
Old Still Cool

BSides Newcastle · 2021 · 37:00 · 30 views · Published 2021-10 · Watch on YouTube
About this talk
Daniel Isler Krarup presents three real-world case studies combining physical intrusion, spear phishing, and social engineering to breach high-awareness security teams. The talk demonstrates how attackers blend pretexting, persuasion techniques, and physical-digital deception to obtain credentials and access from personnel who trust their organization's security controls, revealing the gap between awareness training and actual resilience.
Original YouTube description
Obtaining access and sensitive information from critical areas in three cases of merging classic Social Engineering formats under the concepts Physical Spear Phishing and Vishing Web Scam. The physical-digital tools and techniques used for the realization of the objectives will be explained. Controls and filters advance according to market demands and it is becoming increasingly difficult to perform generic phishing simulations with a considerable scope, without these being rejected by security systems, reaching the spam mailbox or alerting security filters and preventing the integrated display of malicious mail. How to bypass an antivirus in a service under a black box format? How to bypass firewalls so that systems can be accessed without being stopped? Is it necessary to go unnoticed? This paper presents 3 cases of mergers of classic Social Engineering formats united under concepts that we call Physical Spear Phishing and Vishing Web Scam. The physical-digital tools and techniques used for the realization of objectives will be explained.
Transcript [en]

So, welcome to Old Still Cool. First of all, many times I have considered myself like an outsider or a weirdo in the world of pentesting, because I do not come, professionally, from the IT world. But creating this story, I must remember the actions that we generated with my unit, and I realized that social engineering is not an exclusive world for one type of career or training. I think that is the mistake of many companies when they think about their security. There's a nice movie from Newcastle that has a lot of social engineering stuff, so if you have not seen it yet, it's a nice one. We are talking about people, dreams, projections, interactions, stimulus, and that is something we are all related to

and that we can eventually exploit. We are all potentially social engineering experts. We just need a context and the necessary triggers to get that goal. So let's make a little example. Let's see this example, and you decide if we are talking about persuasion or manipulation, because we have this concept that there is this difference between bad guys and good guys. So you decide. The early 90s were running, and I was pre-adolescent, and I'm looking for my identity, but above all I'm looking for a true love. I was lucky to have great friends and very nice classmates. That was me, the little guy with a blue coat. The guy by my side was my best friend. Here I met a

nice girl, that one that we held our hands and we even caught each other. She also is in the picture, but I will hide her identity. One day I wanted to go a step further, and I proposed to her that we could become boyfriend and girlfriend. She told me that she was actually with me because she liked my best friend, and it was the best way to be close to him, since her best friend was my best friend's girlfriend. That was my first time that I was heartbroken. Oh, sorry, sorry, sorry. I put this name. It went. Oh, sorry. But what could we conclude about this: was it manipulation or was it persuasion? It

was a benefit for both, or only for one of us? So we are all social engineers. Remember that we can all be tremendous social engineers. It is important to recognize the circumstances given, the goal, and the means by which I am going to try. That's where we separate the good guys from the bad guys. We separate manipulation from persuasion. I personally believe that we can divide good guys from bad guys: persuasion or manipulation, benefit for both sides or just for one side. Here is a useful one: remember the nice girl who broke my heart, and focus on her social engineering tactics. Was it manipulation or was it persuasion? You decide. I present myself. I am Daniel

Isler. I am team leader of Friendly RAT, the social engineering unit at Dreamlab Technologies in Chile. RAT is an allegory that reminds us that threats always exist. It also coincides with the acronym of remote access trojan, you know, a vector commonly exploited by cyber criminals. Always remember: you can burn down the house, but the rats will always come back, so it's better to have a friendly rat who can tell you how to prevent the other rats getting in. That's because we call ourselves friendly rats. If we catch up on the web, on Twitter or whatever, you can call me Danny, Dick, Rata (Rata is rat), or Splinter, like the Master Splinter. It's whatever you want,

it's okay for me. So the stories that we will see next do not pretend to be a novelty. On the contrary, what we want to demonstrate is how humans continue obeying simple stimuli, and even though we have and make an effort to create colossal, beautiful strengths, these are only obstacles to make the path to the objective slower, which continues to be the same one, the same, sorry, with the same weaknesses, the same one that believes in what others have believed in for decades, centuries, millennia. This is Old Still Cool. Excuse me. Cheers. So let's start this. One of the first difficulties we have in social engineering services is the short time we have in relation

