Phishing

Phishing falls under the category of social engineering. It has always been, and will continue to be, the easiest way into most organizations. Phishing is so dangerous because it usually bypasses the technical defenses in place and has a low likelihood of detection.

The common indicators are well known:

  • The sender is unknown, or you are not expecting an email from that person
  • Look-alike domain names, such as eBay-secure.com, paypol.com, and so on
  • Incentive-based surveys and prizes
  • Missing logos, spelling mistakes, and/or grammatical errors
  • Generic greetings
  • Links that hide the real destination, such as URL shorteners (tinyurl, bit.ly, and so on)

There are a number of reasons why phishing continues to work:

  • The human element: sometimes the user knows it looks dodgy but continues anyway, out of curiosity or confusion.
  • People have a natural desire to be helpful (and are curious).
  • The user is distracted or tired, and it only takes one lapse in concentration (exhaustion from a newborn baby, for example).
  • The user lacks cyber security awareness.
  • The user is expecting a package or similar and mistakes the phish for a real email.
  • Fear. A classic social engineering tactic is to use fear to provoke an immediate response without thinking, such as a speed camera fine notification, an email from the CEO, and so on.

Phishing emails get more sophisticated and harder to spot every day, which is why it is important to stay abreast of the latest techniques and campaigns.

Recent campaigns leverage utility bills and Office 365 scenarios, similar to the following:

Classic scenarios that work well for us include new-system scenarios, such as new email archiving, AV, or a cloud service. Merchandising and free stuff (people go crazy over the word free) and fake notifications from Dropbox, SharePoint, and so on have also yielded success in the past. It is important that the campaign looks and feels as real as possible. If, during recon, we identify through metadata or other public information that an organization is using ADP for their payroll, we will register a look-alike site and domain such as adpp.com and use that.
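As an added example that is not part of the original page, the following Python script applies the indicators from the list above (look-alike sender and link domains, URL shorteners, generic greetings, link text that names a different site than its href) and the padded-domain trick described in this paragraph (adpp.com for adp.com) to a raw email message. The watched-domain list, the shortener list, the greeting phrases and the sample invoice lure are constructed for illustration, and `registrable` is a deliberately crude stand-in for a public-suffix lookup.

```python
# Added example (not from the original page): heuristic phishing-indicator checker.
# Watched domains, shortener list, greetings and the sample message below are constructed.
import re
from email import message_from_string
from email.utils import parseaddr
from html import unescape
from html.parser import HTMLParser
from urllib.parse import urlsplit

WATCHED_DOMAINS = {"paypal.com", "ebay.com", "adp.com", "microsoft.com", "dropbox.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued", "dear sir/madam")

def edit_distance(a, b):
    """Levenshtein distance: 'paypol' vs 'paypal' == 1, 'adpp' vs 'adp' == 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Crude registrable domain (last two labels); a real tool uses a public-suffix list."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def lookalike_of(host):
    """Watched domain that host imitates, else None. Catches typos (paypol.com), padding
    (adpp.com), decoration (ebay-secure.com) and subdomain abuse (paypal.com.evil.example)."""
    dom = registrable(host)
    if dom in WATCHED_DOMAINS:
        return None
    name, labels = dom.split(".")[0], host.lower().split(".")
    for real in sorted(WATCHED_DOMAINS):
        brand = real.split(".")[0]
        if edit_distance(name, brand) <= 1:
            return real
        if len(brand) >= 4 and (brand in name or brand in labels):  # short brands are too noisy
            return real
    return None

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def message_text(msg):
    """Decoded text/plain and text/html parts, joined."""
    return "\n".join((p.get_payload(decode=True) or b"").decode(p.get_content_charset() or "utf-8", "replace")
                     for p in msg.walk() if p.get_content_type() in ("text/plain", "text/html"))

def analyze(raw_email):
    """Return the indicators found in a raw RFC 5322 message, as human-readable strings."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    sender_dom = registrable(addr.rpartition("@")[2])
    findings = []
    real = lookalike_of(sender_dom)
    if real:
        findings.append(f"sender domain {sender_dom} looks like {real}")
    for real in sorted(WATCHED_DOMAINS):  # display name claims a brand the address is not from
        brand = real.split(".")[0]
        if re.search(rf"\b{brand}\b", display, re.I) and sender_dom != real:
            findings.append(f"display name claims {brand} but sender is {sender_dom}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and registrable(reply.rpartition("@")[2]) != sender_dom:
        findings.append(f"Reply-To {reply} is in a different domain than the sender")
    body = message_text(msg)
    if any(g in unescape(re.sub(r"<[^>]+>", " ", body)).lower() for g in GENERIC_GREETINGS):
        findings.append("generic greeting")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = urlsplit(href).hostname or ""
        if registrable(host) in SHORTENERS:
            findings.append(f"shortened link {href}")
        real = lookalike_of(host)
        if real:
            findings.append(f"link host {host} looks like {real}")
        shown = urlsplit(text).hostname if text.lower().startswith("http") else None
        if shown and registrable(shown) != registrable(host):  # anchor text names one site, href another
            findings.append(f"link text shows {shown} but points to {host}")
    return findings

# Constructed sample: an "outstanding invoice" lure aimed at an accounts-payable mailbox.
SAMPLE_PHISH = """\
From: "PayPal Billing" <billing@paypol.com>
Reply-To: collections@mail-relay.example
To: accounts.payable@example.org
Subject: Outstanding invoice - action required
Content-Type: text/html; charset=utf-8

<p>Dear Customer,</p>
<p>Your invoice is overdue. Review it here:
<a href="https://bit.ly/3xyzabc">https://www.paypal.com/invoice/view</a>
or sign in at <a href="https://paypal.com.secure-login.net/">our secure portal</a>.</p>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_PHISH):
        print("-", finding)
```

Running the script lists seven indicators for the constructed message: the typo sender domain, the brand in the display name that the address does not belong to, the Reply-To pointing elsewhere, the generic greeting, the shortened link, the anchor text that names paypal.com while the href goes to bit.ly, and the subdomain-abuse host. The checks are heuristics: three-letter brands are matched only by edit distance because substring matching on them is too noisy, and the two-label registrable-domain guess misclassifies ccTLD domains such as example.co.uk, so a production version should plug in a public-suffix list and a brand list built from recon of the organization.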

If we identify an accounts-payable person through LinkedIn, they are the perfect target for a fake outstanding invoice carrying our payload. It should be addressed to them by name, of course; no generic greetings!

Again, whether it is a targeted email or a global campaign, it should be specific to the target and seem legitimate to them.

In addition to the above, I can tell you that my team and I get into a large number of heavily secured environments using social engineering. This includes phishing, physical access, USB drops, and fake/evil Wi-Fi APs.

Our phishing assessments yield, on average, a 20% click rate, with 25% of people happily providing us their passwords. We also have one or two repeat offenders on every single engagement. A repeat offender is someone who comes back to the phishing site two or more times and gives us their password multiple times, just in case it didn't work the first time.

We have breached physical environments by arriving on-site dressed as an air-conditioning/service guy ("We have been alerted to an issue with the HVAC system in your server room and we're here to investigate", or "We are here to test the fire alarm"), and through imitation of legitimate users as well; when imitating a legitimate employee, we leverage classic tactics such as tailgating.

On one of my earliest engagements, I remember performing an assessment for a large internet marketing company. This company had two wireless networks, a guest and a corporate one, like most organizations today. Obviously I was after the passwords for those networks. From the outside, they were quite secure: firewalls, IPS, MFA, and so on. So, I called the receptionist: "Hi, this is Dan from XYZ, I'm working with Bill in sales" (of course I didn't know Bill from a bar of soap, I just got his details off LinkedIn). "Bill told me I should contact you to get hold of the wireless password, so I can set up for a presentation I'm doing for you guys on Friday." She responds, "Oh sure, which password were you after? The guest or the corporate?" I'm playing stupid: "I think Bill told me I need the corporate one." She then replies, "I tell you what, why don't I email both of the passwords to you, and you can work out which one you want to use?" I'm like, "That sounds great." So, she sent them through and I finished early that day.

We also have success using USB drops. In the old days, with earlier versions of Windows, we could get away with our own agents and autorun, but these days we leverage tools such as the USB Rubber Ducky (https://hakshop.com/products/usb-rubber-ducky-deluxe) to generate our own shellcode and to bypass restrictions.
