
Okay, the next presentation is "Phishing: Not Just for Extroverts," presented by James Morris.

Phishing, not just for extroverts. So you may be wondering who I am. My name is James Morris, I'm an introvert. I'm also the offensive lead at Rendition InfoSec, where we do a lot of real cool stuff: we do red teaming, pentesting, incident response, digital forensics, we offer training, and a 24/7 SOC located here in Augusta, Georgia. A lot of cool stuff. Swing by the booth, we're hiring, if you're looking for a job in the InfoSec community. Prior to Rendition I was a senior pentester at a Fortune 100 company. I've discovered a couple of zero-days, written some cool tools and scripts, and created a security meetup in Central Florida.

So for this talk we're going to talk about social engineering and phishing. We're going to walk through how you could create a spear-phishing example, then we're going to introduce vishing into the equation: we're going to pick up the phone, call someone, and discuss how that could increase the success rate. We're also going to discuss how you could get creative with your phishing engagements and vishing engagements. Then we're going to discuss an advanced method to harvest credentials and provide a demo.

Rob Joyce said it best: well-run networks make our job hard. That's where social engineering comes into play. I'm not going to purchase an expensive vulnerability scanner, blast your network, and get caught if I can send one phishing email to your CEO, get his password, and log in as him. I'm going to take the path of least resistance.

So how do you social engineer? It helps first by understanding the old-school attack mentality: we're gonna search the internet, get all these email addresses, we're going to clone a login page, make a fake website, blast out emails, and hope someone responds and gives us their password, social security number, whatever we're asking for, or we hope that they log in to our fake login page and give us their credentials. The old-school defense mentality, this is, you know: are you expecting the email? Are you hovering over the link? Is there a red X? And attackers know all this and use it against you, and we'll go through a few examples.

This is the typical email that you expect to see for phishing: "Hey, I've got five million dollars, please give me your bank account to prove you are who you are and I'll transfer it all to you. It was your great-great-grandfather and we need to verify, you know, your social and all this information." Yeah, you're not expecting that, it's too good to be true, don't click it, don't fall for it. And keep this in mind later as we build a phishing scenario: we're not gonna go to the extreme and offer something too good to be true, we're gonna kind of ride that border of "it could be true." No, no, yeah, this email right here, we're not gonna do that one, we're gonna make it a little more targeted.

So, you know, only check stuff, click stuff, that you were expecting. But as an attacker: you weren't expecting Joshua to send you a message, but are you expecting, you know, social media emails to your email? People add you all the time, send you messages. Just based off the inbox view, can you tell which of these is fake, which of these is real? You can't, just from this slide. The same thing for the email: as an attacker we're gonna clone something, make it look real. Were you expecting this? You know, maybe not from this person, but maybe you're expecting, you know, social media emails, maybe someone's messaging you, sending you invites. So here it's hard to spot the difference just based off the body of the email.

Then we train users to check the header. But do we always tell people what to look for? How many people in here check the header of every email that you open? I see a couple hands, pretty good. Yeah, the challenging part there: do you think John in the real estate department knows what an email header is? I've heard before where someone clicks an email and they say, "Hey, it was from Gmail, Google's trusted, why should I not click it?" So attackers keep this in mind, and we know, hey, Gmail's accepted by a lot of companies, so we're gonna play off of that.

We also tell people to hover over the link. The challenging part there is, are we telling them what to look for? You know, can we throw together some subdomains to make it look like a real domain? And what if we throw in a, you know, rendition-infosec-about-us? People look at the first part, they see, "Hey, I see .com, that's what I'm expecting, it has the domain in it," and they click on it right away, if they even hover and take the time to look at it.

We also tell people to look for the red X. So this is a real login page, but what if we force HTTP instead? There's no red X. Should you log into it? What could we do here? What would we train people on for this? What could we tell them to look for? Yeah, the lock symbol. How many people in here like free stuff? First hand, agree, sure, come get something free. There's some swag up here if you want it. Yeah, no, no, what was the name of the trick? It wasn't a hard question, grab something for free. Yeah, I also love free stuff, right? We can generate a cert for free, add that lock symbol. So now we just bypassed that: you're telling your people to look for a lock symbol, my page has a lock symbol, now they can enter their information.

