In the previous blog post, Phishing assessments Part 1, we
looked at what an attacker is hoping to achieve through a phishing assessment,
the types of attacks that can be performed, how an attacker goes about
performing them and what the end result would be. We also looked at how a
security testing consultancy can replicate this type of attack through an email-based
phishing assessment in order to gauge user awareness.
In this blog post, we are going to look at what happens if
an attacker’s emails are being effectively blocked by anti-spam filtering, or
access to a malicious data capture or file download website is being blocked by
web content filters.
An attacker will soon become aware that his emails are
being filtered by tracking the emails and monitoring the responses: a 50* SMTP
error will be returned if anti-spam filtering is in force.
If the emails are being received but no activity is taking
place on the cloned website, then it is likely that an effective web content
filter system is protecting end users from accessing the cloned website.
So what does an attacker do from here?
During the initial reconnaissance phase, the attacker would
have scraped multiple open source repositories in order to gather the names and
email addresses of potential targets. Direct dial telephone numbers may
also have been disclosed; if they haven’t, the front desk or main public
contact number would have to be used instead.
Then it becomes a telephone campaign, termed “vishing”, or,
if mobile numbers have been enumerated, “smishing” (whereby a malicious SMS
is sent containing the same URL that would have been used in the email
campaign, aimed at the mobile device browser, or with a mobile exploit
included).
In this blog post, we are going to concentrate on the
various methods adopted by an attacker when completing a telephone or vishing
campaign.
The attacker could use one of multiple scenarios for the
telephone calls, depending on certain environmental conditions, i.e. whether his
emails are being blocked, whether he is attempting to harvest user credentials
protected by single or multi-factor authentication, whether the end users have
access to a cloned malicious website or not, whether he is looking to install
some form of malware, usually ransomware; the list is endless.
For each of the environmental scenarios, an attacker would
need at least the following information to be able to perform an effective
campaign.
- A list of end user targets and telephone numbers (direct line or mainline transferable)
Optionally, an attacker would perform OSINT and harvest as
much information as possible on the environment, its users, support staff,
executive level users, technologies in place, third party suppliers etc.
The following information would also allow an attacker to
perform a more convincing attack.
- A list of IT staff names, locations and numbers
- A helpdesk or support number
- Names of executive level users and their numbers
- Two-factor authentication methods used
- Third party supplier information (cable provider, website hosting company etc)
So armed with a good level of information, the attacker can
progress to calling up the various entities and attempting to coach the users
into either providing information over the telephone, entering the information
into his cloned data harvesting website or downloading and installing the
malware.
We have developed a set of typical scripts that can be used
during a telephone-based vishing assessment, which are similar to the attacks
adopted by attackers. You will probably recognise these tactics from calls you
have taken in the past.
It should be noted that these scenarios and scripts have
been developed by us for performing user awareness testing on behalf of our
clients, with full authority from our clients to perform the assessment.
Scenario 1. Two Factor Authentication – VPN Gateway
This scenario works better alongside a targeted email spear
phishing campaign requesting users to log into a spoofed VPN gateway using
their corporate credentials (call 1.1), although it can also be completed
independently (call 1.2).
The Environment.
The client hosts a corporate VPN gateway that uses two
factor authentication (Username / Password + Secure ID). A spoofed version of
the gateway has been cloned and a phishing email has been sent to the end
users; users may or may not have disclosed credentials.
Pre-requisites.
- A target list of standard users (names and phone numbers)
- A list of IT staff (names and phone numbers)
- A cloned corporate VPN landing page
1.1 User credentials have been harvested.
A standard user’s (User) username and password have been
captured through the cloned VPN website, although they could not log on (as it
required the two factor ID, plus it was spoofed of course). The scene is a call
back from a known IT staff member (Staff), stating they have been alerted to a
failed logon attempt and that the secure ID token needs to be reset.
“Hi (user), this is
(Staff) from the IT department. We have been alerted that you attempted to
log on to the new VPN service but couldn’t. We have investigated the issue and
found that your secure ID token needs to be reset.
Do you have this token
with you?” (If so, ask if it can be done now; if not, arrange a call back.)
“OK, so the first thing
we need is the current secure ID token code, and then we need the next code.”
(This is actually how you reset the tokens.)
The idea is that you then log in to the real VPN in real
time, although as a proof of concept, just getting the user to give you the
token would suffice.
1.2 User credentials have not been harvested.
This is when you need to capture the user’s password from IT
(via a password reset request) and the user’s secure ID token in real time from
the user.
