Saturday 22 October 2016

Phishing Assessments Part 2.



In the previous blog post, Phishing assessments Part 1, we looked at what an attacker is hoping to achieve through a phishing assessment, the types of attacks that can be performed, how an attacker goes about performing them and what the end result would be. We also looked at how a security testing consultancy can replicate this type of attack through an email based phishing assessment in order to gauge user awareness. 

In this blog post, we are going to look at what happens if an attacker’s emails are being effectively blocked by ant-spam filtering, or access to a malicious data capture of file download website is being blocked by web content filters. 

An attacker will soon be made aware that his emails are being filtered through tracking the emails and monitoring the responses, a 50* error will be returned if anti-spam filtering is in force.
If the emails are being received but no activity is taking place on the cloned website, then it is likely that an effective web content filter system in protecting end users from accessing the cloned website.
So what does an attacker do form here?

During the initial reconnaissance phase, the attacker would have scraped multiple open source repositories in order to gather the names and emails addressed of potential targets. The telephone direct dial numbers may also have been disclosed, if they haven’t, the front desk or main public contact number would have to be made available. 

Then it becomes a telephone campaign, titled “Vishing”, or if mobile numbers have been enumerated, the term can be called “Smishing” (whereby a malicious SMS is sent, with the same URL that would have been used in the email campaign, aimed toward the mobile device browser or a mobile exploit included)

In this blog post, we are going to concentrate on the various methods adopted by an attacker when completing a telephone or vishing campaign. 

The attacker could use one of multiple scenario’s for the telephone call’s, depending on certain environmental conditions, IE whether his emails are being blocked, whether he is attempting to harvest user credentials with single or multi-factor authentication, whether the end users have access to a cloned malicious website or not, whether he is looking to install some form of malware, usually ransomware, the list is endless. 

For each of the environmental scenarios, an attacker would need at least the following information to be able to perform an effective campaign. 

  1. A list of end user targets and telephone number (direct line or mainline transferable)
Optionally, an attacker would perform OSINT and harvest as much information as possible on the environment, it’s users, support staff, executive level users, technologies in place, third party suppliers etc. 

The following information would also allow an attacker to provide a more enhanced attack.
  1. A list of IT staff names, location and numbers
  2. A helpdesk or Support number
  3. Names of Executive level users and numbers
  4. Two Factor authentication methods used
  5. Third Party Supplier information (Cable provider, website hosting company etc)
So armed with a good level of information, the attacker can progress to calling up the various entities and attempting to coach the users into either providing information over the telephone, entering the information into his cloned data harvesting website or downloading and installing the malware.
We have developed a set of typical scripts that can be used during a telephoned based vishing assessment, that are similar to attacks adopted by attackers. You will probably recognise these tactics from calls you have taken in the past. 

It should be noted that these scenario’s and scripts have been developed by us for performing user awareness testing on behalf of our clients, with full authority from our clients to perform the assessment.
Scenario 1.   Two Factor Authentication – VPN Gateway
This scenario works better alongside a targeted email Spear Phishing campaign, requesting users to log into a spoofed VPN gateway using their corporate credentials (call 1.1). Although it can also be completed independently (call 1.2).  

The Environment.
The client hosts a corporate VPN gateway that uses two factor authentication (Username / Password + Secure ID). A spoofed versions of the Gateway has been cloned and a Phishing email has been sent to the end users, users may or may not have disclosed credentials. 

Pre-requisites.
·         A target list of standard users (Names and phone numbers)
·         A list of IT staff (Names and phone numbers)
·         A cloned corporate VPN landing page.

1.1   User credentials have been harvested.
A standard user’s (user) username and password have been captured through the cloned VPN website, although they could not log on (as it required the two factor ID plus it was spoofed of course). The scene is a call back from the known IT staff member (Staff), stating they have been alerted to a failed logon attempt and they the secure ID token needs to be reset. 

“Hi (user), this is (Staff) from the IT department. We have been alerted that you attempted to logon to the new VPN service but couldn’t. We have investigated the issue and found that your secure ID token needed to be reset.
Do you have this token with you (if so ask if it can be done now – if not, arrange a call back)
OK, so the first thing we need is the current secure ID token code, and then we need the next code (this is actually how you rest the tokens) 

The idea is that you then log in, in real time to the real VPN, although as a proof of concept, just getting the user to give you the token would suffice. 

1.2   User credentials have not been harvested.
This is when you need to capture the user’s password from IT (via a password reset request) and the user’s secure ID token in real time from the user. 

