
Next up we have Daniel. I'm hoping I'm pronouncing this right: Daniel Isler, or Aila? Daniel, you'll have to correct me. Hi Daniel, Isler or Aila? There are many ways; it's from Switzerland. In Chile we say Isler, sometimes a few people say Isler, so it doesn't matter. What does your mother think? She's from Denmark, so she thinks differently. Okay, well, but your mother's always right. Yeah, yeah, yeah. So whatever she says it is, is what it is. I think it's Eisler. Eisler. If that's what your mom says, then it's Eisler. Okay, Daniel, welcome. Welcome. Thank you. Where are you calling in from? From Chile, from South America. Oh, fantastic. We are such an international conference here at BSides Delhi, and we get all the best speakers. So Daniel, you're
still talking, you're going to be talking about Old Still Cool? Yeah. So whereabouts, what do you do for the day job, or is this your day job? Yeah, this is my day job. I'm a rat.
I'm the team leader of Friendly RATs. It's a social engineering unit from Dreamlab Technologies, in the office in Chile, because Dreamlab is a Swiss company.
And that's it. We do social engineering every day. Fantastic. Fantastic. So, a quick reminder for our viewers as well: don't forget the chat window to your right. That's where you pose any questions, which we'll ask at the end. Hopefully we'll have time at the end. And Daniel, if you wouldn't mind joining our Slack channel afterwards, that would be wonderful as well. Awesome. Please, folks, can we bring up Daniel's slides?
Daniel, over to you. Thank you, thank you. So welcome, everyone, to Old Still Cool. Many times I have considered myself like an outsider or a weirdo in the world of pentesting, because professionally I do not come from the IT world. But creating this story, I had to remember all the actions that we generated with my unit, and I realized that social engineering is not an exclusive word for one type of career or training. I think that is the first mistake of a lot of companies when they think about security.
Because I ask: who designs people-focused security? Who should test it, and how? And who should educate the people? Because every time it's only IT people, and it's IT people that we educate. Where are the teachers? Where are the psychologists?
Where are the psychiatrists? I think we need that. Where is the art, for example? We are all social engineers. Yeah? We need to believe that, because social engineering is everywhere, in
all our lives, everywhere. Yeah, because we are talking about people, we are talking about dreams, projections, interactions, stimuli. And that is something we all relate to, and we can eventually exploit everyone. So stop thinking about social engineering only for criminals. Everyone does social engineering. But we have two very different concepts. For that, I will tell you
an example. Let's see this example from real life, from my life. And you can think about whether it's persuasion, manipulation or something else. So the early nineties were running, and I was a pre-adolescent looking for an identity. Above all, I was looking for a true love.
I was fortunate because I had very great friends and a very nice group of classmates. So that was me, the second kid from the right, who was looking at something else, not at the camera. And the guy by my side was my best friend.
Here I met a nice girl. We held hands, we even had some kisses. She's also in the picture, but we're going to hide her identity. One day I wanted to go a step further, and I proposed to her that we become boyfriend and girlfriend. She told me that she was actually with me because she liked my best friend, and it was the best way to be close to him, since her best girlfriend was the girlfriend of my best friend. That was the first time that I was heartbroken. Sad story.
Okay, what can we conclude? Was it manipulation or was it persuasion from her? Was there a benefit for both, or only for one of the parties? That is social engineering. So remember that we can all be tremendous social engineers. It is important to recognize the circumstances, given the goal and the means by which I'm going to try. That's where we separate the good guys from the bad guys. That's where we separate persuasion and manipulation. Personally, I believe that we can divide, sorry, the good guys from the bad guys, yeah, persuasion versus manipulation, by whether there's a benefit for both or only for a third party. That's the way I see it. If there's a benefit for both, I think it's persuasion. If the benefit
is only for one party, I think it's manipulation. I know that it's an eternal discussion, but that is how I look at it, and my unit too.