to an organized band. They manage to carry out effective attacks after periods of six or even 12 months of investigation and testing. We only have five, uh, yes, five to ten days to complete the objective, perform information gathering, execution, and report. Therefore, trying to replicate the flow in real time of a whole attack is unfeasible, and trying to emulate it in such a short time only gives us results that are not very close to reality, though generating a false sense of security in collaborators involved in the simulation. For this reason, we have to look to processes and techniques that will place us in a realistic scenario of higher-edge. So we have this context in

our tests: collaborators or departments with a high level of awareness associated with cyber security. Controls and filters are advancing according to market demands, and it's increasingly difficult to carry out phishing simulations with significant scope without this being rejected by security systems, reaching the spam mailbox, or security filters alerting and preventing the integrated display of malicious email. The internal and legal restrictions of each company often condition the test. Judge for yourself. We always have these problems when we want to make phishing campaigns. So we have this tremendous phishing campaign for people from Newcastle, for example: Free beer for a year. Click here. It's like a poem. So we have this nice beer from your city. But the client says,

"Oh, it cannot be a real brand. It's a legal problem for us. So please replace that with something similar." But it cannot look like the original brand. So replace that with an obviously fake logo. Okay, so we made that, and we have this Beaucastle, the only one. And after that he says, "Okay, but it's free beer for a year; maybe everyone's gonna click on that link, so please replace that with maybe a holiday." Okay, so, never day. And then the client says, "No, no, no, no, no, no, those are sensitive themes. Replace that with a benefit." Okay, but we already said that it's a benefit. It's used. If you see, down there it says exclusive benefits for collaborators, but the client

never sees that. So, okay, you want to change that benefit for collaborators? Very real, everything. Yeah. So then the client says, "No, no, no, no, no. It's vain to use words like benefit or collaborator. So please remove that." Okay, so we have this. "But please, can you ask for corporate credentials without the brand?" And Olly says, like, "You win." Okay, win corporate credentials. Wow, very advanced phishing campaign. So all the rats in our office say, okay, let's launch this. So maybe this happens to you if you're a pen tester, if you make phishing tests. It's very difficult. So what do we do in those cases? I want to share with you some bibliography that we use a lot. It's like our Bible. The first

book is "Impro" from Keith Johnstone. He's the father of improvisation. It's a book of improvisation, but paradoxically, most people who read this book are not from theater. They're not theater people, and they use this book like a self-help book, because it allows you to establish an effective communication process. In very basic words, let's say this: "You think something, you say something, and people understand that." I know it sounds very simple, but you know it's not that easy. Read this book. It also allows you to achieve goals from modification of yourself and others from related status. It's very important for that when we emulate, like, physical intrusion; we need to use that. And then the following book is Hidden Persuasion.

It contains 33 advertising techniques that introduce us to the world of need and selection from suggestions. There are 33 cases and nice exercises that help us in our unit to establish effective phishing campaigns. It's a nice book. I think you can find both in England, maybe more "Impro", because Keith came from England, but he lives now in Canada. So let's start with the nice part. We ask ourselves the following questions: How to avoid an antivirus in a service under a black box format? How to evade firewalls in order to access systems without being stopped? Is it necessary to go unnoticed? So we have these objectives in our services: phishing, vishing, and physical intrusion. Obtain

access and sensitive information from critical areas and high awareness, through the combination of classic formats of social engineering attacks in a limited time with a scope equivalent to a real cyber attack. Yeah. The execution: as a unit, we have specialized in these last five years in the development of pretexting, persuasion techniques, and extremely particular and effective deception scenarios. So, this paper presents three merging cases of classical social engineering formats, united under two concepts that we call physical spear phishing and vishing web scam. So, physical spear phishing: physical intrusion plus spear phishing. An addressed envelope is delivered in a face-to-face way, ensuring its reception, seeking for the target themes of interest, something attractive and, of course, credible.

