In these uncertain times, many companies are allowing employees to work from home more than ever before. Essential personnel onsite at the workplace are kept to a minimum and are offered remote support when issues occur. The scope of remote work is unprecedented and brings up a lot of questions for managers aiming to support their employees.
This series will discuss security testing and consulting options that Raxis offers to help companies work as securely as possible while employees work from home using home wireless services and systems or jump on the company VPN in unprecedented numbers.
Phishing
Raxis expects a rise in phishing attempts — emails, texts & phone calls — as attackers realize that employees are at home and not as easily able to verify that requests are legitimate.
Let’s start with your VPN itself. It’s likely at least a few of your team members are going to have problems logging on. Though they may be overwhelmed, your help desk workers are inclined to be helpful. Verification is a step that might easily be skipped in a rush to get an exec or senior manager online.
Finance is another point of vulnerability. Say that you receive an email from your boss saying to approve a new vendor payment. Normally your boss would never send that in an email . . . but these are not normal times, and you’re both working from home. You think of giving her a call, but she just told you she’s busy setting up her children’s new online school meeting. Do you approve the request? How are you sure that it’s legitimate?
What if it was a phone request from a customer who is working from home? He’s on his cell phone. Are you sure it’s really him? Should you verify before telling him customer financial information? Sure you should, but you’re out of your normal environment and he sounds really annoyed. What do you do?
And what about your teammates? Your employee texts you and asks for the password to an old system with a shared password. Do you text them back? Do you check the number first? Send it in email?
These are different questions than you ask when you’re in the office and can lean over the cube wall. It pays to make sure all your employees know the answers (or at least ask the questions) before they face them in the real world from home.
Where to start
Raxis has a number of phishing tests that fit these scenarios, and we are happy to work with you to customize a test that fits your needs. We provide a report and a debriefing call to help you educate your employees with real world examples. Whether they pass or fail, it’s an opportunity to safely assess their readiness and reinforce their training.
Take a look at our social engineering offerings. As always, Raxis is happy to advise you and work with you to customize a test that meets your needs. If you have concerns, we’d be happy to chat with you about options that work for you.
Each October the NICCS (National Initiative For Cybersecurity Careers And Studies) leads National Cybersecurity Awareness Month (NCSAM) . This year the focus is on personal accountability and taking proactive steps both at home and at work. Raxis is joining in the fun by offering tips that we all can try at home and in the workplace (or school), no matter our age or what we do.
Computer & Smart Phone Basics
These tips are the same ones you’ve been hearing for years, but it’s always good to have a reminder.
Apply updates to your devices. The IT department at your office is likely handling this there, but it doesn’t hurt to check and be sure your operating systems and software are running current, patched versions. This is also important for your personal devices. Watch for notifications that it’s time to update your operating system and keep software that you buy up to date. Almost all software has a place (Updates, Preferences, Settings) where you can check to see if you are on the current version. Most vendors watch for security news and provide patches and updates as soon as they fix issues. And don’t forget smart devices, such as phones, tablets and household products like cameras and lighting systems. Such devices can be easy to overlook, and hackers often focus on them because they know that.
Set passwords/passcodes on your computers and smart devices. Your kids may “hack” your phones by entering the passcode that you’ve told them and posting amusing Instagram photos, but, when you misplace your phone while out, you will appreciate setting that passcode so that a stranger doesn’t have access to your private information including sending texts, reading your emails, or erasing your phone for their own use. The same applies to computers. Step away for a few moments, and you don’t know if someone has stopped by to look at your private downloads or browser history.
Use strong passwords. While on the topic of passwords, please don’t use 12345 or Password1. It’s often tempting to set easy passwords or the same password for every login to save time and make passwords easier to remember. Hackers count on that. Some websites allowed hackers to guess many passwords until they find the right one, and, once they have it, they may try it to login to your other accounts or even sell the password to other people. Raxis gives tips on setting passwords that are easy to remember but hard for others to guess here: The Weakest Link in the Password Hash.