Here we can remember the nice girl, yeah? The one who broke my heart. And reflect on whether her social engineering was manipulation or persuasion. You decide, okay? So I want everyone to know that, because I'm going to talk about services and I'm going to talk about criminals. So we need to separate things. Okay, I'm going to present myself. I am Daniel Eisler. I'm team leader of Friendly RATs, the social engineering unit at Dreamlab Technologies in Chile. RAT is an allegory that reminds us that threats will always exist. It also coincides with the acronym of Remote Access Trojan, a vector commonly exploited by cybercriminals. I always remember: you can burn the house, but the rats will always come back. So it's better to have a friendly rat who can tell you how to prevent others
from getting in. Yeah. So have a friendly rat, a friend. It's a good thing. So we are nice rats.
So let's begin. The stories that we'll see next do not pretend to be a novelty. On the contrary, what we want is to demonstrate how humans continue obeying simple stimuli, and even though we have made an effort to create colossal virtual fortresses, these are only gravel that makes the path to the objective slower. The objective continues to be the same, with the same weakness, the same one that has believed what others have believed for decades, centuries, millennia. This is Old Still Cool.
What we have in social engineering services is a short time in relation to an organized event. They manage to carry out effective attacks in periods of six or twelve months. We only have five to ten days for a complete project: information gathering, execution and report. Therefore, trying to replicate the flow of a whole attack in real time is unfeasible, and trying to emulate it in such a short time only gives results that are not very close to reality, thus generating a false sense of security in the collaborators involved in the simulation, depending on the results.
For this reason, we have to look for processes and techniques that will place us in a realistic scenario, emulating at a high rate and achieving in an effective way the exercise of suggestion on those involved. So let's talk about the context that we have. We have collaborators or departments with a high level of awareness about cybersecurity. Controls and filters are advancing according to market demands; it is increasingly difficult to carry out phishing simulations with significant scope without them being rejected by security systems, landing in the spam mailbox, or security filters alerting and preventing the integrated display of the malicious email. And the internal and legal restrictions of each company often condition the test to such an extent that, well, judge for yourself. Let's
see an example. We have this typical phishing campaign, yeah? But now we have a meeting with the client, so the client has some requirements. The first thing, so, this is an important date for you. The client says: okay, you cannot use a real brand of honey, yeah, you need to replace that with something similar. So we replace the brand, the word honey, with money. After that, the client says, hey, hey, hey, hey, hey, you cannot use a similar brand. You need to replace it with an obviously fake logo. Okay, we erase the word, we put a very fake logo. Yeah. And after that, they say, hey, hey, hey, hey, hey, you cannot use a sensitive
subject. It's a holiday, okay, just use the word holiday, not the holiday. So, okay, let's change it. Very persuasive. And after that, they say, hey, you can't display a subject like that, themes like that. We need to use something like a benefit for collaborators. It's always at the
bottom of the campaign, but he never saw that. So we put it now in the front. You cannot use the word benefit or collaborators. Okay, we removed that. I need a request: can you ask for corporate credentials?
Because of what? Okay, you are the client. So we ask for corporate credentials for a fake honey in happy holidays. So we are ready for our biggest, greatest phishing campaign. And now we're going to send it, and this is: stop, stop, stop, stop, stop. I have one thing. Our email will not accept an image, only text. Okay. So this is our greatest phishing ever, with the requirements of the client. So those are the issues that we have in our services. So if someone likes social engineering and wants to learn more about it, I have a few books for you. For us they are our Bible, the holy grail. The first one is Impro for Storytellers. It's a book about
improvisation, improv. But paradoxically, most people who read this book are not people from theater, because they use this book like a self-help book. Why? Because it allows you to establish effective communication. Think of this: you think of something, you say something, and the third party will understand that. Easy, but it's not that easy. I hope everyone can do that, but there are not too many people who can do that. So this book teaches you how. And it sounds simple, yeah? And it also allows you to achieve goals by modifying yourself, and modifying others from their relative status, to reach a goal, yeah? It's a very effective and powerful book. It's awesome. The next one is Hidden Persuasion. It's a
book about advertising. There are 33 cases of advertising that introduce you to the world of needs and selection through suggestion. Yeah. There are 33 cases and exercises that help us, our unit, to establish effective phishing campaigns. So those are two very great, great books to introduce you to the social engineering world. So if you like it, they are on Amazon, I think. So let's start.
