Social Engineering Blogs

An Aggregator for Blogs About Social Engineering and Related Fields

Subliminal Hacking Blog April 7, 2012

Human Phishing … Playing the Odds

Happy Easter everyone, I have some spare time so I thought I would put fingers to keyboard and put a blog post out I have had on my mind for the last month. Even though I plan to post every month, life with a little one and busy at work does get in the way, and I really don’t want to post something just for the sake of it. I always want to share information that is relevant and will be of value.

So with that in mind I wanted to talk about phishing, and how important it is to select the right bait.

So as a social engineer there are going to be many times when phishing is going to be the best approach to get your gig off to a good start. Phishing is a low risk approach, but the rewards can be very high.

The important thing to say at this point is I am talking about phishes that have a higher percentage chance of success. This might sound obvious, but all phishes are not created equal. APT, Hacktivists and those just out to make a buck play the percentages: they send a large amount of email out, and the quality isn’t always that great (you have seen them, you can spot them a mile off). Of course this is different to spear phishing, where things are more targeted and frankly they do a better job when it comes to the content of the phish. The reason I mention this is, if this is what your customer wants (they probably know the answer, and it might not help them in reality, or you for that matter), simulate it appropriately, but depending on your targets it could be hit and miss.

So how do you do it right? Like most things in social engineering, do your homework. OSINT plays a big part here: what are your targets doing online, are there common interests, shared groups and themes around their activities? What types of language and communication is their employer using to communicate, what campaigns are running, what would be expected? When I talk about language I mean both the actual language (many people involved in SE have to deal with people outside of the English speaking world); this doesn’t mean that you can’t use English, your homework will tell you this, but regardless you are looking for the phrases, buzzwords, key names and meanings that will imply legitimacy.

Legitimacy is important, and will often force you to use languages and subjects that don’t shout spam and phishing email, but this is something important to consider also. What inbound controls are you facing, how will your email be graded, what tests can you do, how can you verify delivery of the phish? These are all components you will need to be considering if you are truly simulating your customer’s external threat.

So let’s assume legitimacy has played its part, your phish has arrived in the target’s inbox, and they think it looks legit. So what is it that is going to make them open your attachment, or click that link? Influence, that’s what. You may remember some time ago I wrote about the 6 rules of influence; well, this approach will help you in your phishing attack. Perhaps they will click your link as they will gain access to something difficult to get hold of (scarcity), perhaps it’s a direction from the top and must be followed (authority), or perhaps it’s as simple as the chance of winning something. I mean, who doesn’t want to get their hands on a sexy iPad 3?

Right, so your target is all about the clicky clicky, you have succeeded? Erm, possibly not :) This is where playing the odds comes in handy. To get to this stage you have already had a few levels of phishing success: the mail made it past all the ingress checking and arrived in the inbox, the subject was appropriate enough that your target opened and read the email, now they are clicking the link or opening the attachment. This is success, but I imagine in most cases now you want shells :)

Of course you do, who doesn’t. Of course if this works you can do the happy dance, but if it doesn’t you will be pulling out your initialed hanky and weeping like a baby. Why didn’t it work? Perhaps your payload wasn’t built properly, perhaps you set the handler up wrong, perhaps your system crashed, who knows, but you had all your eggs in that one basket. This is why you should play the odds with your phish, have multiple out, this leads to success at some level.

Playing the odds in my mind means the following. First of all I always try and include some form of credential harvesting component (it’s a common winner in my experience). I also tend to employ the joys of a BeEF hook. I think BeEF has a lot to offer in the future, so now is a good time to build it into your approach (you can grab systems info, launch iFrames, keylogging and all sorts). It’s also a good idea to consult your Apache logs to see what’s being given away. If you do a sample wave of phishing you can use this as recon (I tend to use what I consider low value targets here) and find out browser types, plugins running, Java versions etc., all important information for phishing. Include some browser exploits based on what your recon has informed you about; if you can do it transparently, great, but if you need to pop up a window or dialog box (à la Java exploit) then make sure it’s believable.

This isn’t an exclusive list by any means, and I appreciate I have not gone into huge detail (perhaps I will give a talk on it), but I really think you will see an increase in your success, and as a result increase the value of the service you provide to your customer. Oh, and don’t forget, if it’s appropriate a little phone call could help in the legitimacy stakes and get that clicking going on :D

So as always I hope this was of some interest, and of some help. I welcome all questions and feedback, and if you liked it please feel free to share with others. Until next time, take care.