So let's build a sample phishing scenario. We're just starting with a first name. What would the first thing be that you would do? What's that? Yeah. Or say you were targeting someone specific, you have just their first name and last name, but what's the first thing that you would do? Google them. What's one of the first things that you find for people when you google them? You see an address. So you take this address, you could, you know, start googling that, find out more information, maybe look at a house. How many people in here have car insurance? Okay, about a quarter of us, okay, a little more than I was expecting. You know, have you ever tried to go to a competing website, plug in first name, last name, and address? What does that tell you? All the vehicles that are registered at that address. Did you know that? It's interesting. So now you know all the vehicles that this person has registered at their address. You may not know which one's registered to them, so what could we do next? Look at social media. Okay, so many people take pictures of their vehicles. Yeah, I saw some friends joking recently, someone saying, "Hey, are you a truck?" So all it was was a picture of a truck as a profile picture. But so many people have pictures. So you look at this, you see, hey, the profile picture was changed August 2011, you see the truck, the color, a partial license plate. You pull up Google Maps, look at the shadow, the shadow's three times the length of the people, it's probably 7 p.m., 8 p.m. at night. You know it was purchased from the dealership, you see who purchased it, you see that a wife, a daughter. So you pick up a lot of information from this picture and you can keep digging into it: research the dealership, find out the name, address, the email, phone number of the person that sold the vehicle.

So we're getting a lot of good information here, but is there anything that we could really, you know, cause panic, cause the person to click on something? You could... good, there's so many. Yeah, there's so many directions you could go with this. If we could say, "Hey, from this dealership, you want a new car?" would that be believable? Some people might say, "Oh, that's probably fake," we talked about it's too good to be true. What if we slam them with a recall? How many people in here have replaced their airbags? A lot. I replaced my driver's side, a month later replaced the passenger side, had to go back to get the driver's side, there was a malfunction with that, had it three times, four airbags. So that's realistic. People, you know, you may not be expecting it, but you see it on the news, it's pretty common, it's, you know, safety.

So let's take all of this information that we've gathered and researched, let's cause a little bit of panic, a little fear, play off the human emotions. Say, hey, we know your name, we know the vehicle make, model, what day you purchased it. We're not saying you can come in, we're saying you must fix this, it's a safety issue. Throw in a quote, people love quotes, and you can quote anything in an email, people believe it. They're sharing, you know, social media, Facebook, I see posts, quotes shared all the time. Also throw in some statistics, you know, throw in some numbers: hey, this many people have been injured. Throw in, play off the emotions of, hey, what about kids, children, you know, you definitely want to cause a little bit of concern there. And make sure it's in scope for your phishing engagement. I've seen engagements go bad from other people where they say, hey, the company's stock is dropping. You don't want to go to some extremes that could affect the company, make the client mad. Make sure it's in scope. But, you know, who earlier said you love free stuff? Not only do you have a problem, I'm giving you a free appointment. Yeah, there were some of those keywords in there.

But what else do we have to consider? It's not just the email that has this information in it. We want to make sure, if you're cloning a login page to capture credentials, you're gonna make it look realistic. A few pointers: instead of using subdomains you can add dashes, tweak letters, tweak numbers. You want to make it look believable, make it look like something, you know, they're used to logging into this portal, it's not suspicious when they click on it. But what do we do once the user logs in? Are we just taking credentials, capturing, seeing if they click the email? We can then say, hey, thanks for logging in, but verify who you are, what about your credit card number, your social? Maybe we make a POST to the real login page, log them into the real site and they don't even know, you know, they don't know anything happened. There's so many directions you could go with this. You could also clone other parts of the website. Just five minutes in Paint, a free tool, we all like free, we've said it a million times now, tweak the logo. You know, if you're registering a similar domain, adding a letter, dropping a letter, just tweak the logo, tweak the images, that way they see what domain the email's coming from and it matches everything on the website.