WiFi Networks
Nowadays all sorts of places from coffee shops to hotels have free WiFi guest networks. It’s convenient to join these, and you can do that safely if you follow a few rules. While connected to these networks, there is a chance that a hacker could be watching your internet traffic, including passwords as you login to sites and private information that you enter in websites or upload to the cloud. If you’re logging in to check a score or find the closest pizza parlor, there’s probably nothing for a hacker to steal. But if you plan to stay on the WiFi network for a while or do anything that may be private, Raxis advises you use a VPN tool such as Private Internet Access (PIA) while connected to the guest WiFi network. Tools such as PIA have apps for your phones and tablets as well as software for your computer, and they often charge a low monthly or annual fee so that you can use the service at any time. Once you connect to the guest WiFi network, start PIA, and it will encrypt your internet traffic so that an attacker attempting to watch your secure data only sees gibberish.
Setting up a home WiFi network. When setting up your WiFi network at home, either through tools from your local cable, phone or satellite service, or with your own wireless router, be sure to set a strong password (see above) on the administrative webpage where you set up the WiFi network. Though these sites appear to be personal for your home, the signal often travels outside and to neighbors’ houses. If you leave the site with no password or an easily guessable password, someone nearby could change your settings. Raxis also advises that you set a password to join your home wireless network. Though you’ll likely share this with friends and family, it makes it harder for someone nearby to join without you knowing.
Use WPA2. Your router setup likely has several options for the wireless security protocol and sometimes defaults to a weak protocol. The WEP and WPA protocols are about 20 years old, and exploits are easily available on the internet. Several varieties of WPA2 are available on most routers, and any of these should work well for a home network.
Social Engineering & Phishing
Many hackers and thieves look for a simpler way to get the information and access they want.
Email, fax and phone (calls & texts) phishing campaigns have become very realistic and are often difficult to distinguish from legitimate messages. Hackers can steal your information by talking you into telling them, tricking you into entering your private information, such as credentials, on their malicious webpage, or even automatically stealing credentials or infecting your computer when you open a link that they send you. At Raxis we advise our customers to stop and think before acting. Many companies, such as banks and stores, provide contact numbers and forms that you can call to confirm the information.
It may seem brazen, but the easiest way to get access to businesses, apartment buildings, or other shared spaces, is to act like you belong and see if someone lets you in. Once inside, it’s often rare for people to confront others about whether they belong there. Raxis recommends not holding locked doors for people you don’t know as well as keeping confidential information and keys hidden in case someone does gain access. If someone appears suspicious to you, you don’t have to confront them. Let a security guard, receptionist, or someone in authority know.
The most important thing to remember is, to quote the Department of Homeland Security, “If you see something, say something.” This is the case whether at work or at home. Check with your manager or IT department or check with your neighborhood watch or HOA. If you are not sure about an email from your bank, contact them about it; if it’s a scam, they may want to inform other customers. If you see someone acting suspiciously, report it or ask around.
Raxis provides more information in the following series of blog posts:
As the holiday season gets closer, focusing on cybersecurity is not just for the month of October. When we focus on security in our daily lives, we can work together to make things more difficult for hackers and thieves. Let’s all do our part
Brad Herring and Scott Sailors had the pleasure to present at the (ISC)² Atlanta Chapter Meeting last Thursday. The topic was on Social Engineering and understanding how the high success rates of social engineering impacts network security. Herring and Sailors shared the most common attack vectors, which include phishing, spear phishing, vishing, physical with a pre-text bias and physical with a technology bias.
The members were shocked at the 90% success rate Raxis sees with social engineering across all verticals and business size. Further sobering is the fact that, once Raxis gains access to an internal network, our team is successful in achieving an “impactful breach” 85% of the time.