Call 1 – User to Staff
“Hi, this is (User)
from (Department) again… I have called a few times about this last week and I
am starting to get a bit frustrated. You should be able to see from my call
logs (these won’t be present, but it doesn’t matter) that my user account is
being locked and I keep needing to reset my password. I am out of the office
today and I can’t log into the VPN, although I have my secure ID with me.
Could you please reset
my password for me so that I can log onto the VPN? I will then reset it.”
Call 2 – Staff to User
“Hi (user), this is (Staff)
from the IT department. We have set up a new VPN service this week and have had
some users reporting that they cannot log in using their credentials and secure
ID. Therefore, we need to reset some users’ secure ID tokens so that they can
log in.
We have investigated
the issues, have a list of problem tokens and found that your secure ID
token needs to be reset.
Do you have this token
with you?” (If so, ask if it can be done now; if not, arrange a call back.)
“OK, so the first thing
we need is the current secure ID token code, and then we need the next code.”
(This is actually how you reset the tokens.)
If successful, you should have both the username and
password for the user (or maybe just the password) and a current secure ID token.
Scenario 2. Webmail Credentials
This scenario works when there is no two factor
authentication, just a simple corporate username and password needed to access
a site, such as a corporate webmail system.
A cloned version of the website can also be used, although it is not
essential.
The Environment.
The client hosts a corporate webmail portal that uses single
factor authentication (Username / Password). The idea here is for an attacker
to spoof the user into disclosing credentials so that the attacker can access
the corporate webmail system as the user.
This can be completed by sending a user the standard email,
with a link to a cloned version of the webmail site, or by coaching the user to
access the site and enter credentials over the phone.
Pre-requisites.
- An executive user (spoof this user)
- A list of standard users (names and phone numbers)
- A list of IT staff (names and phone numbers, ideally a manager’s name also)
2.1 Harvesting User Credentials – Executive User
This is when you need to capture the user’s password from IT
(via a password reset request).
Call 1 – Executive User to IT Staff
“Hi, this is
(Executive). I have been speaking to (IT Manager’s name) regarding problems with
my account; the password seems to keep locking. I am at an important conference
and only have access to my laptop and need to access an email but cannot log
onto the webmail system.
(IT Manager’s name) has
said for me to call you guys to help by resetting my password for me. Can you
do this and let me know what it is? It’s really important that I get this email
sent to a client as soon as possible.
Sorry, but I don’t have
much time as the conference is just about to start. Can you please help me?”
Call 2 – Standard User to IT Staff
“Hi, this is (User) from
(Department) again… I have called a few times about this last week and I am
starting to get a bit frustrated. You should be able to see from my call logs
(these won’t be present, but it doesn’t matter) that my user account is being
locked. I am out of the office on annual leave today and I can’t log into the
webmail, although I have an important email from my manager that I need to
reply to. I can’t believe I am being asked to work on my day off.
Could you please reset
my password for me so that I can log on and reply to this email? It’s really
important.”
2.2 Coaching User to Enter Credentials (Spoofed Site)
Only use this when the email campaign has failed to coax a
user into entering their credentials (this could be due to emails being blocked,
web content filtering etc.) or when no email addresses are provided and it’s a
telephone only campaign.
Call 1 – IT Staff to User
“Hi (user), this is
(Staff) from the IT department at (Client name).
We have recently set up
a new corporate webmail service this week and have had some users reporting
that they cannot log in using their corporate credentials.
We have investigated
the issue and believe we have now fixed the problem. Would it be possible for
you to log on and confirm that you can see your emails?”
If yes:
“Please log on to (URL
of cloned site) with your corporate email address and usual password and you
should see your emails.”
It won’t work and they will see an error stating the service is
unavailable, but the credentials will be logged.
“OK, no problem, we will
continue to investigate the problem. We are very sorry, have a great day.”
Scenario 3. Change Password
This scenario works for capturing usernames and passwords
when a spoofed corporate change-password landing page has been set up. This
would usually be run via an email campaign, although the email may have been
blocked or it could be a telephone only campaign. The spoofed site will be a
clone of the corporate site and would be more effective than asking the user to
provide you with their details directly over the phone.
The Environment.
This is aimed at a client user who may be based remotely or
not have the ability to rotate their passwords in the usual way.
Pre-requisites.
- A list of standard users (names and phone numbers)
- A list of IT staff (names and location)
- A data capture landing page (corporate clone), rotate password version
3.1 Harvesting User Credentials – Standard User
Call 1 – IT Staff to User (Option 1)
“Good morning /
afternoon (user), this is (Staff) from the IT department at (Client name). As
part of (Client name)’s commitment to your IT security and the protection of
sensitive information, (Client name) requires you to regularly change your
password.
