Penetration testers and chief information security officers (CISOs) should find this article useful, as it sheds light on a number of new social engineering hoaxes doing the rounds these days. These stratagems can be highly effective in targeted attack scenarios where a specific employee or organization is in cybercriminals’ spotlight.
Preparing a targeted attack can be a time-consuming process. By contrast, mass campaigns with a large number of intended victims may produce more clicks on a phishing link, but they don’t yield meaningful results in a pentest.
A penetration tester cannot leave the trial attack to chance by casting a wide net in the hope that someone gets trapped. Although most targets will overlook the red flags, a few employees are likely to notice the pitfall and will probably report their suspicion to the security personnel. This will make all the pentest efforts futile.
Thorough preparation should be tailored to the specific organization, and a penetration tester needs to think outside the box in terms of tactics, techniques and procedures (TTPs).
Most companies adopt a reactive rather than a proactive approach when writing security rules, which means that new threats will probably slip below the radar of their defenses.
Nowadays, armed robbery is an obsolete method of perpetrating bank heists. Instead, email (phishing) is the dominant channel for compromising most companies. In spite of this, a lot of enterprise executives are still reluctant to change their mindset and focus on physical protection mechanisms while neglecting the digital ones.
Security experts know social engineering scams are today’s primary information security threat. However, many security managers are still confident that traditional antimalware tools combined with the standard guidelines for their staff suffice to stop hacker raids in their tracks.
Let’s see how social engineering can be used during phishing attacks.
The Sketchy @ Symbol
This technique probably won’t fool vigilant personnel, but social engineering relies on a lack of prudence for a reason: most users don’t notice subtle tricks like this one and fall for the fraud. Those who always scrutinize URLs for dubious characteristics will instantly realize that a link like https://firstname.lastname@example.org is a dodgy one.
According to the URL syntax outlined in RFC 1738, the @ sign separates the <user>:<password> part of a URL from the <host> part, so that a link can carry credentials and grant access to a specified web page by simply clicking it. The catch is that regardless of the string preceding the @ character, the web browser will take the user to the site (host) indicated right after it.
If you take a number of Arabic characters, percent-encode them as UTF-8 hex sequences and concatenate the resulting string into your URL, the address will look unintelligible and may appear harmless on initial inspection.
Here’s an example:
If you hover the mouse cursor over such a URL in a desktop web browser, the string is displayed in its decoded form, which gives you a clue about the risk if you are careful enough. This isn’t the case, however, in the Outlook email client or in a mobile browser.
Link Preview Exploitation
It’s common knowledge that Windows hides file extensions by default and you need to toggle the settings to actually see them. This quirk is known to be a source of some attacks, in which malware executables are disguised as benign files.
A similar hoax may work out with URLs. For instance, a harmful link may assume the following shape:
https://companyname.com:email@example.com/bbbbbbbbbbbbbbbbbbb.html (you can simply replace the “aaa” and “bbb” parts with arbitrary keywords that are typically shown on the genuine web page)
Mozilla Firefox truncates such long links in the middle, so the “badsite.com” string is hidden. All you see is a run of characters that doesn’t look malicious.
Other browsers render such long URLs in different ways, so the techniques of hiding the shady part will vary. If an attacker knows exactly what browser the target uses, then they can leverage the appropriate mechanism.
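The two link tricks above (a credentials-style prefix before the @ sign, and a URL so long that the real host is cut off in the display) are both cases where the part of the link a user sees is not the part the browser connects to. The following Python helper is an added example, not code from the original article: it parses a link the way the browser does, reports the host that will actually be contacted, percent-decodes the prefix so UTF-8-encoded look-alike text becomes readable, and returns plain-language findings a mail gateway or an awareness demo could show next to the link. The trusted-host list, the display-width figure and every sample URL are constructed for the demo.

```python
"""Added example, not code from the original article: a small link-inspection
helper that surfaces the URL tricks described above (a credentials-style
prefix before '@' and a long URL whose real host gets truncated in the
display), so that a mail gateway, an awareness demo or a link-rewriting
proxy can show the user which host a link really leads to.

Assumptions: only the Python standard library; TRUSTED_HOSTS and DISPLAY_LIMIT
are placeholders chosen for this demo; every sample URL is constructed.
"""
from urllib.parse import urlsplit, unquote

# Placeholder allow-list for the demo; a real deployment would load the
# organisation's own list of legitimate domains (assumption).
TRUSTED_HOSTS = {"companyname.com"}

# Assumed display width beyond which mail clients and browsers tend to shorten
# a URL in the status bar or tooltip; a demo figure, not a standard.
DISPLAY_LIMIT = 60


def inspect_link(url: str) -> dict:
    """Return the facts a reader needs to judge where a link really goes.

    real_host - the host the browser will connect to: the part of the
                authority after the last '@' (RFC 1738 / RFC 3986 syntax)
    userinfo  - the text before '@', percent-decoded so that UTF-8 text hidden
                as %XX sequences (e.g. Arabic letters) becomes readable
    findings  - plain-language reasons the link deserves a second look
    """
    parts = urlsplit(url)
    findings = []
    real_host = (parts.hostname or "").lower()
    userinfo = ""

    if "@" in parts.netloc:
        # Everything before the last '@' is treated as credentials by the
        # browser; it never influences the destination.
        userinfo = unquote(parts.netloc.rsplit("@", 1)[0])
        findings.append(
            f"credentials-style prefix {userinfo!r} precedes the real host {real_host!r}"
        )
        # The prefix is where a trusted-looking domain is usually planted.
        for trusted in TRUSTED_HOSTS:
            if trusted in userinfo.lower() and real_host != trusted:
                findings.append(
                    f"prefix mentions trusted domain {trusted!r} but the destination is {real_host!r}"
                )
        if not userinfo.isascii():
            findings.append("prefix decodes to non-ASCII text (possible visual obfuscation)")

    if len(url) > DISPLAY_LIMIT:
        findings.append(
            f"URL is {len(url)} characters long; a client may truncate it before showing {real_host!r}"
        )

    if real_host and real_host not in TRUSTED_HOSTS:
        findings.append(f"destination host {real_host!r} is not on the trusted list")

    return {"real_host": real_host, "userinfo": userinfo, "findings": findings}


def safe_display(url: str) -> str:
    """Short, unambiguous rendering for a tooltip or a rewritten link label:
    always the real host first, then the number of findings."""
    report = inspect_link(url)
    return f"{report['real_host']} ({len(report['findings'])} warning(s))"


if __name__ == "__main__":
    # Constructed sample links mirroring the patterns discussed in the article.
    samples = [
        "https://companyname.com/login",
        "https://companyname.com:aaaaaaaaaaaaaaaaaaa@badsite.example/bbbbbbbbbbbbbbbbbbb.html",
        # the Arabic word for "hello" percent-encoded as UTF-8 and used as the prefix
        "https://%D9%85%D8%B1%D8%AD%D8%A8%D8%A7@badsite.example/",
    ]
    for sample in samples:
        report = inspect_link(sample)
        print(sample)
        print("  real host:", report["real_host"])
        for finding in report["findings"]:
            print("  -", finding)
```

The design point is that the label a user reads and the host the browser resolves are computed from different parts of the URL; anything shown to the user should therefore be derived from `parts.hostname`, never from the raw string, and the decoded prefix is shown only as a warning, not as the destination.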
‘Good Old’ Traditional Post Can Work Wonders
If a company’s senior manager is your target, you can try to exploit their ego. To start, you need to set up a rogue website supposedly dedicated to a business event such as a conference or forum. Your next move is to convince the executive to visit this page.
One of the ways to do it is to send the person a regular letter, which will circumvent the electronic defenses deployed in the organization. Also, your paper mail will undoubtedly reach the victim because handing it over to the boss is among their secretary’s day-to-day duties.
An important prerequisite of a successful attack is to make sure the envelope looks professional enough to match the recipient’s VIP status. The message itself should emphasize the proposed role of the victim in the future event, which may come in the form of an invitation as a speaker, awardee, special guest or jury member.
Present the phishing site as the registration form mentioned at the end of your letter. Rather than printing the URL itself, print a QR code that opens the malicious landing page.
OSINT stands for open source intelligence, and it’s definitely an ally of a pentester. If done right, it can speak volumes about the personal life of a target employee. By analyzing the person’s social media profiles, you may be able to find breadcrumbs that lead to their interests, lifestyle details and pain points to take advantage of.
For instance, if you come across a particular hotel the victim has recently visited, impersonate its staff and send an email demanding an extra fee for some unpaid services. Make sure you indicate that the message is generated automatically and the person can reply using a form in the customer support section on the official site. This way, you can lure the target to follow a phony link and sign in. Chances are that the victim reuses the same authentication details on different sites.
In case you discover that the employee mostly uses a particular airline service when traveling, send a message stating that they can earn a ton of extra bonus miles by joining an additional loyalty program. Emphasize that this is a short-term offer to make the user act quickly to activate the phony program.
If you find out that the person has recently participated in an event, you can write an email providing a link to download the appropriate presentation content. Tell the recipient that they can also get a discount for the next conference once they sign into the site, which is your phony page in disguise.
Two-factor authentication (2FA) is a great way to safeguard one’s personal accounts, but social engineering can help get around this protection layer. Here is one of the ways to do it.
To set your pentest in motion, send the target employee an SMS asking them to sign into their mobile carrier account and accept the purportedly updated terms of service or refresh some personal information there. The text message should feign urgency so that the recipient doesn’t call the tech support first.
Also, make sure the phishing link resembles the typical URL structure used by the carrier. Once the unsuspecting victim enters their username and password, you can use these details to access their valid account and enable the SMS forwarding feature. As a result, you will be receiving verification messages in 2FA scenarios. This will allow you to sign in to the employee’s sensitive accounts.
A Few Extra Tips
Here are several recommendations that might help make your benign social engineering attack more effective.
- Send an inquiry to the target organization’s corporate email address. When you receive a response, scrutinize the email design and copy it to make your phishing messages look as trustworthy as possible.
- Make some test calls to the personnel as part of your reconnaissance. If you hear the answering machine saying that an employee is currently on vacation, you can try to take advantage of him or her being out of office. Reach out to colleagues on behalf of the person (purportedly from their personal email account) and discuss some business issues to wheedle out confidential information.
- A particularly intricate method of social engineering is to entice the potential victim to find your phishing site on their own. This technique relies on an information bait pulling the right triggers to evoke the target’s curiosity. Then, the person will probably look up the subject on a search engine, only to come across and visit your malicious website that shows up among the top search results.
The primary protection strategy of modern companies boils down to preventing malware attacks and stopping hacker incursions by means of automated security mechanisms.
These defenses don’t suffice, though. Even if your organization leverages top-notch security systems, they are nearly worthless as long as your employees download dubious email attachments, use poor authentication practices or click on phishing links. With that said, constantly improving the social engineering awareness of your personnel is a fundamental element of your company’s security posture.