Social Engineering Blogs

An Aggregator for Blogs About Social Engineering and Related Fields

Subliminal Hacking Blog April 7, 2012

Human Phishing … Playing the Odds

Happy Easter everyone, I have some spare time so I thought I would put fingers to keyboard and put a blog post out I have had on my mind for the last month. Even though I plan to post every month, life with a little one and busy at work does get in the way, and I really don’t want to post something just for the sake of it. I always want to share information that is relevant and will be of value.

So with that in mind I wanted to talk about phishing, and how important it is to select the right bait.

So as a social engineer there are going to be many times when phishing is going to be the best approach to get your gig off to a good start. Phishing is a low risk approach, but the rewards can be very high.

The important thing to say at this point is that I am talking about phishes that have a higher percentage chance of success. This might sound obvious, but not all phishes are created equal. APT, hacktivists and those just out to make a buck play the percentages: they send a large amount of email out, and the quality isn’t always that great (you have seen them, you can spot them a mile off). Of course this is different to spear phishing, where things are more targeted and, frankly, they do a better job when it comes to the content of the phish. The reason I mention this is that if this is what your customer wants (they probably know the answer, and it might not help them in reality, or you for that matter), simulate it appropriately, but depending on your targets it could be hit and miss.

So how do you do it right? Like most things in social engineering, do your homework. OSINT plays a big part here: what are your targets doing online, are there common interests, shared groups and themes around their activities? What types of language and communication is their employer using to communicate, what campaigns are running, what would be expected? When I talk about language I mean both the actual language (many people involved in SE have to deal with people outside of the English-speaking world). This doesn’t mean that you can’t use English, your homework will tell you this, but regardless you are looking for the phrases, buzzwords, key names and meanings that will imply legitimacy.

Legitimacy is important, and will often force you to use languages and subjects that don’t shout spam and phishing email, but this is something important to consider also. What inbound controls are you facing, how will your email be graded, what tests can you do, how can you verify delivery of the phish? These are all components you will need to be considering if you are truly simulating your customer’s external threat.

So let’s assume legitimacy has played its part, your phish has arrived in the target’s inbox, and they think it looks legit. So what is it that is going to make them open your attachment, or click that link? Influence, that’s what. You may remember some time ago I wrote about the 6 rules of influence; well, this approach will help you in your phishing attack. Perhaps they will click your link as they will gain access to something difficult to get hold of (scarcity), perhaps it’s a direction from the top and must be followed (authority), or perhaps it’s as simple as the chance of winning something. I mean, who doesn’t want to get their hands on a sexy iPad 3?

Right, so your target is all about the clicky clicky; you have succeeded? Erm, possibly not :) This is where playing the odds comes in handy. To get to this stage you have already had a few levels of phishing success: the mail made it past all the ingress checking and arrived in the inbox, the subject was appropriate enough that your target opened and read the email, and now they are clicking the link or opening the attachment. This is success, but I imagine in most cases now you want shells :)

Of course you do, who doesn’t. Of course if this works you can do the happy dance, but if it doesn’t you will be pulling out your initialed hanky and weeping like a baby. Why didn’t it work? Perhaps your payload wasn’t built properly, perhaps you set the handler up wrong, perhaps your system crashed, who knows, but you had all your eggs in that one basket. This is why you should play the odds with your phish, have multiple out, this leads to success at some level.

Playing the odds in my mind means the following. First of all, I always try and include some form of credential harvesting component (it’s a common winner in my experience). I also tend to employ the joys of a BeEF hook. I think BeEF has a lot to offer in the future, so now is a good time to build it into your approach (you can grab systems info, launch iFrames, keylogging and all sorts). It’s also a good idea to consult your Apache logs to see what’s being given away. If you do a sample wave of phishing you can use this as recon (I tend to use what I consider low value targets here) and find out browser types, plugins running, Java versions etc., all important information for phishing. Include some browser exploits based on what your recon has informed you about. If you can do it transparently, great, but if you need to pop up a window or dialog box (a la Java exploit) then make sure it’s believable.

This isn’t an exclusive list by any means, and I appreciate I have not gone into huge detail (perhaps I will give a talk on it), but I really think you will see an increase in your success, and as a result increase the value of the service you provide to your customer. Oh, and don’t forget, if it’s appropriate a little phone call could help in the legitimacy stakes and get that clicking going on :D

So as always I hope this was of some interest, and of some help. I welcome all questions and feedback, and if you liked it please feel free to share with others. Until next time, take care.

Filed Under: Influence, infosec, Metrics, OSINT, Phishing, Social Engineering

Subliminal Hacking Blog February 6, 2012

Successful Introductions … Getting Results

Happy New Year Everybody. Sorry I have been slack with blog posts this year, family and work are keeping me busy at the moment.

So less about the excuses and more about the doing :) When I speak to people about Social Engineering there are many common themes, the most common being how to handle failure and how to go about being the person / group you are impersonating. The other one is how you make that initial introduction, and start getting your manipulation fu on. It’s a good question, and one I used to struggle with when I first got started.

I would say it’s pretty common to be nervous when approaching someone, especially when you have some form of manipulation planned. I don’t want to offend anyone, but this is what dating is initially, right? You want that person of interest to be spellbound by you, so how do you make that first step without totally destroying any chance of success? Well, my clue is in the aspect of dating.

