Tuesday, March 29, 2016

Phishing is too easy

I only remember going in a boat fishing once. And did not catch anything. And had to help with engine problems all the way back to the dock. So I can't claim to be a fisher for I never learned and endured the hours of being pooped by the mocking seagulls while waiting on fishes who were much smarter than we give them credit for fall for the lure and get stuck on the shiny hook by the end of the line. There are many man, women, and children who are very successful in the way of the fish; I am not one of them.

Phishing is a completely different story. It is very easy to do. You can call it caveman-easy but you would be then insulting the cavemen. And yet, it is extremely effective.

Businesses (should) worry about being hacked since a breach costs them money and reputation. So, they (should) do their best to prevent the bad guys to get in by patching servers and services and deploying firewalls and making sure their mail and web servers are will not let anyone try to log in. Of course their problem is exacerbated because while they need to protect against any possible attack, the attacker just need to find one weak point to get in. And the easiest way to achieve that is through social engineering.

Basic Phishing Recipe

  1. Get a free website account. This is kinda important if you are providing a link in the email for your victims to click on. Some of them allow you to use very little or no verifiable info to create said account. So you can use really bogus info.

    Now, if you are doing Microsoft Office Macro attack, this still might be a good idea since it insulates your real addresses. Remember, it is not hard to create code to send collected data from the site to somewhere you want to collect the data.

  2. Select your target. You think that means to select the business you want to attack. Well, you are wrong; thanks to the crusade to push everything to the cloud you really need to think on a larger scale and go for who hosts those companies' emails. Based on what I have seen, the commercial google mail or the Microsoft equivalent (Office 365) are the best bets. First, a lot of businesses are using them, which mean you have to only hit one single target.
  3. Decide how you are going to deploy your payload. Are you going to send an attachment (most of the time a Word document) or a url? What about an executable (badly) disguised as an image? I say badly because I have seen a lot of attachments whose extension is simply changed or have an image extension appended to the filename because of how Outlook presents those attachments.
  4. Write the email. I would love to say this requires you to be creative and spend hours or days to recon the target company to figure out corporate colours, normal email format and language, and even the proper email addresses before launching an email-based attack. The reality is that is not necessary unless you craft it so badly the target's detection system will flag your email.

    People will fall for those emails even if it is badly written. Now, I am not saying everyone will, but those who are really busy and have to be reading and replying to emails every day -- people who order stuff from vendors all the time -- are rather likely to do so. They do not have time to stop and think whether the email makes sense. They will scan, made a decision, act on it, and then move onto the next target.

  5. HTML is your friend. The vast majority of people use email clients that will render a HTML-based email. If they use Office 365, you can disguise your attack links as
    <a href=https://shadysite.com/malware.exe>https://www.safeurl.com</a>
    Sometimes if you hover the link the real url will be shown, sometimes it does not.


Friday, March 11, 2016

On Handshaking

Since this blog deals with social engineering and the lesser technical aspects of hacking, your Pavlovian reaction to when I say handshaking is two hands -- no assumptions of where they have been -- holding each other and maybe shaking:

and that is exactly not what I have in mind. Instead, let's leave the realm of squishy beings and go to computers. There when a device wants to talk to another, it starts some kind of handshaking protocol to establish connection parameters and authentication. Once that is successfully established, data transfer begins.

But, how does that apply to people (I was going to say humans but it might be too politically incorrect)? So we have two people, Red and Blue, which are named after the web series of, well, the same name. They meet somewhere and start talking

There are a few subtle variations (Red might reply "I'm fine too!"), but the main point is they may be talking to each other, but they are not yet holding a conversation. In fact, they are in the handshaking phase that, as in networked devices, precedes the actual exchange of data, which is represented above by the "BEGIN TALK" line.

he difference between them and machines is that they really have not said anything; this was just a ritual learned by rote.

If you want to test how mindlessly people go through this handshaking protocol, change a bit your answers and see how they react. Here is an example I have tried at a store:

As you can see, Red

  1. Heard Blue reply but did not listen. As a result.
  2. Assumed the content of the reply matched the standard handshaking
  3. Replied to the assumed reply
  4. Finally realized the carpet has been pulled from under him. In other words, TILT.

The basis of Social Engineering as applied to hacking is to identify the expected pattern and use it to persuade others to help you achieve your goal. Expect to see quite a few examples here.