Companies will spend thousands of dollars on advanced email security products. Security engineers and IT admins may spend countless hours configuring spam filtering policies, tuning their whitelisting/blacklisting controls, and may even go through advanced training to learn the ins and outs of premium services that guarantee to block every malicious email from the beginning of time! These security controls are great, and oftentimes effective, but they’re still not resolving the single core reason why phishing attacks are so damn successful — the people. So why do we continue to treat this problem with a band-aid fix?
Every Social Engineer’s Go-To: Phishing
We were recently on a social engineering engagement that started out rough. We were completely blackbox, meaning we were not provided any information about the client other than their domain. We had no phone numbers, no email addresses, and didn’t even know the email scheme used by the company. During the OSINT phase, we were able to identify a handful of email addresses from some public data breaches, but none of the credentials were still valid. Next, we turned to LinkedIn to identify the names of some employees. Finally armed with the email address scheme along with employee names, we started crafting our first phishing campaign.
Fast forward a couple of hours, and we now had a custom domain name that closely resembled the target's, a company-branded landing page, and a convincing pretext that was certain to yield some results! We got everything set up and launched the campaign, eagerly waiting for a flood of credentials to come our way, but... they never came. In fact, our emails never even got opened, and no links were ever clicked. Half of our messages even returned a bounce error stating that the recipient was not allowed to receive external email communication. It seems all of the time and money the target invested in their email security posture worked out for them after all! We had been thwarted!
If You Can’t Beat Them, Join Them
But instead of packing our bags and heading home, we decided to lace up our boots and hit the ground. A couple of fake badges, a hardhat or two, and some shiny reflective vests later, we were now certified construction workers who desperately needed to survey the inside of the target’s building and ensure their network runs were secure (yeah, I know, it sounded funny to us too). While we only expected this disguise to get us close to the building, we were shocked to find that not only did security let us in, but we were practically given unattended access to any part of the building we desired.
We took this opportunity to snap as many photos as we could and see what we could access. Three hours later, we decided to head back to our hotel and look through the treasure trove. While most of my photos turned out blurry — I really need to learn how to walk and take pictures better — we did manage to capture a single sticky note on a monitor that had some juicy email credentials waiting for us.
Great! We’ve got an email account! But phishing didn’t work last time... How can we use this to our benefit? Luckily, these construction workers know how to use PowerShell and were able to export the entire address book for the company (more to come on this, so make sure to follow the blog). Wouldn’t it be a shame if this address book included phone numbers and extensions?
Introducing Our Hero: Vishing
From zero information, a single sticky note was all it took to give us access to every employee name, title, location, phone, extension, and email address. Where our problem originally was finding the information, now we had to deal with sorting through a list of over 7,000 contacts and choosing who to call.
Phone list in hand, we spun up our call spoofing software and started war dialing. A simple pretext (the same one we attempted in our phishing campaign actually) and an hour later, we had over a dozen active sessions to employee mailboxes, and yes, they were using MFA. I guess people don’t know you’re supposed to keep the MFA code secret?
I hope that this story resonates with you. Is this an extreme example of what you could expect to see in a social engineering engagement? Unfortunately, it’s actually not. In fact, we were very impressed to see how seriously the company took their email security protections, as it caused us to rethink our approach. What this story does show, however, is that your technical controls are only a single piece of your security posture and should not be considered your entire preventative plan. People should never have let us through the gate, inside the building, and in front of computer screens. Furthermore, people should never have been willing to give us their password on the phone and/or go to a link we provided. Until your people change, your company will forever be at risk.