Call 1 – User to Staff
“Hi, this is (User) from (Department) again…, I have called a few times about this last week and I am started to get a bit frustrated. You should be able to see from my call logs (these won’t be present but doesn’t matter) that my user account is being locked and I keep needing to reset my password. I am out of the office today and I can’t log into the VPN, although I have my secure ID with me.
Could you please reset my password for me so that I can log onto the VPN, I will then rest it. 

Call 2. Staff to User 
“Hi (user), this is (Staff) from the IT department. We have setup a new VPN service this week and have had some users reporting that they cannot log in using their credentials and secure ID. Therefore, we need to reset some users secure ID tokens so users can log in.
We have investigated the issues and have a list of problem tokens and found that your secure ID token needs to be reset.
Do you have this token with you (if so ask if it can be done now – if not, arrange a call back)
OK, so the first thing we need is the current secure ID token code, and then we need the next code (this is actually how you rest the tokens) 

If successful, you should have both the username and password for the user (or maybe just password) and a current secure ID token.

Scenario 2.   Webmail Credentials
This scenario works when there is no two factor authentication, just a simply corporate username and password needed to access a site, such as a corporate webmail system.  A cloned version of the website can also be adopted, although it is not essential. 

The Environment.
The client hosts a corporate webmail portal that uses single factor authentication (Username / Password). The idea here is for an attacker to spoof the user into disclosing credentials so that the attacker can access the corporate webmail system as the user.
This can be completed by sending a user the standard email, with a link to a cloned version of the webmail site, or by coaching the user to access the site and enter credentials over the phone. 

Pre-requisites.
·         An Executive User (Spoof this users)
·         A list of standard users (Names and Phone Numbers)
·         A list of IT staff (Names and phone numbers, ideally a manager’s name also) 

2.1 Harvesting User Credentials – Executive User

This is when you need to capture the user’s password from IT (via a password reset request). 

Call 1 – Executive User to IT Staff
“Hi, this is (Executive), I have been speaking to (IT Managers name) regarding problems with my account, the password seems to keep locking. I am at an important conference and only have access to my laptop and need to access an email but cannot log onto the webmail system.
(IT Managers name) has said for me to call you guys to help by resetting my password for me, can you do this and let me know what it is, it’s really important that I get this email sent to a client as soon as possible.
Sorry but I don’t have much time as the conference is just about to start, can you please help me?

Call 2 – Standard User to IT Staff.
“Hi, this is (User) from (Department) again…, I have called a few times about this last week and I am started to get a bit frustrated. You should be able to see from my call logs (these won’t be present but doesn’t matter) that my user account is being locked. I am out of the office on annual leave today and I can’t log into the Webmail, although I have an important email sent from my manager that I need to reply to, I can’t believe I am being asked to work on my day off.
Could you please reset my password for me so that I can log on and reply to this email, it’s really important. 

2.2   Coaching user to enter Credentials (Spoofed site)

Only use this when the email campaign has failed to coax a user to enter their credentials (could be due to mails being blocked, web content filtering etc) or no email addresses are provided and it’s a Telephone only campaign. 

Call 1 – IT Staff to User.
“Hi (user), this is (Staff) from the IT department at (Client name).
We have recently setup a new Corporate web mail service this week and have had some users reporting that they cannot log in using their Corporate credentials.
We have investigated the issue and believe we have now fixed the problem, would it be possible for you to logon and confirm if you can see your emails?
If yes,
Please logon to (URL of Cloned site) with your corporate email address and usual password and you should see your emails? 

It won’t work and they will see an error stating unavailable, but the credentials will be logged.
OK no problem, we will continue to investigate the problem, we are very sorry, have a great day.

Scenario 3.   Change Password
This scenario works for capturing usernames and passwords through a spoofed corporate change password landing page has been setup. This would usually be run via an email campaign, although the email may have been blocked or could be a telephone only campaign. The spoofed site will be a clone of the corporate site and would be more effective that asking the user to provide you with their details directly over the phone.  

The Environment.
This is aimed at a client user who may be based remotely or not have the ability to rotate their passwords in the usual way. 

Pre-requisites.
·         A list of standard users (Names and Phone Numbers)
·         A list of IT staff (Names and Location)
·         A data capture landing page (corporate clone) rotate password version

2.1 Harvesting User Credentials – standard user

Call 1 – IT Staff to User.  (Option1)
“Good morning / afternoon (user), this is (Staff) from the IT department at (Client name). As part of (Client name) commitment to your IT security and protection of sensitive information, (Client name) requires you to regularly change your password.
Our systems indicate that you have not changed your password recently, therefore, we would be grateful if you could update your credentials on the following page as soon as possible. 