Once the realization hit that determined and skilled hackers are commonly able to breach armed security, card keyed systems, numeric keypads and other physical controls, it became apparent the importance of achieving and maintaining a strong internal network security program.
This engaging meeting facilitated many conversations about physical security as well as the effectiveness of a mature phishing campaign. The group was able to heighten their awareness of the types of attacks to which businesses often fall prey, understand the behind the scenes actions that take place once credentials or access is achieved, and discuss meaningful remediation steps for combating these attacks.
Many of the external network and web application penetration tests that we perform list ‘clickjacking’ as a vulnerability. We find that many website developers, as well as many users, do not fully understand what clickjacking is. While clickjacking is not exploitable to gain system access on its own, this web configuration vulnerability can be used to gather valid credentials that can lead to system access when paired with a social engineering attack such as phishing. Clickjacking falls under the A6 – Security Misconfiguration item in OWASP’s 2017 Top 10 list.
A LOOK AT HOW IT WORKS
Clickjacking uses a genuine webpage, usually a login page, to trick users into entering private information such as credentials. To show how this works, we created a sample login page for a great little app called Not a Secure Site.
As the page does not implement clickjacking protections, an attacker can quickly and easily clone the page by placing it within an HTML iframe on their own website. By overlaying their own username, password, and sign in button elements on a layer above the iframe, the attacker can capture any credentials the user believes they are entering into the original login form. The example below shows how the attacker’s cloned page might look. Can you tell the difference between the real site and this malicious site?
Without inspecting the source code of the malicious page, the content of the page appears identical to the legitimate one. Now, let’s highlight the overlaid text fields and button fields in blue so we can see where the magic takes place:
Those fields are in a layer of HTML that is physically sitting on top of the iframe containing the Not a Secure Site’s log in page. When an unsuspecting user enters their credentials on this page, they are entering them in the attacker’s text fields and clicking the attacker’s button.Let’s add a border around the iframe on the attacker’s website:
Here we can clearly see where the attacker has embedded Not a Secure Site’s log in page into the malicious site.Using Burp Intercept, we can watch the HTTP Request. For this example, I just set the attacker’s form to POST to the Raxis website. In the intercepted request below, we can see that the user’s credentials entered into the form are being sent to the attacker’s site instead of to Not a Secure Site.
This is all very clever, but it doesn’t mean a thing if a user never enters credentials. This type of attack must be used as part of a larger attack, which is generally a phishing attack that encourages the target to click on a URL in an email.The HTML code on the malicious page can be remarkably simple. The attacker needs only to create and properly position text fields and a button on the page, and the iframe does the rest!
In more advanced clickjacking attacks, an attacker can log your credentials as you type them, capturing your username and password before you even submit the form.
WHAT WEB DEVELOPERS CAN DO TO PROTECT THEIR SITES
So, what makes this webpage vulnerable and what could the website’s developer do differently to fix it? It all comes down to preventing the page from being embedded in the iframe. Modern browsers look for the X-Frame-Options header to determine when an external site is permitted to be presented in an iframe. Looking at the HTTP response for Not a Secure Site’s log in page, we see that the site does not set the X-Frame-Options header, which defaults to allowing any site to be embedded in an iframe.
The X-Frame-Options header can be set dynamically in server-side code or configured on a global level through the web server or proxy configuration. The X-Frame-Options header allows three possible values:
DENY
SAMEORIGIN
ALLOW-FROM uri
If the website never needs to be embedded in an iframe, the developer should use the DENY value to block all iframes. Here’s what the attacker’s website looks like when Not a Secure Site has set the X-Frame-Options response header for the entire website to DENY. The header prevents the login page from rendering within the iframe.
