Tag: social

  • Raxis Presents at the (ISC)² Atlanta Chapter Meeting

    Brad Herring and Scott Sailors had the pleasure to present at the (ISC)² Atlanta Chapter Meeting last Thursday. The topic was Social Engineering and understanding how the high success rates of social engineering impact network security. Herring and Sailors shared the most common attack vectors, which include phishing, spear phishing, vishing, physical with a pretext bias and physical with a technology bias.

    The members were shocked at the 90% success rate Raxis sees with social engineering across all verticals and business size. Further sobering is the fact that, once Raxis gains access to an internal network, our team is successful in achieving an “impactful breach” 85% of the time.

    Once the realization hit that determined and skilled hackers are commonly able to breach armed security, card-keyed systems, numeric keypads and other physical controls, the importance of achieving and maintaining a strong internal network security program became apparent.

    This engaging meeting facilitated many conversations about physical security as well as the effectiveness of a mature phishing campaign. The group was able to heighten their awareness of the types of attacks to which businesses often fall prey, understand the behind-the-scenes actions that take place once credentials or access are obtained, and discuss meaningful remediation steps for combating these attacks.

  • Tailgating & Other Physical SE – SOCIAL ENGINEERING [PART 3]

    In Part 1 and Part 2 of this series, we discussed remote social engineering that an attacker could perform from any location. Those types of attacks are rarely traced back to the attacker, who could be located anywhere. The social engineering attack that we’re discussing in this post is much more brazen. In this case the social engineer is actually located onsite, possibly talking with you face-to-face.

    The stories below are all from ethical physical social engineering engagements that my colleagues and I have performed. Our goal was to help each company find weaknesses so that they could correct them and educate their employees to make the job site more secure. My goal in writing this post is the same. As with all social engineering attack vectors, education is the best defense. For that reason, I’m focusing this post on the interpersonal aspects of SE. Some of my colleagues at Raxis made a video last year explaining some of the technology that can be used on physical SE engagements. Check it out at https://raxis.com/2017-04-19-physical-security-pitfalls/ to learn more about that.

    Getting In

    Companies often put safeguards in place to secure entrances and then hope that the bad guys stay out. Surprisingly, getting in is often much easier than you might expect. I have used platters of cookies and cakes to gain access on some engagements, but often it’s even easier than that.

    I once was attempting to enter an office building located in the suburbs of a large city and scoped out the building on the Sunday afternoon before the engagement started. I find this to be a good way to find out about the building and security policies in place so that I can make a plan before the Monday morning rush. Also, different security guards are often on duty on the weekends, meaning I likely won’t be recognized the next day when I start the engagement. In this case, a colleague and I checked out the building and discovered that all doors except the main entrance were locked. The main entrance was open during posted hours, and a uniformed security guard was visible behind glass windows. We decided that tailgating during the morning rush was our best option. The next day we arrived and immediately split up. After a few attempts, I saw a woman heading towards a door I was near. I looked upset & riffled through my purse frantically. When she walked up, I told her I couldn’t find my badge anywhere and could she let me in. She was definitely suspicious. “What department do you work in?” I told her IT, a department that is likely to have employees in or to need access to several buildings. She let me in and told me that it was okay because I worked for IT. And then she told me that she disliked the rule that they could not let people in, and IT made that rule, so I had better not tell my coworkers. Once in the building, I plugged a device into a network port in an open cube and called my colleague so that he could begin remote access to the network.

    I could tell multiple stories of people holding doors for me, especially during busy times of day — morning, lunch, and at the end of the day. On one engagement I was attempting to clone badges and eventually wondered why since every single person who passed me as I obnoxiously stood outside a locked door held the door for me. When you realize that many companies rely on locked doors for security, this starts to become scary.

    So how about another story that is much the same, but possibly not as expected. On an engagement in the financial district of New York City a few years ago, I had more hurdles to make my way into the office. The large skyscraper I was in had two elevator banks. Each bank had turnstiles that required employee or visitor card access. Two guards were seated at a security desk that had a clear view of both elevator banks. Once I made it to the elevator, I knew a floor number but did not know what security measures were in place. I stood near a snack shop and watched as most people used the elevator bank for the floors I didn’t need. When I eventually saw someone head to my elevator bank, I casually, but closely, followed. No alarm. Later testing showed me that the alarm would go off if I allowed a comfortable distance between myself and the person I was tailgating, but the turnstile would still work as long as I followed someone through. I followed my target onto an elevator and discovered that she was going to the floor I needed. She used her card to allow the elevator to go to that floor and then used her card to get into the office area of the floor. Though the floor was designed to lock visitors in the elevator area where they used a phone to request access, my target held the door open for me. Once I was on the floor, I sat in the break room, walked around work areas and file cabinets, and, fifteen minutes in, eventually had to start acting suspicious before anyone asked me who I was and what I was doing. The safeguards in place made everyone believe that the floor was secure and that everyone there must have been fully vetted.

    Staying In

    It’s definitely a win to say that we got into our customer’s building. The test, though, is to see how we can exploit that, and, unless we know exactly what we are looking for, that requires staying in the building for an extended period of time without getting caught. Finding our way around takes a while. I’ll take photos of fire exit maps and then run into the restroom to have time to look them over and figure out where to go next. Most of the time we’re entering buildings blind and figuring out where to go as we go.

    Remember that suburban office building I mentioned above? My colleague and I went back at 5pm. We bought coffee at a local spot across the street and stood outside a locked door drinking that local coffee. The first person who walked out the door held it for us. We walked in and walked past rooms labeled with department names. When we found one with no name, we walked in and saw that it housed offices and cubes that appeared to no longer be used. We waited inside an office there for an hour. When we left our hiding space around 6pm, the building was deserted except for the cleaning crew. We ran into the same members of the cleaning crew multiple times, and they never stopped us or reported us. Earlier in the day we had gathered some credentials in a phishing campaign. We were able to use those credentials to log in on a customer service representative’s PC and to view customer financial and medical information. We had full access because internal doors were left unlocked after hours and the only employees we met did not report us.

    Another time I was in a large hospital. As you’d expect, at a hospital, it wasn’t hard to gain access. There were nurses and doctors all around, though, and the computer access and private documents that were my aim were all behind nurses’ stations. Luckily I had guessed this might be the case and had bought a cheap pair of scrubs before starting the job. I wore the scrubs along with a lanyard that had a blank white card on it, and I gained full access. To what?

    • Computers
    • Papers on printers and fax machines
    • Medical files and binders with patient information

    I took my time and went from floor to floor. I was not stopped or questioned even one time. In fact, I made a friend in the elevator as I was leaving the building. We chatted about how being a nurse hurts your feet after running around all day. I later found out that the scrubs I was wearing were a color not even used at that hospital.

    So timing helps and dressing the part helps. One last story on this topic. Back to that skyscraper in NYC. On one occasion there I was tailgating with the lunch crowd to a different floor using the popular elevator bank. I slid through the turnstile following someone but wasn’t quite fast enough. The alarm went off, and a security guard started walking towards me. Just then an elevator opened, and I walked in with the crowd. On the way up, as the elevator stopped at several floors, a man turned to me and asked why I didn’t use my card to go through the turnstile. I pointed to my big computer bag and said that I didn’t feel like looking through there to find it. He laughed and started talking to his buddies about the fight on television the night before.

    So add confidence to that list. It’s shocking what you can get away with when you expect someone to believe you.

    Getting What You Came For

    In the end, it’s all moot if you don’t demonstrate that a security breach can lead to a compromise. This can be plugging a small device into the network so that you can later gain remote access, it can be photographing private documents found on desks and in file cabinets, and it can even be accessing employee computers that are left unattended. I already mentioned in passing that I have had opportunities to install devices on networks and to access computers on some of the engagements I’ve done, but there’s more!

    Hospitals often hire us because they have a lot of private information and critical equipment to protect while also often allowing many people through their doors daily. They walk a fine line of being kind to patients and their families while still protecting patient rights by guarding their security. At one busy hospital, I was set on getting access to the files in the Medical Records room. I tried in a doctor’s coat and in scrubs and didn’t make it past reception. I went back in jeans and told them I was from IT to fix a computer. The receptionist let me in without another word. I opened file cabinets and took photos of the papers inside.

    At another hospital, I walked up to a reception desk that blocked my way to a cancer center. I told the receptionist that I was from IT and had to manually install updates using a USB drive because the automatic security updates were failing. Not wanting to miss a security update, she let me into the locked area behind her and told me to take my time. She left me alone to install payloads to open remote sessions on several machines and photograph patient records that were lying on desks.

    One job I had been hired for had an SE engagement and an internal penetration test combined. This is a great idea because it demonstrates how a real attacker might put the pieces together to gain more access. From the penetration test, I already knew of administrative interfaces on the internal network that allowed default credentials. With my SE hat on, I walked into one of the hospital’s specialty buildings. This is where they treated cancer patients and other patients who would be back for multiple visits. There was a very nice room, open to anyone, off the lobby. Computers were provided to allow patients, friends and family to research what they had heard from their doctors. I sat down at one of these computers and proceeded to log in to the internal admin websites that were all accessible from those public computers. In this way, I, or an attacker, could access and change administrative controls for the hospital’s systems.

    Getting Out

    When we perform physical SE jobs for our Raxis customers, we discuss carefully with the customer to discover what they want us to test and not to surpass those bounds. The customers provide us with a “get out of jail free” letter that we use if we are caught. The letter is on the company’s letterhead and provides information about who to call to verify the testing in the event that we are challenged by a vigilant employee. With this, we can boldly enter company buildings without fear of arrest. True attackers will likely not be as careful as we are in our testing… their goal is to get in, get what they came for and then to get out without being caught, whether they cause other harm or not.

    Once, at a small insurance office, I had gained access to everything that was in scope, but I still had extra time. I had done it all by staying under the radar the first time, so I went back a second time and tried to talk my way into gaining the same access again so that I could see if the people I spoke to would allow me to have access or would stop me. Kudos to them for not believing my story about performing an audit without calling first. Unfortunately, they did not want to be mean to me, so they placed me in a conference room alone for ten minutes while they attempted to reach someone for confirmation. Because I wanted to test them thoroughly, I stayed and eventually handed them my “get out of jail free” letter. If I had wanted to leave, I could have left the building before they checked on me.

    Then there was the time that I was in a hospital’s administrative building attempting to gain access to Human Resources. I had already spent time in the hospital itself and read a free hospital newspaper that mentioned three star employees by name and with photos. One was in HR, so I went over to the HR building and told the receptionist that the star employee had told me I could wait in their conference room so I could work until my flight arrived. The receptionist happily took me right over to see this star employee. She looked me in the face and told me that she had never seen me before. Since I had nothing to lose, I told her that we had only met twice and I was sorry that she didn’t remember me. I didn’t offer to leave. I stood next to the receptionist and just stared after that. My target told me that she had never met me but that I could stay in the conference room anyway. I stayed long enough to plug a device into the network and then walked out telling everyone that I got an earlier flight. Sometimes the best way to be able to get out is to act like you are comfortable staying… as if you belong there so fully that you have nothing to hide.

    In my SE career, I have only been forced to show my “get out of jail free” letter once (without me forcing the situation into that). This was an example of an employee doing everything right. I had discovered that a high level manager at the small firm we were tasked with assessing, as well as his wife, had public Facebook profiles. I learned all about them, bought a cake that said “Congratulations, Dad!” and walked up to the receptionist saying that I was his daughter in town to surprise him for his anniversary (which happened to be coming up according to Facebook). I knew my mother’s name and my siblings’ names, and I had a whole story set up. It was enough to get me into his office, but the receptionist called his assistant to escort me, and the assistant didn’t take her eyes off me. When I tried to catch a coy photo of a paper on my target’s desk, she entered the room and told me that she was calling security. After a brief attempt to talk my way out of it, she stood her ground. Upon receiving my letter, she called the people on the letter to verify that the letter was true. While a lot of these stories make this sound easy, this was an example of a situation where a real attacker could have ended up talking to the police. And it shows what diligence from employees can do to protect the company.

    What You Can Do

    Hopefully this article was a fun read, and hopefully it scared you a little as well. When someone wants something from your company, they can be very convincing, but you don’t have to be an unwitting accomplice. What can you do?

    • Many companies have physical security policies. Ask what yours is. It likely includes several of the following items as well.
    • Don’t allow people to tailgate behind you. If a door is locked or protected in some way, let people unlock the door themselves. If they complain, explain that it’s company policy (if it’s not it should be!) and tell them where they can go to sign in and gain access if they don’t have the key or badge needed at your door.
    • If you see people you don’t recognize in your internal office space, ask who they are. Ask to see a visitor badge if your company provides those. Many visitor badges have blurry photos and small “approved for” dates. Check the badge closely.
    • If you find someone to be suspicious and don’t want to or don’t know how to confront them, call security. That’s what they’re there for. Tell them as much information as you can and keep an eye on the suspicious person until they arrive if possible.
    • Keep private and critical documents in locked drawers. Don’t leave them on desks or in unlocked cabinets. Remove these documents from printers and fax machines as quickly as possible as well.
    • Let your IT department know of any network ports that are not being used. If an attacker plugs a malicious device into a network port that IT has turned off, you’ve thwarted their remote access to your company’s network.
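    The last item above is the one IT can act on directly. As an added example (not Raxis code), the Python below shows the two checks a network team can run to do so. It assumes a constructed port inventory of the kind a switch or NAC tool can export (port name, administrative state, the last day any MAC address was learned on the port, and the set of MAC addresses seen there); the 30-day idle policy, the port names and the MAC addresses are all invented. The first function lists enabled ports that have sat idle long enough to shut down; the second compares a fresh snapshot against the stored baseline so that a device suddenly appearing on a port that was idle at audit time, which is what a box plugged into an open cube looks like from the switch side, is reported rather than silently joining the network.

```python
"""Two defender-side checks for unused network ports (added example).

Assumed input: a constructed inventory like one exported from a switch
or NAC tool, one record per access port. Nothing here is Raxis code.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

IDLE_DAYS = 30  # assumed policy: shut down ports idle at least this long


@dataclass
class PortRecord:
    port: str                 # switch port name (constructed)
    admin_up: bool            # administratively enabled?
    last_seen: date | None    # last day any MAC was learned, None if never
    macs: set[str] = field(default_factory=set)  # MACs learned on the port


# Constructed baseline recorded by IT on the audit date below.
AUDIT_DATE = date(2018, 6, 1)
BASELINE = [
    PortRecord("Gi1/0/1", True, date(2018, 5, 31), {"00:11:22:33:44:01"}),
    PortRecord("Gi1/0/2", True, date(2018, 3, 1)),   # open cube, long idle
    PortRecord("Gi1/0/3", False, None),              # already shut down
    PortRecord("Gi1/0/4", True, None),               # patched, never used
]

# Constructed snapshot taken a few days later.
SNAPSHOT = [
    PortRecord("Gi1/0/1", True, date(2018, 6, 4),
               {"00:11:22:33:44:01", "00:11:22:33:44:02"}),
    PortRecord("Gi1/0/2", True, date(2018, 6, 4), {"de:ad:be:ef:00:01"}),
    PortRecord("Gi1/0/3", False, None),
    PortRecord("Gi1/0/4", True, None),
    PortRecord("Gi1/0/5", True, date(2018, 6, 4), {"00:11:22:33:44:05"}),
]


def ports_to_disable(inventory, today, idle_days=IDLE_DAYS):
    """Enabled ports that were never used or have been idle >= idle_days."""
    idle = []
    for rec in inventory:
        if not rec.admin_up:
            continue
        if rec.last_seen is None or (today - rec.last_seen).days >= idle_days:
            idle.append(rec.port)
    return sorted(idle)


def new_device_alerts(baseline, snapshot):
    """Report MACs in the snapshot that the baseline did not know about.

    A device on a port the baseline recorded as idle is reported with its
    own reason, since that is what a planted drop box looks like.
    """
    known = {rec.port: rec for rec in baseline}
    alerts = []
    for rec in snapshot:
        base = known.get(rec.port)
        if base is None:
            alerts.append((rec.port, "port not in baseline"))
            continue
        for mac in sorted(rec.macs - base.macs):
            if not base.macs:
                alerts.append((rec.port, f"device {mac} on previously idle port"))
            else:
                alerts.append((rec.port, f"unknown device {mac}"))
    return alerts


if __name__ == "__main__":
    print("shut down:", ports_to_disable(BASELINE, AUDIT_DATE))
    for port, reason in new_device_alerts(BASELINE, SNAPSHOT):
        print(f"ALERT {port}: {reason}")
```

    On the constructed data the first check nominates Gi1/0/2 and Gi1/0/4 for shutdown, and the second raises three alerts: a second MAC on a live port, a device on the idle cube port, and a port that was not in the baseline at all. The baseline is the important part; without one, a new device on an idle port is indistinguishable from normal churn.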

    While this is my last post in this Social Engineering series for now, we’re always happy to discuss what Raxis can do to help you improve your company’s security in this area. You can find more information at https://raxis.com/redteam/social-engineering, or drop us a line at https://raxis.com/company/contact.

    I’ve heard a rumor that my colleague, Brian Tant, is working on a related blog post about Neuro-Linguistic Programming (NLP) using cognitive resets, visual cues, and body language. Keep an eye out at the Raxis blog for that coming up soon!

    Want to learn more? Take a look at the first part of our Social Engineering discussion.

  • Voice Phishing – Social Engineering [Part 2]

    We’ve all heard of phone scams such as Rachel at card services offering to help us out of a jam we didn’t even know we had. Scams such as this have become common in the workplace as well. These scams, called vishing or phone phishing, are a type of test we often perform for Raxis’ customers.

    You may be surprised to hear that we often achieve a high success rate with these phone phishing assessments. During one particular assessment, we called a large number of people throughout a company and told them we were contractors performing the annual credential check and asked the employees to please provide their email username and password. Often those credentials are used to log in to their computers as well. Providing this information yielded more access than the targeted user was aware of. During this assessment, approximately one fourth of the people we called provided their credentials.

    PREPARATION

    This type of phishing is different from the email phishing attacks that most people are familiar with. First, a telephony-based phishing campaign requires additional preparation to sound convincing. We rehearse what we plan to say as well as how we will respond to questions, suspicion, and anger. We invent a story and background as part of a convincing pretext. It is said that the devil is in the details. A sense of legitimacy can be borrowed by peppering the conversations with specific information. Are we saying we work for the same company as the target? Then we’d better be able to say what office we work in. We’re calling from IT? Who’s our manager?

    Unlike email phishing campaigns, it is imperative to hook the target as soon as the call starts. Once the target hangs up, it’s unlikely they will call back or take another call from our number unless they trusted us (though I once had a person call me back to check who answered the phone). For this we prepare a persona.

    We need a name, possibly an accent, a department, a purpose for calling, and just enough back story that we never say “umm”.

    When we call our target, we’re unlikely to provide most of these details, but we need to be in character. Our target is likely to start off suspicious and will only get more suspicious if we say we work at the IT Help Desk and then act like we’re a high level manager telling them what to do. I’ve also had targets question me on what building I work in as well as my manager’s name. If I have a number of people to call, I often make small talk to gather more information to use in my next calls. Every bit helps in establishing rapport and building trust.

    Another part of preparation is technical. While it’s illegal to spoof (imitate) a phone number maliciously, in phishing campaigns it’s all part of the test. We use services like SpoofCard to display the phone number of the company that we claim to be calling from to make the call seem even more real.

    A SIMPLE, MULTI-TARGET VISHING CAMPAIGN

    Many companies hire us to call a large number of people in various departments to see if they reveal private information. The goal is to get something simple like their username and password for the email system or the direct phone number for an employee who doesn’t have that listed publicly. We often seek to check the effectiveness of their security awareness training by evaluating employees’ responses to the attack. As an employee, knowing that a company tests employees in this way can be a great incentive to exercise vigilance when handling unknown calls.

    In campaigns like this, I like to make myself a low level contractor. This job is so lowly that they don’t even make the lowest level employees do it! My goal is to establish rapport and then elicit a sense of empathy. Maybe you feel sorry for me. Maybe you realize that I get paid by results, so I will keep calling until you give me what I ask for. Most importantly, I have an excuse for not knowing answers to all your questions or not having a phone number that looks familiar.

    So back to my sad, lowly contractor. I make the call. I’m friendly. If they don’t believe me, I sound like I am used to hearing this and hate my job. I don’t tell them I’m a contractor; my goal is to get their credentials, but if they push back or ask me questions like “what building do you work in?”, I “admit” that I’m just a contractor. I look for any opportunity to ask the best way to get a job there. I ask if my target likes working there. Are the managers nice?

    This allows me to keep the target engaged without knowing all the answers and makes people feel important because they possess information that the caller doesn’t have. If they refuse to answer, I’m polite and tell them that is no problem at all… but someone will have to come to their office in person, and it will take longer. Sometimes that threat of someone physically coming to see them is enough to change their mind.

    These types of campaigns can be conducted under a myriad of personas. Some people mumble a lot so that it’s easier to act like you know answers you may not know. Think of calls you’ve received from spammers that you believe are legitimate at first. Sometimes it’s hard to say no.

    SPEAR PHISHING CAMPAIGNS

    (Image: webpage showing the entire Raxis leadership team)
    (Image: company website revealing partners)

    Spear phishing campaigns, whether using email, phone, or a combination, are much more complex to set up but can be well worth the effort when all the pieces fall into place. In these campaigns, we focus on a small number of specific targets and spend a great deal of time researching them to tailor the campaign specifically for these individuals.

    We start with research, and it may surprise you what we can find from the comfort of our own home using the Internet. I’m not discussing the dark web here; I’m talking about search engines like Google and Bing, social media, such as LinkedIn, Facebook and Twitter, and even the websites of your own company and your customer companies.

    A few years ago I was hired by a small firm of about fifteen people who each worked with two or three customer companies. I won’t reveal the specific industry, but they worked mostly with financial information. I was tasked with using only phone calls and calling as few or as many people as I wished as long as I extracted any type of critical, private information.

    My first step was to look at the company’s website where I found a list of key employees along with a small write-up about them. Many companies do this… it’s a great way to show prospective customers that your team has experience and would serve them well. Even Raxis has a page like this. Using Raxis as an example to illustrate the value of seemingly extraneous information, from this web page I gathered names, and I made short bullet lists of personal and professional information that might be useful in my calls.

    I also looked around the webpages and got an idea of the company itself. Sometimes information is revealed about products or companies that work closely with our target company. The Raxis webpage lists our partners, Rapid7 and GE Digital Cyber Security, giving an attacker an idea of who might be calling us, as well as lending a sense of importance to the calls that are believed to originate from them.

    Next I looked at LinkedIn and found many of the same people. LinkedIn is used by most people when they are looking for a job, and, because of this, many LinkedIn profiles have a great deal of information about people and what they do at work. School and work history give an idea of the target’s age as well as their interests. We look for any connection that we could exploit to build a bond.

    You went to Carolina? I can’t believe it. I did too! What year did you graduate? Go Heels!

    (Image: LinkedIn page showing past work experience)

    LinkedIn also can provide detailed information about our target’s job. Part of my LinkedIn job history is shown below. You’ll see that I once worked at a PBS station and a university. All of this type of information can be helpful as we enhance the target’s attack profile and determine under what pretext the attack will take place. In the case of the company I was researching, two people stood out. Each of them posted names of their customers on either the company website or LinkedIn. Next, I researched these customers. Immediately one customer stood out. Their website showed an org chart showing the structure of all of the top management.

    Since I’m female, I picked a woman on the list and decided to call my target using her name. I also found two other names that were higher in the org chart. With this information, I made my call.

    Hi, this is Stephanie Smith. I hate calling you at the last minute like this. My phone died, and I’m running around trying to get all the financial statements together for our annual planning meeting. Rich and Jim decided at the last minute that they need statements for the full fiscal year, and I can’t find them anywhere. The meeting starts in thirty minutes. Is there any way you can fax them to me ASAP? You can? Great! Our fax machine is actually broken too. Would you use this number instead?

    When you have time to sit and read this, it sounds ridiculous. There are red flags throughout. I never even said my company name, but I had enough information that I hooked my target into believing that I was trustworthy because she believed me when I gave my name, which happened to be a name that the target had been conditioned to view as a very important client that she wanted to please. She did not expect the call and made a split second decision to comply, rather than risk alienating a customer.

    She sent over 50 pages of financial statements to my fax machine.

    Of course, this was a security test. I deleted all of the data and provided my customer with a customized report that they used to train their staff. If I had been a malicious attacker, that one call could have broken the trust that company had with all of their clients.

    GET THEM TO CALL YOU – THE REVERSE PHISH

    (Image: phishing email with my phone number)

    In Part One I talked about email phishing. Why limit ourselves to emails or calls when attackers will use any means they have at hand?

    When customers allow us to combine emails and calls, one method that we’ve found value in is asking targets to call us. It may sound silly, but think about it. Something you use daily on your computer to get your job done stops working. You call the help desk, but they are already swamped. You’re waiting unproductively and your work is piling up. We’ve all been there, and we all hate it.

    So along comes an email with a link in it. The wording in the email gives you a special number to call. This webpage is so important that there is a priority number for it. This type of hybrid vishing campaign makes it easy to target a large group of people. Once someone calls back, we know they, at least partially, buy our story, and we can hook them in even further. When people call us they are more likely to trust us. They have no proof of who we are, but most people feel more comfortable with the person on the other end of the line when that person is answering them on their own terms at their own time.

    WHAT YOU CAN DO TO PROTECT YOURSELF

    When someone calls us, it often takes us off guard, and we are deciding if we should trust them at the same time that they are talking and encouraging us to get this over with by giving them what they want. We are conditioned to comply, especially in the work environment. But it’s important to maintain a sense of vigilance when dealing with any electronic communication including phone calls.

    • Remember that you can hang up on people. Tell them no or just hang up the phone. If you don’t trust them, just hang up.
    • If you don’t want to be rude or worry that they may really be who they say they are, put them on hold. Think about what they’ve said. Ask a manager or call the IT help desk and ask. IT often can help you decide if a call is legitimate.
    • Calling from a different number? Even if the calling number looks right, an attacker may be spoofing it. Before giving any private information, tell them you’ll need to call them back at the number you already have on record.
    • After hanging up, call the number you already have and verify that they just called. If the call was false, they’ll appreciate you checking. Call the department they say they’re from and ask. It’s obvious you have their security in mind. Most people appreciate that.
    • Are they asking you to send to a different fax or email? Tell them you can send to known ones you already have.
    • Most importantly, report it. Make note of the number and any details they provide. They may call other people, so the sooner you alert your company the better. If your company does not provide a way to report possible phishing and vishing attacks, report them to your IT department.

    Raxis provides social engineering tests, including phishing and vishing tests, that are tailored to your company. See our Social Engineering site at https://raxis.com/redteam/social-engineering for more information.

    Social engineering testing such as this is a critical part of compliance testing for companies in the financial sector. Learn more here: https://raxis.com/industry/financial.

    If you have questions or ideas for further blog posts, contact us at https://raxis.com/company/contact.

    Want to learn more? Take a look at the next part of our Social Engineering discussion.

  • Phishing Emails – Social Engineering [Part 1]

    Gone are the days of Nigerian princes who left you their fortune. Today it’s much more difficult to separate the genuine emails from the malicious ones that are out to steal your information and your money. While many of us deal with the spam that ends up in our personal email inboxes, Raxis helps many companies avoid corporate and customer information leakage from phishing emails targeted at unsuspecting employees.

    Identify

    Knowing how to identify suspicious emails is the first step in protecting your information as well as that of your employer and customers. I’ve performed many phishing campaigns for our customers, and I’ve heard multiple stories of smart, conscientious employees falling for clever phishing campaigns. The fallout, including public relations pitfalls, can be large enough that IT budgets get redirected to secure the environment and regain customer trust.

    I always tell our customers that it doesn’t hurt anyone to take a little extra time to react to an email. When I run phishing campaigns for our customers, I like to send the email out at the start of the day or at the end of the lunch hour. At these times most of us don’t want to be bothered by a new email request. We have work to do, and we’re focusing on getting to it and accomplishing our goals for the day.

    I make sure the tasks in the phishing emails are quick, simple, and easy to finish:

    “Just in time for the holidays, we’ve implemented web mail so that you can be home with your family and still answer emails! Your account will only activate if you log in at the following URL by the end of the day!”

    Images: List of Raxis Employees on LinkedIn; Raxis Email Addresses from theHarvester; Phishing Email; Error Webpage With a Malicious Link

    Well, maybe your IT department wouldn’t be quite so excited, but you get the idea.

    Phishers know common systems that most businesses use, and it’s often easy to find sample login pages online. Several free and paid tools exist that help companies perform phishing tests… and that help phishers steal your data as well. For this article, I spent about ten minutes finding email addresses and creating an email and website to steal credentials from my fellow Raxis employees. Just ten minutes, then I sit back and see if anyone responds.

    Step one was to find email addresses. Sound difficult? You’d be surprised. Search engines such as Google or Bing are a huge help, and social media sites, such as LinkedIn, provide employee names even when they’re not your connections.

    Manually searching for email addresses was taking too long, so I logged into my Kali Linux box and fired up theHarvester. In less than a minute, I had the full list of Raxis email addresses pulled from various search engines. There are also free tools that allow attackers to discover the format of a company’s emails, such as “[email protected],” so that I can create my own mailing list if I know some employee names.

    Now that I have a list of email addresses, I need those folks to give me their login information. There are tons of great tools that make it easy for users to set up a phishing campaign in minutes, such as the open source Social-Engineer Toolkit. This time I use Rapid7’s Metasploit Pro phishing tool.

    I start with a simple email. In some cases, I research the company’s culture and target a campaign at specific employees, but most of the time I can get good results by setting up a generic campaign that does not require me to know a lot about the company. In this case, I pick an Outlook Web App (OWA) site and hope that employees find it familiar enough to fall for my story without looking too closely.

    Using the phishing tool, I add a number of features that make the email look legitimate, such as using a fake raxis.com email address and including the recipient’s name. Think about it: if I found your email address, I likely know your name, but it still looks official to add it to the email.

    If the recipient clicks the link in the email, they are taken to a page that appears to be a legitimate OWA webpage. If they enter their login information and click submit, they move on to an error page that I built. It tells the recipient that there was an error, and all they need to do to resolve it is click on a handy link that can do the fix for them while they continue with their work. Unfortunately for anyone who clicks on the link, a malicious file meant to open a remote session to the user’s computer will be downloaded, effectively giving me background access to that machine and potentially the network where it is located.

    React
    Images: Phishing Email... Something Is Wrong Here; Login Webpage

    This is scary stuff, but the real question is: “What can I do about it?”

    First, there are some clues in the email itself. When I hover over the link, I see that the URL starts with “http://” instead of “https://.” A real OWA webpage would almost certainly use an encrypted “https” connection. The site also doesn’t have the company name in the domain: it’s just an IP address. That’s a big red flag as well. However, many phishers know that vigilant employees will look for these issues, and configure the malicious website to use an encrypted connection, and register a domain name that might trick employees if they don’t look closely, such as “https://rax1s.com” or “https://raxls.com.” Make sure you look closely at the link!

    If you find an email strange or unexpected in any way, ask about it. Most companies are concerned with phishing and would much prefer that you ask IT if an email is real rather than clicking on the link. Some companies have phone numbers, email addresses or websites that allow you to report a suspicious email. If not, give your IT helpdesk a call or forward the email to them asking them to check. Have you ever received an email from IT notifying you that you may have received a phishing email and asking you to delete it? Someone likely reported it in time for IT to nip it in the bud, thwarting the attacker.

    What if you clicked on the link in the email and then became suspicious of the website? This is dangerous, as webpages are far more likely than emails to host malicious files that may not be caught by company controls. Immediately report the email and the fact that you clicked on the link to your IT department. They will likely be grateful that you told them quickly so that they can check for and mitigate any threat. Never enter credentials or other private information on a suspicious website until you get the official go ahead.

    In past customer phishing campaigns, I have listed my phone number on the website saying that they can call to confirm that the site is legitimate. Never trust the email or the webpage! Contact your IT department in ways that you know internally before trusting the site. If you call the phisher during a phishing campaign, they will definitely confirm that you should enter your credentials on the site!
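    The link clues described above (a plain “http://” link, a bare IP address where a company domain should be, and lookalike domains such as “rax1s.com” or “raxls.com”) can be checked mechanically before anyone clicks. The Python below is an added example for this post, not Raxis code or tooling: it assumes raxis.com is the organisation’s legitimate domain and uses a small, constructed set of look-alike character substitutions; a mail gateway or help desk script would plug in its own domain and list.

```python
"""Added example: flag the link red flags a phishing-aware reader looks for.

Not from the original post. Assumptions: TRUSTED_DOMAIN is the organisation's
real domain, and HOMOGLYPHS is a small constructed sample of confusable strings.
"""
import ipaddress
from urllib.parse import urlparse

TRUSTED_DOMAIN = "raxis.com"  # assumption for this example

# Constructed sample of character sequences that imitate another character.
# Order matters: "1" folds to "l", which then folds to "i", so rax1s -> raxls -> raxis.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("1", "l"), ("l", "i"), ("0", "o")]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values between domains signal a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def fold_homoglyphs(label: str) -> str:
    """Map visually confusable sequences onto the character they imitate."""
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def registered_domain(host: str) -> str:
    """Last two labels of a host name (simplification: ignores suffixes like co.uk)."""
    return ".".join(host.split(".")[-2:])


def analyze_link(url: str, trusted_domain: str = TRUSTED_DOMAIN) -> list:
    """Return the red flags found in a link, in the order they are detected."""
    flags = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()

    if parsed.scheme == "http":
        flags.append("plain_http")  # a real login page would use https

    try:
        ipaddress.ip_address(host)
        flags.append("ip_address_host")  # no company name, just an address
        return flags  # nothing left to compare against a domain name
    except ValueError:
        pass

    if host == trusted_domain or host.endswith("." + trusted_domain):
        return flags  # genuinely under the trusted domain

    # The real name used as a subdomain of someone else's domain, e.g. raxis.com.example.net
    trusted_name = trusted_domain.split(".")[0]
    if trusted_name in host.split("."):
        flags.append("trusted_name_in_foreign_domain")

    # Lookalike: identical after folding confusable characters, or within 2 edits
    domain = registered_domain(host)
    if (fold_homoglyphs(domain) == fold_homoglyphs(trusted_domain)
            or edit_distance(domain, trusted_domain) <= 2):
        flags.append("lookalike_domain")
    return flags


if __name__ == "__main__":
    # Constructed sample links mirroring the clues in the post (203.0.113.0/24 is a documentation range)
    for link in ["http://203.0.113.10/owa/", "https://rax1s.com/owa",
                 "https://raxls.com/owa", "https://mail.raxis.com/owa"]:
        print(f"{link:32} -> {analyze_link(link) or 'no flags'}")
```

    The folding step catches substitutions that edit distance alone would miss when several characters change at once (for example “rn” for “m”), while the edit-distance check catches single-character swaps the folding table does not list. Neither replaces looking at the link; a clean result only means none of these particular tricks was found.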

    Next Steps If You Fall for the PHISH

    So what happens next if you entered your credentials, or even clicked on the malicious link on the error page?

    Step 1: Report the Phish and Your Actions

    First of all, I’ll repeat it again: contact your IT department. They may have a process, and they need to get started as soon as possible. The sooner you tell them, the more able they will be to contain the threat.

    Step 2: Change Your Password
    Image: Now the Phisher Has My Credentials

    Next, change your password. Change your password on every system, company or personal, that uses that password. Attackers love to try credentials in any place that they have access. They might log in to your email account and delete the email that IT sends telling you what to do next, or they might email a customer to scam them from your account. Changing your password as quickly as possible helps contain the threat. Here’s another handy post written by one of my colleagues with tips about creating a strong password: https://raxis.com/the-weakest-link-in-the-password-hash/

    Step 3: Reboot Your Computer

    Finally, reboot your computer. If you clicked on the malicious link in the error page that I created, a reboot would break my remote session to your computer. This doesn’t always work, but it also doesn’t hurt. Let your IT department know exactly what you saw and what you did. In a case like this, they will want to look at your computer and make sure they remove any threat. That may seem like a lot of work, but it also sounds a lot better than someone watching you through your computer’s webcam or using your computer to attack other machines on the network. Once an attacker has that access, they likely no longer need your password, even to keep their access over time. It’s always best to report the issue to be sure.

    Want to learn more? Take a look at the next part of our Social Engineering discussion.

  • Physical Security Pitfalls: What our physical assessments show us

    A Strong Front Door

    An effective information security program is built upon a strong physical security strategy. After all, if an attacker can breach your physical security, all of the network controls are more easily circumvented. On average our internal network penetration tests yield an 85% success rate. Once an attacker physically gains access to network connectivity, the chances of a data breach become exponentially higher. The role of a physical security strategy is to prevent an attacker from gaining tangible access to company resources so that secondary attacks are not possible.

    Raxis is frequently retained to test the physical security of corporations in various verticals. We utilize many techniques in our attempt to gain unauthorized access, ranging from highly technical approach vectors such as RFID badge cloning and IR cameras to simple social engineering pretexts.

    We average an 85% success rate on internal network penetration tests

    We commonly find that companies implement technology and processes that, on the surface, lend the impression of safety. Often, however, these controls are ineffective against a capable adversary, thus the net result is that the attack surface gains complexity without benefit, making the organization more vulnerable to targeted attacks.

    While some companies go to such lengths as employing security guards, both armed and unarmed, the presence of such personnel often provides a false sense of security. While they are excellent visual deterrents, security guards are only one component of a robust security strategy for physically safeguarding your critical data.

    Likewise, hi-tech security measures such as proximity cards and cameras often help an organization feel more secure, but the reality is these technologies add complexity and require additional resource overhead to maintain their effectiveness. Highly technical physical controls often can be hacked and, if not properly managed, sometimes leave a facility more vulnerable than it would be without them.

    Here is a sampling of the attack vectors we have employed in the past to circumvent physical security controls and gain unauthorized access to a facility:

    Poorly Trained Employees / Employees with a Casual Approach to Security:

    At the end of the day a company’s best defense is a well-trained and vigilant employee. The popular phrase, “if you see something – say something” is incredibly important. Employees know better than anyone else what is out of the ordinary – be it a suspicious package or a person. Employees need to be trained in secure practices, and given the authority to challenge or report anything or anyone that seems out of place.

    Often employees are lulled into a false sense of security through observational confirmation bias. They believe if someone has made it past the guard and is on the floor they must have permission to be there. This is reinforced by social behavior tendencies that make it uncomfortable to confront unknown individuals. A fundamental tenet of awareness training is to re-train employees to practice heightened vigilance in the workplace. Raxis consultants bypass guards and other countermeasures regularly while conducting engagements for our clients. In every one of those cases, if an employee had simply recognized us as being outside of the normal and challenged us to confirm the legitimacy of our presence, our attempts at compromise would have been thwarted. The reality is that most individuals do not feel comfortable with confronting someone in an office setting. This is a behavioral tendency that social engineering attacks exploit to lend legitimacy to a given pretext.

    The better an employee is trained to question people and events that are unfamiliar, the more robust the organization’s security posture will become.

    Proximity Badges

    Many companies fall prey to the false sense of security that arises when using RFID proximity card access control systems. In practice, many of these systems can be easily hacked electronically without the employee’s knowledge.

    For less than $600 and the ability to do a Google search one can obtain step by step instructions in making a weaponized badge reader that can be used to acquire an employee’s RFID badge data from a distance for later cloning.

    In many cases, an old fashioned tumbler lock and key would offer greater peace of mind. 

    Lack of Photo Badging

    To make matters worse, many companies that leverage badge access systems do not utilize personalized badges with employee photos. This may be due to myriad reasons, from budgeting to lack of headcount to manage such a program, to the level of effort to upgrade from legacy systems, or other business drivers. Even in environments where photo badges are prevalent, employees often do not take the time to verify that the photo on the badge is actually that of the person carrying it. Indeed, a surprising number of companies feel satisfied simply using a white proximity badge without any type of accompanying credentials.

    Proximity badges, if possible, should be paired with a photograph credential that validates the individual’s identity and indicates the level of access that person should be given. All visitors should have to sign in and in many cases be escorted while on premises.

    Even the most robust badging system is completely ineffectual unless employees are required to use it consistently. The physical layout of the office reception area plays heavily into enforcing access policies. Along with the photo ID, the form factor of the office should require that each person must pass through a checkpoint (even if it’s a receptionist) to show their ID and perform the badge swipe.

    Unmonitored Cameras

    The use of video surveillance systems is another means by which a false sense of security can manifest. In many cases, the cameras are either not functioning or are feeding directly to a DVR to provide investigative collateral after a security event has occurred. The reactive use of surveillance systems negates the benefits of the added visibility they provide.

    The challenge is that most of the places we breach don’t even know we were there. We walk in, do our thing and exit. The company does not know to investigate because an incident response was never triggered; they were not leveraging their surveillance technology proactively.

    In many cases, if the company had security personnel charged with monitoring the cameras, a security breach could be stopped before it happened, rather than investigated after the fact when the damage has already been done.

    While cameras are an effective deterrent to many attackers, they must be used correctly and as part of a larger strategy lest they once again facilitate a false sense of security.

    What You Can Do

    The importance of awareness training cannot be overstated. Understanding the role that company culture contributes to the level of employee vigilance offers critical insight into the implementation of any security training program. The goal is not to make your employees paranoid or uncomfortable, but to help them develop a sense of situational awareness in the workplace. Empower them to report anything that is out of the ordinary and to know that it’s part of their job to do so. A formal security reporting process that is well understood will assist with streamlining response efforts. Recognize the limitations and vulnerabilities of your security systems. It is often said that security is a process. An effective security program encompasses dynamic layers of controls in which weaknesses are identified and mitigated through compensating controls.

    Test the effectiveness of your systems regularly. Utilize an outside assessment firm such as Raxis to partner with you and your team and assess your performance. Tests such as these are critical to understanding the strengths and weaknesses inherent in any security strategy and how to best utilize available technology to increase the organization’s resilience to attack.

    We hope you’ve found this article insightful. Below is a short video that illustrates a typical engagement for Raxis. This video will demonstrate some of the techniques employed by Raxis consultants to infiltrate a facility, establish persistence, and exfiltrate sensitive information – all without the company being aware.

  • The Human Element is Often the Weakest Link

    Most companies realize that you can spend millions on network security, but one of the biggest gaps is the employee. The human element of a workforce can easily be exploited once you understand the basic psychology of human behavior. Most people at their very core simply want to be helpful. People generally want to be nice and are often concerned about what people think of them. We see this time after time when we are doing a social engineering engagement for our clients. Do you want to get through a locked door? Load up with boxes and follow an employee: “Oh – can you hold that for me?” Really – who wants to be the person that says, “No – put down those boxes and struggle with it yourself”? Looking for a password? Phishing emails are all too easy for the naturally trusting person to fall for. With a little care the email looks legitimate, and many will click the link and, in the process, load malware giving a malicious actor full access to their computer. Physical security – many times this is a false sense of security. Often security guards are hired for low wages and without extensive training. Certainly this is not always the case, but many times it is. While the visual effect of a security guard can be a deterrent, to the experienced person seeking to infiltrate your business it’s often a mild annoyance that simply requires a little more surveillance and planning.

    One of the best ways you can strengthen the human element is to test the human element, whether through an outside company or internal tests. People respond to real-life examples. You can teach seminars and send emails about social engineering with somewhat limited results. However, when someone actually falls for an infiltration scam, and they later find out it was a test and are told the results of the actions of the person who infiltrated the company – that lesson sticks.

    Many times employees don’t understand the critical role they play in the security of your business. However, once they see firsthand the potential results of their actions, it becomes much easier to tell the person with the boxes that they must go to the front door and sign in. It becomes more comfortable to call your IT department about an email – even if it seems to be okay.

    Regardless of your industry, real world testing simply makes your business stronger. What will you do this month to help your people learn how critical they are to your security?