Let's start. "No doubt I do, so much so that I am resolved to be revenged on them for their impertinence. I know well enough why they despise us. Affectation has not alone infected Paris, but has also spread into the country, and our ridiculous damsels have sucked in their share of it. In a word, they're a strange medley of coquetry and affectation." Les précieuses ridicules, Molière, Paris, 1659. Physical intrusion plus QR code plus website plus corporate credentials. Workshops: capture credentials from a specialized security unit. Office in a corporate building, business hours. Client reserved. So, 13 objectives are indicated. As a common denominator, they share advanced knowledge of cybersecurity, and none of them attended the cybersecurity awareness talks, since they consider that because of

their advanced knowledge, they don't need it. For this, we took a couple, a couple of messengers, messengers who will take a very, very particular package to the offices of the target company where these 13 individuals were located. Meanwhile, in the rat hole, our office, we call it the Warren, the rats prepare their website, a website associated with a security conference, so the target is attracted by it and enters without arousing suspicion. To concrete the hook, we search their social networks to offer exclusive workshops that match their interests and specialties, and voilà, full access VIP member. A nominative invitation for each of them, with limited time to validate and register. We characterized ourselves, gathered our courage, and rushed to the target office.

The messengers calmly go to the reception of the building with the suitcase full of invitations for the security conference. So they introduced themselves to the receptionist, and she very kindly asked them, "What can I do for you?" And they answer, "We bring a certified mail." She answered, okay. She asked them their names and wrote them down. They managed to get into the building and the office in question without any problems. The employees are called one by one to receive their wonderful and exclusive present. They are stunned and very happy receiving and opening the envelopes. They are given credentials and tutorials with a QR code to register for the workshops. They rush to their workstations, open the browser, and start logging

in with their corporate credentials on the site to validate their entries to register for the attractive workshops exclusive to their company. Sorry for my English. So it was very fast for me. So, a unit with a high level of cybersecurity awareness faced with a real targeted attack based on their preferences and specialties, where the client considered that, more than strange, this relaxation due to their conscience in cybersecurity could be a threat for them. It was possible to capture credentials from 11 of 13 employees of critical areas. The remaining two employees were not at the office, and only one reported the activity. Let's see the next case. Physical spear phishing: physical intrusion plus recognition by a specialised magazine, an

invitation to an award event, and a very nice gift, a pen drive with an extended interview, and in there there's a malicious file. So let's see the next case. "One night, bored and fiddling idly with bad thoughts, he decided to send a message to five of his friends. Without exception, they had some unconfessable secret: a mistress, a fraud, a scam. The note was delivered anonymously, without signature or information. It was just saying, 'Everything has been discovered, run away.' At a later dinner, his social circle was agitated with the sudden and total disappearance of one of the people to whom he sent the message,

from whom nothing was ever heard." Telegram, Arthur Conan Doyle, United Kingdom, 1800s. Physical spear phishing: physical intrusion by a recognized... recognition by a magazine, invitation to an award event, and a pen drive. Case: ego validation, or access to the CEO office. Client reserved. The team meets with the client to define the scope of the red team. The client said that there are no restrictions in specific areas. Surprised, we asked him if the CEO offices were included. He, very sure, tells us that we were not able to enter. We insisted that it was sure not to discard this office. And he says, "You can go if you want, but you can't enter." So one of our consultants dresses like a journalist,

goes to the company minutes before the customer service closes, which allows her to avoid the first control. She carries a box with a very important prize for the CEO. At the next checkpoint, the guard interrogates her, the supposed journalist, and she decides to take the prize out of the box and tell him the purpose of the visit. He decides not to intervene, and further takes her straight to the assistant for something we call ego validation. The consultant repeats the same story again, this time starting with the name of the prestigious economic magazine and the category of the award, person of the year. They call the CEO office and authorize the entry. Up to this point, they have only asked the name and the reason for

the visit. Finally, the hook, the device with the malicious files, arrived in the hands of the CEO. The journalist retreats, calm and safe, without raising alerts. The guard says goodbye. She doesn't answer. She only thinks about the target and leaving the building. The last part of the plan fails because the payload doesn't work. Because... we were programmed for Windows and the CEO's equipment was Mac. Also, the simulation is not complete because the payload was configured for another operating system. This tells us about an element that many times is not given importance: when the security infrastructure is robust, users have behaviors based on absolute confidence in the system. This would allow that, in an eventual attack, collaborators with an