The SAMEORIGIN value can be set if the webpage needs to be within an iframe on its own site. The ALLOW-FROM uri value is not recommended because it’s not supported by all browsers.While the X-Frame-Options header is the best defense against clickjacking attacks, the Content-Security-Policy directive can use the frame-ancestors property to restrict which domains are allowed to place the website in a frame, though frame-ancestors is not yet supported in all major browsers.OWASP has a great Clickjacking Defense Cheat Sheet explaining these options in detail, as well as explaining old methods that will not work well and are not advised. The OWASP Secure Headers Project is another great tool that you might want to check out.Raxis offers several penetration tests that alert customers to websites that are vulnerable to clickjacking. Check out our Web Application Penetration Testing service to get a start. If a full penetration test is not within your company’s needs or budget, take a look at our Baseline Security Assessment option, which also highlights clickjacking vulnerabilities.It’s important to note that some phishing attacks will copy webpage code, instead of embedding the page in an iframe, to achieve the same results. Depending on the webpage, this can be complicated and may require an advanced knowledge of HTML, JavaScript, and CSS. When an attacker is able to produce a convincing clone of a website without using an iframe, any form of clickjacking protection, including X-Frame-Options, cannot prevent this form of attack.
WHAT USERS CAN DO TO PROTECT THEMSELVES
Clickjacking recommendations are often focused on what web developers and website administrators can do to protect users, but what can you as a user?Keep in mind that the attacker has to trick you into using their website. Whether they do this through an email, a flyer, a poster on a wall, or casually mentioning it in a conversation, it’s always a good idea to verify that the link you are using is legitimate. If you’re at work, check with your IT department; if you’re a user of a consumer site, go to the genuine site and use the contact form or the phone number there to verify the link.Remember that links can be masked to look like something else. Hover over links in emails and webpages to see what URL they truly point to. Look at URLs carefully to see if they are legitimate. Attackers will often buy domain names that look a lot like the true website’s domain in the hopes that their targets will not look closely.See our recent phishing blog post to learn more about protecting yourself from phishing attacks.
We’ve all heard of phone scams such as Rachel at card services offering to help us out of a jam we didn’t even know we had. Scams such as this have become common in the workplace as well. These scams, called vishing or phone phishing, are a type of test we often perform for Raxis’ customers.You may be surprised to hear that often we achieve a high success rate with these phone phishing assessments. During one particular assessment, we called a large number of people throughout a company and told them we were contractors performing the annual credential check and asked the employees to please provide their email username and password. Often those credentials are used to login to their computers as well. Providing this information yielded more access than the targeted user was aware of. During this assessment, approximately one fourth of the people we called provided their credentials.
PREPARATION
This type of phishing is different from the email phishing attacks that most people are familiar with. First, a telephony-based phishing campaign requires additional preparation to sound convincing. We rehearse what we plan to say as well as how we will respond to questions, suspicion, and anger. We invent a story and background as part of a convincing pretext. It is said that the devil is in the details. A sense of legitimacy can be borrowed by peppering the conversations with specific information. Are we saying we work for the same company as the target? Then we’d better be able to say what office we work in. We’re calling from IT? Who’s our manager?Unlike email phishing campaigns, it is imperative to hook the target as soon as the call starts. Once the target hangs up, it’s unlikely they will call back or take another call from our number unless they trusted us (though I once had a person call me back to check who answered the phone). For this we prepare a persona.
We need a name, possibly an accent, a department, a purpose for calling, and just enough back story that we never say “umm”.
When we call our target, we’re unlikely to provide most of these details, but we need to be in character. Our target is likely to start off suspicious and will only get more suspicious if we say we work at the IT Help Desk and then act like we’re a high level manager telling them what to do. I’ve also had targets question me on what building I work in as well as my manager’s name. If I have a number of people to call, I often make small talk to gather more information to use in my next calls. Every bit helps in establishing rapport and building trust.Another part of preparation is technical. While it’s illegal to spoof (imitate) a phone number maliciously, in phishing campaigns it’s all part of the test. We use services like SpoofCard to display the phone number of the company that we claim to be calling from to make the call seem even more real.