Now we talked about phishing. Who in here, show of hands, is familiar with vishing? Okay, so quite a few of us. So phishing, we're sending emails trying to get information; vishing, we're gonna pick up the phone and call. It's hard for those introverts out there, it's easy to sit behind the keyboard and type up the phishing email, but now we're gonna pick up a phone, call, and ask for your password, ask for information, and this can be very awkward. The first few times it was awkward for me and it still is. We've had engagements where the client wants us to just figure out information about the company, there's no clear direction, so okay, what am I asking for? You got to make a plan. A few pointers here: do spoof the number, have a similar area code that they're expecting, play off the human emotions, say please, thank you, you're asking for help. You also want to have a backstory, and research just as much as we did for the phishing scenario. You want to research, you know, who you're calling, what you're asking, and don't be afraid to hang up and call back later, you might get someone else that gives you a little more information.

So let's circle back to that phishing email that we were talking about. How could we add vishing into this to increase our success rate? Yeah.
Yep, exactly. And if you're calling: "Hey James, this is Mike, how do you like your truck?" "Oh, I love it." You know, get that conversation going. I've talked to people on the phone in vishing engagements 15 to 20 minutes before I even asked what I needed to get. "Hey, you know, how's your truck?" "Oh, I love it." "You know, how do you like that four-wheel drive?" "It's awesome, I use it for towing." You have this whole conversation going, he thinks you're the guy that sold it to him. "Oh, by the way, I remember you had a wife, daughter, real nice family. There's a serious safety recall, it's the largest one in US history, you know, it's a major concern, but we'll hook you up, we'll fix it for free and give you a free oil change. How about that?" So you get all this, it's believable, free oil change. "Hey, thank you. What do I need to do?" "I need you to come in." You're talking to him on the phone: "Check your email, I'm sending it over now." He gets the email: "Oh yeah, I see it." Clicks the link, logs in. Then what? You know, if we just leave it at that, would he be suspicious? Does he call the real dealership? He starts looking into it: "I don't see anywhere to schedule the appointment." Could we call him back and say, "Hey, thank you, we saw that you logged in, we verified your information, the recall was only on the two-wheel drive trucks, we didn't see that yours was marked as four-wheel drive. False alarm, sorry to disturb your day." He says, "Oh, thank you so much," and hangs up. There's no suspicion, he doesn't think twice, doesn't call back, doesn't try to go to the dealership to ask questions. So keep this in mind when you're phishing, vishing, you know: if you send it to thousands of people and they're going to a login page looking for something, looking for an appointment, and don't see it, they're gonna start contacting the security team or calling the client saying, "Hey, this is weird, I got this information, I got this email." So keep all that in mind.

So a few things: think outside the box, build your statement of work. You know, include things like third parties. Do they receive the same phishing training? Oftentimes contractors, third parties don't receive the same phishing training that all the other employees have. They're good people to target. Target interns, new hires. See what all you can add into your statements of work and scoping.

We once had a client, they wanted us to target their third-party MSP: "Hey, see what information you can find out about us." Okay, who's the third-party MSP? "Well, we want to see if you can figure that out." So imagine, imagine all the paperwork and stuff: okay, well, we'll do this engagement, we'll try to figure out all this information about you through a third-party MSP, and you won't tell us who the third-party MSP is? It was, what are we gonna do here, this is crazy. We start doing our research, checking social media, we generate email addresses, send emails to people. We send one to the director of security. Guess what his out-of-office reply is? "Hey, I'm out of office." It was so silly. "For internal people only: if there's a problem, please contact our MSP at this phone number and this email." Can you believe that, right? The director of security, out of all the directors there.

