,
18 tweets,
5 min read
Read on Twitter
One of the weirdest things we do as social engineers is impersonate other people. It allows us access to some amazing places... but let me tell you a story about how this occurs. Social Engineers rarely just rock up...
This one job starts with scouring LinkedIn. Helped by the human desire to boast and share we manually make a list of 200 people that show an affiliation to our target company. 
So armed with a makeshift staff list, we convert these names to email addresses and it’s time for some phishing! Not just any phishing though, a special upgrade that cuts to the core of a companies SSO implementation.
How does it feel to take peoples passwords whilst pretending to enhance security... horrible. But the pretext was valid and they didn’t check the domain.
So inevitably people click, they type is passwords. In a few hours we are amazed. We have an unusual amount of passwords... but why so many... we start to compromise email accounts and discover why.
IT had sent an email around that week complaining about passwords and security... wow, now we have genuine guilt to go with actually being guilty of horrible things. The poor users were trying to improve security.
So of all the email accounts we compromised the most valuable to us was the receptionists. We jump in the car and head down south, reading and understanding about the company on the drive down the M1. Staff induction, the welcome video from the CEO. I even did some Elearning 🤭
Armed with a pretext from her own inbox I arrive at reception. Today I’m a lift engineer, here to check the lift for insurance purposes. “Hello dear, I’m Eric from XXX” the sign in goes well... but she’s nervous. Something is wrong. I get guided to a cupboard.
So here it is, the glamour, the luxury. I’m in a cupboard under some stairs wondering if I’ll get locked in. I can hear reception whispering to a guy and I’m debating calling it off because it’s prime time to call police.
The whispering intensifies, I hear steps. This is it... I’m getting locked in a cupboard...
The guy flings open the door, “how’s it going”
“Yeah so so fella, trying to get this thing to f’ing connect”
*Points to laptop sat on the lift box, already on WLAN scanning for 3389*
The guy flings open the door, “how’s it going”
“Yeah so so fella, trying to get this thing to f’ing connect”
*Points to laptop sat on the lift box, already on WLAN scanning for 3389*
He smiles and goes. I hear him laughing with receptionist now. They thought something was up, but reassured and slightly bonded over our joint hatred of IT and the WiFi we are now cool.
The rest is history, found an RDP enabled machine and had a handful of creds already to use. Hardly even hacking. Left site and all is well in the world. I wanted to share this because (especially younger) testers look up to SE like it’s James Bond. Like it’s special.
The reality is, it’s simple and often basic. Yes it requires some foundational skills and nerve but nobody needs to feel this is unobtainable. It can be learnt. Don’t forget we got to the cupboard with some LinkedIn, HTML skills, Ubuntu skills, being able to setup Email and nmap.
You’ll see news articles about advanced threats, Russian agents on industrial espionage missions, Fancy bears and such... The reality is the basics are enough nearly every time. Protect your staff from the basics!
THE FIXES:
▪️Staff shared specific details of job roles on LinkedIn, consider limiting this especially for financial roles.
▪️Mail gateways allowed inbound phishing emails, implement industry leading email filtering. Block TLD variations, create a blacklist of similar domains.
▪️Staff shared specific details of job roles on LinkedIn, consider limiting this especially for financial roles.
▪️Mail gateways allowed inbound phishing emails, implement industry leading email filtering. Block TLD variations, create a blacklist of similar domains.
▪️Users didn’t receive phishing education training, train staff to spot malicious domains. We phished using TLD variations. We used HTTPS.
▪️Reception couldn’t validate guests, contractors should present government ID (passport/license) as a minimum.
▪️Workstations had RDP services enabled, regularly scan for services, consider closing off. They can offer ingress points for attackers.
▪️Workstations had RDP services enabled, regularly scan for services, consider closing off. They can offer ingress points for attackers.
▪️In an office of Windows devices, a Mac that’s port scanning should SCREAM attack, consider @Darktrace or similar industry leading IPS offerings, you don’t want the telemetry of an F1 car, you want basic reporting, fast actionable alerts.