We ask ourselves these three things: how to avoid an antivirus in a service under a black box format, yeah, where we know nothing about the client; how to evade firewalls in order to access systems without being stopped; and, since it is necessary, how to go unnoticed. Yeah.
The objectives in our services, like in a cyber attack, are to obtain access and sensitive information from critical units, critical areas with high awareness about social engineering and about cybersecurity. So we need to mix, yeah? We need to merge some vectors from social engineering. In these cases: phishing, vishing and physical intrusion. And in the executions, as a unit, we have specialized in the last five years in the development of pretexting, persuasion techniques and extremely, extremely particular and effective deception scenarios. You will see now. So we create these two vectors. The first one is physical spear phishing, that is a merge from a physical intrusion, I wrote, no, it's bad. So, okay, it's a merge from a physical
intrusion and spear phishing. So it's physical spear phishing. Yeah. And we also have the Vishing Web Scan, which is a merge between vishing and a malicious website. So let's start with the first case, physical spear phishing: physical intrusion plus spear phishing.
We have... Let's see it.
You seem to take it greatly to heart. No doubt I do. So much so that I am resolved to be revenged on them for their impertinence. I know well enough why they despise us. Affectation has not alone infected Paris, but has also spread into the country, and our ridiculous damsels have sucked in their share of it. In a word, they are a strange medley of coquetry and affectation. I plainly see what kind of persons will be well received by them. If you will take my advice, we will play them such a trick as shall show them their fault and teach them to distinguish a little better the people they have to deal with.
Conference, passes and workshops: capture credentials from specialised security units. Place: office, corporate building. Day: business hours. Client: reserved.
Let's begin the tale. Thirteen objectives are indicated. As a common denominator, they share advanced knowledge about cybersecurity, and none of them attend the cybersecurity awareness talks, since they consider that, because they have advanced knowledge, they don't need them. We took a couple of
messengers who would take a very particular package to the office of the target company where the 13 individuals were located. Meanwhile, in the rat hole that we call the Warren, the rats prepared a website associated with a cybersecurity conference, so the targets would be attracted by it and enter without arousing suspicion. To increase the hook, we researched their social networks to offer exclusive workshops that matched their interests and specialties. And voilà: full-access VIP members. A nominative invitation for each of them, with limited validity, validated and registered. We dressed up our couriers and sent them on their way to the target's office.
The messengers calmly go to the reception of the building with a suitcase full, full of invitations for a cybersecurity conference. So they went to the secretary, they introduced themselves to the receptionist, and she asked,
What can I do for you? And they answered, We bring certified mail. She answered, Okay. They asked for certain names and she wrote them down. They managed to get into the building and the office in question without any problem. The employees are called one by one to receive this wonderful and exclusive present. They are stunned and very happy receiving and opening the envelopes. They are given credentials and a tutorial with a QR code to register for the workshops. Then they rush to their workstations, open their browsers and start logging in with their corporate credentials on the site to validate their entries and register for these attractive workshops, exclusive to their company.
Let's talk about this physical spear phishing activity. So we have this unit with a high level of cybersecurity awareness, faced with a targeted attack based on their preferences and specialities, where the client considered that, more than a fortress, this reaction from its cybersecurity conscience maybe could be a threat. It was possible to capture the credentials of 11 of 13 employees. Of the remaining two, both were not at the office, and just one employee reported the activity, only in less than 10 days. Let's continue. Case number two, another physical spear phishing. But this time we go further. This is a physical intrusion with recognition by a
specialized magazine, an invitation to an award event, and a pen drive with an extended interview in a malicious file.