Filed Under: Influence, infosec, Metrics, OSINT, Phishing, Social Engineering

Subliminal Hacking Blog November 5, 2011

Global Gestures … Don’t Get it Wrong

In my recent talk Social Engineering Like In the Movies – The Reality of Awareness and Manipulation I talk about how important it is to understand body language, especially in the right context. I also mention how, even though generally once you have a baseline a lot of body language is global, some gestures can catch you out.

With this in mind I thought I would share something with you that I stumbled across this week. It’s a book about global gestures and a guide to what they mean. Now don’t get too excited, I have not yet bought the book, and not sure I will as the feedback isn’t great; however, I did find out the writers have released an iPhone App, and it’s only 0.69 pence, so gotta be worth a punt :)

So is it any good? Well, I think it’s not too bad actually, and for the price it’s very good. If nothing else it’s interesting to look at the different meanings, and you can tell it what country you’re in and it will bring up some common gestures.

I would like to see a lot more gestures to be honest, as it is somewhat limited (perhaps if the book is the same it’s why people have not given it a high rating), but perhaps they will build upon this. The main thing is I don’t think there are many other resources with this info, so why not check it out.

Check out some screen grabs from the application to see what you’re buying.



Filed Under: Nonverbal Behavior, Social Engineering

Subliminal Hacking Blog July 16, 2011

Social Engineering 101 Workshop … Hash Days 2011 Lucerne Switzerland

This year I have the honour of giving a workshop at Hash Days 2011 in Lucerne Switzerland. The course will run on the 26th and 27th October 2011, coffee breaks, snacks and lunch will be provided, all located at the Radisson Blu in Lucerne. All attendees will receive full copies of the workshop slides including notes, and will have the opportunity to have 1 to 1 discussions with myself to discuss other related workshop topics that they would like more information on.

Registration is now open, so CLICK HERE TO REGISTER

Course Details :

Overview :
All organizations have one vulnerability in common, and that’s the staff. People are valuable in making an organization function, but sadly the wetware is vulnerable to attack. In this course we will look at how to exploit those vulnerabilities. Attendees will cover the fundamentals required on a social engineering engagement, such as the approval and planning stages, information gathering and execution. However, the main focus of the course will be the subliminal hacking skills. In this course, we will look at how the mind works and why it’s vulnerable, and how to exploit it, as well as how language is a powerful influencer. Body language will also be discussed, how to read it and use it to our advantage, as well as how to build and operate a successful pretext. The subject of ethics is often raised in connection with many manipulation techniques, so we shall also touch upon this, as well as how you can reduce the risk of you or your company being social engineered. We will also cover useful tools for information gathering, as well as handy equipment whilst on the job. This course is not intended to teach you how to run port scans, exploit application vulnerabilities and drop shells; it’s about how to hack the mind and influence the situation to meet your goal.

You do NOT need any previous experience of Social Engineering or Penetration Testing. If you have a thirst for knowledge and an open mind to new possibilities, this course is for you.

Learning Objectives:

  • What is social engineering
  • Authorization and Scoping Documents
  • Information Gathering Techniques
  • Engagement Methodology
  • Reporting
  • Mind / Brain Vulnerabilities
  • Psychological Approach
  • Linguistics / NLP / Hypnosis
  • Body Language / Micro Expressions
  • Elicitation / Rapport
  • Persuasion / Influence / Manipulation
  • Pretexting – Being THE social engineer
  • Engagement mediums – Phone / Email / Face 2 Face
  • Ethical and Moral Concerns
  • Handling Failure
  • Social Engineering Risk Reduction
  • Defense Strategies for your Business
  • Tooling for the job

Who Should Attend:

  • Pen-testers who want to get into Social Engineering
  • Anyone who is responsible for Information Security
  • Anyone who is curious in learning techniques to influence
  • Company personnel responsible for security awareness

Hardware Requirements:

  • Laptop (Netbooks not preferred)
  • Windows OS (Physical or VM)
  • Ability to run VMs (VM Player, etc.)

Filed Under: Social Engineering