over-secure perception could click on anything, download and install any file, because they will not consider it a threat. This leads us to the following case. Vishing web scam: vishing plus malicious site and an infected file. We contact the objectives by phone to request basic information, establishing a relationship of trust, to ask them to visit a website in which they must log in with their corporate credentials, follow the instructions of their technician, download that file, and install it on their computers. So let's check out this last example. "Woz said, can we call the Pope? And they both marked the Vatican. Woz pretended to be Henry Kissinger and asked to speak to the Pope, who at the time was sleeping because it was four in the

morning."

Blue Box, Steve Wozniak, California, 1971. Vishing web scam in a black box context. Impersonation: technical support. Objective: obtaining corporate credentials. Phone contact. Client reserved. So, the heat of the pandemic, an empty city, the vast majority working from home, with no means of immediate identity validation. Many do not have the security measures they have at the office. So we ask ourselves what we do. One of our team says, "I know, let's call the contact phone number on the website and ask them to transfer us to the objectives." So let's do it. Let's call.

"Hello, I would appreciate if you can enter the technical support site? Yes, please. So you can log in with the same credentials as the corporate email. Did you enter, miss? Okay, so click start, please, and then download, and then click accept." Meanwhile, at the Warren, all the rats are waiting for the target to log in, download, and install the file so they can make a remote control of the computer. I know, this one goes too fast. Let's see the step by step of this attack. Nice one, it's very fast. We do not spoof the phone identity. Instead, we use the number itself to contact the target. We look for the company contact phone number on the website.

Once connected, we ask to speak to specific people associated with critical areas. Then the central desk transfers us immediately, without validating our identity or the reason for the call. This way, the user, when seeing the call, will see the company's phone number. The impersonation is totally effective. The objective then trusts, delivers the requested information, executes the actions independent of the equipment raising alerts. These are deactivated by the user, who trusts in the technician and generates a remote connection to his equipment. So this was our presentation of this very vintage, classical social engineering format, and it's still being cool in these days. Oh, I have a last one, a t-shirt for the presentation. Hope you like it.

You can add us on Twitter. I want... tell me if you like this t-shirt. So it's been very cool to be here. I hope to answer some questions. I have this last clip. Okay, I'm going to stop sharing. Hi. You went live, man, that was absolutely brilliant. Yeah, nice shirt, Gerard. I think this shirt is better. The props and everything was absolutely brilliant. I was hooked all the way through. And there were some great examples, and it's nice to see examples where stuff didn't work, like where, you know, the Mac one was great. It was like, I've heard of that kind of thing done before, but also that was one of, actually, there's something you can't quite account for when you're, when you're kind of

doing these, these campaigns, where you see it sometimes and there's just something you can't, you can't possibly have known through on it. Out of curiosity, when you've done these kind of engagements, have you ever found that things... Those were quite nice engagements where you're kind of going into an office and that, but have yourself or your team ever come into a situation where it's been a bit more dangerous? Where you're being stopped by security, or where security are armed, or you get so far into the building and suddenly the alarms go off and they're actually hunting you through in the room. Is that something that kind of comes, has happened to yourselves in the past? Yeah,

most of the guards, they have training in classical robberies. They don't wait for a journalist, like a very nice girl, or an IT guy. We work with the status. We have these characters with very low status, very shy, so we don't have too many problems with the guards. We have more, like, questions from assistants; they ask more stuff. The guards, they are waiting for guys with a mask. So we have a lot of services with guards with guns and electricity stuff, but we never have problems with them. They never question our presence there. It's always good to hear some stories from people. I suppose it's the techniques you're using that keep your people

safe as well as you're going through. Thank you very much. We'll get your credentials out in the Slack and that to share with everyone. I'm out on Twitter and that. That was brilliant. That was really entertaining. Thank you very much for that. Awesome. Hope to go to Newcastle next year, like, to present in person. Yeah, yeah. I think you're great. Well, that's brilliant. You've got the jersey as well. You'll be able to catch a game at the same time. I will practice my English more for next year. Like yourself, your English is better than my Spanish. So, awesome. Thank you to you guys.