
Social Engineering Penetration Testing

In this excerpt of Social Engineering Penetration Testing, the authors explain what phishing attacks are and how they work, using multiple real-world examples.

The following is an excerpt from the book Social Engineering Penetration Testing: Executing Social Engineering Pen Tests, Assessments and Defense, written by Gavin Watson, Andrew Mason and Richard Ackroyd and published by Syngress. This section from chapter nine offers an introduction to phishing attacks and how they work.

An introduction to phishing attacks

What is a phishing attack, and why should it matter? Phishing, from a technological point of view, was initially the act of sending an e-mail to a large number of target e-mail addresses, with the intent of harvesting sensitive data. This data could be a username and password, or bank details. It could even be someone's credit card details that the attackers are aiming for. In order to talk about the true roots of these types of attack, there's a need to go back hundreds of years to look at written letter attacks such as the "Spanish Prisoner" scam, which is in essence the equivalent of today's advance fee fraud.

Phishing attacks are no longer isolated to just e-mails, as other delivery mechanisms have proven to be equally reliable to attackers. As an example, social networking sites are a popular means of distribution when it comes to phishing. Another alternative is in pop-ups and embedded malicious content in web sites. Typically, this sort of mechanism is seen on less than wholesome web sites, such as those with adult or piracy related content. As they say, "if you lie down with dogs, you get up with fleas."

In this chapter, the focus will be on e-mails as a delivery mechanism for the attack.

With almost 100% certainty, anybody who owns an e-mail account will have at the very least seen a phishing e-mail, some even having been scammed by them.

The most common phishing scams can be seen from a mile away. They are badly written and poorly formatted and typically get caught by any spam filter worth its salt. It is the more professional efforts that are cause for concern. These present a very well formatted e-mail, appearing to come from a legitimate organization such as a bank, eBay or PayPal. It will look identical to an official e-mail from the real organization, with one very significant difference: it is designed to harvest banking credentials or infect a system with malware.

In the instance of more targeted, or "spear phishing" attacks, the amount of effort expended in creating the attack could be vast. The e-mail would not only be indistinguishable from a legitimate one, but it would also contain a hook specific to its target. In many cases, the target would feel compelled to act upon the e-mail immediately. These kinds of attacks may well have their roots in the less targeted phishing campaigns. It is not uncommon for an attacker to use information gathered in an initial broad-scope attack to build the foundations of a spear phish.

Why phishing attacks work

Why do phishing attacks work, both from a conceptual and practical point of view?

First of all, who are the potential targets? How many people do you know who don't have an e-mail address? I suspect the answer will be "the same number of people I know who don't have a mobile phone." In June 2012, Google released some figures for its Gmail service: 425 million active users on a monthly basis! This is only one mail provider, albeit the most popular.

The entire Google posting can be found at:

http://googleblog.blogspot.co.uk/2012/06/chrome-apps-google-io-your-web.html

With a target scope of this size, it's almost like shooting phish(sic) in a barrel. To sum up this point, saturation is what this is all about. Why target an attack at an obscure service that a handful of people use, when hundreds of millions can be targeted? If only a few percent fall for the bait, there is still a lot in it for the attacker.

To put this threat into context, a recent study by RSA's Anti-Fraud Command Centre showed that in 2012 consumers and businesses in the United Kingdom lost an estimated £27 billion to cybercrime. Of the £6 billion consumers lost, £405.8 million was attributed to phishing attacks. According to this study, this makes the United Kingdom the world's most "phished" country, with 10 times the phishing loss of the United States (Source: http://www.antifraudnews.com/scam-information/).

Therefore, it appears that the vast majority of users do not thoroughly check e-mails before doing anything with them. In fact, if it wasn't for antivirus and antispam, this would certainly be an even bigger issue for the Internet user base, which is currently well over 2 billion people, according to the quoted Google article.

The client-side attack

Expanding on why phishing attacks work means looking at the technology a little, including traditional defense strategies. The idea of the client-side attack is that inbound traffic to a computer, even at home, is usually blocked by a router or firewall, whereas outbound connections are rarely subject to the same restrictions. At home, it is likely that there will be full outbound access from the client to any resource on the Internet, legitimate or malicious. Even in the corporate setting, it is highly likely that a client will have some outbound access, although that too will be filtered and controlled to some extent by security devices such as firewalls and content filters.

This is why e-mail phishing attacks are so effective. As an example, if an attacker wanted to compromise a system, they might choose to include a malicious file, such as a PDF embedded with a payload in the e-mail. If the payload bypassed the inbound antivirus signatures, maybe through an encoding or encryption mechanism, the chances are that outbound access would allow a return connection to the attacker from the target. In some ways, it's like waiting for the planets to align. Creating a payload that would bypass both perimeter and client antivirus is one thing, the target system still needs to be vulnerable to the attack too. This is why broad-scale phishing attempts against millions of e-mails are successful. They only need to find 1 - 2% of systems in a vulnerable state to be effective and therefore profitable.

The alternative vector, and arguably the more successful method, is not to attach anything at all. These are the attacks that pose the most risk and are the more difficult of the two to detect. It would typically be an e-mail that looks like it is from a financial institution, such as an online banking provider. In the e-mail would be a request of some type, maybe a notification that a large outbound transaction was made from an account, and a link to log into online banking to confirm that it was legitimate. Of course, the moment someone follows the link and enters their details, their credentials have been harvested by an attacker using a cloned site. The cloned site will likely redirect the victim back to the legitimate banking site, leaving them thinking that they'd mistyped their password. By the time they log into their actual account, it will be empty. Unfortunately, not all online banking providers have taken up two-factor authentication devices, which just compounds the issue. That being said, even two-factor systems are not a silver bullet if the authentication is intercepted. It would still be possible to replay the captured credentials against the legitimate banking site and log in; the only difference would be the restricted time frame in which the attacker would have to authenticate, because most two-factor systems generate a time-limited, one-time password. This process could be automated by the attacker, so the time limit would rarely be an issue. The replay works against any second factor the user types into the cloned page (a token code, an SMS code); it does not work against factors that are bound to the genuine site's origin, which cannot be entered into a look-alike page at all.

To sum up, phishing attacks work because of the vast number of targets, the less than ideal client-side defenses, and people's willingness to click on more or less anything they are sent.

Spear phishing versus trawling

Trawling
When talking about e-mail based attacks, trawling is certainly the most common. These are the ever so slightly suspicious e-mails that are received on a daily basis and have been sent to millions of people. They are not at all crafted to target an individual and, as such, can easily be identified before the recipient has even finished reading them. That is assuming they make it to the inbox in the first place.

In terms of targeting an organization during an assessment, the principle still stands. A generic e-mail would be sent to all of the corporate addresses that were harvested during the reconnaissance stage. Often this would be down to strict time frames or because the client wanted to test that internal systems and policies were working as intended. The fact remains that while these exercises can offer value to a client, they are more than a little clumsy and will often trigger wide-scale alerts within a business. The content of the e-mail would still be somewhat tailored toward the organization, but would certainly not have the depth of detail that a more targeted approach would.

Spear phishing
Spear phishing is going to employ a more personal approach to the attack. Specific departments or individuals within a business would be targeted to ensure that a suitable response is achieved.

As an example, someone working in a business environment that routinely deals with large volumes of e-mails on a daily basis, such as a recruitment consultant, would be a very good target for a spurious e-mail containing a malicious CV attachment. They are likely to receive e-mails of this nature regularly and as such, assuming the body of the e-mail is well written, are likely to open the attachment. The reconnaissance for this exercise could have been performed exclusively using LinkedIn, as covered in the chapter on Open Source Intelligence. The e-mail does not have to be complicated: simply state that you are looking for employment in the chosen role and ask that your CV be kept on record in the event that a position becomes available.

The attack vector can be far more personal than this, however. During the reconnaissance phase of a past engagement, it was noted that an employee of the target organization had used their corporate e-mail address for a local squash league. The e-mail addresses in question had been discovered using theHarvester, and the team had tracked the address back to its source. The site had a full breakdown of past and upcoming matches to be played, including some that the employee was due to play in.

The attack vector is now straightforward enough. There's not even a need to register a fake domain for the e-mail. By simply posing as one of the upcoming opponents in the league and using a generic Gmail account, an e-mail can be created to target the victim. The e-mail would contain information regarding upcoming matches that have had to be rescheduled at short notice, and provide some helpful links containing details on the new dates. Of course, these links will display the dates when clicked, as this needs to be as realistic as possible, but they will also load a malicious Java applet that compromises the system. Picking the right time for this attack is essential. Obviously, this e-mail needs to be sent within office hours, to increase the chances of compromising a corporate machine. This also reduces the risk of compromising a noncorporate machine, which is definitely not the intention here.

Building a good spear phishing e-mail is extremely reliant on what intelligence has been gathered during the reconnaissance phase. It may be that nothing usable is identified, so that the entire organization has to be trawled. As identified during the Open Source Intelligence section, tracing each corporate e-mail address back to where it was found on the Internet can often open up some avenues of attack, much like the squash example above. Don't forget to check the Facebook Graph Search results here too: "people who work at xyzcorp" is exceptionally useful, and being able to drill down into people's interests may turn up something that can be leveraged at this stage.

Real-world phishing examples

Having discussed what phishing is, and its various forms, it would be extremely useful to provide some real-world examples. There is also a wealth of online resources (http://www.hoax-slayer.com, http://www.antifraudnews.com, http://www.securelist.com/en/, etc.) that readers can use to develop their understanding and appreciation of the threats.

American Express -- drive-by-download
They say a picture paints a thousand words, so take a look at Figure 9.1. This is an example of a recently received e-mail. On the face of it, it doesn't look terrible. In fact to a casual observer, it might appear completely legitimate. The branding looks ok, as does the layout.

Figure 9.1: Drive by phishing e-mail.

This was in fact a drive-by-download phishing scam that was first noted in 2012 and was quite widespread. A drive-by-download is basically the download of malicious software to a target machine without the target's knowledge. Typically these are delivered through malicious links.

The actual recipient of this e-mail does not have, nor has ever had, an American Express card. Clearly it has been crafted to be sent to a lot of potential targets in the hope that a few percent click through one of the hyperlinks within the e-mail. Diving into the links reveals that they all go to the same malicious URL. In this instance, the site was probably hosting malicious Java applets or ActiveX controls which would allow for total compromise of any vulnerable system.

It's always worth having the rollover (hover) functionality enabled in a browser and mail client. This shows the real URL when the pointer is hovered over the link, which is how a mismatch between the text you can see and the destination you would actually be sent to is spotted.
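The hover check scales badly across a mailbox, so here is the same test done programmatically. This is an added example, not code from the book: it parses every anchor in an HTML message, compares the domain the visible text claims with the domain the href really points at, flags bare IP addresses and destinations outside an allow-list of trusted brand domains, and notes when every link in the mail resolves to a single URL, as in the American Express mail above. The sample message, the amex-alerts.example.net domain and the allow-list are all constructed for the example.

```python
"""Flag deceptive hyperlinks in an HTML e-mail body (added example, not from the book).

The sample message below is constructed; amex-alerts.example.net is a placeholder
domain, not real phishing infrastructure.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: three links with different visible text, one real destination.
SAMPLE_MAIL = """<html><body>
<p>Your statement is now available.</p>
<p><a href="http://amex-alerts.example.net/stmt">View your statement</a></p>
<p><a href="http://amex-alerts.example.net/stmt">https://www.americanexpress.com/login</a></p>
<p><a href="http://amex-alerts.example.net/stmt">Privacy statement</a></p>
</body></html>"""

# Visible text that looks like a URL or bare domain is making a claim about the destination.
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_like):
    """Host part of a URL or bare domain; None if there is none."""
    if "://" not in url_like:
        url_like = "http://" + url_like
    return urlsplit(url_like).hostname


def registrable_part(host):
    """Crude 'example.com' from 'www.mail.example.com'. Fine for triage; a real tool
    should consult the Public Suffix List so that 'co.uk' is handled properly."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def analyse_links(html_body, trusted_domains):
    """Return a list of (href, reason) findings for suspicious anchors."""
    parser = AnchorCollector()
    parser.feed(html_body)
    findings = []
    destinations = set()
    for href, text in parser.links:
        if href.lower().startswith(("mailto:", "javascript:", "#")):
            continue  # not web destinations; out of scope for this check
        dest_host = host_of(href)
        if not dest_host:
            continue
        destinations.add(href)
        try:
            ipaddress.ip_address(dest_host)
            findings.append((href, "destination is a bare IP address"))
            continue
        except ValueError:
            pass
        dest_dom = registrable_part(dest_host)
        if dest_dom not in trusted_domains:
            findings.append((href, f"destination domain {dest_dom} is not trusted"))
        if LOOKS_LIKE_URL.match(text):
            shown_dom = registrable_part(host_of(text))
            if shown_dom != dest_dom:
                findings.append((href, f"text shows {shown_dom} but link goes to {dest_dom}"))
    if len(parser.links) > 1 and len(destinations) == 1:
        findings.append((destinations.pop(), "every link in the mail goes to the same URL"))
    return findings


if __name__ == "__main__":
    for href, reason in analyse_links(SAMPLE_MAIL, {"americanexpress.com"}):
        print(f"{reason}: {href}")
```

Run it and the sample mail produces five findings: each of the three links leaves the trusted domain, the second one's visible text claims americanexpress.com while pointing at example.net, and all three share one destination. A mail whose links really do go to the brand's own domain produces none.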

Dr. Atanasoff Gavin -- advance fee fraud
This is a classic example of advance fee fraud, and for a change is actually reasonably well written. That doesn't make the story any more believable, of course. Advance fee fraud (otherwise known as the 419 scam or Nigerian scam) is basically the process of enticing a victim to spend a little, with the promise of a big payout down the road. These scams are as old as the hills, dating back at least to the nineteenth century and the "Spanish Prisoner" con. Further information regarding this type of scam can be found at http://www.hoax-slayer.com/nigerian-scams.html (Figure 9.2).


There are a multitude of angles on this con, but most involve some sort of misplaced inheritance, or at the very least a rich individual in peril. Of course, of the 2.3 billion people currently using the Internet, the target might be the only person who can save them.

Figure 9.2: Advance fee fraud e-mail.

Let's not kid ourselves, these e-mails are entirely unbelievable, but somebody, somewhere must be falling for them. Why else would they exist? As has already been pointed out, the scam is at least well written. This is not something that is common among phishing e-mails. This is likely down to the fact that the hotspots for this kind of activity usually don't speak English as a first language.

Apple ID scam -- credential harvesting
This is actually a genuinely well-crafted phish. The premise is that an e-mail is received requesting that an Apple ID be verified by logging in at the link provided. Clicking through to the link, you are presented with a very professional looking replica of the Apple ID login page. All of the other hyperlinks on the page go back to legitimate Apple pages, other than the "Forgot Password" and "Create Account" links. These links instead go back to the attacker's site, which actually presents a 404 error page. The scammers clearly haven't quite worked out the kinks as yet (Figure 9.3).

The first giveaway is that Apple would never send an e-mail, requesting the verification of login details. The second indicator is the URL, which is not related to Apple at all. Have a look at Figure 9.4 to see how well-crafted these scams can be.

Figure 9.3: Apple ID scam.

Clearly, it is difficult to tell this apart from the real thing. Lately, Apple ID phishing scams are on the increase. This is likely due to most of them being linked to a credit card for quick purchases on iPhone and iPad. The creation of clones, similar to this one, is covered later in the chapter. Anyone not having created one before will be shocked just how point-and-click the whole process is and how this will be up and running in seconds!

Nobody falls for this one. Nobody. Ever.
This is about as low rent as it gets. Even the spam filter caught this one. Consequently, this example has only been included, so as to demonstrate the contrast between the Apple example and this poor excuse for a scam.

Figure 9.4: Low rent e-mail scam.

Yep, ccunit@zhot.net. Seems legit. Did anyone really ever fall for it? They have to be in circulation for a reason. Maybe it was for entertainment purposes only? In fact it was very tempting to personally respond, in the name of science. Especially having read the following content:

DO REPLY THIS MAIL SO I CAN GUIDE YOU ON HOW TO GET YOUR AMOUNT.

Clearly, enough time has been spent discussing this example; in fact, there's been probably more time spent discussing it than the scammer actually spent creating it.

Active e-mail reconnaissance
Although the reconnaissance phase of our social engineering engagement has already been extensively covered, there is still always room to probe for further information. To put it in its simplest terms, e-mails are going to be sent to the target organization, and the responses can form the basis of further attacks.

This is most definitely a more intrusive method of gathering information, which also means it is riskier. What this also means is that with the risk comes potentially greater reward. Little nuggets of information can be discovered that can be incredibly useful to any ongoing e-mail attack and to an engagement in general.

Even the seemingly innocuous pieces of information can provide an attacker with a wealth of resources. As an example, almost everybody in the business world uses automated e-mail out-of-office replies, but should this be the case? Does this open the door to potential breaches? Read on to find out.

Nondelivery reports
Here the subject of nondelivery reports (NDRs) is briefly touched upon, as they can often contain at least a little information about an organization's estate, especially if it hosts its own mail server.

The process is fairly straightforward and is certainly worth the five seconds it takes to perform. Simply send an e-mail to an address at the target organization that is known not to exist. That's all there is to it.

Seconds later, an NDR is returned. What is of interest here is the Received chain in the headers, along with fields such as X-Received and X-Originating-IP. These fields can sometimes include internal IP address space, which can always be useful to an attacker in the right place! Note that the lines shown below are the ones a Gmail account stamps on the outgoing message (the 10.x addresses belong to Google's own infrastructure, and "with HTTP" marks a webmail submission); in a real bounce, it is the Received lines added by the target's own relays that give away the target's address space.

MIME-Version: 1.0
X-Received: by 10.68.254.42 with SMTP id af10mr2443747pbd.154.1378061024083;
        Sun, 01 Sep 2013 11:43:44 -0700 (PDT)
Received: by 10.70.28.225 with HTTP; Sun, 1 Sep 2013 11:43:44 -0700 (PDT)
Date: Sun, 1 Sep 2013 19:43:44 +0100

This is certainly worth the small outlay if a part of an assessment requires a plug-in and hack, once the organization's HQ has been physically breached. At least some of the internal IP address space will be known.
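Reading Received chains by eye gets tedious across several bounces, so the following Python does it for you. It is an added example, not code from the book: it walks the "from HOST (comment)" and "by HOST (comment)" clauses of every Received header plus X-Originating-IP, keeps only RFC 1918 addresses, records which relay claimed each one, and collapses the hits into candidate /24s. The bounce is constructed: example.com plays the target, 192.0.2.10 (a documentation range) stands in for its public MX, and the 10.20.x.x addresses stand in for its internal Exchange relays.

```python
"""Harvest internal address space from a nondelivery report (added example, not from
the book). The bounce below is constructed: example.com plays the target, 192.0.2.10
(a documentation range) its public MX, and 10.20.0.0/16 its internal relays.
"""
import email
import ipaddress
import re
from email import policy

SAMPLE_NDR = """\
Received: from mx1.example.com (mx1.example.com [192.0.2.10])
\tby mail.example.net with ESMTP id abc123; Sun, 1 Sep 2013 11:43:44 -0700
Received: from EXCH01.corp.example.com (10.20.1.15) by mx1.example.com (10.20.0.5)
\twith Microsoft SMTP Server id 14.3.123.3; Sun, 1 Sep 2013 19:43:40 +0100
X-Originating-IP: [10.20.1.15]
From: postmaster@example.com
To: sender@example.net
Subject: Undeliverable: Work experience placement
Content-Type: text/plain

Delivery has failed to these recipients or groups:
nobody@example.com
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# 'from HOST (comment)' and 'by HOST (comment)' clauses of a Received header.
CLAUSE = re.compile(r"\b(from|by)\s+([\w.-]+)(?:\s*\(([^)]*)\))?", re.I)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip_str):
    """True only for the three private ranges; documentation and test ranges are excluded."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in RFC1918)


def internal_addresses(raw_message):
    """Return sorted (role, host, ip) tuples for every private address found in
    Received and X-Originating-IP headers. role is 'from', 'by' or
    'x-originating-ip'; host is the name the relay gave for itself."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = set()
    for value in msg.get_all("Received", []):
        value = " ".join(str(value).split())  # unfold continuation lines
        for role, host, comment in CLAUSE.findall(value):
            for ip_str in IPV4.findall(comment):
                if is_rfc1918(ip_str):
                    hits.add((role.lower(), host, ip_str))
    for value in msg.get_all("X-Originating-IP", []):
        for ip_str in IPV4.findall(str(value)):
            if is_rfc1918(ip_str):
                hits.add(("x-originating-ip", "", ip_str))
    return sorted(hits)


def internal_networks(raw_message):
    """Collapse the hits into /24s: a reasonable first guess at the subnets in use."""
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False)
            for _, _, ip in internal_addresses(raw_message)}
    return sorted(str(n) for n in nets)


if __name__ == "__main__":
    for role, host, ip in internal_addresses(SAMPLE_NDR):
        print(f"{role:17} {host:28} {ip}")
    print("candidate subnets:", ", ".join(internal_networks(SAMPLE_NDR)))
```

Against the sample bounce it reports 10.20.1.15 (claimed by EXCH01.corp.example.com, and repeated in X-Originating-IP) and 10.20.0.5 (the internal face of mx1.example.com), and ignores the public 192.0.2.10. The /24 guesses are just that: a later plug-in will show how the space is really carved up.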

Out-of-office responses
A great many businesses encourage their personnel to use them, but what information is disclosed through their use? Are people opening themselves up to attack by including too much information? In most cases, the answer is a resounding yes. People are opening themselves up by giving away seemingly harmless pieces of information.

Out-of-office responses are an absolute gold mine of intelligence during an engagement, even when not performing a direct e-mail attack.

What can be found and how can this be used?

First of all, it provides confirmation that the account exists and that somebody is using it. This is probably the first point during the engagement that this can be verified. It also confirms the corporate naming convention for e-mail addresses. This of course means that any e-mail lists can be adapted based upon a best-guess.

It is also common to include "who to contact in my absence" information within the out-of-office response, which at the very least provides more confirmed contacts for the rest of the engagement. This could be used when calling in, along with a name-drop of the absent employee. As an example, "Hey, I was speaking with Tom last week, he said he would be away on leave this week, but mentioned it was ok for me to drop in and work from his desk. Can I ask for you when I get to reception?" Or if it is felt that this may be a little risky, "He said he had arranged a meeting room/hot-desk for me, can you tell me who I need to speak with when I arrive?" Again, this builds plausibility by not only knowing the name of an employee, but also that they will be away at the time of the call. A common belief is that the target will immediately link this intelligence to the out-of-office response, but, in truth, most people just don't think twice about it.


The next, and probably most useful, piece of information in the response will be the signature. The signature is filled with juicy morsels such as direct dial phone numbers and mobile phone numbers, and let's not forget the signature block itself. The entire signature can be copied and reused when communicating with other members of staff at the target organization, sent from a domain registered to look like the target's. It is surprising how effective this can be! This will be looked at in greater detail later in the chapter.

What else would we expect to see in the response? An obvious and common thing to include is the date that the office was left and the expected return. This can be incredibly useful during the physical portion of testing, especially where there may be little else to go on. There are a couple of reasonable options when approaching this scenario.
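Everything the last few paragraphs pull out of an auto-reply by hand (confirmation of the address and its naming convention, the stand-in contacts, the dates away, the phone numbers in the signature) can be extracted mechanically once a campaign produces dozens of them. The following Python is an added example, not code from the book: it parses a constructed reply, works out which local-part pattern turns the sender's display name into their address, and applies that pattern to guess a colleague's address. Tom Harding, Sarah Cole, the numbers and example.com are placeholders; the phone pattern assumes UK-style 11-digit numbers and the date logic assumes the two dates in the text are the start and end of the absence.

```python
"""Pull the useful fields out of an out-of-office reply (added example, not from the
book). The reply below is constructed: the names, numbers and example.com are placeholders.
"""
import re
from datetime import date

SAMPLE_REPLY = """\
From: Tom Harding <tom.harding@example.com>
Subject: Automatic reply: Work experience placement

I am out of the office from 2 September 2013 and will return on 9 September 2013.
For urgent matters please contact Sarah Cole (sarah.cole@example.com) or
call the service desk on 01234 567890.

Tom Harding
Head of Marketing | Example Ltd
DDI: 01234 567123  Mob: 07700 900123
"""

MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
DATE = re.compile(r"\b(\d{1,2})\s+(" + "|".join(MONTHS) + r")\s+(\d{4})\b", re.I)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE = re.compile(r"\b0\d{4}\s?\d{6}\b")  # UK 11-digit numbers; adjust per country
FROM = re.compile(r"^From:\s*(.*?)\s*<([^>]+)>", re.M)

# Local-part patterns to test against a known name/address pair.
CONVENTIONS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "first.l": lambda f, l: f"{f}.{l[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
    "first": lambda f, l: f,
}


def split_name(full_name):
    parts = full_name.lower().split()
    return parts[0], parts[-1]


def infer_convention(display_name, address):
    """Which CONVENTIONS pattern turns display_name into the local part of address?"""
    first, last = split_name(display_name)
    local = address.split("@", 1)[0].lower()
    for name, make in CONVENTIONS.items():
        if make(first, last) == local:
            return name
    return None


def apply_convention(convention, full_name, domain):
    """Best-guess address for another employee once the convention is known."""
    first, last = split_name(full_name)
    return f"{CONVENTIONS[convention](first, last)}@{domain}"


def parse_auto_reply(text):
    """Return sender, inferred naming convention, absence dates, other contacts and phones."""
    m = FROM.search(text)
    sender_name, sender_addr = (m.group(1), m.group(2).lower()) if m else ("", "")
    dates = sorted(date(int(y), MONTHS.index(mon.lower()) + 1, int(d))
                   for d, mon, y in DATE.findall(text))
    contacts = []
    for addr in EMAIL.findall(text):
        addr = addr.lower()
        if addr != sender_addr and addr not in contacts:
            contacts.append(addr)
    phones = []
    for num in PHONE.findall(text):
        if num not in phones:
            phones.append(num)
    return {
        "sender_name": sender_name,
        "sender_email": sender_addr,
        "convention": infer_convention(sender_name, sender_addr) if m else None,
        "away_from": dates[0] if dates else None,  # assumes the dates form a range
        "back_on": dates[-1] if dates else None,
        "contacts": contacts,
        "phones": phones,
    }


if __name__ == "__main__":
    info = parse_auto_reply(SAMPLE_REPLY)
    for key, value in info.items():
        print(f"{key:13} {value}")
    print("guess for Sarah Cole:", apply_convention(info["convention"], "Sarah Cole", "example.com"))
```

For the sample it confirms the first.last convention, the stand-in contact, three phone numbers and an absence from 2 to 9 September 2013; the same convention then turns any name found on LinkedIn into a plausible address for the next round.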

The nonexistent meeting
The first option is to turn up to a meeting with the individual who is away. However, this is strongly linked with the ability of the engineer to be at ease with playing dumb and acting surprised when the receptionist discovers that the target is away. At this point, it is common to think that it's game over and to walk away, but if played right, the receptionist's sense of guilt can be exploited further, such as "we have come such a long way to meet him, and were assured that he would be available, are you certain he won't be back today?" At this point, the reception staff could be encouraged to double-check, at all times projecting an attitude of courtesy and professionalism, although reacting impatiently can often pressure an individual into a positive response. Once the target's absence is confirmed, the receptionist could be asked if there is a quiet area where some private calls could be made to confirm what is going on, maybe a meeting room? With luck, this may end up with a way into the building, but in the worst case, the engineer can walk away clean without having raised any suspicions. An alternative to the meeting room is to ask if the site has a canteen, so as to grab a bite to eat and a drink before hitting the road again. This is, of course, more useful if it has been previously established that the canteen area is beyond the physical security controls. On past engagements, it has been known for the social engineers to have been given passes and to be waved toward a door that led to the canteen area. On the way to the canteen was a row of meeting rooms, each with active patch ports in. It's not hard to guess what happened next!

Impersonating the absent staff member
This one can be trickier to pull off but has worked for us on multiple occasions. The premise is simple: you call into a contact, preferably reception, pretending to be the absent staff member. You explain that you are away on leave but forgot that you had some contractors coming in to carry out some vital maintenance work on your behalf, and that there is now nobody to meet them. You then ask what the protocol is for arranging passes so that the contractors can carry out the work in such a situation. Additionally, this could be supported by trying to book a meeting room at this point so that the contractors have a place to work from. This is a surprisingly effective, yet simple, method for gaining unauthorized access to the premises. Frequently, it is found that if the consultant can act flustered and imply that they have really dropped the ball on this, there is a better chance of eliciting sympathy from the target. You could even think about turning up the sympathy by dropping in some information about how expensive it had been to arrange the work, and that you really want to avoid your boss finding out that you had made such a rudimentary mistake. This would have two effects for your engagement. First of all, you are adding a little pressure by name dropping a person in authority. Second, the receptionist is less likely to tell anybody internally what is going on. When this scheme comes off, it is a really nice, clean way in and out. The critical part is being able to pull off the face-to-face side of things with reasonable style. However, having already arranged for passes over the phone, the face-to-face side could not be easier. It's the same as having real belief in your pretext, which also makes turning up that bit easier: there must be a strong belief that there's a legitimate reason for being there.

Creating plausible e-mail scenarios
So now that we have seen how much useful information we can acquire with these techniques, how are we going to avoid getting busted when sending the e-mails? We will need scenarios that are generic enough to fly under the radar in terms of suspicion, yet specific enough to get responses from people.

In this section I will present some usable examples that we have had success with in the past.

Remember, you are not necessarily going to need to play this pretext out; you are just looking for responses from employees or the out-of-office message. Don't overthink it, just come up with scenarios under which you have been contacted in an unsolicited nature and shape it into your own.

That is not to say that you cannot turn the initial reconnaissance into an attack. It just depends on the type of responses you get. If you feel that you can build rapport with someone or that you may have found an easy mark, go for it.

If you send the e-mail to a lot of individuals, ensure you blind copy all targets into the e-mail. A mail coming into a hundred internal contacts at once is always going to raise a red flag at your target organization.

Work experience placements
This is one of the most straightforward ploys and can usually be sent to any number of e-mail addresses within the business. Just ensure that each target is in the BCC field as opposed to the recipient field. Try to split the list of e-mail targets up into groups to try and avoid burning every bridge, with a single attempt.

The idea is simple: set up a fake mail account with the provider of choice, for instance Gmail. Consider setting up the account with a female name, to exploit the fact that the IT industry is perceived to be a male-dominated environment and, as a result, people are less on guard than they would be if the sender were male. This can be tailored to match a specific target if more is known about them.

Therefore, consider sending an e-mail that may look something like this:

Good morning,
I am currently seeking a work experience placement as a part of my University degree. I was searching for local businesses, and noticed that your organisation is very prominent in my chosen field of Marketing. Could you let me know if you are taking on work placements, or if you will be looking to do so in the future? Any assistance you can provide relating to this would be gratefully received.
Best regards, Joanne

Avoid overcomplicating or overthinking the approach. No need to kill it with a wall of text, which is more likely to hit the recycle bin the second the target sees it. Now, it's just a case of kicking back and waiting for the responses.

Typically, it is expected that a handful of out-of-office replies will come back, and their usefulness has already been covered. It is almost inevitable that there will be a response from somebody with more information, or stating that the e-mail will be forwarded on to the relevant department. Occasionally, this reply may have the relevant department copied in, providing another valid target.

Weaponizing the scenario
Weaponizing this approach is fairly straightforward, but relies on responses from people within the organization that you can build rapport with. If you can keep a conversation going across several e-mails, the target is going to let their guard down in its entirety. Don't underestimate the sense of thinking that you know somebody that you communicate with electronically. That is the age which we live in!

At this point the realistic way to go would be to attach your CV, or a link to your web site that has examples of your work. Of course, the CV will have a payload embedded within it, and the portfolio would deliver a malicious Java applet. I would say that given the current state of play, the link to a web site has got more chance of evading security systems.

The college project
This is another nice simple approach, and it works in much the same way as the "Work Experience Placement." The idea is to claim to be working on a school or college project relating to the target business, and to enquire whether there is anyone within the business who is in a position to help. It usually helps to pick an educational establishment in the area, which the business may well have had contact with before.

Good afternoon,
I am currently studying at XYZ college, and I'm working on a project relating to the use of advertising within the field of Aerospace. A friend of mine noted that you were based in the region, and are well regarded in the industry. I was wondering if you would be able to give me some pointers or provide the details of somebody who would be able to help? I'm a little behind on the project so any help would be very much appreciated.
Warm regards, Rob Smith

Again, it's just a simple e-mail, the sort of thing that businesses are likely to receive on a reasonably regular basis. Impersonating a student provides reassurances, and the fact that nothing is out of place within the e-mail provides a guaranteed clean exit, if needed.

Weaponizing the scenario
Given that help and critique is being sought with a project, this scenario lends itself well to including a link to the work, which of course could be malicious in nature. Better yet, if there is a member of the social engineering team who is young enough to pull it off, why not see if a face-to-face meeting can be arranged, with somebody within the business. Turning up and having an escort, passes and a reason to be there is as good as it gets. A really basic web site could be fleshed out in very little time, in order to add credibility. Additionally, consider having some questions ready to ask that may reveal information about internal systems.

For example, one of the questions could be:

How do you monitor what competitors are doing with regards to Advertising, and how do you stay ahead?

If they answer that they use the Internet to research their chosen field, then without realizing, they have provided much needed information about them having outbound Internet access. This could come in useful for payload deployments later. Obviously, given that a face-to-face visit had been arranged, the original link will not have been malicious, so as to avoid the risk of getting busted. It could have been a clean site that logs all access, so that the level of web access can be understood, as well as the types of browser they are using.

Another interesting idea for a nonmalicious web site is to include a few links to other pages that actually exist on different ports, for example TCP/22 for SSH. If the link works for the target, traffic can be tunnelled out of the network on that port.
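From the defender's side, the port-22 link above is the kind of probe a web proxy log records plainly: a browser asking the proxy for a destination on a port other than 80 or 443. The following Python example is added here and is not code from the book or its authors; it parses Squid-style access log lines that are constructed for this illustration (the host names, client addresses and timestamps are made up) and flags every request whose destination port falls outside the set the proxy is expected to serve, recording whether the proxy actually let the request out.

```python
"""Flag browser egress to non-standard TCP ports in proxy logs.

Constructed example: Squid-style access.log lines (native format). The
host names, addresses and timestamps are invented for this illustration.
"""
from urllib.parse import urlsplit

# Ports a web proxy is normally expected to serve for browsers.
ALLOWED_PORTS = {80, 443}

# Constructed sample log lines (not real traffic). Fields, in order:
# timestamp elapsed client action/status size method url ident hierarchy type
SAMPLE_LOG = """\
1418000001.123 245 10.1.2.15 TCP_TUNNEL/200 4021 CONNECT portfolio.example:22 - HIER_DIRECT/203.0.113.10 -
1418000002.456 120 10.1.2.15 TCP_MISS/200 5120 GET http://portfolio.example/ - HIER_DIRECT/203.0.113.10 text/html
1418000003.789 80 10.1.2.22 TCP_MISS/200 3000 GET http://portfolio.example:8443/about - HIER_DIRECT/203.0.113.10 text/html
1418000004.000 60 10.1.2.31 TCP_DENIED/403 0 GET http://portfolio.example:22/ssh - HIER_NONE/- text/html
1418000005.250 90 10.1.2.15 TCP_MISS/200 2200 GET https://www.example.org/news - HIER_DIRECT/198.51.100.7 text/html
"""


def target_port(method, url):
    """Return (host, port) for a proxy request; the port defaults by scheme."""
    if method == "CONNECT":
        # CONNECT requests carry a bare host:port authority, not a URL.
        host, _, port = url.rpartition(":")
        return host, int(port)
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port


def parse_line(line):
    """Split one native-format line into the fields the check needs."""
    fields = line.split()
    if len(fields) < 7:
        return None
    status = fields[3].split("/")[-1]  # e.g. TCP_MISS/200 -> "200"
    host, port = target_port(fields[5], fields[6])
    return {"ts": fields[0], "client": fields[2], "status": status,
            "method": fields[5], "host": host, "port": port}


def find_nonstandard_egress(log_text, allowed=ALLOWED_PORTS):
    """Return requests whose destination port is outside the allowed set.

    Each finding records whether the proxy let the request out (a 2xx
    status) so an analyst can tell a successful egress probe from one
    the policy blocked; both are worth knowing about.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["port"] in allowed:
            continue
        rec["allowed_out"] = rec["status"].startswith("2")
        findings.append(rec)
    return findings


if __name__ == "__main__":
    for f in find_nonstandard_egress(SAMPLE_LOG):
        verdict = "ALLOWED" if f["allowed_out"] else "blocked"
        print(f"{f['ts']} {f['client']} {f['method']} "
              f"{f['host']}:{f['port']} -> {verdict}")
```

On the constructed sample the check reports three requests: the CONNECT to port 22 and the GET to port 8443, both of which the proxy allowed, and the GET to port 22 that it denied. A proxy policy that only permits CONNECT to 443 and plain HTTP to 80 turns the first two into denials as well, and the denied entries are then the signal that somebody tested the edge.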

So, having covered a couple of examples, and how you would use them in an actual engagement, let's round up the section with a few more examples for you to build on. I won't devise an example e-mail; I'll let you think up a scenario for that.

The recruitment consultant
Again, the key here as always is that unsolicited e-mail from recruitment consultants is commonplace; therefore, this is not going to raise alarms.

The premise is that there are several candidates, in varying roles, that need to be placed, and that some of them would be ideal for roles available within the business. Flesh the e-mail out with some details on the candidates and their skill sets and make it look plausible.

Again, there's likely to be out-of-office replies, NDRs, and genuine responses. Hopefully, within the genuine responses will be somebody willing to deal with the e-mail or at the least provide the details of somebody who will. The CV, containing the embedded payload, can then be introduced.

Salesperson
This would be a good scenario for getting information about internal systems. For example, if the mission was to ascertain whether the target organization used Cisco switches, e-mail under the pretext of being a hardware vendor with some good deals on Cisco switches. They may inadvertently reveal that they already have a preferred supplier for Cisco gear -- result! From here, a rapport can be developed over the course of several e-mails, gradually gleaning more information, which may even lead up to a call into the target. This scenario can be applied to any technology to get information about the infrastructure. For the kinds of tech that are in plain sight for end users, such as antivirus, responses may even come from the end users themselves. Remember, any direct responses received are a bonus. This is purely looking for the NDRs, signatures, and out-of-office replies that can be used in further attacks.

These kinds of e-mails, when crafted with a little time and effort, can yield great results for an assessment.

About the authors:
Gavin Watson is the Professional Services Manager at RandomStorm and is responsible for devising and also delivering innovative testing services offered to clients, including the full range of penetration testing and social engineering engagements. Gavin has worked in IT for many years, focusing for the past five years on delivering internal and external penetration tests and social engineering engagements for multiple clients across all verticals.

Andrew Mason is the co-founder and Technical Director at RandomStorm and is responsible for the formulation and execution of strategy for the technical department within RandomStorm. Andrew has over 20 years' experience in IT, with recent years focused on Internet security, offering board-level consultancy to numerous enterprise customers within disparate geographical regions. Andrew has authored several infosec titles for McGraw Hill and Cisco Press. His most recent publications have been focused on firewalls and threat mitigation from common vulnerabilities. Andrew has also contributed to several books on networking topics as well as writing numerous articles for online and print trade journals and newspapers including the Sunday Times. Based in the UK, RandomStorm is a global infosec services consultancy providing turnkey solutions to organizations of any size. RandomStorm has offices in the UK, US, Canada, Jordan and UAE.

Richard Ackroyd is a Senior Security Engineer for RandomStorm and is involved in conducting penetration testing and social engineering assessments for clients across all verticals.

This was last published in December 2014