
Live Interview: Phishing Techniques and Mitigations

Duration: 39:53

Summary

Joe Gray talks about OSINT and phishing tactics.

Bio

Joe Gray joined the U.S. Navy directly out of high school and served for 7 years as a Submarine Navigation Electronics Technician. In addition to offering Open Source Intelligence (OSINT) training through The OSINTion, Joe is currently a Senior OSINT Specialist at Qomplx.

About the conference

QCon Plus is a virtual conference for senior software engineers and architects that covers the trends, best practices, and solutions leveraged by the world's most innovative software organizations.

Transcript

Voitova: Joe Gray is a Senior OSINT Specialist at QOMPLX, and Principal OSINT Instructor at the OSINTion. The topic of our session is phishing, social engineering, and OSINT, especially right now during the pandemic.

Can you tell us a little bit about your background?

Gray: I'm very passionate about all things dealing with the human aspect of security, notably OSINT and social engineering. Specifically, within social engineering, the psychological perspectives as they relate to getting people to do things they probably shouldn't. The proper ways to actually reinforce the learning as opposed to standing behind a pulpit and pontificating, "Thou shalt not do this," I like to be very transparent as to why something is a bad decision. With regards to OSINT, honestly, OSINT is probably one of the biggest threats that we deal with right now, because it is something that exists en masse due to social media. Then from one country to another and one location to another, just the perspective of information being a commodity, being something that is sold, that has a financial value. Because people have social media, and we are all stuck at home, bored out of our minds, there's an uptick of people, on one hand, sharing a lot of what I like to call casseroles and cat videos. Basically, pictures of their food and pictures of their pets, things along those lines. For someone who is seeking to do harm, that is something that we can use to manipulate. If we're doing it in a malicious sense, I use the term manipulation. If we're doing it as part of a pen test or a red team engagement, I prefer to use the term influence, because if you look at the dictionary definitions, they're really the same. If you look at definitions from psychological bodies of knowledge, like the American Psychological Association, manipulation has a certain level of malice associated with it that influence does not.

As we are seeing right now, because everyone's cooped up at home, there's the uptick of all of that. Then there's also the uptick of misinformation and disinformation that is being shared at great scale, partially because of the U.S. election and partially just because it's a day that ends in y.

Security Risks from Social Media

Voitova: Let's imagine I'm an engineer, I work in a huge company. I'm sitting here working from home, so you're saying that when I'm sharing a picture of my food to some social media, to Instagram or to Twitter, this might be a security risk for my organization?

Gray: Absolutely. Because right now we have a lot of people who are sharing how much they love or loathe their employer because of things their employer is doing or allowing them to do while working in the pandemic. As a byproduct, I probably could have already found that information out via LinkedIn. It's a lot easier to find it via Facebook during these times. The other thing is because a lot of people are not in the office and they're working from home, that means that they have their phones at easier disposal, which means that they may find themselves on social media more frequently. Then, using food as an example, if I see someone sharing food quite frequently, and I notice it's a particular type of food, or it is something associated with a particular diet, say, keto or paleo, or something like that, that in itself I could use as part of a phishing engagement to be able to gain unauthorized access. Quite honestly, I could just offer you some recipes, and the recipe might actually be a legitimate recipe, but there may be some special ingredients that you don't necessarily see, per se, in the form of malware or other technical exploitation.

Creating Phishing Emails

Voitova: Let's talk about that. I'm sharing some pictures of food. Based on my preferences, you can build targeted phishing emails, or phishing messages to target me as an employee in a company, to trigger me to go to some link, to some malicious site that looks like a recipe site. What next? Before we jump into what will happen next, can you give me some real life examples of such phishing emails, something unusual? Because I'm sure everyone knows what a phishing email looks like, usually they look like a phishing email, like spam. You're talking about some sophisticated crafted emails, can you give some more examples of how you can use different things to build this?

Gray: From the perspective of phishing, whenever I do those types of engagements, we'll just say, for example, I'm contracted to do a phishing engagement, and I have 10 billable hours of time to do the phishing. The way I would break that time up, in all honesty, is I would automatically scrape one hour off the top for reporting, no matter what. Then probably of the nine hours remaining, at least two-thirds of those would be used collecting OSINT about the organization and the employees of the organization. Then the remaining two hours would be spent building the actual infrastructure, because really, it's not that hard. When I do phishing, I tend to use two distinct domains whenever I send the phish. I have a piece of software that I use to clone websites, and I make modifications to them, altering things like from POST to GET so that I can steal things via the URL and write it to an Apache log as opposed to having to stand up a database on the backside. I will stand up that infrastructure. I will send everything, and I just wait.

What makes my approach very unique in that regard, as opposed to what I would consider commodity phishing, which would be phishing en masse from exploit kits, because, for example, when I first got into social engineering back in 2016, I was working on a PhD. I never finished it. We were told to identify a problem within our specific discipline, mine being security, and try to identify a solution. At the time, Locky was all the rage. Part of Locky's exploit kit, it would automatically phish people to propagate. That was a big problem. Then, secondly, I had to use purely academic resources. By using social engineering, I was able to not only use technology journals, but I was able to use psychology and sociology journals. That's an example for that.

Fast forward to the actual execution and how I would go about doing it. When I say I use two domains, the way I do it is I host the actual web infrastructure on a cheap 88 cent domain, something like a .tech, a .info, something like that. It doesn't have to be anything fancy, unless the organization is blocking those cheap domains. Even if they're blocking those, there's others that you can come across. The domain that I actually send the phish from will be a more legitimate domain. I'm a huge fan of squatting. I'll buy the .us or .co.uk to their .com. That's my typical approach. Then I will typically use something like G Suite or O365 to send it. To take it a step further, I will go as far as to set up Sender Policy Framework, SPF, DomainKeys Identified Mail, DKIM, and Domain-based Message Authentication, Reporting and Conformance, DMARC, which are all email reputation and security protocols. I will set those up because it will make my sending domain look more legitimate. That's on the technical side.

On the non-technical side, I'm going to go digging through Instagram, Facebook, LinkedIn, public filings, historical DNS stuff. I'm going to use websites that marketing and sales professionals use to get leads lists to build my list. Furthermore, the things that I tend to look for, I try to find out what they call their employees. An example of that would be Walmart. Walmart and Kroger both call their employees, associates. Disney calls their employees, cast members. Nucor calls their employees, teammates. Verizon Media calls their security team, The Paranoids.

Where to Learn Industry-Specific Phishing Lingo

Voitova: How do you learn these terms? Where do you read about that?

Gray: Honestly, it's typically via the career site, or HR blogs, or it's typically something within the actual website. Because, think about it, if I were phishing Disney, and I called their employees, employees instead of cast members, that's game over right out the gate. Going back to a scenario based upon something Christina put in the chat about a 20% coupon on your next keto meal delivery. Using food as an example, what I might do is I might try to find out who your employer's HR vendor is, like ADP or TriNet. I'll find out who that vendor is. I'll find a way to spoof them. Spoof is a bad term. I don't like to use the term spoofing because of the prevalence of SPF and DKIM and DMARC these days. Spoofing is not as effective. It tends to get caught a lot faster.

I would squat something associated with that domain. I would send an email to those targeted employees and say, "Your employer has partnered with us for this and that, and as a byproduct, we have frequently set up a partnership with this organization, ketomealstogo.coffee. As a byproduct, because you are an employee or a cast member of your company, you get an introductory 40% discount and 20% discount all along. We have set up single sign-on for this, please input your company credentials." I'm going to go as far as to get a high resolution logo to put there. I'm going to make this look as official as possible. I'm going to make every effort that I can to convince you that not only does your employer know that this is happening, but also that the HR vendor or whatever platform is aware of as well, using those hi-res logos. Because I'm telling you it's single sign-on, I am now able to steal your corporate credentials.

Phishing Trigger

Voitova: As a trigger, you would use something you learn about this employee, like food preferences. Then you would add something that people do, especially people working in large companies, like an HR company, like some contractors, or something like the security department, help desk, some part of the entity, and basically create the email with some savings. Like, register right now and you will get some savings, some money back, or a special program because you're an employee, so put in your credentials to have this discount.

Gray: Exactly. Any person who's worked for a company that uses someone like ADP as their HR information system knows the exact emails I'm talking about. You already get spammed and bombarded from the platform giving you all of these deals. This is just exploiting that capability. Honestly, a lot of this is made possible via OSINT. That's why I tend to spend 60% to 70% of my time in such an engagement doing the OSINT analysis, because I want to know specific phrases associated with a company. At the same time, I want to be able to speak intelligently to it with those phrases. In the past, I was able to get access to the CFO of an organization, assigned a personal computer. It belonged to the company, but it was assigned to the CFO. I accompanied it with a voice phish. I spoofed a number and called him, and fed him a whole line of stuff using the most important phrase within social engineering, of, can you please help me? To get him to click the link. Once he clicked the link, I had embedded some malicious code to go alongside what it was that I was working on. Because this person was in the C-suite of the company, he had local administrator, which then allowed me to escalate my privileges and take over the entire domain internally.

The Most Effective Phishing Method

Voitova: What is more effective from your perspective, to send written email or to call, to have this influence using voice?

Gray: I tend to like to do both, to be honest, because if someone expects an email, they're more apt to act upon it. If you can have the conversation with them, you can make them expect it. Obviously, for companies of varying sizes, like if you're dealing with a company that has 100 employees, it's a lot easier to call those employees and grease the skids about the incoming email. Whereas if you're dealing with a multinational company with half a million employees-plus, you're not really going to be afforded that luxury. The best thing to do in that perspective would probably be to assess employees using OSINT. The stereotypical employee that I would tend to look at for that would be someone in line that doesn't really employ access controls on social media. You can tell that if they see it, they share it. They post it. They believe it. It's on the internet, it must be true. That gullible employee, that's who I'm going to tend to look for. Even within those gullible employees, I'm going to try to triage to find employees in sensitive roles, like HR, accounting, or security, or even help desk, someone that may have elevated access or access to something that may be lucrative to a criminal.

Weak Links in Phishing Attacks

Voitova: The weakest links are people that share a lot, that engage a lot in social media, and at the same time, have some privileges in their organization.

Gray: I look at the organizational perspective of it. Obviously, some roles within an organization mandate the use of social media, sales, marketing, HR specifically. I won't target someone's personal account. I will never try to phish someone on their personal Facebook or Instagram. That's not to say that I will not read everything that they've posted and use it against them. With that, you tend to have varying types of people. You have some that are adamant that they won't use social media. You have the ones that are more judicious with their use of social media. They won't be as active about talking about work, it's all personal stuff. There's a group I'm in online, and we came up with personality types about the various members of the group. Personality type number 17 is the chronic oversharer. For that, I'm always on the lookout for number 17s, because they tend to tell me things that I can't find any other way. There's no public filing that's going to tell me this. There's no technology implementation that I can find via DNS. I'm not going to be able to do my favorite trick and put in the company's headquarter address on Instagram. I'm not going to be able to look and see the posts there to find out what is hanging out there. It's something that you typically find via happenstance. If we think about, prior to the social media era, it's the reason why foreign countries would send spies to bars in Washington, D.C., in the Northern Virginia area, because they could overhear conversations about work. Basically, social media takes the necessity of a bar out of that equation.

Social Engineering Attacks Exploiting the COVID-19 Pandemic

Voitova: You can read all of these things. We have actually a question regarding the pandemic. Have you produced or come across any social engineering attacks that have taken advantage of the current situation of increased anxiety in media, all the things going on right now, especially with those personality types, especially with those number 17s? Have you noticed something, like their behavior changed maybe?

Gray: I've seen a lot of intelligence about attacks taking advantage of it. Me, personally, I've not been doing much active social engineering in the past few months. In that regard, I personally haven't. Even if I were, I don't think I would particularly use COVID as a ruse, because it's just too much of a hot button topic. I do understand that the malicious actors, the bad folks will, because they don't always play by the rules, obviously. That's something that I personally wouldn't do. There is a whole swath of information related to adversaries and attackers using that particular vector. Same thing right now with the election. Me, personally, no.

The Work from Home Exploit

Voitova: Now I see that for some people, the election and the pandemic can be a trigger. It also means that it can be like a background, because of a lot of people working from home, because we start receiving all these things. From my perspective, people become less cautious and they're easier to manipulate, especially from the calls. Someone will call me and say, "I'm from your IT department. We want to help you with VPN," these kind of things.

Gray: Absolutely. That's a very viable thing. Honestly, I don't think using COVID in particular is a useful tactic with that. You could still use the way we work from home. You could still use that. That being said, that's not to say that I can't exploit the workflow, because at the end of the day, my philosophy with security is, sure, finding technology flaws, that's a very awesome thing to do. The real meat and potatoes of doing anything security related is to find the flaws in the processes. If I can find a process flaw, that's more powerful than any technology flaw that I can exploit. Solely on the fact of, we have IDS, we have SIEMs, we have all sorts of technology sensors to find technical exploitation. You don't really have those types of sensors to watch for when the technology or the process itself as defined by the company is broken. You typically don't find those things out until something goes wrong. If I know that it is common for someone from the help desk to call and assist people in setting up their VPNs, or that you use multi-factor authentication, like Duo. If I know that you have to provide a six digit code to be able to talk to a help desk, I'll ask for the code. It doesn't matter what code you give me, it's going to work. You can tell me 123456, and for that one I might actually question you. It would have to seem like it would actually be something generated from the app. At the end of the day, that's something that I would totally go for if I know that there's a specific process in place, and I can replicate part of that process. Absolutely.

That's something that I've used via Instagram in the past. I found where employee ID numbers are printed on company badges, and I found the company badges on Instagram. Whenever I call someone, I come up with my own employee ID number. The specific use case I'm thinking of was during Derbycon 2017, when I won the Social Engineering Capture the Flag. I was calling a large publicly traded company in Kentucky, and they asked for my employee ID. I threw in a random letter. The letter I gave them was A. They were like, "There are no letters in your employee ID number." I was like, "I'm sorry, let me put my glasses on. I'm sorry, that's a 4." I was able to test the waters with that. In using that ambiguity, it works really well to your favor for that.

The Employee ID Number Phishing Vector

Voitova: This is great, because literally A looks like a 4. You tricked those people?

Gray: Exactly. The thing is, when you're dealing with employee ID numbers, you don't know if it's going to be A through Z, or not. I tend to stick only with A through F. The only numbers that I really play with in terms of making those claims might be 0, 1, 2, 4, with 2, I might claim it's a Z. I don't really use 2 that much, I use 0, 1, 4 more often than not, so I could say it's either I, L, A, or O. Doing something along those lines, it works really well. It was all because it was posted to Instagram. When I surveil a company, the first thing I do is I get their physical address for headquarters. I immediately type in that address on Instagram, and I see what people have posted. Inevitably, you've got that new employee that is super excited. They've just started their new job. It's like, "New job workflow, look at my badge." Obviously, this is not a legit badge, except for I am the state password inspector. They'll post that to Instagram, and now I know that state password inspectors have badges that look like that, or Stark Industries badges look like that, or Initech. Any of these fake badges. Fsociety, they have their own badges. Granted, these are all satire fake badges that someone made for me at conferences, but for me to go get a picture off Instagram and go and get a badge printed for it, that's not hard.

Using Company Dress Code as a Security Exploit

Another thing, back when I used to do physical Pen tests, and I would try to sneak into a place, I would always try to find out what their company dress code and uniforms look like. Obviously, I'm not going to go sneaking into any companies right now with a Mohawk. In the past, I would go to thrift stores like Goodwill and buy up old t-shirts, polos, and button ups for companies. Because, where I live, there's one particular trash company that pretty much serves all companies in the area. If you show up in a white pickup truck with a yellow and green logo on the side, and a green polo shirt with a yellow font on it, you're probably going to be able to convince them that you at least need to look at the dumpster. With that, you can either use that to pivot to gain access to the building, or you can steal a few bags of trash and take it off-site for further analysis that way.

Voitova: They won't be suspicious because this is what people usually look like, so it's expected.

Gray: Using the dumpster analogy, if you say, "If I can't inspect your dumpster, we may not be able to pick up your trash," they are going to let you inspect that dumpster because the worst thing that can happen to them is the trash piling up.

How to Protect from Targeted Phishing Emails

Voitova: You provide some motivation. You basically push people to agree. Let's talk about defenses, because I imagine that if I got an email from the HR department, like the email that you send me, I could fall for it. I'm not sure if I will see single sign-on, I might be suspicious on this tab, but still, I might provide some information. If you are an employee in the company, how would you protect yourself, especially from these targeted phishing emails?

Gray: First and foremost, buy up all of the adjacent domains that are possible. It can get pricey, but if you have the .com, the .us, the .net, the .org, you might want to go ahead and buy up as many of the others as you can. Obviously, that's going to do some protection on the inside, in terms of squatting from that, but that necessarily doesn't protect you from someone squatting as your vendors. The biggest thing, honestly, is training and awareness. If someone comes across something phishy, I would expect them to hop on the phone and make a phone call and say, "I just got this email, it's coming from such and such. I'm not so sure about it. Can you please verify this? I know you didn't send it but it came from ADP. Can you call out to ADP and verify this?" During the verification, if someone calls you, implement some necessity of urgency. Just be like, "I'm sorry, I've got to jump on another call. Can I call you back as soon as the call is over?" Because my power only lasts as long as I can keep you on the phone. If you have a reason to hang up, then you are either going to have to call me back, and if I've spoofed a number, it's not going to work. Or, I'm going to have to try to call you back. Whenever people use that response for me, I tend to have to tiptoe and tap dance to find an excuse or a time to call them back. That makes it more difficult as well.

Also, from a company perspective, I cannot evangelize multi-factor authentication enough. I know a lot of people like to hate on SMS, text based multi-factor. While it is not my favorite, it's better than nothing. Then I would follow that with the applications like Duo and Google Authenticator, stuff like that, followed by the physical RSA token type things. Then my most favorite, honestly, is the YubiKey U2F hardware token, because with that, you actually have to physically have the token in hand and be able to push the sensors on it to make it work. That creates a problem in and of itself, because of the fact if you lose it, you're out. You have to make that consideration and have your workarounds for that.

The other thing from a personal perspective as well as a company perspective, I don't agree with companies telling employees what they can and cannot post, in general. What I do like for companies to do is to say, this is an example of something that is appropriate to be posted, this is something that's inappropriate to be posted. Obviously, we want you to paint us in the best light possible. If you're having a bad day, and you need to vent, all that we ask is that you button up your access controls and don't post things publicly. When I was director of IT security a few years ago, for a company, I knew that there were things that I was going to implement that employees were going to hate. I knew that they were going to go home, they were going to hop on Facebook, and they were going to complain about it. I told them, I'm not the person that's going to tell you not to do that. It's not within my role. Honestly, you have every right to do so. The only thing I ask is that you set the access controls away from public, make it friends or connections only. At the time, friends of friends was a thing, so you could do this as well but you don't know who's there. I always like to use the whole toothpaste analogy. Once you squeeze it out, you can't put it back in the tube. The part that you can get back in the tube, it's not going to be the same. You'll never get it all back in there.

This is something I talk about in my OPSEC courses, encrypted messaging apps and encrypted emails like ProtonMail, that's all the rage right now. That works for a particular vector in terms of sophisticated adversaries and governments spying on your stuff. The thing people fail to realize is once the information is decrypted and on someone else's device, nothing is stopping them from taking screenshots, from transcribing it, from taking pictures or screen recordings. There are so many ways that I can gather that information and still make it go public. The same exists for anything, because I might post something in haste and I may accidentally have the wrong access controls for it. It may be set to public. That could be that very moment that an adversary is surveilling my site, and they see it, and they take a screenshot of it. Even though I've deleted it, it's still there.

Summary

Voitova: As a company, the things you can do to prevent phishing, or at least to protect as much as you can. You can buy domains, so phishers won't buy those domains. You can implement a lot of security awareness training, and especially awareness training regarding phishing, with examples, with these public posts, how they can be used and misused. You can implement MFA rules. Please implement MFA everywhere. Basically, you can teach your employees that if they see something suspicious, if they receive some suspicious email, they should call the department, the IT department, or the security department, and say that it happened and ask them to verify the source.

Gray: Another thing with that is set up an internal email address, like phishing@yourdomain.com. Encourage people, "If you're in doubt about this, forward this email to phishing at, and we will analyze it, and if it's a legit phish, we may reward you with something like a Starbucks gift card or a $5 Amazon gift card or something. It's not going to happen every time you report one, but from time to time, we will reward those, if it is a legitimate thing." Then that way, number one, everybody knows exactly where to report it to, because if people don't know where to report, or they fear that they're going to get in trouble if they click on something, or report, they're not going to do it. I don't want to fall down this rabbit hole, because there's a lot of rabbit holes that one could fall down on this, specifically.

I have an entire talk about phishing metrics and what actually matters. Whenever I do phishing engagements, I don't really care how many people open it, or how many people click it. Obviously, I care more about people clicking it than I do opening it. The thing that I care most about would be how many people actually report it, because that gives an organization an idea of how much time between an event occurring do they have to respond to something before bad things happen.
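The metrics Gray describes in his last answer, worked through as an added example that is not part of the interview and not Gray's own tooling: it assumes a per-recipient event log (delivered / opened / clicked / reported, with timestamps) of the kind a phishing platform exports, and the log below is constructed for illustration.

```python
"""Phishing-engagement metrics: report rate and the response window.

Added example, not part of the interview and not Joe Gray's tooling. Assumes a
per-recipient event log (delivered / opened / clicked / reported); SAMPLE_LOG
below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Event:
    user: str
    kind: str          # one of "delivered", "opened", "clicked", "reported"
    at: datetime


def _t(hh: int, mm: int) -> datetime:
    """Timestamp helper for the constructed log: one simulated phish, one morning."""
    return datetime(2021, 4, 30, hh, mm)


# Constructed sample log for eight recipients of a single simulated phish.
SAMPLE_LOG: List[Event] = [
    Event("alice", "delivered", _t(9, 0)), Event("alice", "opened", _t(9, 5)),
    Event("alice", "reported", _t(9, 7)),                      # reported, never clicked
    Event("bob", "delivered", _t(9, 0)), Event("bob", "opened", _t(9, 3)),
    Event("bob", "clicked", _t(9, 4)),                         # first click of the campaign
    Event("carol", "delivered", _t(9, 0)), Event("carol", "opened", _t(9, 12)),
    Event("carol", "clicked", _t(9, 13)), Event("carol", "reported", _t(9, 20)),
    Event("dave", "delivered", _t(9, 0)),                      # ignored it entirely
    Event("erin", "delivered", _t(9, 0)), Event("erin", "opened", _t(9, 30)),
    Event("frank", "delivered", _t(9, 0)), Event("frank", "opened", _t(9, 40)),
    Event("frank", "clicked", _t(9, 42)),
    Event("grace", "delivered", _t(9, 0)), Event("grace", "opened", _t(9, 2)),
    Event("grace", "reported", _t(9, 8)),
    Event("heidi", "delivered", _t(9, 0)), Event("heidi", "opened", _t(9, 15)),
    Event("heidi", "clicked", _t(9, 16)),
]


@dataclass
class Metrics:
    recipients: int
    open_rate: float
    click_rate: float
    report_rate: float
    first_click: Optional[datetime]
    first_report: Optional[datetime]
    # first_report - first_click: positive means the phish was live and clicked
    # for that long before anyone told security; negative means the first
    # report beat the first click and defenders had a head start.
    response_window: Optional[timedelta]
    # Clickers who never reported: they need follow-up, since they neither
    # noticed nor said anything.
    unreported_clickers: List[str]


def compute_metrics(events: Iterable[Event]) -> Metrics:
    per_user: Dict[str, Set[str]] = defaultdict(set)
    first: Dict[str, datetime] = {}          # earliest timestamp per event kind
    for ev in events:
        per_user[ev.user].add(ev.kind)
        if ev.kind not in first or ev.at < first[ev.kind]:
            first[ev.kind] = ev.at

    recipients = sorted(u for u, kinds in per_user.items() if "delivered" in kinds)
    if not recipients:
        raise ValueError("log contains no delivered events")

    def rate(kind: str) -> float:
        return sum(1 for u in recipients if kind in per_user[u]) / len(recipients)

    first_click, first_report = first.get("clicked"), first.get("reported")
    window = first_report - first_click if first_click and first_report else None
    unreported = [u for u in recipients
                  if "clicked" in per_user[u] and "reported" not in per_user[u]]
    return Metrics(len(recipients), rate("opened"), rate("clicked"), rate("reported"),
                   first_click, first_report, window, unreported)


def summarize(m: Metrics) -> str:
    """Short text for the reporting section of an engagement."""
    lines = [f"{m.recipients} recipients: {m.open_rate:.0%} opened, "
             f"{m.click_rate:.0%} clicked, {m.report_rate:.0%} reported."]
    if m.response_window is None:
        lines.append("No click/report pair, so no response window to measure.")
    elif m.response_window > timedelta(0):
        mins = m.response_window.total_seconds() / 60
        lines.append(f"First report arrived {mins:.0f} min after the first click.")
    else:
        mins = -m.response_window.total_seconds() / 60
        lines.append(f"First report beat the first click by {mins:.0f} min.")
    if m.unreported_clickers:
        lines.append("Clicked without reporting: " + ", ".join(m.unreported_clickers))
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(compute_metrics(SAMPLE_LOG)))
```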


Recorded at:

Apr 30, 2021