A SIMPLE, MULTI-TARGET VISHING CAMPAIGN
Many companies hire us to call a large number of people in various departments to see if they reveal private information. The goal is to get something simple like their username and password for the email system or the direct phone number for an employee who doesn’t have that listed publically. We often seek to check the effectiveness of their security awareness training by evaluating employees’ responses to the attack. As an employee, knowing that a company tests employees in this way can be a great incentive to exercise vigilance when handling unknown calls.In campaigns like this, I like to make myself a low level contractor. This job is so lowly that they don’t even make the lowest level employees do it! My goal is to establish rapport and then elicit a sense of empathy. Maybe you feel sorry for me. Maybe you realize that I get paid by results, so I will keep calling until you give me what I ask for. Most importantly, I have an excuse for not knowing answers to all your questions or not having a phone number that looks familiar.So back to my sad, lowly contractor. I make the call. I’m friendly. If they don’t believe me, I sound like I am used to hearing this and hate my job. I don’t tell them I’m a contractor; my goal is to get their credentials, but if they push back or ask me questions like “what building do you work in?, I “admit” that I’m just a contractor. I look for any opportunity to ask the best way to get a job there. I ask if my target likes working there. Are the managers nice?This allows me to keep the target engaged without knowing all the answers and makes people feel important because they possess information that the caller doesn’t have. If they refuse to answer, I’m polite and tell them that is no problem at all… but someone will have to come to their office in person, and it will take longer. Sometimes that threat of someone physically coming to see them is enough to change their mind.These types of campaigns can be conducted under a myriad of personas. Some people mumble a lot so that it’s easier to act like you know answers you may not know. Think of calls you’ve received from spammers that you believe are legitimate at first. Sometimes it’s hard to say no.
SPEAR PHISHING CAMPAIGNS
Spear phishing campaigns, whether using email, phone, or a combination, are much more complex to set up but can be well worth the effort when all the pieces fall into place. In these campaigns, we focus on a small number of specific targets and spend a great deal of time researching them to tailor the campaign specifically for these individuals.We start with research, and it may surprise you what we can find from the comfort of our own home using the Internet. I’m not discussing the dark web here; I’m talking about search engines like Google and Bing, social media, such as LinkedIn, Facebook and Twitter, and even the websites of your own company and your customer companies.A few years ago I was hired by a small firm of about fifteen people who each worked with two or three customer companies. I won’t reveal the specific industry, but they worked mostly with financial information. I was tasked with using only phone calls and calling as few or many people as I wished as long as I extracted any type of critical, private information.My first step was to look at the company’s website where I found a list of key employees along with a small write-up about them. Many companies do this… it’s a great way to show prospective customers that your team has experience and would serve them well. Even Raxis has a page like this: Using Raxis as an example to illustrate the value of seemingly extraneous information, from this web page I gathered names, and I made short bullet lists of personal and professional information that might be useful in my calls.I also looked around the webpages and got an idea of the company itself. Sometimes information is revealed about products or companies that work closely with our target company. The Raxis webpage lists our partners, Rapid7 and GE Digital Cyber Security, giving an attacker an idea of who might be calling us, as well as lending a sense of importance to the calls that are believed to originate from them. Next I looked at LinkedIn and found many of the same people. LinkedIn is used by most people when they are looking for a job, and, because of this, many LinkedIn profiles have a great deal of information about people and what they do at work. School and work history give an idea of the target’s age as well as their interests. We look for any connection that we could exploit to build a bond.
You went to Carolina? I can’t believe it. I did too! What year did you graduate? Go Heels!
LinkedIn also can provide detailed information about our target’s job. Part of my LinkedIn job history is shown below. You’ll see that I once worked at a PBS station and a university. All of this type of information can be helpful as we enhance the target’s attack profile and determine under what pretext the attack will take place. In the case of the company I was researching, two people stood out. Each of them posted names of their customers on either the company website or LinkedIn. Next, I researched these customers. Immediately one customer stood out. Their website showed an org chart showing the structure of all of the top management.Since I’m female, I picked a woman on the list and decided to call my target using her name. I also found two other names that were higher in the org chart. With this information, I made my call.