Let's see it. One night, bored and fiddling idly with bad thoughts, he decided to send a message to five of his friends. Everyone, without exception, had some unconfessable secret: a crisis, a fraud, a scam, a dread. The note was delivered anonymously, without signature or information. It just said: everything has been discovered, run away. By later that dinner, his social circle was agitated by the sudden and uncontrolled disappearance of one of the people to whom he had sent the message. Of him, nothing was ever heard again. Telegram, Arthur Conan Doyle, United Kingdom, 1800s.
Physical intrusion, specialized magazine recognition, invitation to an award event, and pen drive. Remember that. So we have this ego validation, access to the CEO office, and the client is reserved.
Let's begin. So we go to talk with the client, and this is the scope of this red team. The client says there's no restriction to any specific area. So we press it, we ask why, and whether the CEO office is included. He says yes, but you cannot go inside, because we have guards, we have validation, an appointment, an identity check. So one of our consultants dresses like a journalist and goes into the company minutes before the customer service closes, which allows us to avoid the first control. She carries a box with a very important prize for the CEO. At the next checkpoint, the guard interrogates the supposed journalist; she decides to take the prize out of the box and tell him the purpose of her visit. He decides not
to intervene, and forwards her, taking her straight to the system for something we call ego validation. The consultant repeats the same story again, this time starting with the name of the prestigious economics magazine and the category of the award for the person of the year. They call the CEO office and authorize the entry. At this point, they have only asked for the name and reason for the visit, but no registration or validation of her identity has been made. Finally, the hook and the device with the malicious files arrive in the hands of the CEO. The journalist retreats calmly and safely without raising any alarms. The guard says goodbye. She doesn't answer. She only thinks about the target while leaving the building. The last part of the plan fails. The payloads
don't work. We programmed for Windows, not for Mac.
Let's talk about this one. Although the simulation is not complete, because the payload was configured for another operating system, it tells us about an element that many times is not given importance. And that is that when the security infrastructure is robust, users begin to have behaviors based on absolute confidence in the system. But this means that, in an eventual attack, collaborators with an over-secure perception will click on anything, download and install, because they will not consider it a threat. This leads us to the following case, the Vishing Web Scan.
So we have this vishing and this malicious website
with an infected file. We contact the objectives by phone to request basic information, establishing a relationship of trust, in order to ask them to visit a website where they must log in with their corporate credentials, follow the instructions of the technician, download a file and install it on their computers. So, let's see this.
Woz said, can we call the Pope? And they both dialed the Vatican. Woz pretended to be Henry Kissinger and asked to speak to the Pope, who at the time was sleeping because it was four in the morning.
So we have this call, the website, and the remote control. Remember that. So
let's begin. At the height of the pandemic, an empty city. The vast majority working from home, with no means of immediate identity validation. Many do not have the security measures that they have at the office. What do we do? We call them. Hello, can you give me your... Hello, I'm the technician, can you give... What do we do now? So someone says, I know, let's call the contact phone number on the website and ask them to transfer us to the objective. Nice idea. I would appreciate it if you could enter the technical support site. Yeah, of course, I'll go. You can log in with the same credentials as the corporate email. Okay, I will put that. Did you enter? Click on start. I will click on
start. That's it. Download and then accept. I press accept. Meanwhile, in the Warren, the rats are waiting for the target to log in, download and install the file, so they can take remote control of their computer. And that's what
starts to begin. This one goes too fast. I'm going to explain that to you. So let's see the step by step of the attack.
We do not spoof the phone identity.