When I was researching Hypnosis, NLP and the wonderful world of Mentalism I came across the work of PUA (Pick Up Artist) Ross Jeffries. Now I am no huge fan, and I think some of this stuff from the PUA community is borderline on the ethical and moral front for me, but I am sure it works and gets the results if that’s your thing. Anyway, one of the things they talk about is how to introduce yourself to that person of interest. This technique applies for the dating game, if you’re looking to try out some magic and mentalism, as well as engaging in some social engineering. Obviously it’s important to have context, and timing and the place are crucial, but the approach is to Compliment, Introduce, Question (CIQ).

A simple example could be as follows: You look like a helpful set of guys, my name is Dale and I started here today. I left my badge inside, would you help me get back in please?

It’s simple, concise and does the job. It is also useful to use language that implies compliance. Phrases that include “could you”, “would you”, “can you” etc. have a form that implies that of course we all know you can meet our request, and it’s not very often you get a smart alec who doesn’t want to comply.

Short but sweet post, but something for you to try out in any situation where you need to introduce yourself, remember never miss an opportunity to use the power of persuasion.

Filed Under: Influence, Security Awareness

Subliminal Hacking Blog December 1, 2011

Confirmation Bias … The Manipulation Assistant

I think most people would accept that building rapport and getting to a stage of some form of manipulation is normally possible with anyone, given a decent amount of time. This is great for making REAL friends, but in the social engineering context we normally don’t have or want this luxury; we like it quick and dirty, so to speak. We have discussed many ways to have this happen, but I think we have a little-discussed manipulation assistant that we can utilise. This is something known as confirmation bias, also known as Tolstoy Syndrome.

So what is confirmation bias? Essentially this is something that we all suffer from to some degree, and depending on your opinion, some more than others. Confirmation bias is the human tendency to favour information that is associated with one’s beliefs or preconceptions, regardless of whether this information is true or factual. So when we communicate, people will be selective in what they remember and interpret what we say in a biased way. Some consider this bias as being the internal yes man, willing to agree even in an ambiguous context if what they hear matches their beliefs, and filtering out the unwelcome information.

This probably all sounds obvious, right? So why do we care about this? Well, I have to be careful how I describe this so as not to get your backs up regarding your confirmation bias.

Let’s consider this scenario. As part of your intelligence gathering exercises on your mark / victim you identify that they support Man United Football Club, they love dogs, recently got a new car, have been seen on forums saying they are not too happy with their job, and a recent tarot reading said good fortune is coming their way soon.
Now in my experience using any of the obvious stuff, like animals or football clubs, will yield good rapport building results, as we like people who like us and are like us; it sets up a common ground. However, I think the stronger and faster rapport builder, the one that will lead to a quicker manipulation frame, would be the tarot route. The reason for this (in my opinion) is that this sort of thing is treated with a large amount of scepticism, and I personally don’t believe it to be valid and have not seen any solid research to prove it. However, many people have a confirmation bias to this, and I would imagine they feel in a minority in that aspect and would really feel a close bond to someone who shared this same interest.

The reason I raise this point is that when we are acting out our pretext as a social engineer, we should no longer be ourselves. We should leave behind our personal baggage and be 100% committed and open to the situation we find ourselves in. If we fail to do this we may end up in a situation that builds distance, not rapport. So for example, when not working, if someone started speaking to me about tarot readings I would quickly lose interest and be looking for an exit plan; this could present a missed opportunity. Since my transition from hypnosis sceptic to hypnotist I have a large appreciation for this sort of thing.

Now you might be thinking, OK, sounds great in principle, but there is no way I could just blurt out I was into tarot reading as it would be just so odd. My first point is you’re thinking out of context. Blurting that sort of thing out to a random person could be considered crazy, but we know this is a person of interest.

Let’s go through a super quick conversation example.

Victim : Hello Acme Systems, how can I help?
Me : Good morning. I hope you can help me as I am on a tight deadline to gather some information for my project.
Victim : Sure, I can certainly try, what do you need?
Me : I work for the local government security council and we are carrying out a study of how companies securely dispose of their confidential waste.
Victim : Oh, I am not really too sure if we can give out that information.
Me : I totally understand your concerns, and I don’t want to get anyone in any trouble, but this is for a government report. We sent out official requests in the post but so many companies didn’t respond, I guess everyone is just so busy.
Me : Could you possibly find out who could confirm if you can give this email? Perhaps there is some information on your Intranet, or someone you can call.
Victim : OK I will have a look, please bear with me.
Me : No problem.
Few seconds pause…
Me : Whilst you’re looking, did you have a good weekend? The weather was pretty bad again, wasn’t it?
Victim : My weekend wasn’t too bad thank you, how about yourself?
Me : It actually turned out really well. I went to see a tarot reader, and I had a really good reading. I know some people think it’s all phooey but it was just amazing.
Victim : Really? I have had a few tarot readings myself, and you’re so right about other people, but I really rate my tarot reader.
Now we go through the process of talking tarot for a bit, so make sure you have done some research on terms etc.
Me : It’s great to meet someone who shares my same interest, it really is rare. By the way, how are you getting on with the information on the confidential waste?
Victim : I can’t seem to find anything, but I think it would be OK to share the information anyway. It’s Acme disposals.
Me : Brilliant, thanks, you really helped me out. Thanks for everything and take care.

This hopefully kinda gives an idea, utilising that dead time when they are searching for stuff, get the hook and exploit it to manipulate your way to getting the desired information.

Hope this was of interest, and you can try this in many scenarios. Those that know me will know that I used similar techniques to this on the phone to get discounts and freebies when I am buying stuff, same principles apply. Essentially regardless of your beliefs you are going to go with the grain, not against it.

Filed Under: Belief, Influence
