Purposeful social engineering. Non-standard deception techniques
In this article, we will look at several social engineering techniques that can be used in a targeted manner, that is, in cases where a specific victim (a person or a company) is selected. It is believed that targeted attacks take longer to prepare. From experience, I know that provoking a hundred random people into doing something is easier than provoking one specific person in a particular organization.
In the previous article we covered mass attacks, but their applicability is limited. For example, they are poorly suited to penetration testing. A pentester cannot afford to rely on probability and send traps to every employee of the audited organization in the hope that someone bites. One or two alert users will notify security, and the attack is over. Besides, the preparation has to fit the specific infrastructure and the customer's particulars, and a social engineer's techniques should be non-standard.
(!) This article is intended for white hats, professional pentesters and information security managers (CISOs). Neither the author nor the editors are responsible for any possible harm caused by the materials in this article.
White hats, pentesters and CEH holders generally understand that their actions play not only a technical but also a social role. It was no coincidence that I mentioned the CISO, since their task is to continuously train all employees in the basics of information security. If a valuable specialist is fired because he opened an infected file, that is also partly the fault of careless security staff.
Security rules are always written after the fact, and are therefore inert and weak against current threats. Banks no longer need to be robbed with masks and assault rifles; nowadays an e-mail is enough, yet in many financial institutions the old stereotypes are still alive. They focus on physical security and treat information security as less essential. It is enough to recall the recent robbery of PIR Bank and the comment of its chairman of the board: "... most likely the virus got into the bank through a phishing letter."
A long-standing paradox remains relevant: IT professionals never tire of proclaiming that social engineering is the ultimate evil. At the same time, many "security people" continue to believe that clever software and instructions written for staff once are enough to resist cyber threats.
Trusted site as a gateway
Does your firewall formally have URL blacklists and whitelists? Then this one is for you! Here are some examples where a well-known CMS with an unpatched open redirect is used on a bank's website:
If the firewall only looks at what comes after the first http(s), then it is time to tune it. But this article is not about firewall configuration but about human weaknesses. So just give the employee such a link and check how alert he is: does he look beyond the first http(s) he encounters?
What kind of dog?
This method will not work with attentive employees, but if everyone was attentive, then social engineering would not exist as a phenomenon.
Developing the previous method for those who are used to looking at what comes right after http:// and assuming the URL is safe: the link https://bank.ru@zloysite.ru will not lead anywhere good either.
Why does this happen? The characters allowed in a URL are documented in RFC 1738. The @ character is used in a URL as a special delimiter when access credentials for the page are given directly in it. In the form http://<login>:<password>@<host>, practically anything can be written before the @; the browser will still send the user to the host specified after the @.
What kind of gibberish?
Let's add some Cyrillic characters, encoded from UTF-8 into hex, to the malicious URL so that it looks incomprehensible to a human and safe at first glance:
http://bank.ru@%D0%B7%D0%BB%D0%BE%D0%B9%D1%81%D0%B0%D0%B9%D1%82.%D1%80%D1%84
The .рф domain, percent-encoded, in the URL
Or we can combine the simple techniques (redirect + encoding):
http://www.moscow-bank.ru/bitrix/re...ww.moscow-bank.ru@%D0%B7%D0%BB%D0%BE%D0%B9%D1%81%D0%B0%D0%B9%D1%82.%D1%80%D1%84
When you hover the mouse over an encoded URL, desktop browsers decode the characters (Outlook and mobile browsers do not). Therefore, to hide the malicious address completely, you can specify the IP address of the server hosting the phishing site:
or simply
http://www.moscow-bank.ru@178.248.232.27
The server IP instead of a domain in the URL
Do not forget to set up HTTPS on the server so that the browser does not complain, but more on that later.
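As an added defender-side example (not code from the article), here is a Python link checker that recognizes the URL tricks described above, userinfo before the @, a percent-encoded Cyrillic host and a bare IP host, and also follows a second URL nested in an open redirect. TRUSTED_HOSTS and the sample links are constructed for the demo and are not taken from any real site.

```python
from urllib.parse import urlsplit, unquote
import ipaddress
import re

# Constructed for the demo: the hosts this organisation actually owns.
TRUSTED_HOSTS = {"bank.ru", "www.moscow-bank.ru"}

NESTED_URL = re.compile(r"https?://[^\s&\"']+")


def analyse_link(url: str) -> dict:
    """Report where a link really leads and which URL tricks it uses.

    Returns {"host": <decoded host>, "findings": [...], "trusted": bool}.
    A link is trusted only if its real host is ours and nothing looks odd.
    """
    parts = urlsplit(url)
    # hostname is everything after the last '@' in the authority; this is
    # the host the browser connects to, whatever precedes the '@'.
    host = unquote(parts.hostname or "")
    findings = []
    if parts.username is not None:          # "bank.ru@evil" style userinfo
        findings.append("userinfo-before-@")
    if "%" in parts.netloc:                  # host written as %XX escapes
        findings.append("percent-encoded-host")
    if any(ord(ch) > 127 for ch in host):    # decoded host is non-ASCII (IDN)
        findings.append("non-ascii-host")
    try:
        ipaddress.ip_address(host)           # "@178.248.232.27" style host
        findings.append("ip-literal-host")
    except ValueError:
        pass
    # Open-redirect style: another URL hidden in the path or query string.
    # Analyse it recursively so the final destination is reported too.
    nested = NESTED_URL.search(parts.path + "?" + parts.query)
    if nested:
        findings.append("nested-url->" + analyse_link(nested.group(0))["host"])
    return {
        "host": host,
        "findings": findings,
        "trusted": host in TRUSTED_HOSTS and not findings,
    }


if __name__ == "__main__":
    # Constructed sample links echoing the patterns described in the text.
    for link in (
        "https://bank.ru/login",
        "https://bank.ru@zloysite.ru",
        "http://bank.ru@%D0%B7%D0%BB%D0%BE%D0%B9%D1%81%D0%B0%D0%B9%D1%82.%D1%80%D1%84",
        "http://www.moscow-bank.ru@178.248.232.27",
        "http://www.moscow-bank.ru/go?url=http://www.moscow-bank.ru@zloysite.ru",
    ):
        print(link, "->", analyse_link(link))
```

The same checks can be dropped into a mail gateway rule or an awareness-training tool: anything with a non-empty findings list deserves a warning regardless of how familiar the text before the @ looks.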
Preview overflow
Surely you already know that the real file extension can be hidden by exploiting the limited display width of the extension column in Explorer or an archiver (or remember it from the ICO. - Ed.).
Trying to hide file extension in archive
Now let's try to hide the evil part of the URL in a similar way at the preview stage in the browser.
If the employee knows that a link's anchor text may differ from its target URL, he will hover the mouse over the link and see where it actually leads. If that is the only way links are checked, the security instructions at such a company need updating.
An evil link might be like this:
Instead of aaaa and bbbb, we write different keywords that are usually used on the original site.
When you hover the mouse in Firefox, the site address is shown shortened in the middle, which is why the zloysait.ru part is not displayed. Only the innocent-looking part of the link is visible:
...
Shortened URL in Firefox
For larger screens, make the phishing link longer.
If we hover over such a link in Internet Explorer or Edge, we see nothing at all. Apparently they are confused by the repeated colon in the address, which suits us perfectly.
Chromium-based browsers from Google and Yandex display the final URL zloysait.ru/bbbbbbbb...bbbbbbbb.html, so this method suits a targeted attack where the victim's browser is known.
Russian Post to the rescue!
If the victim holds a leadership position in the target company, you can try to play on their sense of self-importance.
A fake one-page site for a conference (business event, business forum, etc.) is created.
Now the victim needs to be lured to the resource. Why not send them a paper letter at work? Here you will certainly bypass all the digital and hardware protection in the organization, and even the neural-network firewall in the form of a secretary, because in her view the boss will not be happy if she throws such a letter in the trash. The content looks very attractive: a beautiful invitation to take part in a pretentious event as a speaker (jury member, laureate of a prestigious award).
Then everything is standard: the victim is asked to download and fill out a participant "questionnaire". You can even print a QR code (as if taking care of your convenience, dear victim).
Private or public?
The following several methods concern attacks on an organization that exploit facts about an employee's personal life. When talking about protection from social engineering, I insist that a person should know the safety rules not for the organization's sake but first of all for their own.
While some security officers think that a smartphone brought to work with a trojan picked up over the weekend cannot be used to eavesdrop on what happens in the office, we will find such employees and make them more competent.
Not a single check-in
If you are testing an employee's personal email or social media account, look at where the person has been on vacation recently.
Do you see the name of the hotel? Feel free to write on behalf of the hotel administration and ask for an additional payment for a service. In the letter, add a note that the message was generated automatically and that to reply you need to use the form on the official website in the customer support section. After giving a fake link, invite him to register. Who knows, maybe he uses this login/email and password on other resources too.
I wanted to show off and got myself into trouble
Does the potential victim fly Aeroflot? Write that bonus miles urgently need to be activated, after which their number will double! This has to be done via your fake link to the promotion's landing page.
An air ticket is a godsend for a social engineer.
Has the victim recently attended an event? Ask them to register via your link to get all the recordings from the conference plus bonus content and a discount on participation in the next one!
A post on a social network that makes life easier for a pentester
So that the victim does not suspect anything, after registering they can be shown an error message (for example, "404. Oops, something went wrong, try repeating your request later!") or sent to the site's main page.
In roughly this vein you can approach a person based on fresh data from their social network accounts. Here we mostly used phishing methods, and that is enough for checking an employee's vigilance. Real villains, of course, will not stop there and will use browser vulnerabilities and malicious files to infect the victim's device. But that is the technical part, not the social one.
SMS forwarding
You have probably already heard the story of how $23 million was stolen from a Bitcoin investor with the fitting surname Terpin using a banal request to transfer a mobile number to a new SIM card. But what if we fantasize a little and see how phishing can be used to gain access to an employee's Internet services protected by two-factor authentication? What if one of the mobile operators makes this possible without obtaining a new SIM card and stealing the number?
An SMS or email is sent to the employee's personal phone (or corporate mobile) urging them to do something in their self-service account. It is better to pick a frightening reason (why they need to go there right now) or play on greed, so as not to prompt the person to call technical support. You just need to know which operator the number belongs to and supply a suitable phishing link. Having gained access to the self-service account, a person with malicious intent enters their own phone number to receive SMS in the "Message forwarding" section.
Most operators offer a variety of forwarding scenarios to choose from.
Description of the service on the mobile operator's website
One email - one bank
If you found the following line on the website of a large bank:
src='//www.googletagmanager.com/gtm.js?id='
then imagine the following scenario:
- Using social engineering and phishing, you gain access to the marketer's @gmail.com account.
- Using the Google Tag Manager service, you insert any JS script (for example, New Year greetings) via this link and press "Save".
- Now your script will wish the site's visitors a Happy New Year (provided the security team does not object to the use of third-party services).
Google Tag Manager is a service that simplifies placing content on a site, including JS scripts. Accordingly, if you have access to the account from which the Tag Manager settings are managed, you can inject your malicious code into the site.
Note for marketers
By the way, here is one way to spoof an email to the marketer in charge of the site.
If an organization serves ads through AdWords, the following scenario is possible. At https://ads.google.com/aw/preferences, set the name of the fake account. Something like:
... To receive extended statistics on such-and-such account, confirm your participation in the beta testing:
www.bad-ad-google.com
Specifying the account name
Then go to https://ads.google.com/aw/accountaccess/users and enter the recipient's email.
Choosing the access level
The user will receive a letter on behalf of ads-noreply@google.com.
Sample message from ads-noreply@google.com
This is followed by a phishing login form, an exploit download, and the like.
Google's response was: social engineering is evil, but we will not remove the ability to send such messages; we will just tweak the form to make it harder to send spam through it. That is enough for a social engineer, who is not a spammer.
If you got nowhere with the marketer, take a look at the previous article. In it, we mentioned how to attack a webmaster using Google Analytics. True, after my message to Google they bolted on a captcha, but you can still use the service for personal gain.
Bonus
Finally, a few life hacks.
- If you write to the victim under the same first name as theirs, the response rate will be higher.
- Send a letter to any corporate mailbox of the company, receive a reply and see how correspondence is formatted in that organization. Then copy the design in your phishing mailing on behalf of that company.
- Having heard an answering-machine message that an employee is on vacation, you can write letters to other employees on his behalf (supposedly from a personal rather than corporate email), as well as post on social networks from his "other account".
- Many users believe that if they arrive at a resource with a "padlock" in the address bar, the resource can be trusted. Let's Encrypt helps a social engineer here, since it increases conversion.
- After sending an email, there is nothing worse than a reply from the mail daemon: "The message was not delivered, the address does not exist. MORE ABOUT THE ERROR" (and here goes a link to your site, with demonic laughter behind the scenes).
- The future trend in social engineering is the "find trap": a person is given an information bait and searches for the details themselves in search engines. They find your resource (since the bait is constructed precisely so as to lead to it), and then only your imagination limits the possibilities. There is nothing better than an interested user. Incidentally, this is exactly how we catch corrupt employees in organizations.
Instead of a conclusion
You probably know the technical means of protection against social engineering better than I do. Unfortunately, they are not enough. As Group-IB founder Ilya Sachkov said: "... whatever the technology ... everything becomes meaningless if employees open suspicious files and click on phishing links ... and everyone has the same passwords everywhere." Therefore, next time we will talk about how to train employees not to fall for the tricks of social engineers.