The Oldest Trick in the Book is Still the Best Trick in the Book

because all right hello everyone my name is Chris Horner I am a cyber security engineer with a local consultancy triaxium security which we are now a part of strata information group and very happy about that today my talk is on the oldest trick in the book is still the best trick in the book and what is the oldest trick in the book it's social engineering so in this presentation we're going to cover three main things first we're going to look at the psychology behind social engineering why do even very smart people fall for social engineering then how we as cyber security practitioners create a professional test for our clients professional not a canned one not a generic one not just a check box but something that can help our clients be able to prepare for and defend against social engineering attempts that in turn helps everybody at the company learn how to recognize and avoid these attacks even in their personal life so let's start by defining social engineering social engineering is using deception to manipulate a person into taking an action that they shouldn't or to reveal some kind of confidential information sometimes this is referred to as social hacking this is not a new attack Vector in fact it's oldest time we all heard the story about the Trojan Horse thousands of years ago so deceit and trickery have always been a part of The Human Experience unfortunately but it's only been in the last couple of decades that this tactic has actually been given a name so while technology continues to improve and become new apps new technology Stacks are always coming out human psychology though is generally the same and people will tend to operate in the same way and in a predictable fashion and that is why social engineering is actually so dangerous these days technical controls as long as they're set up correctly are generally pretty good but why should an attacker go through all the trouble of identifying and defeating technology when all you have to do is get somebody to open the gates for you from the inside so the Verizon data breach report that came out this year the latest one showed the 74 percent of attacks Incorporated some kind of social engineering element and this is a really interesting time to be giving this presentation and to have been polishing it off because if you've been paying attention to the news there was a very high profile hack at uh in Las Vegas and the details are still coming out as of this presentation but the group that is claiming responsibility for this attack said the social engineered uh the help desk by using a phone call and I will tell you as somebody who does social engineering campaigns that is a very credible possibility even with technical controls in place it is possible to do that I know because I've done it so when you're looking at Social Engineering there are typically four kinds of attacks that could take place one is phishing emails texts and phone calls we're probably all familiar with those then there's pre-texting that's pretending to be somebody else to uncover secret information now phishing and pre-texting would take up the majority of attacks that you see and hear about then there's baiting that's exploiting somebody's curiosity that could be dropping USB drives around the building for example hoping somebody picks someone up and plugs it into the computer to see what's on it just out of curiosity or the promise to reveal something secret to somebody and then finally quid pro quo that is offering something to somebody with the goal of getting something back to you in return so no matter which attack Vector social engineering takes it usually plays on one of these four things with people fear trust curiosity and greed now fear that can play on the fear of missing out fomo it could also Play On Their Fear facing repercussions we see this a lot in phishing emails don't we we've all gotten them uh the ones that say we're going to deduct 47 million dollars out of your bank account if this is a mistake just call this number and give us your bank information we'll fix it or uh we're having trouble delivering the package that you drunk ordered the other night on Amazon just give us your Amazon account and we'll reroute it for you or we can't verify your Netflix payment so you can't finish Formula One drive to survive this weekend sorry but call us and give us the credit card information we'll make sure that you get your ass access back then they can also play on people's trust in general people want to be helpful now this is even more so at companies if their role is service based curiosity we mentioned it could be the offer to get early access to something or be the first to get some kind of a limited edition thing anything that incentivizes them to listen more and then finally agreed that can be offered a gift card or some other incentive monetary or not for them to take an action that the attacker is looking for human brains actually operate very much like a computer brains take an input they analyze it it triggers the response which is then manifested in an outward action now scientists that have studied the brain also know that there is something simmering underneath the surface as well all the time and that's our subconscious that's a part of our minds that integrates ideas together what these studies show is that subconscious thoughts actually happen first and then your conscience mind needs time to catch up so if something is out of place or dangerous sense then the conscious mind is activated for more evaluation and oftentimes we call this a gut feeling how we relate this to social engineering tests are if the details are wrong in the test the game is up before it ever begins and the test doesn't help anybody thing is the converse of that is also true if the details are right it can trigger a subconscious response before your target even knows what's happening and the very best social Engineers are excellent at intercepting this process and triggering that automatic response secondly the other way that humans of course are different from computers is that humans run on emotions and emotional responses can override logic even when somebody knows better we've all done it right haven't we all done something that we look back and like boy I knew I shouldn't have done that or I wish I hadn't done that computers don't have that problem computers run on logic human beings do not so again the best social Engineers excel at generating an emotional response from their targets because even when there's doubt that can be overridden so with all that in