your first try, a lot of these services will let you go back and look at previous captures of that satellite image data or street view data, so you can go back in time, and maybe a few captures back you do find vehicles and other interesting images.

Finally, for open source intelligence we can lean on more technical sources. WiGLE is a really fun one; this is a physical-location-based Wi-Fi search engine, so you put in a location and it'll give you Wi-Fi networks in that area. It is completely community driven, so people will go around with their phones and laptops and scan for networks and contribute data, and WiGLE will want you to do that as well, but you do have some free credits to work with before they start limiting you. Super fun to look at. DNSDumpster is another one, where you can put in a website and it will pull up DNS records for that website, give you subdomains and other interesting places and information to look at, and that is most useful to build our Google searches and really narrow down from there, or for searching on social media too. And finally Shodan is a more broad web search; it'll take a keyword and look in server responses and web pages and things, so this is another tool that might turn up domains you didn't know about previously, or hidden content that isn't normally indexed by Google and whatnot.

So with all these pieces in place, and information we have about our targets and who we want to pretend to be, we can start to think about developing pretexts. My top advice for pretexts is actually to keep it simple. We want to really minimize opportunities for doubt or confusion when we're talking to people. We don't want to waste time going on and on and on explaining who we are or answering questions. Really, the longer story and the more complicated story we try to create, the more room we're leaving for people to question us and hang up, and that's the opposite of what we want. So we can think about working in the details we've found through open source intelligence without making it a really complicated pretext. Often there are only a few things we want to start off a pretext, get it going strong from the beginning, and keep it going. First of all, establishing trust in who we're claiming to be in the first place. This could be using a job title, or it could be a specific person's name that we're pretending to be that we found on LinkedIn. You might want to be careful with that: if you're talking to someone who knows that person, it's very, very tricky. But job titles can be a good one. We want to establish urgency pretty quickly, a reason for the person to talk to us now instead of saying "just email me" or "call me back later" or something. People will establish urgency often through background noises; you might play a sound of a crying baby or something. But we can also do it through narrative. I've used this story that I'm trying to complete a report and I just need this person to help me for a few minutes, and that works really well. And finally, momentum, which is keeping the call going and overall keeping the person we're talking to happy so they don't question us or want to hang up. Some of the best ways to do this are just to express gratitude and be friendly with the person. People ultimately want to help, and that's what we're abusing a lot of the time, for better or worse, in social engineering: it is people's good nature and desire to be friendly. So the more we can lean into that, the better, which is often exactly the opposite of what we see in real life. Unfortunately, real attackers do abuse fear and threats to get information out of targets, but at this point the social engineering goes from pretending to be someone in authority to just trying to scam people outright and steal information or blackmail people. This is not something we have to do as professionals, and it's something we should not do, because it hurts our goal to demonstrate ethical hacking, it hurts us raising awareness and getting people interested in the work we do, and overall it hurts our mission in the security community.

This pretext is the one I've used pretty much exactly the past two years at DEF CON in that competition. You'll see I didn't really add any extra details here; I didn't name-drop any technologies, or even companies really. I established that initial trust by claiming I was from corporate IT. I established urgency by saying I was just trying to wrap up this week's report. And again, I kept it simple: no complicated details. One of my favorite parts about this one was talking about negative feedback on cybersecurity initiatives. As someone working in the field, I think we all know a lot better than most just how annoying the slideshow trainings are, and how annoying the antivirus on our computers is, and the VPN software; none of us really like all that cruft. People love to complain and bond over complaints, so even just starting out this pretext by sharing that sympathy, you know, asking for feedback, is really helpful and went a long way for me.

So I do want to see if we can show off some of these open source intelligence techniques. Some companies are really great about locking down the stuff they have online, some aren't, so this might go well, it might not. But if someone wants to shout out a medium-to-large-sized company name with a decent web footprint, we can try to see what we can find for a few minutes.

Disney.

Okay, I'll take Disney because I heard that one first. I think... all right, I'm going to figure out what their main domain is, though I should be on BSides. There it goes. All right, immediately we have disney.com. I know they have a bunch of domains, but let's try looking at disney.com. Let's see if we can find any interesting PDFs right away. Some sweepstakes stuff, this looks like marketing material. "Dorms"? I'm curious what these dorm things are. Human resource management. Immediately we have a telephone number here from a PDF we found. This looks like the Disney College Program, so some sort of course they're giving to maybe interns or people in this program. We probably can find a lot of these if we just start clicking on these documents. Here's a scholarship application; this one might have contact info at the bottom of it. Yep, we have someone from Nat Geo here. Oh, we do have another email address for Disney here too. So you can see, immediately, just with a very quick search we can start to find PDFs that have real people's contact information in them, and this can inform our pretext to begin with: we might pretend to be someone applying for the scholarship or one of these programs.

Let's try seeing what interesting subdomains we can find. DNSDumpster will give us TXT records, which are all pretty public, nothing really interesting there, but let's look at these host records, which might give us interesting subdomains to search. I bet Disney's going to have a lot of them. We can see mail servers, VPN, proxy. I'm looking for ones that sound like they might have files on them, so of course "FileMaker" or "corp" could be something. We have some chats. Let's try one of these, FileMaker, and see if this gives us anything at all; some of these might not be indexed at all. No, okay, no documents, but we do have the website itself. Some kind of service, not sure what this is. Nothing immediately obvious, but it gave us something that we could poke at later, even if we just looked at the source of this. Yeah, not much here, a test page; doesn't look like an active site, but it's interesting that it's out there.

