Unwanted text messages are always annoying, but some can be dangerous. Smishing is a phishing attempt carried out via text, and it can be more effective than you might think.
We’ve all been there — waiting on an important text message, receiving a notification, and opening the phone only to see a message about our car’s warranty expiring.
Isn’t that just the worst?
As it turns out, no. Far more damaging are the ones that bring phishing and spear-phishing into the more personal, less-guarded world of SMS texting. You’ve probably heard the portmanteau “smishing” (SMS + phishing) to describe the practice, but you may wonder how and why it works. More importantly, you should know what you can do to make sure it doesn’t happen to you.
The psychology of smishing
At its essence, smishing is a form of social engineering that relies on the implied urgency and intimacy of a text message. Whereas most businesses have effective spam and virus filters in place, and we’re reminded often about the dangers of email, text messages often bypass company security. What’s more, they occupy a different place in our minds than standard business communications.
If email reflects the type of discussion you might have in the conference room, texting is more like banter over drinks after work. In the former, we’re conscious about what we say and what we hear. In the latter, we’re more relaxed and trusting of those around us. And, like other forms of social engineering, that’s what hackers count on when they send a smish.
Enabling technology
There are several widely available consumer-grade apps that allow the user to spoof a phone number, display a fake name, and send a message directly to voicemail or text. In the name of privacy, they offer anonymity to the sender, making it extremely hard to trace. Though the phone companies are working to identify and warn users that such messages may be fake, more customizable and concealable apps are available for sale on the dark web.
As with email, these provide scammers with the ability to deliver malicious phishing links to a broad audience. One click could download malware to your device or take you to a website that will attempt to harvest your credentials. But more troubling is the advanced spear-phishing abilities they provide. We might suspect a direct request for money (or gift certificates) or something obvious. However, consider the image above and ask yourself how many of your employees would immediately comply just to be helpful. If they do, it could render your multi-factor authentication meaningless.
Protecting yourself and your company
There are several other ways smishing can put your organization at risk, and there’s only so much technology can do to protect you. With that in mind, here are several things you can do to make sure you and your organization don’t become smishing victims.
Remember that a legitimate person or company sending you a text message will want you to be wary and check.
Even if you recognize the company, think about other texts you’ve received from them. Most payment services, like Venmo and PayPal for example, include “we will never call or email you to request this PIN.” Most banks tell you to log in to their site rather than include a URL in the text.
Even if the phone number looks correct, remember that numbers and names are easily spoofed. A strong phish may email, text, and call you so that you feel like someone has backed up the claim that it’s legit.
A true alert should provide a way for you to take the requested action without using the text. Log in to a trusted URL that you have bookmarked. Call the number on the back of your credit card to confirm. Or, reach out in some other way that doesn’t rely on information provided by the same person or company.
Messaging apps often provide a way for you to report spam, scams, and phishes. Reporting them helps the provider block further attacks and makes it harder and more expensive for the hacker to continue.
The bottom line is that any form of electronic communication is subject to compromise by a determined hacker and there is an ongoing “arms race” between hackers and the experts working to keep us safe. That’s why personal vigilance will always be the most important security measure in our cybersecurity toolkit.
Ever wonder if hackers sit around talking about phishing expeditions and the “big one” that got away? The big one, of course, being a huge cache of sensitive data.
According to research from Proofpoint, those conversations probably don’t happen nearly as often as they should. That’s because 75% of organizations around the world experienced a phishing attack in 2020, and nearly 75% of attacks aimed at US businesses were successful. Sadly, not many actually get away.
What makes this stat even more concerning is the same report found that 95% of organizations claim to deliver phishing awareness training to their employees. That tells me the training isn’t being validated with the type of rigorous testing it takes to make sure it’s working.
To make sure we’re all clear on terminology, phishing is the practice of sending emails pretending to be from reputable companies or people in order to entice an individual to reveal information such as passwords or sensitive data. Verizon’s 2020 Data Breach Investigations Report found that phishing was the second-leading threat action behind security incidents and the top activity that led to data breaches.
As a lead penetration tester at Raxis, I work with our clients to figure out what type of test they need, and then I customize a phishing attack designed to trick their employees and even their spam and virus filters, depending on the scope. Just like the blackhats, I’ll use any trick I can to get employees to give me their credentials or click on a malicious link. Unlike my unethical counterparts, however, all my phishing is catch-and-release.
In today’s video, I share some of my favorite tips and tricks for phishing assessments. The reason I’m happy to show you how is because, the more realistic the testing, the better prepared companies are when the bad guys come calling.
Phishing attacks are a significant threat to all organizations, no matter the size. It is important that members in your organization are up to date on security training, know how to spot the most common phishing scams, and understand the safeguards in place to help protect them and the company.
Raxis offers a variety of cybersecurity services, such as penetration testing, red team assessments, and other ethical hacking solutions, to help companies take a proactive approach to improve their security posture.
Tesla deserves great credit for bringing electric vehicles into the mainstream. Say what you will about Elon Musk, his vision is proving wildly successful in a space where many others have failed.
Even so, if the two of us could have a conversation, I’d probably recommend that the company invest more time and resources in cybersecurity for its vehicles.
Here’s why:
Recently I decided to see how easy it would be for my personal Tesla to be hacked — and stolen. As you will see in the video below, with some commonly used tactics, it was relatively quick and easy.
The attack demonstrated in the video relies on phishing to get the victim’s credentials. At that point, the hacker has complete control and can do pretty much whatever they wish — including unlocking the car and driving away.
The video demonstrates why, if you’re not careful, your Tesla could be compromised and stolen without a lot of effort from the attacker.
Until the company itself adds more protection, it’s up to you to take some basic precautions. By the way, it’s wise to follow these practices no matter if it’s your Tesla, your bank account, your Twitter feed, or any online account.
Stay vigilant and question any WiFi network that asks you to connect.
Never give account information, credentials, or access tokens to a third party unless it is absolutely necessary.
Every account you create should have a unique and strong password. Every. Single. Account.
If your account is compromised, immediately reset your password and let the company or companies know.
Here at Raxis, we offer a broad range of services to help find security vulnerabilities within your organization. And though a typical penetration test would not uncover this type of vulnerability, a Raxis red team assessment could.
Our red team assessments test your organization’s security from top to bottom and end to end to uncover any way your network can be compromised by a skilled and determined attacker. If you are ready to take control of your company’s security, contact us and let us see how we can help.
‘Tis the shopping season! First up, Black Friday, followed by Shop Local Saturday, Cyber Monday, and all the shopping days that follow.
Did you wake up early to stretch out your “add to cart” fingers so you can snag that hard-to-find, hot item of the season at a discounted price? Planning on heading out to that cute little boutique next to your office during lunch?
Before you do, there are a few things you need to remember. Most important is that cybergrinches are out there year-round, just waiting for the perfect opportunity to steal your holiday joy. The holiday season is big business for them, and they are waiting for you to drop your guard. (And, no, they don’t care if it lands them on the naughty list.)
In the video above, I detail five red flags you should look out for on Black Friday — and all the other shopping days of the year. I’m hopeful these tips will help keep you and your company’s network secure this holiday season.
Let’s review: if you are going to be holiday shopping in the coming weeks, it is imperative that you take the proper precautions to keep yourself and your company secure.
Don’t click on links within emails, and be very suspicious of any emails that discuss your credit cards or bank accounts.
Be wary of phone calls seeking donations to various charities. Be vigilant, and do your research on the charity. Even then, donate directly, not from the email.
If you are out shopping on your lunch break or after work, make sure your work badge is in a protective sleeve to help prevent cloning.
Strangers are still strangers in the holiday season. Make sure everyone in your building and anyone trying to get in has the proper credentials to be there – or that they have an escort.
Stay vigilant with your security practices, even when your office is short-staffed. When we get busy, it’s easy to skip locking computers and returning sensitive documents to a secure location. Take the extra few seconds to do cybersecurity right.
Raxis is an elite team of professionals who are paid to attack and assess cybersecurity systems. We can help you pinpoint security threats and find ways to remediate them, leaving your company far more secure and giving you additional peace of mind.
Ready to find out how secure your network really is? Reach out to us, and let’s discuss your needs and how we can help.
Long gone are the days of a Nigerian Prince trying to win you over – via email – with his incredible offers. Today, it is all about the ‘ishings’ – you know, phishing, vishing, spear-phishing and smishing. And don’t forget about direct interaction.
Ah, the wonderful world of social engineering. Hackers love it because it’s highly effective, and, though there is no way to just make it go away, there are plenty of ways you can become more resistant to these types of attacks.
Check out the video above from our smart friend Brian Tant, Chief Technology Officer here at Raxis, who explains it all in terms even your grandpa can understand.
Effective cybersecurity requires an investment of time, talent, and treasure. But, when you consider that a cyberattack can cost even a small business upwards of $200,000, plus reputation damage and other intangibles, the costs to harden your security posture are a bargain. Every company needs a cybersecurity threat mitigation plan.
Enter Raxis. Our team of experts can bring your company’s security vulnerabilities to light, show you how to remedy them, and provide ongoing remote monitoring to help you stay secure.
Download our list of Top 10 Cyber Attacks to learn more about ways to secure your company.
Hackers and cybercrooks use lots of tools to get into your network and steal your information, but the cheapest, easiest, and most common is still by email phishing. Effective spam and virus filters can shield you from a lot of these attempts, but certainly not all. The most effective way to protect yourself is to educate your team. Toward that end, here is yet another reminder about some tell-tale signs in an email that it might be a phishing attempt. Of course, there are some other signs that tell you it’s definitely a phishing attempt.
If your CEO suddenly asks you to buy a ton of gift cards, it might be a phishing attempt. If she’s the type who also frets over the cost of paper clips, it’s definitely a phishing attempt.
If it’s a random news story from an outlet you don’t follow, it might be a phishing attempt. If the link points to http://mailorderbrides.someassemblyrequired.com, it’s definitely a phishing attempt.
If you see .ru in the email anywhere, it might be a phishing attempt. If it’s written in Cyrillic script, it’s definitely a phishing attempt.
If you vaguely remember your network admin warning you about the sender, it might be a phishing attempt. If she’s running toward you, waving her arms wildly, and shouting “nooooo!” it’s definitely a phishing attempt.
If it’s an unsolicited email, even from a reputable company, it might be a phishing attempt. If it’s from Facedook, Amazom, Microsfot, or Gooogle, it’s definitely a phishing attempt.
If your friend says she’s stranded in Japan, it might be a phishing attempt. If she hasn’t traveled outside the city since ‘N Sync broke up, it’s definitely a phishing attempt.
If it’s about your benefits or salary and you had no prior notice from HR, it might be a phishing attempt. If they misspelled HR, it’s definitely a phishing attempt.
If it’s from your significant other reminding you to bring home coffee, it might be a phishing attempt. It’s probably not a phishing attempt, but now you have a (lame) excuse if you forget.
Hi everybody, it’s Brian with Raxis, back with another video today!
This is a busy time for us all, with no signs of slowing down. Do you know who else is busy now? Hackers – especially ones that know just how easy it is for thousands of us to forget to update passwords, patch operating systems, and scan for new viruses.
I get it. Life happens. Seniors are graduating, families are acclimating, dogs are crashing Zoom meetings, and many of us are adjusting to completely new work environments. But if you can remember to lock your doors at home, you can get in the habit of locking out cyber attackers at work.
Watch the video above for the top 3 things I wish every company would do today to keep out intruders online:
These steps are the basics that every company should be taking, but, as hackers know all too well, not everyone does. Your company’s security is a 24-hour-a-day responsibility. Make sure your employees and your IT department know how critical it is for everyone to use the tools you already have to stay one step ahead of criminals.
If this video made you wonder how secure your company’s data is, contact Raxis and learn how our tests can help you assess and improve your cyber defenses. We partner with small- and mid-sized businesses, as well as Fortune 500 companies, to help protect your employees, your data, and your bottom line.
Follow us on this blog or social media, and we’ll share more ways that hackers can get in — and how we can help you keep them out.
In these uncertain times, many companies are allowing employees to work from home more than ever before. Essential personnel onsite at the workplace are kept to a minimum and are offered remote support when issues occur. The scope of remote work is unprecedented and brings up a lot of questions for managers aiming to support their employees.
This series will discuss security testing and consulting options that Raxis offers to help companies work as securely as possible while employees work from home using home wireless services and systems or jump on the company VPN in unprecedented numbers.
Phishing
Raxis expects a rise in phishing attempts — emails, texts & phone calls — as attackers realize that employees are at home and not as easily able to verify that requests are legitimate.
Let’s start with your VPN itself. It’s likely at least a few of your team members are going to have problems logging on. Though they may be overwhelmed, your help desk workers are inclined to be helpful. Verification is a step that might easily be skipped in a rush to get an exec or senior manager online.
Finance is another point of vulnerability. Say that you receive an email from your boss saying to approve a new vendor payment. Normally your boss would never send that in an email . . . but these are not normal times, and you’re both working from home. You think of giving her a call, but she just told you she’s busy setting up her children’s new online school meeting. Do you approve the request? How are you sure that it’s legitimate?
What if it was a phone request from a customer who is working from home? He’s on his cell phone. Are you sure it’s really him? Should you verify before telling him customer financial information? Sure you should, but you’re out of your normal environment and he sounds really annoyed. What do you do?
And what about your teammates? Your employee texts you and asks for the password to an old system with a shared password. Do you text them back? Do you check the number first? Send it in email?
These are different questions than you ask when you’re in the office and can lean over the cube wall. It pays to make sure all your employees know the answers (or at least ask the questions) before they face them in the real world from home.
Where to start
Raxis has a number of phishing tests that fit these scenarios, and we are happy to work with you to customize a test that fits your needs. We provide a report and a debriefing call to help you educate your employees with real world examples. Whether they pass or fail, it’s an opportunity to safely assess their readiness and reinforce their training.
Take a look at our social engineering offerings. As always, Raxis is happy to advise you and work with you to customize a test that meets your needs. If you have concerns, we’d be happy to chat with you about options that work for you.
Brad Herring and Scott Sailors had the pleasure of presenting at the (ISC)² Atlanta Chapter Meeting last Thursday. The topic was social engineering and how its high success rate impacts network security. Herring and Sailors shared the most common attack vectors, which include phishing, spear phishing, vishing, physical attacks with a pretext bias, and physical attacks with a technology bias.
The members were shocked at the 90% success rate Raxis sees with social engineering across all verticals and business size. Further sobering is the fact that, once Raxis gains access to an internal network, our team is successful in achieving an “impactful breach” 85% of the time.
Once the realization hit that determined and skilled hackers are commonly able to breach armed security, card-keyed systems, numeric keypads, and other physical controls, the importance of achieving and maintaining a strong internal network security program became apparent.
This engaging meeting facilitated many conversations about physical security as well as the effectiveness of a mature phishing campaign. The group was able to heighten their awareness of the types of attacks to which businesses often fall prey, understand the behind-the-scenes actions that take place once credentials or access are obtained, and discuss meaningful remediation steps for combating these attacks.
Many of the external network and web application penetration tests that we perform list ‘clickjacking’ as a vulnerability. We find that many website developers, as well as many users, do not fully understand what clickjacking is. While clickjacking is not exploitable to gain system access on its own, this web configuration vulnerability can be used to gather valid credentials that can lead to system access when paired with a social engineering attack such as phishing. Clickjacking falls under the A6 – Security Misconfiguration item in OWASP’s 2017 Top 10 list.
A LOOK AT HOW IT WORKS
Clickjacking uses a genuine webpage, usually a login page, to trick users into entering private information such as credentials. To show how this works, we created a sample login page for a great little app called Not a Secure Site.
As the page does not implement clickjacking protections, an attacker can quickly and easily clone the page by placing it within an HTML iframe on their own website. By overlaying their own username, password, and sign in button elements on a layer above the iframe, the attacker can capture any credentials the user believes they are entering into the original login form. The example below shows how the attacker’s cloned page might look. Can you tell the difference between the real site and this malicious site?
Without inspecting the source code of the malicious page, the content of the page appears identical to the legitimate one. Now, let’s highlight the overlaid text fields and button fields in blue so we can see where the magic takes place:
Those fields are in a layer of HTML that is physically sitting on top of the iframe containing Not a Secure Site’s login page. When an unsuspecting user enters their credentials on this page, they are entering them in the attacker’s text fields and clicking the attacker’s button. Let’s add a border around the iframe on the attacker’s website:
Here we can clearly see where the attacker has embedded Not a Secure Site’s login page into the malicious site. Using Burp Intercept, we can watch the HTTP request. For this example, I just set the attacker’s form to POST to the Raxis website. In the intercepted request below, we can see that the credentials the user entered into the form are being sent to the attacker’s site instead of to Not a Secure Site.
This is all very clever, but it doesn’t mean a thing if a user never enters credentials. This type of attack must be used as part of a larger attack, which is generally a phishing attack that encourages the target to click on a URL in an email. The HTML code on the malicious page can be remarkably simple. The attacker needs only to create and properly position text fields and a button on the page, and the iframe does the rest!
In more advanced clickjacking attacks, an attacker can log your credentials as you type them, capturing your username and password before you even submit the form.
WHAT WEB DEVELOPERS CAN DO TO PROTECT THEIR SITES
So, what makes this webpage vulnerable, and what could the website’s developer do differently to fix it? It all comes down to preventing the page from being embedded in an iframe. Modern browsers look for the X-Frame-Options header to determine whether an external site is permitted to present the page in an iframe. Looking at the HTTP response for Not a Secure Site’s login page, we see that the site does not set the X-Frame-Options header; when the header is absent, browsers allow any site to embed the page in an iframe.
The X-Frame-Options header can be set dynamically in server-side code or configured on a global level through the web server or proxy configuration. The X-Frame-Options header allows three possible values:
DENY
SAMEORIGIN
ALLOW-FROM uri
If the website never needs to be embedded in an iframe, the developer should use the DENY value to block all iframes. Here’s what the attacker’s website looks like when Not a Secure Site has set the X-Frame-Options response header for the entire website to DENY. The header prevents the login page from rendering within the iframe.
The SAMEORIGIN value can be set if the webpage needs to be within an iframe on its own site. The ALLOW-FROM uri value is not recommended because it’s not supported by all browsers.

While the X-Frame-Options header is the best defense against clickjacking attacks, the Content-Security-Policy header can use the frame-ancestors directive to restrict which domains are allowed to place the website in a frame, though frame-ancestors is not yet supported in all major browsers. OWASP has a great Clickjacking Defense Cheat Sheet explaining these options in detail, as well as explaining old methods that will not work well and are not advised. The OWASP Secure Headers Project is another great tool that you might want to check out.

Raxis offers several penetration tests that alert customers to websites that are vulnerable to clickjacking. Check out our Web Application Penetration Testing service to get a start. If a full penetration test is not within your company’s needs or budget, take a look at our Baseline Security Assessment option, which also highlights clickjacking vulnerabilities.

It’s important to note that some phishing attacks copy the webpage’s code, instead of embedding the page in an iframe, to achieve the same results. Depending on the webpage, this can be complicated and may require an advanced knowledge of HTML, JavaScript, and CSS. When an attacker is able to produce a convincing clone of a website without using an iframe, no form of clickjacking protection, including X-Frame-Options, can prevent the attack.
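To make the header guidance above concrete, here is an added example (not code from Raxis or from the sample site) that evaluates a response’s headers the way a browser would, applying the precedence and browser-support caveats just discussed, and then produces the hardened header set a developer should emit; the sample headers and the `assess_framing` and `harden_headers` names are constructed for this example.

```python
"""Assess and harden a page's anti-framing headers.

Added example, not Raxis code: given the response headers of a page such as the
sample login page discussed above, report whether browsers will refuse to render
it inside another site's iframe, then build the hardened header set a developer
should emit.  All sample headers here are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class FramingAssessment:
    protected: bool            # True if other origins are blocked from framing the page
    mechanism: Optional[str]   # the header (and value) that decides the outcome
    findings: List[str] = field(default_factory=list)


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def assess_framing(headers: Dict[str, str]) -> FramingAssessment:
    """Decide whether an attacker's page could embed this response in an iframe.

    Browsers that understand frame-ancestors ignore X-Frame-Options when both
    are present, so the CSP directive is evaluated first and X-Frame-Options
    acts as the fallback for browsers without frame-ancestors support.
    """
    findings: List[str] = []
    xfo = _header(headers, "X-Frame-Options")
    csp = _header(headers, "Content-Security-Policy")

    ancestors = parse_frame_ancestors(csp) if csp is not None else None
    if ancestors:
        sources = [s.strip("'").lower() for s in ancestors]
        if xfo is None:
            findings.append("no X-Frame-Options fallback for browsers without frame-ancestors support")
        if "*" in sources:
            findings.append("frame-ancestors * lets any origin frame the page")
            return FramingAssessment(False, "Content-Security-Policy frame-ancestors *", findings)
        label = "'none'" if sources == ["none"] else "allow-list " + " ".join(ancestors)
        return FramingAssessment(True, f"Content-Security-Policy frame-ancestors {label}", findings)
    if ancestors is not None:  # directive present but empty: do not rely on it
        findings.append("frame-ancestors has an empty source list; falling back to X-Frame-Options")

    if xfo is None:
        findings.append("no X-Frame-Options header: any site may embed this page in an iframe")
        return FramingAssessment(False, None, findings)
    value = xfo.strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return FramingAssessment(True, f"X-Frame-Options: {value}", findings)
    if value.startswith("ALLOW-FROM"):
        findings.append("ALLOW-FROM is not supported by all browsers; unsupporting browsers ignore it")
        return FramingAssessment(False, f"X-Frame-Options: {xfo.strip()}", findings)
    findings.append(f"unrecognised X-Frame-Options value {xfo!r}; browsers ignore invalid values")
    return FramingAssessment(False, None, findings)


def harden_headers(headers: Dict[str, str], same_origin_only: bool = False) -> Dict[str, str]:
    """Return a copy of the headers with framing locked down.

    Emits X-Frame-Options DENY (or SAMEORIGIN when the site frames its own
    pages) plus the matching frame-ancestors directive, merged into any
    existing Content-Security-Policy so the two headers never disagree.
    """
    out = {k: v for k, v in headers.items() if k.lower() != "x-frame-options"}
    out["X-Frame-Options"] = "SAMEORIGIN" if same_origin_only else "DENY"
    directive = "frame-ancestors " + ("'self'" if same_origin_only else "'none'")
    csp_key = next((k for k in out if k.lower() == "content-security-policy"), None)
    if csp_key is None:
        out["Content-Security-Policy"] = directive
        return out
    parts = [d.strip() for d in out[csp_key].split(";") if d.strip()]
    parts = [directive if d.split()[0].lower() == "frame-ancestors" else d for d in parts]
    if directive not in parts:
        parts.append(directive)
    out[csp_key] = "; ".join(parts)
    return out


# Constructed sample: the login page's response as observed, with no framing protection.
NOT_A_SECURE_SITE_LOGIN = {"Content-Type": "text/html; charset=utf-8", "Server": "example"}

if __name__ == "__main__":
    for label, hdrs in (("as served", NOT_A_SECURE_SITE_LOGIN),
                        ("hardened", harden_headers(NOT_A_SECURE_SITE_LOGIN))):
        result = assess_framing(hdrs)
        print(f"{label}: protected={result.protected} via {result.mechanism}")
        for note in result.findings:
            print("  -", note)
```

Feed it the header dict from any captured response (for example, one taken from Burp) to get the same verdict a penetration tester would report, and compare it against the output of `harden_headers` to see exactly which headers are missing.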
WHAT USERS CAN DO TO PROTECT THEMSELVES
Clickjacking recommendations are often focused on what web developers and website administrators can do to protect users, but what can you do as a user?

Keep in mind that the attacker has to trick you into using their website. Whether they do this through an email, a flyer, a poster on a wall, or casually mentioning it in a conversation, it’s always a good idea to verify that the link you are using is legitimate. If you’re at work, check with your IT department; if you’re a user of a consumer site, go to the genuine site and use the contact form or the phone number there to verify the link.

Remember that links can be masked to look like something else. Hover over links in emails and webpages to see what URL they truly point to. Look at URLs carefully to see if they are legitimate. Attackers will often buy domain names that look a lot like the true website’s domain in the hopes that their targets will not look closely.

See our recent phishing blog post to learn more about protecting yourself from phishing attacks.
We’ve all heard of phone scams such as Rachel at card services offering to help us out of a jam we didn’t even know we had. Scams such as this have become common in the workplace as well. These scams, called vishing or phone phishing, are a type of test we often perform for Raxis’ customers.

You may be surprised to hear that we often achieve a high success rate with these phone phishing assessments. During one particular assessment, we called a large number of people throughout a company, told them we were contractors performing the annual credential check, and asked the employees to please provide their email username and password. Often those credentials are used to log in to their computers as well, so providing this information yielded more access than the targeted user was aware of. During this assessment, approximately one fourth of the people we called provided their credentials.
PREPARATION
This type of phishing is different from the email phishing attacks that most people are familiar with. First, a telephony-based phishing campaign requires additional preparation to sound convincing. We rehearse what we plan to say as well as how we will respond to questions, suspicion, and anger. We invent a story and background as part of a convincing pretext. It is said that the devil is in the details. A sense of legitimacy can be borrowed by peppering the conversations with specific information. Are we saying we work for the same company as the target? Then we’d better be able to say what office we work in. We’re calling from IT? Who’s our manager?

Unlike email phishing campaigns, it is imperative to hook the target as soon as the call starts. Once the target hangs up, it’s unlikely they will call back or take another call from our number unless they trusted us (though I once had a person call me back to check who answered the phone). For this we prepare a persona.
We need a name, possibly an accent, a department, a purpose for calling, and just enough back story that we never say “umm”.
When we call our target, we’re unlikely to provide most of these details, but we need to be in character. Our target is likely to start off suspicious and will only get more suspicious if we say we work at the IT Help Desk and then act like we’re a high-level manager telling them what to do. I’ve also had targets question me on what building I work in as well as my manager’s name. If I have a number of people to call, I often make small talk to gather more information to use in my next calls. Every bit helps in establishing rapport and building trust.

Another part of preparation is technical. While it’s illegal to spoof (imitate) a phone number maliciously, in phishing campaigns it’s all part of the test. We use services like SpoofCard to display the phone number of the company that we claim to be calling from to make the call seem even more real.
A SIMPLE, MULTI-TARGET VISHING CAMPAIGN
Many companies hire us to call a large number of people in various departments to see if they reveal private information. The goal is to get something simple like their username and password for the email system or the direct phone number for an employee who doesn’t have that listed publicly. We often seek to check the effectiveness of their security awareness training by evaluating employees’ responses to the attack. As an employee, knowing that a company tests employees in this way can be a great incentive to exercise vigilance when handling unknown calls.

In campaigns like this, I like to make myself a low-level contractor. This job is so lowly that they don’t even make the lowest-level employees do it! My goal is to establish rapport and then elicit a sense of empathy. Maybe you feel sorry for me. Maybe you realize that I get paid by results, so I will keep calling until you give me what I ask for. Most importantly, I have an excuse for not knowing the answers to all your questions or not having a phone number that looks familiar.

So back to my sad, lowly contractor. I make the call. I’m friendly. If they don’t believe me, I sound like I am used to hearing this and hate my job. I don’t tell them I’m a contractor; my goal is to get their credentials, but if they push back or ask me questions like “What building do you work in?”, I “admit” that I’m just a contractor. I look for any opportunity to ask the best way to get a job there. I ask if my target likes working there. Are the managers nice?

This allows me to keep the target engaged without knowing all the answers and makes people feel important because they possess information that the caller doesn’t have. If they refuse to answer, I’m polite and tell them that is no problem at all… but someone will have to come to their office in person, and it will take longer. Sometimes that threat of someone physically coming to see them is enough to change their mind.

These types of campaigns can be conducted under a myriad of personas. Some people mumble a lot so that it’s easier to act like you know answers you may not know. Think of calls you’ve received from spammers that you believe are legitimate at first. Sometimes it’s hard to say no.
SPEAR PHISHING CAMPAIGNS
Spear phishing campaigns, whether using email, phone, or a combination, are much more complex to set up but can be well worth the effort when all the pieces fall into place. In these campaigns, we focus on a small number of specific targets and spend a great deal of time researching them to tailor the campaign specifically for these individuals.

We start with research, and it may surprise you what we can find from the comfort of our own home using the Internet. I’m not discussing the dark web here; I’m talking about search engines like Google and Bing, social media such as LinkedIn, Facebook, and Twitter, and even the websites of your own company and your customer companies.

A few years ago I was hired by a small firm of about fifteen people who each worked with two or three customer companies. I won’t reveal the specific industry, but they worked mostly with financial information. I was tasked with using only phone calls and calling as few or as many people as I wished, as long as I extracted any type of critical, private information.

My first step was to look at the company’s website, where I found a list of key employees along with a small write-up about them. Many companies do this… it’s a great way to show prospective customers that your team has experience and would serve them well. Even Raxis has a page like this:

Using Raxis as an example to illustrate the value of seemingly extraneous information, from this web page I gathered names, and I made short bullet lists of personal and professional information that might be useful in my calls.

I also looked around the webpages and got an idea of the company itself. Sometimes information is revealed about products or companies that work closely with our target company. The Raxis webpage lists our partners, Rapid7 and GE Digital Cyber Security, giving an attacker an idea of who might be calling us, as well as lending a sense of importance to calls that are believed to originate from them.
Next I looked at LinkedIn and found many of the same people. LinkedIn is used by most people when they are looking for a job, and, because of this, many LinkedIn profiles have a great deal of information about people and what they do at work. School and work history give an idea of the target’s age as well as their interests. We look for any connection that we could exploit to build a bond.
You went to Carolina? I can’t believe it. I did too! What year did you graduate? Go Heels!
LinkedIn also can provide detailed information about our target’s job. Part of my LinkedIn job history is shown below. You’ll see that I once worked at a PBS station and a university. All of this type of information can be helpful as we enhance the target’s attack profile and determine under what pretext the attack will take place. In the case of the company I was researching, two people stood out. Each of them posted names of their customers on either the company website or LinkedIn. Next, I researched these customers. Immediately one customer stood out. Their website showed an org chart showing the structure of all of the top management.
Since I’m female, I picked a woman on the list and decided to call my target using her name. I also found two other names that were higher in the org chart. With this information, I made my call.
Hi, this is Stephanie Smith. I hate calling you at the last minute like this. My phone died, and I’m running around trying to get all the financial statements together for our annual planning meeting. Rich and Jim decided at the last minute that they need statements for the full fiscal year, and I can’t find them anywhere. The meeting starts in thirty minutes. Is there any way you can fax them to me ASAP? You can? Great! Our fax machine is actually broken too. Would you use this number instead?
When you have time to sit and read this, it sounds ridiculous. There are red flags throughout. I never even said my company name, but I had enough information that I hooked my target into believing that I was trustworthy: she believed me when I gave my name, which happened to be a name that the target had been conditioned to view as a very important client she wanted to please. She did not expect the call and made a split-second decision to comply, rather than risk alienating a customer.
She sent over 50 pages of financial statements to my fax machine.
Of course, this was a security test. I deleted all of the data and provided my customer with a customized report that they used to train their staff. If I had been a malicious attacker, that one call could have broken the trust that company had with all of their clients.
GET THEM TO CALL YOU – THE REVERSE PHISH
In Part One I talked about email phishing. Why limit ourselves to emails or calls when attackers will use any means they have at hand?
When customers allow us to combine emails and calls, one method that we’ve found value in is asking targets to call us. It may sound silly, but think about it. Something you use daily on your computer to get your job done stops working. You call the help desk, but they are already swamped. You’re waiting unproductively and your work is piling up. We’ve all been there, and we all hate it.
So along comes an email with a link in it. The wording in the email gives you a special number to call. This webpage is so important that there is a priority number for it. This type of hybrid vishing campaign makes it easy to target a large group of people. Once someone calls back, we know they, at least partially, buy our story, and we can hook them in even further. When people call us they are more likely to trust us. They have no proof of who we are, but most people feel more comfortable with the person on the other end of the line when that person is answering them on their own terms at their own time.
WHAT YOU CAN DO TO PROTECT YOURSELF
When someone calls us, it often takes us off guard, and we are deciding if we should trust them at the same time that they are talking and encouraging us to get this over with by giving them what they want. We are conditioned to comply, especially in the work environment. But it’s important to maintain a sense of vigilance when dealing with any electronic communication including phone calls.
Remember that you can hang up on people. Tell them no or just hang up the phone. If you don’t trust them, just hang up.
If you don’t want to be rude or worry that they may really be who they say they are, put them on hold. Think about what they’ve said. Ask a manager or call the IT help desk and ask. IT often can help you decide if a call is legitimate.
Calling from a different number? Even if the calling number looks right, an attacker may be spoofing it. Before giving any private information, tell them you’ll need to call them back at the number you already have on record.
After hanging up, call the number you already have and verify that they just called. If the call was false, they’ll appreciate you checking. Call the department they say they’re from and ask. It’s obvious you have their security in mind. Most people appreciate that.
Are they asking you to send to a different fax or email? Tell them you can send to known ones you already have.
Most importantly, report it. Make note of the number and any details they provide. They may call other people, so the sooner you alert your company the better. If your company does not provide a way to report possible phishing and vishing attacks, report them to your IT department.
Raxis provides social engineering tests, including phishing and vishing tests, that are tailored to your company. See our Social Engineering site at https://raxis.com/redteam/social-engineering for more information.
Social engineering testing such as this is a critical part of compliance testing for companies in the financial sector. Learn more here: https://raxis.com/industry/financial
If you have questions or ideas for further blog posts, contact us at https://raxis.com/company/contact
Gone are the days of Nigerian princes who left you their fortune. Today it’s much more difficult to separate the genuine emails from the malicious ones that are out to steal your information and your money. While many of us deal with the spam that ends up in our personal email inboxes, Raxis helps many companies avoid corporate and customer information leakage from phishing emails targeted at unsuspecting employees.
Identify
Knowing how to identify suspicious emails is the first step in protecting your information as well as that of your employer and customers. I’ve performed many phishing campaigns for our customers, and I’ve heard multiple stories of smart, conscientious employees falling for clever phishing campaigns. The fallout, including public relations pitfalls, can be large enough that IT budgets get redirected to secure the environment and regain customer trust.
I always tell our customers that it doesn’t hurt anyone to take a little extra time to react to an email. When I run phishing campaigns for our customers, I like to send the email out at the start of the day or at the end of the lunch hour. At these times most of us don’t want to be bothered by a new email request. We have work to do, and we’re focusing on getting to it and accomplishing our goals for the day.
I make sure the tasks in the phishing emails are quick, simple, and easy to finish:
“Just in time for the holidays, we’ve implemented web mail so that you can be home with your family and still answer emails! Your account will only activate if you log in at the following URL by the end of the day!”
Well, maybe your IT department wouldn’t be quite so excited, but you get the idea.
Phishers know the common systems that most businesses use, and it’s often easy to find sample login pages online. Several free and paid tools exist that help companies perform phishing tests… and that help phishers steal your data as well. For this article, I spent about ten minutes finding email addresses and creating an email and website to steal credentials from my fellow Raxis employees. Just ten minutes, then I sit back and see if anyone responds.
Step one was to find email addresses. Sound difficult? You’d be surprised. Search engines such as Google or Bing are a huge help, and social media sites, such as LinkedIn, provide employee names even when they’re not your connections.
Manually searching for email addresses was taking too long, so I logged into my Kali Linux box and fired up theHarvester. In less than a minute, I had the full list of Raxis email addresses pulled from various search engines. There are also free tools that allow attackers to discover the format of a company’s emails, such as “[email protected],” so that I can create my own mailing list if I know some employee names.
Now that I have a list of email addresses, I need those folks to give me their login information. There are tons of great tools that make it easy for users to set up a phishing campaign in minutes, such as the open source Social-Engineer Toolkit. This time I use Rapid7’s Metasploit Pro phishing tool.
I start with a simple email. In some cases, I research the company’s culture and target a campaign at specific employees, but most of the time I can get good results by setting up a generic campaign that does not require me to know a lot about the company. In this case, I pick an Outlook Web App (OWA) site and hope that employees find it familiar enough to fall for my story without looking too closely.
Using the phishing tool, I add a number of features that make the email look legitimate, such as using a fake raxis.com email address and including the recipient’s name. Think about it: if I found your email address, I likely know your name, but it still looks official to add it to the email.
If the recipient clicks the link in the email, they are taken to a page that appears to be a legitimate OWA webpage. If they enter their login information and click submit, they move on to an error page that I built. It tells the recipient that there was an error, and all they need to do to resolve it is click on a handy link that can do the fix for them while they continue with their work. Unfortunately for anyone who clicks on the link, a malicious file meant to open a remote session to the user’s computer will be downloaded, effectively giving me background access to that machine and potentially the network where it is located.
React
This is scary stuff, but the real question is: “What can I do about it?”
First, there are some clues in the email itself. When I hover over the link, I see that the URL starts with “http://” instead of “https://.” A real OWA webpage would almost certainly use an encrypted “https” connection. The site also doesn’t have the company name in the domain: it’s just an IP address. That’s a big red flag as well. However, many phishers know that vigilant employees will look for these issues, and configure the malicious website to use an encrypted connection and register a domain name that might trick employees if they don’t look closely, such as “https://rax1s.com” or “https://raxls.com.” Make sure you look closely at the link!
If you find an email strange or unexpected in any way, ask about it. Most companies are concerned with phishing and would much prefer that you ask IT if an email is real rather than clicking on the link. Some companies have phone numbers, email addresses or websites that allow you to report a suspicious email. If not, give your IT helpdesk a call or forward the email to them asking them to check. Have you ever received an email from IT notifying you that you may have received a phishing email and asking you to delete it? Someone likely reported it in time for IT to nip it in the bud, thwarting the attacker.
What if you clicked on the link in the email and then became suspicious of the website? This is dangerous, as webpages are far more likely than emails to host malicious files that may not be caught by company controls. Immediately report the email and the fact that you clicked on the link to your IT department. They will likely be grateful that you told them quickly so that they can check for and mitigate any threat. Never enter credentials or other private information on a suspicious website until you get the official go-ahead.
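As an added example (not code from the original post or from Raxis), here is a small Python link checker that applies the three clues above to every link in a message body: a non-https scheme, a bare IP address in place of a company domain, and a near miss of the company’s own domain such as rax1s.com. The trusted domain raxis.com and the lookalike hostnames are taken from the article; the sample message, the 203.0.113.5 address and the helper names are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Known-good domain for the organisation (raxis.com is the domain in the article).
TRUSTED_DOMAIN = "raxis.com"


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive registrable domain: last two labels, e.g. owa.rax1s.com -> rax1s.com."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_url(url: str, trusted: str = TRUSTED_DOMAIN) -> list[str]:
    """Return the red flags for one link, in the order the article lists them."""
    flags = []
    parts = urlparse(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        flags.append("not https")
    try:
        ipaddress.ip_address(host)          # raises ValueError unless host is an IP literal
        flags.append("bare IP address instead of a company domain")
        return flags                        # nothing further to compare against
    except ValueError:
        pass
    dom = registrable(host)
    if dom != trusted:
        # One or two edits away from the real domain is a typosquat (rax1s.com, raxls.com).
        if levenshtein(dom, trusted) <= 2:
            flags.append(f"lookalike of {trusted}")
        else:
            flags.append("company name not in domain")
    return flags


def scan_email(body: str) -> dict[str, list[str]]:
    """Extract every http(s) link in a message body and map it to its red flags."""
    urls = re.findall(r"https?://[^\s<>\"')\]]+", body)
    return {u: check_url(u) for u in urls}


# Constructed sample message (not from the article) carrying the article's example links.
SAMPLE = """Your new web mail is live! Activate at http://203.0.113.5/owa
or use the mirror https://rax1s.com/owa . The old portal is https://mail.raxis.com/owa"""
```

An empty result for a link means none of the three clues fired, not that the link is safe; the article’s advice to ask IT still applies.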
In past customer phishing campaigns, I have listed my phone number on the website saying that they can call to confirm that the site is legitimate. Never trust the email or the webpage! Contact your IT department in ways that you know internally before trusting the site. If you call the phisher during a phishing campaign, they will definitely confirm that you should enter your credentials on the site!
Next Steps If You Fall for the PHISH
So what happens next if you entered your credentials, or even clicked on the malicious link on the error page?
Step 1: Report the Phish and Your Actions
First of all, I’ll repeat it again: contact your IT department. They may have a process, and they need to get started as soon as possible. The sooner you tell them, the more able they will be to contain the threat.
Step 2: Change Your Password
Next, change your password. Change your password on every system, company or personal, that uses that password. Attackers love to try credentials in any place that they have access. They might log in to your email account and delete the email that IT sends telling you what to do next, or they might email a customer to scam them from your account. Changing your password as quickly as possible helps contain the threat. Here’s another handy post written by one of my colleagues with tips about creating a strong password: https://raxis.com/the-weakest-link-in-the-password-hash/
Step 3: Reboot Your Computer
Finally, reboot your computer. If you clicked on the malicious link in the error page that I created, a reboot would break my remote session to your computer. This doesn’t always work, but it also doesn’t hurt. Let your IT department know exactly what you saw and what you did. In a case like this, they will want to look at your computer and make sure they remove any threat. That may seem like a lot of work, but it also sounds a lot better than someone watching you through your computer’s webcam or using your computer to attack other machines on the network. Once they have access, the attacker likely no longer needs your password even for extended access. It’s always best to report the issue to be sure.