Our systems indicate
that you have not changed your password recently; therefore, we would be
grateful if you could update your credentials on the following page as soon as
possible.”
Provide the URL for the landing page.
“Thank you for your
assistance, have a great day.”
Call 2 – IT Staff to User (Option 2)
“Good morning / afternoon
(user), this is (Staff) from the IT Security department at (Client name). We
have had an alert raised regarding a potential data breach on our systems, which
may have disclosed your current account details.
We are currently still
investigating whether we have a security issue; however, in the meantime and
in order to prevent any further problems, we would be grateful
if you could update your credentials and change your password on the following
page as soon as possible.”
Provide the URL for the landing page.
“Thank you for your
assistance, we will update you once we have completed our investigation. Have a
great day.”
Scenario 4. System Unstable
This scenario works when there is no cloned site, but there
may be issues on the network with system stability – there probably aren’t, but
a user wouldn’t know either way. The
idea is to gather part of the user’s password (for later brute forcing of a
weak password) and their username. It works because the user isn’t divulging
their entire password, which is common practice when talking to a bank etc.
The Environment.
The idea here is for an attacker to spoof the user into
disclosing credentials so that the attacker can access a corporate system as
the user.
Pre-requisites.
- A list of standard users (names and phone numbers)
- A list of IT staff (names and location)
4.1 Harvesting User Credentials.
“Good Morning /
Afternoon (User), my name is (IT Staff name) and I am calling from (Client name)
Internal IT, based in (Location). We have had a number of stability issues today
with the operation of the IT network and are concerned that some of the staff,
including yourself, may have lost some data.
We are obviously
concerned, so we want to verify that your account data has not been corrupted.
For security reasons, could you confirm your username and the first four
characters of your password?”
Scenario 5. Important Security Update
This scenario is based on a benign stand-in for a malicious file being
downloaded and run. This is typical of the ransomware attacks that are common.
The downloaded file can also be sent as an email attachment, or via a link
included in the email to a website with the file available to download.
In this instance, either the email was blocked (most likely),
you do not have the user’s email address, or they failed to open / download
the file included in the email. Or it could simply be a telephone only
campaign.
The Environment.
The client runs a corporate network that would usually be
made up of a mixture of Windows and Linux systems. Windows systems are
constantly being updated, so it is not uncommon for a Windows system to need an
important security update. Client systems must
have internet access; the file will be a benign, trackable file type, which
should bypass client-based AV.
Pre-requisites.
- A list of standard users (names and phone numbers)
- A list of IT staff (names and location)
- A file type scenario-based landing page (AV friendly)
5.1 Malicious file download and run
Call 1 – IT Staff to User
“Good Morning / Afternoon
(User), my name is (IT Staff name) and I am calling from (Client name) Internal
IT, based in (Location).
We have had a number
of reports that certain systems have not received the really important security
update from Microsoft, which was released last week.
Could you please
confirm your system hostname so that I can check whether it has been updated?”
Talk the user through right-clicking My Computer to provide
you with the name of the workstation, laptop etc.
“OK, it looks as though
this system hasn’t had the update; we will need to do this right away. Could
you please open your browser and enter the following into the address bar: (URL
of landing page)?”
Talk the user through downloading and running the file; the
file will make a call back to the phishing command and control server.
Once the file has made the call back:
“OK, that seems to have
been updated now. Thank you for your assistance, have a great day.”
Conclusion
So how do you protect yourself against a vishing attack?
There isn’t a great deal that you can do with regard to
technical mitigation techniques; you cannot really implement any form of
inbound call filtering for all staff in the way anti-spam filtering works for
inbound email.
You could block calls originating from known rogue telephone
numbers or withheld numbers, sure, but then there is always a risk of blocking
legitimate sales or support enquiries, and an attacker would always find a way
to get around any block.
Web content filtering would certainly prevent users from
being tricked into accessing a malicious website, if set up correctly. However,
an attacker could create a perfectly legitimate-looking website that would pass
all web content filtering checks and then subtly change a minor piece of code
specifically for the attack.
At the end of the day, as with all forms of social
engineering, it comes down to user awareness training; humans are always going
to be the most commonly targeted entity by attackers.
Including phishing, vishing and smishing assessments (both
email-based and telephone / mobile) in your security testing programme is
essential. The security consultancy performing the assessments also needs to
remain up to date with modern social engineering attack techniques, including,
where a client is using the latest client-side security technology, how to
bypass it using custom malware.
In the next blog post we are going to look in
more depth at the client-side technology, aimed at preventing the exploitation
of a phishing attack payload and how custom malware or poor configurations can
be exploited by a skilled threat actor.