Tech Trends: My Crash Course in Hacking

Aug. 11, 2017
How penetration testing education opened my eyes to the dangers of social engineering

In recent columns, I have written about the importance of being vigilant with e-mail attachments and web links you don’t know, and the importance of making sure employees are educated in the threats that social engineering may pose.

I think it is important for security professionals to be aware of the types of tools that they are up against. If the sheer number of attack vectors outlined below doesn’t prompt you and your coworkers to be extra-vigilant about what is opened in an email or clicked on, it is only a matter of time before your organization is a victim.

Understanding and vigilance about social engineering attacks are the low-hanging fruit in cybersecurity – on both sides of the ball.

Social engineering is an approach in which people, rather than systems, are compromised via e-mail, telephone, an infected USB stick or in person. It can render the best technical defenses useless, because a cooperating insider can hand an attacker access to even the most hardened network.

Spear-phishing attacks are a form of social engineering that uses targeted emails built around points of familiarity drawn from public information, social media or other sources. A batch of emails can be sent based on information harvested from lists or scans, or individuals can be targeted directly. The emails can carry malicious files or links, and the sender’s email address can be spoofed.
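The traits just described (a spoofed sender, a link whose visible text does not match its real target, an executable lure) can be checked mechanically at the mail gateway or in a triage script. The following is an added defender-side example, not code from the column or from the Social-Engineer Toolkit; the message it inspects is constructed for illustration and every domain in it is a placeholder.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): the From domain differs from the
# bounce/reply domains, and the link text shows a trusted host while the href does not.
SAMPLE_EML = """\
From: "IT Helpdesk" <helpdesk@example.com>
Return-Path: <bounce@mailer-example.net>
Reply-To: <support@mailer-example.net>
Subject: Password expiry notice
Content-Type: text/html; charset=utf-8

<p>Your password expires today. Sign in at
<a href="http://login.example-portal.net/auth">https://portal.example.com</a></p>
"""

RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".jar", ".bat", ".ps1")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(header):
    """Lower-cased domain of an address header value ('' if absent)."""
    return parseaddr(str(header or ""))[1].rpartition("@")[2].lower()

def shown_host(anchor_text):
    """Host the user *sees* in link text, or '' if the text is not a URL."""
    text = re.sub(r"<[^>]+>", "", anchor_text).strip()  # drop inner tags like <b>
    return (urlparse(text).hostname or "") if "://" in text else ""

def triage(raw):
    """Return (finding, detail) pairs for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings, sender = [], domain_of(msg["From"])
    for hdr in ("Return-Path", "Reply-To"):          # spoofed-sender indicators
        d = domain_of(msg[hdr])
        if d and d != sender:
            findings.append((hdr.lower() + "_mismatch", f"{sender} vs {d}"))
    body = msg.get_body(preferencelist=("html",))
    for href, text in ANCHOR_RE.findall(body.get_content() if body else ""):
        shown, real = shown_host(text), (urlparse(href).hostname or "")
        if shown and shown != real:                   # display text lies about target
            findings.append(("link_mismatch", f"shows {shown}, goes to {real}"))
    for part in msg.iter_attachments():               # executable lures
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(("risky_attachment", name))
    return findings
```

Run `triage(SAMPLE_EML)` to see the three mismatches the sample was built to trigger; a mismatch is a signal for human review, not proof of phishing, since legitimate mailing services also rewrite Return-Path.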

Among the suite of tools I have been exposed to is the Social-Engineer Toolkit (SET), or setoolkit, available as an open source download at www.trustsec.com.

How I Went "Black Hat"

This summer, I had the chance to take a course in Penetration Testing, which is designed to teach you how to hack – so you know how to prevent getting hacked.

One exercise we performed was to clone a website in order to set up a phony phishing site. Entering login credentials on the phony site allowed my listener to capture the data – a technique known as Credential Harvesting.

Using a Website Attack, we also demonstrated how to use the phony site to get a user to download and run a file – in this case a keylogger.

Other types of phishing-based website attacks rely on getting a victim to click on a web link. Using the Metasploit framework (see sidebar), a web server can be set up on the attacking machine to host various exploit payloads. Clicking the link directs the victim to this server, whereupon the payload – for example, a keylogger – is delivered.

A Java Applet attack will spoof a Java Certificate and deliver the payload, and techniques exist to digitally sign these certificates.

The TabNabbing Method waits for a user to move to a different tab, then refreshes the page to something different.

The Web Jacking attack method uses iframe replacements to make a highlighted URL link appear legitimate; when it is clicked, a window pops up and its content is replaced with the malicious page. (An iframe is the technique for displaying content from another web page within the current page, and it is commonly used in social media.)

All of this occurs over port 80 (HTTP) on the attacking machine, which is commonly allowed through firewalls. If a browser has not been fully patched, known exploits – many of which target Internet Explorer – can take advantage.

More Social Engineering Attack Vectors

Here are some of the other options the Social Engineer Toolkit provides a hacker to easily compromise a careless victim. Note that hackers may deploy multi-pronged attacks using multiple attack vectors.

  • Infectious Media Generator: This USB/DVD creator builds a payload that, when the media is inserted into a USB port or drive, triggers the auto-run feature to compromise the system.
  • Mass Mailer Attack: This allows multiple customized emails to be sent in a mass phishing attack.
  • SMS Spoofing Attack: Allows the creation and sending of customized text messages. The SMS source can be spoofed and there is a choice of predefined or make-your-own templates.
  • Wireless Access Point Attack Vector: Creates an access point from a wireless interface card on the attacking machine and leverages DNSSpoof to redirect a victim’s browser requests to the attacker.
  • QR Code Generator Attack: Generates QR codes that, when scanned, redirect the victim to the attacker’s site.
  • PowerShell Attacks: PowerShell provides easy access to all major functions of an operating system. It is a framework based on .NET that offers a command line shell and a scripting language for automating and managing tasks. Installed by default on all new Windows machines, its management features can also work with virtual or Linux environments. It is attractive to hackers for many reasons, including stealth, obscurity, forensic resistance, and hacker community tools and support. It has been the go-to choice to attack banks, governments, and corporations.

Sidebar: About Metasploit and the Social Engineering Toolkit (SET)

The Metasploit Framework is an open source penetration testing tool used for developing and executing exploit code against a remote target machine. First released in 2003, Metasploit has the world’s largest database of public, tested exploits and has become the de facto standard for penetration testers. Owned by Rapid7, its development is largely driven by the security community. As new vulnerabilities are discovered, its architecture helps developers build working exploits around them. While public repositories of exploit code may be available, code delivered through Metasploit has been pretty well vetted. It is available for Mac and Windows, but it is probably safest to run it on a dedicated Linux machine. If you get serious about delving further, Kali Linux is a free download from www.kali.org that contains a host of pre-installed security tools. For less than $100 for VMware or VirtualBox, you can set your machine up to run virtual machines, including Kali Linux. Metasploit and SET can be run from this platform.

Ray Coulombe is Founder and Managing Director of SecuritySpecifiers and RepsForSecurity.com. Contact him at [email protected], through LinkedIn at www.linkedin.com/in/raycoulombe or follow him on Twitter: @RayCoulombe