So we get that information, we take that, we call them up. We do a little research. At this point we still don't know what we're trying to get from them, what information, and we couldn't find a login portal. So we call them up, we create a whole scenario: I'm working from home, I have a sick child, I had YouTube playing a baby crying on repeat. Wow, great scenario, yeah. You got to have that backstory, you got to have stuff that makes sense. So we call them up, I pretend to be the director of security, they talk a little bit, pass me to someone else, ask me what I'm asking for. I'm kind of like, I don't know what I'm asking for, I'm trying to play off, "Hey, I'm trying to get logged in, I'm working from home." "Okay, what are you trying to get logged into?" "Hold on." You're increasing the volume of the baby crying. "I just said I'm working from home, hold on one second, let me, you know, take care of this." And you're trying to think on your feet. "I'm just trying to get logged in, I've got my laptop here." "Oh, you mean the hidden login portal that we don't tell everyone about, that just you have?" "Yeah, yeah, that's the login." So, you know, if you kind of wait and hold back, kind of play into it, sometimes they'll try to help you, they're trying to be helpful, and in this case that was it. "Yeah, okay, well, here's the URL, you can log in." "Oh, but I don't have my work laptop, you know, I wasn't expecting a sick child, my password manager is on my work laptop, can you reset my password for me?" "Sure, sure, I'll reset it, I'm gonna send it to your email." "Oh, but I'm working from home, I can't access my email, can you just tell it to me over the phone?" "Sure, sure, I just reset it, it's password one with a capital P." "Okay, thank you, thank you." So you're asking for all this information, you're playing off the human emotion.

The best part of it: the final person they transferred me to, it was a lady. Okay, she's like, "Okay, tell me what's going on." "Hey, I'm working from home, sick child," have the baby crying in the background. "Oh, I feel so bad for you, my child was sick a few weeks ago, I had to miss work, I didn't get paid, now I've got doctor bills." We talked for ten minutes about our kids that I don't have before I even told her what I was trying to do. Okay, and they're believing you there, you know, you're talking, they see you as a human on the other end of the phone. And then, "Oh, by the way, can you please help me out? My boss wants this report, I need it by three o'clock," it's like 2:30, "you know, if I don't do this I'm probably gonna get fired or something." You know, you're throwing all that out there. "Oh sure, sure, I'll help you, no problem." And then she helped get me the URL, the login, reset the password, and all of that. So if we play off the human emotion...

Now, I say all this, but companies are getting better. They're introducing multi-factor authentication, they're minimizing their attack surface, or their surface area for us to attack, but we're still getting in. Can anyone guess why? Yeah.
Yes, similar stuff. You come up and grab some free swag. Yeah, oh yeah, what's that? So I'll show a tool here shortly. I actually wrote keyloggers and we throw it on our login pages, so everything that you're seeing, we see live. We see the two-factor code, password, we're gonna enter it on the other website, and all we need... You want to come up and grab something too? Yeah, we were interacting earlier, talking; if you want something, grab something. Good answer. So all we need is that one successful phish or vish. I don't need, you know, I don't need to send it to a thousand people if the first person I send it to gives us their password. And here's the screenshot of a tool we'll demo here in a second. We throw this JavaScript keylogger onto the login page, and as you type your username, password, two-factor token, we see that, we enter it on the real login page. Sometimes if there's an additional push notification, you're expecting it. So let's run through this demo. On the left-hand side you see the login page.
Okay, it doesn't seem to be playing. But so with this, as someone logs in on the left-hand side, they enter their username, password, and on the right-hand side we see the video live, we see the keystrokes live, the timestamp, IP address, as you enter the information. Here's a few resources. There's plenty of great resources out there, here's a few that I use personally. So there's tools that can scrape social media, it'll generate email addresses based off of first name, last name; a phish log, it'll capture the keystrokes as the user types it. There's also tools to send phishing emails that track who clicks it, track who enters passwords, how many passwords. We've seen a user once enter five different usernames and passwords for different domains, in the different environments, everything he was entering. I guess he was expecting something different when he logged in, he just kept going back trying different ones throughout the day. Are there any questions?
Yeah, yeah. So on the other monitor, and that has sound built in, you can customize the sound. So if you send phishing emails out at nine o'clock in the morning, you have that up on your other monitor, or minimized so you're working on something else, you start hearing beeping noises, you open it up, you see keystrokes going across the screen, so you can, you know, pull up the real login page and enter the two-factor code before it changes. We've also seen cases where, you know, you have the username and password and it sends a push notification. A client that I tested that on, the first twelve people that we tried, guess how many accepted it on their phone and said, "Yep, this is me"? Out of twelve, seven out of the twelve. So yeah, there's other ways around it.