mind let's look at how we create a professional social engineering campaign emphasis on professional the difference between a professional test and a Candor generic one is that the test should be thorough and the ultimate goal is that the recipients reinforce and test their own security mindset and procedures it's a practice drill the military runs practice drills they're not flying their fighter jet for the first time in combat athletes run practice drills so they know what to do at the event my kid's school runs lockdown practice drills and why do people do this well it's because when crunch time comes people will already know what to do the response will already be ingrained within them so a professional test helps an organization Baseline their employee defense as well as their technical defense because remember security is not just one thing and it also gives direction for them on where to focus for improvements so start with the overall objective what is the objective that the client wants do they want to see if you can capture credentials is it getting remote access to their system is it physical access to a secure building I like to start with that and work backwards then you look at what tools do you have at your disposal what do you scoped for in your Roe and then remember the details matter and a proper campaign takes a lot of preparation I mean a lot as a matter of fact the more time you spend preparing the more successful you will be and that's why genuine red team engagements go on for months so if you if you're familiar with a technical pen test and if you've taken any of the major certifications pmpt and oscp especially you've heard the word enumerate until your ears bleed but enumeration is the key to a successful contest because this through enumeration and seeing what's going on that's how you get the lay of the land it allows you to build a holistic picture of what you're dealing with before you ever attack and these same principles actually apply to a social engineering test so on a technical test you can have things like nmap scans website directory scans manually looking at web pages hopefully you're taking notes of what you're seeing right now once you get all of that information you can paint yourself a picture of how everything fits together and this is key in the context of their business every business every industry is different you don't have to be an expert on how all of those work but you should at least understand the basics and understand how their business operates now for a social engineering test you're less reliant on technical tools but you're more reliant on osun open source intelligence gathering these are free resources no hacking is required to get them but you do have to know how to look for the information so to start with that you can look at things like their main website what messaging or keywords do you see over and over can you find an organization chart can you find the email address format are they using firstname.lastname or first initial last name for example that detail becomes important later social media of course is a gold mine for osun both for the company and on individual targets scroll through it what are they talking about what are their concerns who do they interact with what other companies do they interact with going through Linkedin especially you can learn job titles the main functions of the business you can also learn their lingo do they have a help desk or service desk again that detail matters and becomes important later are the employees geographically Central or are they spread out that can tell you if you're working with a remote organization or one that could work in office might also clue you into how quick they can communicate once you start attacking and then what are newsworthy topics in their industry are there mergers are the new advances rolling out and then online documents companies sometimes will post studies they'll have PDF documents out there but look at the metadata for those who wrote it what software did they use was it Mac based or Windows based again that detail can matter tools like power meta can scrape for this and Google dorks can be used to find documents and sometimes documents you wouldn't even believe are out there so once you start taking these notes you'll start percolating an idea and again just like in a technical pen test once you find a new server or gain user access you begin the enumeration process all over again the difference is this time it's just more targeted from there you can start trying to figure out who are their vendors Google is good for that um I've even done things like an image search on our clients logo one time I found the client's logo that went back to an HR software company which seemed weird right why would it be there well our client had written a testimony about how much they loved the HR software guess what the social engineering campaign became tools like amass or the Harvester they can help you pinpoint some of the tech stack that's in use do they have URLs for a CRM or VPN which one is it sometimes all you have to do is call and ask uh if I noticed a company that doesn't have any Tech roles on LinkedIn that's a clue they're probably using an MSP so one of the tactics I use is I spoof the number to an MSP that's in their region and I call and I pretend I'm a business development representative hey we're your neighbor over here just wondering if you fire them out any I.T services oh yeah we do oh okay great do you mind if I ask who you use they'll tell me that's awesome thank you is there someplace I could send information about some of our services typical innocent phone call but now I've got a really good piece of information I've even done that for internal phone numbers um I've spoofed a new employee called a HR number infernal for example that turned up on Ocean hey I'm new I've locked myself out I know this isn't the red Department can you please tell me how to reach the help desk bam then you have the help desk phone number sometimes I've even found internal internets open to the wide open internet there was one client their internet was behind a username and password but for some reason a lot of it was exposed publicly and so I told them of course that so they could close it up after I plundered everything out of it but once you ID some of these vendors look at their login Pages what colors and fonts do they use what can you mimic how are the fields labeled what disclaimers appear on these pages I'm not a great coder I'm really not that good at writing code for Scratch but you know what I am good at copy and paste I know how