Hi, this is Stephanie Smith. I hate calling you at the last minute like this. My phone died, and I’m running around trying to get all the financial statements together for our annual planning meeting. Rich and Jim decided at the last minute that they need statements for the full fiscal year, and I can’t find them anywhere. The meeting starts in thirty minutes. Is there any way you can fax them to me ASAP? You can? Great! Our fax machine is actually broken too. Would you use this number instead?
When you have time to sit and read this, it sounds ridiculous. There are red flags throughout. I never even said my company name, but I had enough information that I hooked my target into believing that I was trustworthy because she believed me when I gave my name, which happened to be a name that the target had been conditioned to view as a very important client that she wanted to please. She did not expect the call and made a split second decision to comply, rather than risk alienating a customer.She sent over 50 pages of financial statements to my fax machine.Of course, this was a security test. I deleted all of the data and provided my customer with a customized report that they used to train their staff. If I had been a malicious attacker, that one call could have broken the trust that company had with all of their clients.
GET THEM TO CALL YOU – THE REVERSE PHISH
In Part One I talked about email phishing. Why limit ourselves to emails or calls when attackers will use any means they have at hand?When customers allow us to combine emails and calls, one method that we’ve found value in is asking targets to call us. It may sounds silly, but think about it. Something you use daily on your computer to get your job done stops working. You call the help desk, but they are already swamped. You’re waiting unproductively and your work is piling up. We’ve all been there, and we all hate it.So along comes an email with a link in it. The wording in the email gives you a special number to call. This webpage is so important that there is a priority number for it. This type of hybrid vishing campaign makes it easy to target a large group of people. Once someone calls back, we know they, at least partially, buy our story, and we can hook them in even further. When people call us they are more likely to trust us. They have no proof of who we are, but most people feel more comfortable with the person on the other end of the line when that person is answering them on their own terms at their own time.
WHAT YOU CAN DO TO PROTECT YOURSELF
When someone calls us, it often takes us off guard, and we are deciding if we should trust them at the same time that they are talking and encouraging us to get this over with by giving them what they want. We are conditioned to comply, especially in the work environment. But it’s important to maintain a sense of vigilance when dealing with any electronic communication including phone calls.
Remember that you can hang up on people. Tell them no or just hang up the phone. If you don’t trust them, just hang up.
If you don’t want to be rude or worry that they may really be who they say they are, put them on hold. Think about what they’ve said. Ask a manager or call the IT help desk and ask. IT often can help you decide if a call is legitimate.
Calling from a different number? Even if the calling number looks right, an attacker may be spoofing it. Before giving any private information, tell them you’ll need to call them back at the number you already have on record.
After hanging up, call the number you already have and verify that they just called. If the call was false, they’ll appreciate you checking. Call the department they say they’re from and ask. It’s obvious you have their security in mind. Most people appreciate that.
Are they asking you to send to a different fax or email? Tell them you can send to known ones you already have.
Most importantly, report it. Make note of the number and any details they provide. They may call other people, so the sooner you alert your company the better. If your company does not provide a way to report possible phishing and vishing attacks, report them to your IT department.
Raxis provides social engineering tests, including phishing and vishing tests, that are tailored to your company. See our Social Engineering site at https://raxis.com/redteam/social-engineering for more information.
Social engineering testing such as this is a critical part of compliance testing for companies in the financial sector. Learn more here https://raxis.com/industry/financial.If you have questions or ideas for further blog posts, contact us at https://raxis.com/company/contact.
Gone are the days of Nigerian princes who left you their fortune. Today it’s much more difficult to separate the genuine emails from the malicious ones that are out to steal your information and your money. While many of us deal with the spam that ends up in our personal email inboxes, Raxis helps many companies avoid corporate and customer information leakage from phishing emails targeted at unsuspecting employees.
