When I Attack, Part 3 – Special Delivery
In my last two posts, I walked through the steps an attacker takes during reconnaissance and then weaponization. Today we continue our climb up the Cyber Security Kill Chain and use social engineering to deliver our malware to the victim.
During reconnaissance I compiled a list of names at one of the retailer’s smaller corporate offices. Judging from what I was able to find on LinkedIn, they only have about 2-3 IT people in the office, which I’m hoping will allow me to gain a foothold without also gaining attention.
One of the buyers I’ve singled out for this attack is a woman whom, for now, I will refer to as Jenny. I chose Jenny mostly because of what I found on her public-facing Facebook profile. She really was a social engineer’s dream: single, talked a lot about her job and the new “fall handbag line,” and, best of all, posted about her “computer getting all of these pop-ups again.” The one thing I didn’t have for Jenny was a phone number, so I had no choice but to work through email first.
Here’s what my first email to Jenny looked like:
My name is Keith, and I’m an account manager for Totally Awesome Bags. We’ve got a new line getting ready to come out that I think you would love and would be a perfect fit for your store.
I’ve attached a brochure, please let me know what you think.
I was pleasantly surprised when I saw her email in my inbox, but was soon discouraged when I read it.
Thanks for your email. I tried opening the brochure you sent, but it was blank. Maybe it’s just this darn computer. Can you please resend the brochure? Also, I think it would be a good idea to talk to you on the phone to get a better idea of pricing. What’s a good number? Alternatively, feel free to give me a call.
I hadn’t planned on actually having to talk to her on the phone. I just wanted to deliver the exploit, let it run, and collect the credit card numbers I was after. The PDF didn’t work for her because I had sent her a blank file, and that was intentional: I needed her to be outside of her network when I sent the malicious attachment, and the blank brochure gave me a natural reason to send a second email later. The phone call was actually an opportunity in disguise. Something I never took into account during reconnaissance was whether the person I was targeting even used a laptop that would leave the target network. Asking a few questions on the phone got me the information I needed.
After picking up a burner phone, I gave Jenny a call. I complimented her on her “cute southern accent.” Hey, you never know when the “charm to disarm” approach will work. We talked a bit about the bags – this was the hard part due to my lack of fashion knowledge, which is apparent in my wardrobe. I tried to slip in some innocuous questions like “So, do you ever travel for work?” “Do they let you work from home?” and “Sorry to hear you couldn’t open the file. What kind of laptop do they give you there?”
I wrapped up the call by telling Jenny the problem with the brochure might have been on my end. I would send her a new one later. I asked her if she thought she might be working late tonight, because I really wanted her to try and take a look at the bags. With a sigh, she told me she would be and promised to look at my email.
I’ll come back to report on the actual exploit after I send it out later. Too bad I have to do this to Jenny. She really was nice, and I did enjoy her accent.
So, what can we do to protect against an attack like this? One word – Education. Education is key to preventing social engineering. Advising employees on what information can be damaging to your organization can help prevent them from disclosing it to strangers. As part of your educational program, you should remind employees that even questions like “Do they let you work from home?” can have a huge impact on your enterprise. Verifying phone numbers and the legitimacy of an unknown contact through a channel you already trust, rather than the number or address that arrived in the email, can go a long way in keeping your company safe. Getting a blank .pdf file from a stranger should have triggered some sort of low-level alarm in Jenny’s head and made her consider talking to IT about the situation.
Of course, education isn’t the end of your security solution. Monitoring beyond your perimeter for behavioral anomalies is one of the best ways to catch a compromised host. However, that doesn’t come until after a breach occurs. For this post we are looking explicitly at the delivery of a targeted attack. An attack of this nature that occurs outside of your network and has been crafted to avoid your anti-virus will be difficult to fend off with technology alone.
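What IT can do when a user does report a “blank brochure” from a stranger is a quick static triage of the file before anyone opens it again. The script below is an added example written for this post; it is not a Lancope tool and not code from the scenario. It decodes PDF name hex escapes (a legal encoding such as `/J#61vaScript` that malicious files use to hide `/JavaScript` from naive string matching, which goes a little beyond the page’s own description) and then counts the tokens that give a document active behaviour, flagging the classic lure pattern of a blank page wired to run something on open. The two sample PDFs are constructed inline and contain no real payload; real lures usually hide these objects in compressed object streams, so treat this as a first pass rather than a replacement for a full PDF parser or a sandbox.

```python
import re

# Name tokens that give a PDF active behaviour. Counts of these in a
# "brochure" from a stranger are the first thing a triage analyst checks.
RISKY_NAMES = [
    b"/OpenAction",   # run something when the document opens
    b"/AA",           # additional-actions dictionary (event-triggered)
    b"/JavaScript",
    b"/JS",
    b"/Launch",       # launch an external program
    b"/EmbeddedFile",
    b"/RichMedia",
    b"/URI",
]

TRIGGERS = {"/OpenAction", "/AA"}
PAYLOADS = {"/JavaScript", "/JS", "/Launch", "/EmbeddedFile", "/RichMedia"}


def normalize_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes (/J#61vaScript == /JavaScript).

    Malicious PDFs use this legal encoding to dodge naive string matches.
    Heuristic: every #xx sequence is decoded, not only those inside names.
    """
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_name(norm: bytes, name: bytes) -> int:
    # Match the whole name only: /JS must not count /JSomething, and
    # /Page must not count /Pages.
    return len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", norm))


def triage_pdf(data: bytes) -> dict:
    """Static triage of a PDF attachment. Returns a findings dict."""
    norm = normalize_names(data)
    risky = {n.decode(): count_name(norm, n) for n in RISKY_NAMES}
    risky = {k: v for k, v in risky.items() if v}

    pages = count_name(norm, b"/Page")
    contents = count_name(norm, b"/Contents")
    # Heuristic: page objects with no content stream render as blank pages.
    blank_pages = max(pages - contents, 0)

    triggers = TRIGGERS & risky.keys()
    payloads = PAYLOADS & risky.keys()
    if triggers and payloads:
        verdict = "suspicious: active content wired to run automatically"
    elif triggers or payloads:
        verdict = "review: active content present"
    else:
        verdict = "no active content found"

    return {
        "is_pdf": data.startswith(b"%PDF-"),
        "pages": pages,
        "blank_pages": blank_pages,
        "risky": risky,
        "verdict": verdict,
    }


# Constructed samples (no real payload): a minimal one-page blank PDF like
# the first "brochure", and the same file with an obfuscated auto-run script.
BLANK_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

LURE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert('hello')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, pdf in (("blank brochure", BLANK_PDF), ("resent brochure", LURE_PDF)):
        print(label, triage_pdf(pdf))
```

Run against a real attachment with `triage_pdf(open(path, "rb").read())`. A file that is both blank and carries an `/OpenAction` pointing at script is exactly the shape of the lure described above, and that combination is worth escalating even when anti-virus is quiet, since the page’s point is that a targeted sample was crafted not to match signatures.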
*As a reminder, the social engineering activities outlined above represent a fictitious scenario used to illustrate attacker behavior, and were not actually carried out by Lancope.