Saturday, January 30, 2016

How to make friends and make them click on links

Introduction

A while ago I had some fun with the attacker of a hacked e-mail account.

I will call the victim Mary so I can guarantee her anonymity. I have known Mary for a couple of years now and, as most people do, we exchanged email addresses at some point.

The initial message

Mary's Yahoo account was hacked and I was contacted by the attacker with the following message, in French:
Hello,

Can you reply to this address I have something important to tell you but I want you to be discreet.

Kiss

Social Engineering the Attacker

This didn't match our usual style of communication, but it came from her account, so I replied with the simple phrases "No problem" and "Or you can call me, I am at the office."

About 10 minutes later I had a reply, but interestingly it came from a mail.ru mailbox, while the sender name was an exact copy of Mary's. The content of the email was:

Thanks for having replied to my email. I am currently in Portugal for important business. I am here for a couple of days and did not have the time to tell you about it. I got into a taxi and forgot my handbag that contained my phone, credit card, money and other stuff in that taxi. The only thing that I still got is a TransCard that I would like to put some money on. I would like you to buy for me some vouchers so that I can at least deal with the hotel costs and transport. If I can count on your help, I will instruct you what you need to do.

Kiss
Mary

Now this was funny, because Mary would first of all contact her family, and as far as I am aware she doesn't do business trips abroad. But I wanted to know more about my new friend. From this point on, let's call this person Bob, just for clarity.

I contacted the real Mary and explained to her what was going on with her account; she had already been contacted a couple of times that morning by her circle of family and friends.

I replied to Bob:

Hello Bob,

I fully understand you are going through some hard times but don't worry, we've got your back. I am sorry but for the next couple of hours I will be in a meeting and will not be able to reply to you.

In my next email I asked Bob for detailed instructions, since I am a good friend and would provide 500 EUR. This made Bob eager to reply. In his reply he explained to me that he wanted me to buy e-vouchers and send him the codes so he could do the rest.

Figuring out where Bob is

To figure out where Bob was, I set up a web page that was a copy of an Apache error 503 page. There was nothing wrong with the server of course: it responded with an HTTP 200, but the page looked like an Apache 503.

To "obfuscate" the URL a bit I made a bit.ly URL and crafted my email for Bob:

Dear Mary,

As promised I bought a 500 EUR voucher at the store. I've uploaded it to a web server since I have sports tonight. Here is the URL. If you need more money, let me know.

Cheers,
Erik

The link text showed in the mail as a regular URL ending in scan.jpg, while the href of the a-tag was set to the bit.ly address.

Bob clicked a couple of hours later and was located in Nigeria. He got back to me to tell me that something was wrong with my scan. This clearly illustrated to me that he only knew how to phish but lacked the technical knowledge to analyze my bait mail.
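The bait mail relies on a link whose visible text is one URL while the href points somewhere else, which is exactly the mismatch a mail client, a gateway or a careful reader should flag. The check below is an added example, not code from the original post; the sample HTML and the bit.ly path are constructed.

```python
"""Flag anchors whose visible text looks like a URL but whose href host differs.
Added example; the sample mail body below is constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []   # list of (href, text)
        self._href = None   # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Registrable-looking host of a URL; a leading 'www.' is ignored."""
    if "://" not in url:
        url = "https://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _looks_like_url(text):
    t = text.lower()
    return " " not in t and t.startswith(("http://", "https://", "www."))


def mismatched_links(html):
    """Return the anchors whose displayed URL and real destination host differ."""
    p = _AnchorCollector()
    p.feed(html)
    return [{"shown": text, "actual_host": _host(href)}
            for href, text in p.anchors
            if _looks_like_url(text) and _host(text) != _host(href)]


# Constructed sample in the shape of the bait mail: the text says scan.jpg on a
# store domain, the href is a shortener link.
SAMPLE_MAIL = """<p>As promised I bought a 500 EUR voucher, here is the scan:</p>
<a href="https://bit.ly/EXAMPLE">https://www.example.com/vouchers/scan.jpg</a>
<p>Regards, <a href="https://www.example.com/">www.example.com</a></p>"""
```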

The clean up

It seemed the criminal had taken over her account and set up mail forwarding to the mary @ mail.ru account. Besides cleaning that up, Mary added two-factor authentication so that it will become harder to hack her account again.

The reason why Mary's account got hacked was an easy-to-crack password. When she told me the original password it was clear that it was a word that appears in dictionary lists, and the number at the end was a classic too. Now she has picked a more complicated password. A good thing was that the original password only gave access to her mailbox.

Saturday, January 16, 2016

Is red a critical issue?

A couple of weeks ago I was giving a training and somebody made the remark that if something has the color red, it is critical. The logic she used was parallel to traffic lights, but there is a problem with this. It starts from the idea that everybody can see colors, and this is not the case. A good friend of mine is color blind for red and green, and that is how I became aware of the issue.

With a traffic light it does not actually matter which color is lit: we have agreed that the colors come in a fixed order, so it is the position of the light that carries the meaning, not the color. This is why color blind people are able to drive.

When we are talking about incident response this becomes a whole other issue, since the color tag of an incident is pointless to a color blind person. If my friend had a look at a dashboard tagging one incident red and another one green, they would both be grey-ish. This means he has a 50% chance of starting to work on the incident with the lowest priority.

The solution is actually pretty simple: you use a DEFCON-type scale, where 1 means it is your number one priority, and the lower on the scale an incident is rated, the less attention it will get. The classification of your incidents will greatly influence the value they get on this scale.

Monday, January 4, 2016

That is not hacking ...

Lately I have been doing a couple of social engineering attacks. One of the attacks I did was fairly simple. I had access to a big screen showing me a nice, typical Windows background.

When I checked out the back of the screen I found a USB port, so as one does when something is in scope, I started having fun with it. I plugged in a USB keyboard and hit the Windows+R combination. A nice window popped up and I opened Notepad so I could write a nice little message to the system administrator with my contact details. I unplugged the keyboard and continued what I was doing.

Later in the afternoon, when the message had got enough attention, I took it down. It had had the attention of the managers and I was already looking for solutions with the infosec team.

Funnily enough, one person from the IT staff came up to me and said that it wasn't a hack since it required physical access to the machine. I pointed out that to a threat agent it doesn't really matter how it gets done; the only thing that matters to a threat agent is that his or her job gets done.