Identify
Knowing how to identify suspicious emails is the first step in protecting your information as well as that of your employer and customers. I’ve performed many phishing campaigns for our customers, and I’ve heard multiple stories of smart, conscientious employees falling for clever phishing campaigns. The fallout, including public relations pitfalls, can be large enough that IT budgets get redirected to secure the environment and regain customer trust.I always tell our customers that it doesn’t hurt anyone to take a little extra time to react to an email. When I run phishing campaigns for our customers, I like to send the email out at the start of the day or at the end of the lunch hour. At these times most of us don’t want to be bothered by a new email request. We have work to do, and we’re focusing on getting to it and accomplishing our goals for the day.I make sure the tasks in the phishing emails are quick, simple, and easy to finish:
“Just in time for the holidays, we’ve implemented web mail so that you can be home with your family and still answer emails! Your account will only activate if you log in at the following URL by the end of the day!”
Well, maybe your IT department wouldn’t be quite so excited, but you get the idea.Phishers know common systems that most businesses use, and it’s often easy to find sample login pages online. Several free and paid tools exist that help companies perform phishing tests… and that help phishers steal your data as well. For this article, I spent about ten minutes finding email addresses and creating an email and website to steal credentials from my fellow Raxis employees. Just ten minutes, then I sit back and see if anyone responds.Step one was to find email addresses. Sound difficult? You’d be surprised. Search engines such as Google or Bing are a huge help, and social media sites, such as LinkedIn, provide employee names even when they’re not your connections.Manually searching for email addresses was taking too long, so I logged into my Kali Linux box and fired up theHarvester. In less than a minute, I had the full list of Raxis email addresses pulled from various search engines. There are also free tools that allow attackers to discover the format of a company’s emails, such as “[email protected],” so that I can create my own mailing list if I know some employee names.Now that I have a list of email addresses, I need those folks to give me their login information. There are tons of great tools that make it easy for users to set up a phishing campaign in minutes, such as the open source Social-Engineer Toolkit. This time I use Rapid7’s Metasploit Pro phishing tool.I start with a simple email. In some cases, I research the company’s culture and target a campaign at specific employees, but most of the time I can good results by setting up a generic campaign that does not require me to know a lot about the company. In this case, I pick an Outlook Web App (OWA) site and hope that employees find it familiar enough to fall for my story without looking too closely. Using the phishing tool, I add a number of features that make the email look legitimate, such as using a fake raxis.com email address and including the recipient’s name. Think about it: if I found your email address, I likely know your name, but it still looks official to add it to the email.If the recipient clicks the link in the email, they are taken to a page that appears to be a legitimate OWA webpage. If they enter their login information and click submit, they move onto an error page that I built. It tells the recipient that there was an error, and all they need to do to resolve it is click on a handy link that can do the fix for them while they continue with their work. Unfortunately for anyone who clicks on the link, a malicious file meant to open a remote session to the user’s computer will be downloaded, effectively giving me background access to that machine and potentially the network where it is located.
