Weapons of mass delusion

CarderPlanet

Breaking down 10 simple social engineering recipes.

Social engineering is usually considered part of a targeted attack, but what if such schemes are applied en masse? I developed and tested ten of these scenarios to understand how people will react to them and what the consequences might be.

I often hear that of all types of attacks on organizations, social engineering is supposedly the most destructive and dangerous. But why, then, is this topic not given its own track at every information security conference?

At the same time, most of the cases discussed in the Russian-speaking segment of the Internet are taken from foreign sources and the stories of Kevin Mitnick. I am not saying that there are few such cases on the Runet; they just aren't talked about for some reason. I decided to find out how dangerous social engineering really is and what the consequences of its mass use might be.

Social engineering in information security and penetration testing is usually associated with a targeted attack on a specific organization. In this collection of cases, I want to consider several ways of using social engineering where the "attacks" were carried out in bulk (indiscriminately) or in a mass-targeted manner (against organizations in a certain sphere).

Let's define the concepts to make it clear what I mean. I will use the term "social engineering" in the following sense: "a set of methods to achieve a goal based on the use of human weaknesses." This is not always something criminal, but it definitely has a negative connotation and is associated with deception, fraud, manipulation and the like. All sorts of psychological tricks for wangling a discount in a store, however, are not social engineering.

I must say right away that in this area I acted only as a researcher; I did not create any malicious sites or files. If someone received an email from me with a link to a site, that site was safe. The worst thing that could be there was a Yandex.Metrica counter tracking visitors.

You've probably heard about spam with "certificates of completion" or contracts that contain Trojans. Mailings like that to accountants won't surprise anyone. Or pop-ups with "recommendations" to download a plugin for watching a video; that is already boring. I have developed a few less obvious scenarios and present them here as food for thought. I hope that they will not become a guide to action but, on the contrary, will help make the Runet safer.

Which is easier to hack: software or a human?
  • Software. You can study it bit by bit without arousing suspicion and find new vulnerabilities yourself.
  • Human. Exploits quickly become obsolete, whereas humans have standard vulnerable behaviors.
  • A hybrid attack is more effective. We take popular software and think about how to use it to play on human weaknesses.

"Verified sender"
Sometimes site administrators, through an oversight, do not filter the "Name" field in a registration form (for example, when subscribing to a newsletter or submitting an application). Instead of a name, you can insert text (sometimes kilobytes of text) and a link to a malicious site, and put the victim's address into the email field. After registration, this person receives a letter from the service: "Hello, dear ...", followed by our text and link. The service's own message ends up at the very bottom.

How can this be turned into a weapon of mass destruction? Elementary. Here is one case from my practice. In December 2019, in one of the search engines, the ability to send messages through the form for linking an alternate email address was discovered. Before I sent the bug bounty report, it was possible to send 150 thousand messages a day; all it took was to automate the filling of the form a little.

This trick allows fraudulent emails to be sent from the site's real technical support address, with all the digital signatures, encryption and so on intact, while the entire upper part of the message is written by the attacker. I have received such letters myself, and not only from large companies like booking.com or paypal.com but also from less famous sites.

In my test, about 10% of recipients clicked on the link. Comments are superfluous.
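The mitigation for the "Verified sender" trick is on the service's side: a display-name field that gets echoed into a transactional email must never accept links or paragraphs of text. As an added example (not code from the original post), a server-side check for such a field; the function name, the 64-character limit and the list of suspicious TLDs are my own assumptions.

```python
import re
import unicodedata

# A "Name" field is echoed back in "Hello, dear <name>" emails sent from the
# service's own authenticated address, so anything that looks like a message or a
# link inside it turns the service into an open phishing relay. Reject it here,
# server-side, before the value is stored or mailed.

MAX_NAME_LEN = 64  # assumed limit; real names rarely exceed this

# Anything that looks like a URL, a bare domain or an email address.
_URL_RE = re.compile(
    r"https?://|www\.|@|\b[a-z0-9-]+\.(ru|com|net|org|info|io)\b", re.IGNORECASE
)
# Letters of any script, combining marks and plain spaces are fine in a name.
_ALLOWED_CATEGORIES = {"Lu", "Ll", "Lt", "Lm", "Lo", "Mn", "Mc", "Zs"}
_ALLOWED_PUNCT = set("'-.")  # O'Neil, Anna-Maria, initials like "J."


def validate_display_name(raw: str) -> tuple[bool, str]:
    """Return (ok, reason). ok=True means the value is safe to echo in an email."""
    name = unicodedata.normalize("NFKC", raw).strip()
    if not name:
        return False, "empty"
    if len(name) > MAX_NAME_LEN:
        return False, "too long"
    if "\n" in name or "\r" in name:
        return False, "line breaks"
    if _URL_RE.search(name):
        return False, "contains link or address"
    for ch in name:
        if ch in _ALLOWED_PUNCT:
            continue
        if unicodedata.category(ch) not in _ALLOWED_CATEGORIES:
            return False, f"disallowed character {ch!r}"
    return True, "ok"
```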

And here is the "trend" of April 2020.

Google Analytics emails
I'll tell you about a completely new case, as of April 2020. Spam started arriving at several of my addresses from the Google Analytics mail [email protected]. After digging around a bit, I figured out how it gets sent.

"How to apply this?" I thought. And here's what came to mind: a fraudster could, for example, compose a text like this.

When clicking on the link, the user would go to a fake site and leave their password.

Such password collection can be carried out not only in a targeted way but also en masse; you just need to automate the process of collecting domains from Google Analytics and parsing emails from these sites.

"Curiosity"
This method of getting a person to follow a link requires some preparation. A website for a fake company is created with a unique name that immediately attracts attention, for example ZagibaliVygibali LLC. Then we wait for the search engines to index it.

Now we come up with some reason to send congratulations on behalf of this company. Recipients will immediately google it and find our site. Of course, it is better to make the congratulation itself unusual so that recipients do not toss the letter into the spam folder. After a little test, I easily got over a thousand conversions.

"Fake newsletter subscription"
Here is a very simple way to get a person to visit a website via a link in an email. We write the text: "Thank you for subscribing to our newsletter! Every day you will receive a price list of reinforced concrete products. Sincerely, ..." Next, we add the link "Unsubscribe from the mailing list", which leads to our site. Of course, no one subscribed to this mailing list, but you would be surprised at how many hastily unsubscribe.

Who is most likely to fall victim to targeted phishing?
  • Ordinary employees. They don't understand IT (65%)
  • Security staff. They consider themselves smarter than hackers and break their own rules (21%)
  • Managers. Their accounts open access to trade secrets (14%)

"Mining emails"
To build your own database, you don't even need to write a crawler and comb sites for carelessly exposed addresses. A list of all Russian-language domains, of which there are now about five million, is enough. We prepend info@ to them, check the resulting addresses and end up with about 500 thousand working mailboxes. Likewise, you can try director, dir, admin, buhgalter, bg, hr and so on. For each of these departments we prepare a letter, send it out and receive from hundreds to thousands of responses from employees in a certain field of activity.

"And what is it written there?"
To lure users from some forum or site with open comments, you don't need to invent tempting texts; you just need to post a picture. Choose something attractive (some kind of meme) and compress it so that the text is impossible to make out. Curiosity invariably makes users click on the picture. I conducted an experiment and got about 10 thousand click-throughs this way. I also know of a case where some guys adapted this method to deliver Trojans via LJ.

"What is your name?"
It is not so difficult to get a user to open a file or even a document with a macro, even though many have heard of the dangers involved. With mass mailing, simply knowing the person's name seriously increases the chances of success.

For example, we can send an email with the text "Is this email still active?" or "Please write the address of your site." In at least 10–20% of cases, the reply will contain the name of the sender (this is more common in large companies). After a while we write "Alena, hello. What's with your site (photo attached)?" or "Boris, good afternoon. I can't figure out the price list. I need the 24th position. I attach the price list." And in the price list, the banal phrase "To view the content, turn on macros...", with all the ensuing consequences.

In general, personally addressed messages are opened and processed an order of magnitude more often.

"Mass Intelligence"
This scenario is not so much an attack as preparation for one. Suppose we want to know the name of some important employee, for example an accountant or a security chief. It is not difficult if you send a letter to one of the employees who may have this information: "Please tell me the director's patronymic and the office's working hours. We need to send a courier."

We ask for the working hours as a distraction, and asking for a patronymic is a trick that lets us avoid revealing that we do not know the first and last name. Both will most likely be contained in the victim's response: the full name is most often written out in its entirety. In the course of my research, I managed to collect the names of more than two thousand directors this way.

If you need to find out the mail of the boss, you can safely write to the secretary: "Hello. I haven't been in touch with Andrey Borisovich for a long time; is his address [email protected] still working? I didn't get a reply from him. Roman Gennadievich." The secretary sees an address made up from the director's real name and the company's website domain, and gives out the real address of Andrey Borisovich.

"Personalized Evil"
If you need to get a large number of organizations to respond to a letter, the first step is to look for pain points. For example, shops can be sent a complaint about a product and threatened with litigation: "If you do not solve my problem, I will complain to the director! What is it that you delivered to me (photo attached)?! Archive password 123". In the same way, car service centers can be sent a photo of a breakdown with a question whether they can repair it, and builders a "house project". In my small study, at least 10% of recipients responded to such letters.

"The site is not working"
It is easy to turn a database of sites with their owners' email addresses into a source of visits to any other site. We send letters with the text "For some reason, the page of your site www.site.com/random.html does not work!" And then the classic trick: in the link text the victim sees his own site, while the link itself leads to another URL.
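A mail gateway or client can catch the classic trick above by comparing the host named in the visible link text with the host in the href. As an added example (not code from the original post), a checker that flags such anchors in an HTML email body; the sample email, the `redirect.example` host and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Flags every <a> whose visible text names a domain different from the href's host,
# i.e. "www.site.com/random.html" shown while the link goes somewhere else.

_DOMAINISH = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")  # text that reads as a domain


class _AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.anchors = []  # (href, visible text) for every <a> in the body
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # inside an <a>, possibly nested in <b> etc.
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value: str) -> str:
    """Host of a URL or bare domain, lower-cased, without a leading 'www.'."""
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def find_mismatched_links(html_body: str) -> list[tuple[str, str]]:
    """Return (visible_text, href) pairs whose text looks like a domain or URL
    but whose href leads to a different host."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.anchors:
        shown = _host(text)
        if _DOMAINISH.match(shown) and shown != _host(href):
            flagged.append((text, href))
    return flagged


# Constructed sample email: the first link is honest, the second uses the trick.
SAMPLE_EMAIL = """<p>For some reason the page of your site
<a href="https://www.site.com/random.html">www.site.com/random.html</a> does not work!</p>
<p>See for yourself: <a href="http://redirect.example/?id=42">www.site.com/random.html</a></p>"""
```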

"Multi-landing"
This method takes some preparation. We create a one-page website styled as a news resource and put in a script that changes the text on the page depending on which link the visitor followed.

We send a mailing using a database of addresses and company names. Each letter contains a unique link to our news resource, for example news.ru/?1234, where the parameter 1234 is bound to a specific company name. The script on the site determines which link the visitor came from and inserts into the text the company name corresponding to that address in the database.

Upon entering the site, the employee sees the heading "Company ... (the name of the victim's company) is rampaging again." Then comes a short piece of news with some fabrications and, in it, a link to an archive with the "exposing materials" (a Trojan).

Conclusions
It is clear that mass mailing will not help in attacks on large organizations; an individual approach is needed there. But small businesses, where no one has ever heard of social engineering, can easily suffer from such attacks.