to copy and paste color codes I know how to copy and paste font types I know how to copy and paste logos and disclaimers then find then also look at what matters in their industry is there certain compliance requirements that people in Industry have to adhere to HIPAA and medical for example were certifications do employees in that field have to obtain certain certifications and then what organizations or causes does does the company support are they active in their Community are they proud of some of those achievements see all of this stuff is stuff that can be copied and mimicked because remember you want their subconscious to think that everything is familiar and comfortable or to put it another way it's normal and safe so with those notes you probably have an idea for a campaign at this point and now it's time to pick a URL that you will use as the starting domain for your campaign I like to use the spellings flip-flop letters or adding words or numbers to things so like company name.com for example that could be the client I'll buy the domain company name hr.com and you'd be surprised how cheap you can do this I've never spent more than twenty dollars for a domain and usually I don't spend more than 12. but even some very high profile company names just adding it or HR to the end of the can be a very easy path to getting a start on your campaign now these are examples of some login pages that we've used in Social Engineering campaigns that we've conducted the one on the left here blue the one in blue this is the same graphic that was used in the company's background on their login page there's a phone company logo down there because there was a news article that they had been bought out and there was a merger going on employees of that company would have known that and that and then the one on the right the red one asset works that's a real Sales Force app it's used for Fleet Management through osun I discovered our client used that so I copied the color I copied the logo I call I copied the letter coloring and the copyright notice at the bottom this would have been a login page that looked very familiar to recipients of that company last one this is the one that uh I also copied the font type I copied the disclaimer from a real login page that they had I copied the company logo now this particular company their name was made up of three words in the URL and I bought the exact same name but in one of the words I flip-flopped the A and the E and again it's going to pass a very quick cursory inspection you have to look really close to see that it wasn't the same one but that domain was 12 dollars so now it's time to craft the message and remember the four things we talked about the social engineering attacks tend to prey on fear trust curiosity and greed whichever of those that you choose to use the bottom line is to have quality communication remember people are people they're busy you're busy I'm busy we're all just trying to get through the day and we'll typically decide very quickly how to deal with what's in front of you right people also feel good when they've accomplished a task so if you give them something and then it's done you get out of their hair it makes people feel good so things you can do install artificial time constraints when you're talking to somebody hey look there's only going to take a second I'm only going to take one minute of your time today I promise or in the email message this absolutely has to be done by week's end and the subject line put action required trying to bump it to the top of their priority list sympathy also works oh God I sure hope you can help me you know it has just been one of those days do you have a real quick second just to give me a hand people generally will quid pro quo if you do this for me I'll do this for you in return an ego this really works with phone calls and in-person physical pen testing this is where you get somebody to Like You by liking them first AKA people's Pride will come into play too if you can get them to agree to a series of smaller commitments to say yes to easier questions and work your way up to what you actually want people are a lot more hesitant to backtrack on a road that they've already gone down and again social engineering attackers will utilize those same tactics Remember The Details Matter every detail you put in your campaign either adds up or takes away from the effectiveness so match their email address format like we talked about before how are they using it what is the name is it first name dot last name first initial last name however it is that's what you're going to copy use the correct to lingo we talked before help death versus service desk make it believable bonus points if you can get the email signature and I know if it's our client it's easy enough just to copy it out of their emails but think like an attacker go a little farther I found success by getting this by emailing the sales department for example pretending I'm interested in what they're offering I get an email back what does it have in it the corporate signature then you can copy it if I'm sending out phishing emails I also watch for out of office bounce backs because again A lot of times those will have the Corpus signature in there too and when you get these details right I have found success and I can tell this from the out of office bounce back with the client's email system is telling the recipient this is from an external Source use caution do not click on things in here do not provide information and yet it happens anyway this one is an example of an email that we send out matter of fact it goes with that blue screen example we looked at a couple slides ago uh phone system provider vocera was purchased by Striker the integration was almost complete at the time that was in the news so again because that company already used that phone system that would have sounded familiar undoubtedly they would have heard that things were going through a transition so the campaign became hey we need your help verifying information has migrated successfully to ensure uninterrupted service please complete these following steps give me your corporate credentials and update anything else that needs to be updated at the bottom is concluded with IT service desk at help desk they used his service desk this is another example this was one a company was very involved in the local community and they were big supporters of community initiatives so in the beginning I referenced this is a community initiative we launched last fall that they were proud of again would sound familiar employees would likely recall hearing abo