Let's try one more. Let's find where their headquarters is, which Wikipedia would probably tell me, or not. Headquartered in Burbank. Let's see if I can search them up. We could just take a look at one of their buildings here. What if we go into street view? Looks like this whole campus is probably theirs. Let's see if they have any street view. No street view on there, so they're actually pretty good about this, but let's see how close we can get, maybe over here, and see if we can look at that building. That's probably all there is. If I was really trying to do more searching around this, I'd go all around and see what angles and roads I could look at, but I think that's a decent start at showing off some kind of open source intelligence we can do, so I'll leave it at that.

With all this in mind, the open source intelligence and the pretexting, I do want to talk a bit about professional applications and how we can do this ourselves and learn from it and spread awareness. I think when it comes to human security, training is not the answer, or at least not the whole answer. It's funny, because in my successful phone calls at DEF CON, when I would ask people "have you taken a security awareness training?" they would always say yes, and they would, you know, tell me about this annual training they take, but clearly it hasn't been enough to stop them from talking to me and answering questions over the phone. And I don't think that's a failure on the individual people. I think everyone is vulnerable, and it just takes finding the right person at the right time in the right mindset. You could get me with social engineering; any of you could be vulnerable. So how can we do better? I like to focus on technical controls and auditing. How can we make it so it's impossible for the human to mess up or give away company secrets in the first place? Can we add stronger technical controls in front of our data and sensitive actions, even if it's just stronger authentication like using hardware security tokens or passkeys, and auditing that access, making sure people only have access to the least amount of data and actions they need to do their job? And especially when unusual things are happening, how do we surface that through logging and alerts? Another thing we can do, leaning more into the human aspect again, is establish trust, transparency and communication between our security teams and people at our companies. Like I said, I've had a great time doing this with security champions programs, but really any way we can get people interested and engaged in security helps, both in personal life and professional life. Often people only care so much about protecting the data of their companies, but they really do care about protecting themselves and their friends and their families, and so if we can teach techniques to stay safe in both scenarios, it's really what will keep people engaged. And finally, if you are on a security team and have a chance to try internal vishing engagements, give it a shot. Whether it's a success or failure, it can create interesting stories either way; even failures can be really fun to talk about. Talk about what you tried, what worked and what didn't work, and just by talking about these things we're spreading awareness to people who might not have known they existed in the first place, and again giving people tools and knowledge to help them at work and in their personal lives. So with that, I'm happy to take questions from Slido. I have some contact information here, and I have a Medium blog where I've written up my experiences from DEF CON the past two years. So thank you all again for coming out.

Thank you, Jason. Our first question is: what protections or processes do you recommend for companies that don't issue company mobile devices, to mitigate vishing and smishing?

So the question was about how do we protect kind of bring-your-own-device, and that's an interesting one. I think creating connections again, encouraging people to report phishing and smishing attempts they see on their devices, is important. Often with MDMs it's not like you have complete control and access in every message that person is getting anyway. Again, I think about leaning into technical controls that are beyond what the user can bypass, so even if someone is to fall for a text message or email, having strong phishing-resistant authentication in place, like hardware tokens that an attacker can't get and can't get through, is really helpful.

Our next question is: how dependent on any particular search engine or social media site is the OSINT process? (Can you Google dork without Google?)

You can. I'm a fan of DuckDuckGo over Google, and I've used that instead for a lot of my open source intelligence. To some degree a lot of the search engines have the same kind of filters. DuckDuckGo does use Google on the back end, so it's just the front end search I prefer a lot of the time. But I would say you start to get an idea of what sites you find the most information on, whether it's LinkedIn, YouTube, other social media sites, and Google can point you toward those and point you toward internal documents and things, but you're not really relying on one single site.

What kind of resources do you use to get breach data, like credentials or something else?

I personally have never had to obtain breach data, and I'm sure those of you working in security organizations will often have internal sources or vendors that can help supply you with breach data. I've never had that exposure, though, and I'd say use caution if you are searching for that. If you are going on the dark web to find it, just be very careful what you're doing and downloading.

Our next question, actually based on that: do you utilize data from the dark web for such campaigns?

I have not. I think a lot of threat intelligence teams do. Really, if you're planning a phishing simulation or vishing simulation, I don't think it's something we necessarily need to lean on. As I showed, we can get a lot just through public open source information. But often companies will use real breach data to target employee emails and whatnot that were surfaced in a certain breach. Often those are also useful just for knowing which employees need to reset passwords and maybe get extra security awareness training, since their stuff might have been exposed in the first place.

What training do you recommend to teach employees to identify viewing?

What was the last part? Identify viewing?

Viewing, yeah.

I think that question may be meant to ask about identifying vishing. I don't think a lot of trainings talk about it much currently. Like I said, the best thing we can do is talk about real-world examples. Probably everyone is familiar with the recent MGM attacks and compromising IT departments and whatnot that way. Vishing has actually been pretty prolific lately, and talking about examples we see in the news really gives people things to relate to and think about how it could happen to them.

This is the last question we have time for: have you tried social engineering with LLMs?

Well, I remember when the ChatGPT hype started, I did see if I could get it to, like, write me some pretexts and stuff. I haven't tried any models that can do browsing, so maybe you can have them do open source intelligence for you. Often you can get them to write some kind of pretext by saying "pretend you're a security professional trying to do a vishing assessment" or something. Sure, it can probably spit out, you know, some kind of idea of a story for you, but I haven't really relied on that heavily.

All right, and unfortunately this is the time. If you have more questions, I encourage you to meet with Jason after, and join me in thanking Jason for this presentation. Thank you.