Provide URL for landing page

Thank you for your assistance, have a great day.

Call 2 – IT Staff to User. (Option 2)
“Good morning / afternoon (user), this is (Staff) from the IT Security department at (Client name). We have had an alert raised regarding potential data breach on our systems, which may have disclosed your current account details.
We are currently still investigating whether we have a security issue, however, in the mean-time and in order to prevent any further problems
We would be grateful if you could update your credentials and change your password on the following page as soon as possible. 

Provide URL for landing page

Thank you for your assistance, we will update you once we have completed our investigation, have a great day.

Scenario 4. System Unstable
This scenario works when there is no cloned site, but there may be issues on the network with system stability – there probably isn’t, but a user wouldn’t know either way.  The idea is to gather some of the user’s password (for further brute force of a weak password) and their username. It kind of works as the user isn’t divulging their entire password, which is common when talking to a bank etc. 

The Environment.
The idea here is for an attacker to spoof the user into disclosing credentials so that the attacker can access a corporate system as the user. 

Pre-requisites.
·         A list of standard users (Names and Phone Numbers)
·         A list of IT staff (Names and Location) 

4.1 Harvesting User Credentials.
Good Morning / Afternoon (User) my name is (IT Staff name) and I am calling from (Client name) Internal IT based in (Location). We have had a number of stability issues today with the operation of the IT network and are concerned that some of the staff, including yourself, may have lost some data.
We are obviously concerned so want to verify that your account data has not been corrupted, for security reasons, could you confirm your username and confirm the first four characters of your password?

Scenario 5.   Important Security Update
This scenario is based on a benign malicious file download and run. This is typical of the ransomware attacks that are common. The downloaded file can also be sent as an email attachment, or via a link included in the email to a website with the file available to download.
In this instance, either the email was blocked (most likely) or you do not have the users email address, or they failed to open / download the file included in the email. Or it could simply be a telephone only campaign. 

The Environment.
The client runs a corporate network that would usually be made up of a mixture of Windows systems and Linux. Windows systems are constantly being updated, it is not uncommon for a Windows system to need an important security update.  Clients must have internet access, the file type will be a benign trackable file, which should bypass client based AV. 

Pre-requisites.
·         A list of standard users (Names and Phone Numbers)
·         A list of IT staff (Names and Location)
·         A File Type Scenario based landing page (AV friendly)
5.1 Malicious file download and run 

Call 1 – IT Staff to User
Good Morning / Afternoon (User) my name is (IT Staff name) and I am calling from (Client name) Internal IT based in (Location).
We have had a number of reports that certain systems have not received the really important security update from Microsoft, which was released last week.
Could you please confirm your system hostname so that I can check whether it has been updated?

Talk the user through right clicking my computer, to provide you with the name of the workstation, laptop etc.

OK, it looks as though this system hasn’t had the updated, we will need to do this right away. Could you please open your browser and enter the following into the address bar (URL of landing page)? 

Talk the user through downloading and running the file, the file will make a call back to the Phishing command and control server. 

Once the file has made the call back. 

Ok that seems to have been updated now, thank you for your assistance, have a great day. 

Conclusion

So how do you protect yourself against a vishing attack? 

There isn’t a great deal that you can do with regard to technical mitigation techniques, you cannot really implement any form of inbound call filtering to all staff, as with anti-spam for inbound email.
You could block calls originating from known rogue telephone numbers or withheld number sure, but then there is always a risk of blocking legitimate sales or support enquiries and an Attacker would always find a way to get around any block. 

Web content filtering would certainly prevent the users being tricked into accessing a malicious website, if set up correctly. However, an attacker could create a very legitimate website that would pass all web content filtering checks and then subtly change a minor piece of code specifically for the attack. 

At the end of the day, as with all forms of social engineering, it comes down to user awareness training, humans are always going to be the most commonly targeted entity by attackers.
Including both phishing, vishing and smishing assessments (be mail based and telephone / mobile) into your security testing programme is essentials. The security consultancy performing the assessments needs to remain up to date with modern social engineering attack techniques also, including where a client is using the latest client-side security technology, how to bypass them using custom malware. 

In the next blog post we are going to look in more depth at the client-side technology, aimed at preventing the exploitation of a phishing attack payload and how custom malware or poor configurations can be exploited by a skilled threat actor.

No comments:

Post a Comment