Yeah, yeah. So even with hardware, sometimes if they're used to entering the username, password, and token on the same screen, or even the next screen, sometimes putting all of those on the same screen, and as long as they're entering the code on the page, we have the real page up, we can enter the username, password, and even if the next page is the token we can enter it there. So this specific one is more just for the web portals that ask for a username, password, and two-factor code. Haven't seen that too much, usually.
Yeah, oh, I think, back there, oh okay. Yeah, so the question is how often do we see companies that have a hard multi-factor. I've seen cases where, if you say you forgot it, lost the token, you call the help desk and the help desk says, "Okay, what's the last four of your social?" So I've seen companies that start to ask for more information. Sometimes you can find that information online if you did enough research; it always helps, as we were talking about earlier. Or, hand? Yeah, it's a good point. I have seen a lot of clients don't use two-factor and allow six, eight character passwords, complexities could be all lowercase or lowercase and uppercase, so I see that quite a bit. Yes.
Yeah, that's good, yeah. Another thing that we've seen a lot of times too: not just the actual login page, but you go to the forgot-password page and you can use that for username harvesting. A lot of times, if it enumerates, you know, company letter and then numbers, one two three four, for the company IDs, a lot of times you can go to the forgot-password page, throw that into Burp, you know, spray it with different numbers, letters, you can get valid usernames before you even password spray. That way you're not, you know, setting off any of those alerts that say, hey, we're getting failed logins for usernames that don't exist; at least if there's anything, you're at least hitting valid usernames. Any other questions? Yes.

Yeah, definitely concerns. And the biggest thing that we tell the clients, whether it's phishing, vishing, physical pentesting, we've got Bryce Self giving a talk on that later today: it's not the person. You know, were their company policies in place? If we walk to the front desk and say, "Hey, we're, you know, we're contractors, here's our badge, it's after hours, no need to call the, you know, the VP and wake them up, let us in," they let us in. Is there a policy for after-hours or visitors after hours? No. Then, did the person receive training for phishing, vishing, social engineering? No. Okay, is there a... what's supposed to happen? Clients are like, "Well, they're not supposed to let people in." It's like, okay, but were they trained on that, were they told that, was that documented? A lot of times it's the processes, procedures that need to be addressed, not necessarily that one person. And a lot of times, as we hit clients over and over, that would be the wrong solution to me, to fire the person, get someone new; if you don't train the new person, we go back and do the same thing, or try different methods, and it still works. It'd be better to address the problem than just throw a new body at it. Yes.
Yeah.

Yes, it's all a challenge. That, you know, as the policies get more detailed, the attacks need to be more sophisticated. Kind of to the beginning questions that we talked about, the employee training: a lot of times we see it says don't click on stuff that has a red X, or look for a lock symbol. That's pretty generic and easy to get around, their training. So if they provide examples, what I've seen work a lot is they provided, you know, multiple examples: hey, look for the red X; oh, if the lock symbol's there it could still be bad; look at the domain, are we expecting it? There's a lot more that goes into it, but yeah, it's definitely a challenge, because you don't want a thousand-page procedure on
he's setting
yeah
Yeah, there's always new techniques and new things that we're trying. I've seen so many clients that we take, they say, hey, we're gonna send this from Joshua at gmail.com. "No, no, no, you told me you're, you know, this advanced red team, you know, we need something more advanced than that." We throw up a login page that just says login, password, submit. "Oh no, no, you need to do something harder than this." Then 50, 60% of the people fall for it. So it's like, hey, maybe we don't need to spend all this time training our people on these very advanced attacks if they're clicking something that's from a Gmail account, and with a login page they've never seen before, and they're entering their company credentials. Any other questions? All right, thank you. [Applause]