React
This is scary stuff, but the real question is: “What can I do about it?”First, there are some clues in the email itself. When I hover over the link, I see that the URL starts with “http://” instead of “https://.” A real OWA webpage would almost certainly use an encrypted “https” connection. The site also doesn’t have the company name in the domain: it’s just an IP address. That’s a big red flag as well. However, many phishers know that vigilant employees will look for these issues, and configure the malicious website to use an encrypted connection, and register a domain name that might trick employees if they don’t look closely, such as “https://rax1s.com” or “https://raxls.com.” Make sure you look closely at the link!If you find an email strange or unexpected in any way, ask about it. Most companies are concerned with phishing and would much prefer that you ask IT if an email is real rather than clicking on the link. Some companies have phone numbers, email addresses or websites that allow you to report a suspicious email. If not, give your IT helpdesk a call or forward the email to them asking them to check. Have you ever received an email from IT notifying you that you may have received a phishing email and asking you to delete it? Someone likely reported it in time for IT to nip it in the bud, thwarting the attacker.What if you clicked on the link in the email and then became suspicious of the website? This is dangerous, as webpages are far more likely than emails to host malicious files that may not be caught by company controls. Immediately report the email and the fact that you clicked on the link to your IT department. They will likely be grateful that you told them quickly so that they can check for and mitigate any threat. Never enter credentials or other private information on a suspicious website until you get the official go ahead. In past customer phishing campaigns, I have listed my phone number on the website saying that they can call to confirm that the site is legitimate. Never trust the email or the webpage! Contact your IT department in ways that you know internally before trusting the site. If you call the phisher during a phishing campaign, they will definitely confirm that you should enter your credentials on the site!
Next Steps If You Fall for the PHISH
So what happens next if you entered your credentials, or even clicked on the malicious link on the error page?
Step 1: Report the Phish and Your Actions
First of all, I’ll repeat it again, contact your IT department. They may have a process, and they need to get started as soon as possible. The sooner you tell them, they more able they will be to contain the threat.
Step 2: Change Your Password
Next change your password. Change your password on every system, company or personal, that uses that password. Attackers love to try credentials in any place that they have access. They might login to your email account and delete the email that IT sends telling you what to do next, or they might email a customer to scam them from your account. Changing your password as quickly as possible helps contain the threat. Here’s another handy post written by one of my colleagues with tips about creating a strong password: https://raxis.com/the-weakest-link-in-the-password-hash/
Step 3: Reboot Your Computer
Finally, reboot your computer. If you clicked on the malicious link in the error page that I created, a reboot would break my remote session to your computer. This doesn’t always work, but it also doesn’t hurt. Let your IT department know exactly what saw and what you did. In a case like this, they will want to look at your computer and make sure they remove any threat. That may seem like a lot of work, but it also sounds a lot better than someone watching you through your computer’s webcam or using your computer to attack other machines on the network. Once they have access, the attacker likely no longer needs your password even for extended access. It’s always best to report the issue to be sure.
Most companies realize that you can spend millions on network security but one of the biggest gaps is the employee. The human element of a workforce can easily be exploited once you understand the basic psychology of human behavior. Most people at their very core simply want to be helpful. People generally want to be nice and are often concerned about what people think of them. We see this time after time when we are doing a social engineering engagement for our clients. Do you want to get into a locked door – load up with boxes and follow an employee, “Oh – can you hold that for me?” Really – who wants to be the person that says, “No – put down those boxes and struggle with it yourself.”? Looking for a password – phishing emails are all too easy to the naturally trusting person. With basic precautions the email looks legitimate, and many will click the email and, in the process, load malware giving a malicious actor full access to their computer. Physical security – many times this is a false sense of security. Often times security guards are hired for low wages and without extensive training. Certainly this is not always the case, but many times it is. While the visual effect of a security guard can be a deterrent, to the experienced person seeking to infiltrate your business it’s often a mild annoyance that simply requires a little more surveillance and planning.
One of the best ways you can strengthen the human element is to test the human element. Whether this is through an outside company or internal tests. People respond to real-life examples. You can teach seminars and send emails about social engineering with somewhat limited results. However, when someone actually falls for an infiltration scam, and they later find out it was a test and are told the results of the actions of the person who infiltrated the company – that lesson sticks.
Many times employees don’t understand the critical role they play in the security of your business. However, once they see first hand the potential results of their actions, it becomes much easier to tell the person with the boxes that they must go to the front door and sign in. It becomes more comfortable to call your IT department about an email – even if it seems to be okay.Regardless of your industry, real world testing simply makes your business stronger. What will you do this month to help your people learn how critical they are to your security?