We call the phone number on the website. Once connected, we ask to speak to specific people associated with the critical areas. The central desk transfers us immediately without validating our identity or the reason for the call. This is why the user, when they see the call, sees the company phone number. So the impersonation is totally effective. The objective then trusts us, delivers the requested information and executes the actions, regardless of the equipment raising alerts. These are deactivated by the user, who trusts the technician and generates a remote connection to his equipment. This was all done in less than 10 days.
Thank you very much. I hope you think in another way about cybersecurity, about social engineering. The power of social engineering in attacks is the first step of the biggest, biggest cyber attacks in the world. So educate yourself, educate your people, educate your company, and not only using IT people: you need humans, you need psychologists, you need feelings, you have dreams, you need a full team for that, to think about cybersecurity. Thank you very much. We are so, so happy. I'm only one of the unit. I'm talking for everyone here. So it was awesome. I hope next year we can go to India, to eat in Delhi, and have a better and awesome paper for you. See you.
And good luck. I don't know. It was awesome. Thank you, BSides Delhi. Friendly RATs from Chile.
Bye. We have a little video.
Sorry about my English, it's very basic, my English, but I hope you understand. Daniel, I got every third word, but I saw everything that you did. I'm joking, I understood everything. It was perfect. It was perfect. I must admit that was some of the best storytelling I've seen in a long, long time. In fact, in the opening keynote, I discussed with Rad Malik about the importance, or we discussed the importance of storytelling when you're trying to put a point across and how important it is. And I have to say the use of GTA there was inspired.
The best part for me was the outfits that you wore. The last one is very poor, but the other one was good. Maybe next time. Maybe next time, yeah, yeah. I only have this old phone. The one thing I would say is your microphone was live during every single outfit change.
And then we heard you drinking and eating. It was superb. Absolutely superb. So we do have a question for you. Yeah, of course. It appeared on Slack. So whoever asked it on Slack, have you not watched anything that I've been saying about putting your comments or your question in the comments on YouTube? Anyway, the question is: have you had any situation where things might have gone wrong in a way in which legal aspects might have come up, or the law might have been broken? Yeah. In our country, it's very difficult because we have a very new, newborn legal situation, so I can do things that in other countries I can't do. Like, for example, we use cameras in all our physical intrusions.
We make these video reports with all the information, and you can't do that, for example, in the States.
Some information gathering that we do, like in social media, we report all the information that we have, and some information sometimes is
on the border of legal things, but it's open source intelligence. It's not, we do not, we didn't, we are not doing something illegal. But in OSINT it is very difficult, because there's a lot of private information that you can get; it's on the web, it's for free, it's on public profiles, but, wow, it's very difficult. But we never had problems like with guards or police, because sometimes a few clients ask us for some actions where we realize, after the requirement, that they are asking for something not legal. Like, for example, going to servers that are not only theirs; they only hired a
part of the servers. So I realized that that place is not theirs, it's for a third party, so it is totally illegal to get in there. So I presume you've also been asked to break into somebody's girlfriend's Facebook account as well? A few times some people ask me for that, but I don't know. I'm starting to use Instagram. I only have it for OSINT, but I don't have my Instagram as an active account. Daniel, where can people find you online? Are you on Twitter? Yeah, I'm on Twitter. Friendly Rats. Friendly Rats. Yeah, Friendly Rats. And... Yeah, we have Twitter, we have Instagram. Yeah, we have those. We have
Discord. Yeah. Yeah, a Discord account. Okay. Twitch. Yeah. And will you hang around on our Slack channels for a little bit? So if anybody else wants to ask a question. Awesome. Yeah, of course. That would be great. That would be fantastic. Daniel, thank you so much. That was a rare treat. I thoroughly enjoyed it. Thank you. You know, your mother may be slightly embarrassed right now, but we're not. No, no, she's watching. She only cares about the legal thing, the police. She always says, please, please don't get arrested, please go. But then she would say, but my Daniel would never do anything like that. No, thank you, Daniel, so much. A really good presentation. Thoroughly enjoyed. Thank you. And have
a good rest of your day.