Spear Social Engineering PDF

Summary

This presentation discusses spear social engineering techniques, including methods like spear phishing and the creation of phishing websites. It details how to choose a domain name, build a story, and implement the necessary back-end functionalities. The presentation covers several tactics like client-side exploits and custom Trojan backdoors, offering examples for delivering the Trojan software. It emphasizes the importance of reconnaissance and crafting the presentation with a focus on the target audience.

Full Transcript

Spear Social Engineering PART 2

Spear-Phishing Methods
- When it comes to spear phishing, you might immediately think this involves sending an e-mail with a malicious attachment or a link to a malicious website.
- E-mail spear phishing is one of the most effective weapons, but not the only method.
- We can use any number of methods to spear phish an individual.

Spear-Phishing Methods
- Some of the spear-phishing methods available:
  - E-mail
  - Snail mail
  - Phone calls
  - Text messaging
  - Instant messaging (Twitter, Facebook)
  - Watering hole websites
  - Malicious websites
  - CB radio
  - Walkie-talkie
  - Post-It notes
  - Carrier pigeon

Spear-Phishing Methods
- It sounds strange that we mention walkie-talkies, Post-It notes, or carrier pigeons as methods.
- There are companies that use them for internal communications.
- Keep your eye and mind open for potential phishing.
- Such internal communication could be part of the vulnerability we need, because these channels are trusted for internal use.

Spear-Phishing Goal
- The ultimate goal is:
  - To compromise our target individual's computer
  - To obtain the user's credentials to an important application (e.g., a banking log-on or portal log-on)
- There are three main methods of exploitation to meet this ultimate goal:
  - A phishing website to grab credentials
  - Client-side exploits
  - Custom Trojan backdoor

Technical Spear-Phishing Exploitation Tactics
- Several tactics can apply to any chosen exploitation method.
- You do not want to social-engineer many people at once, or to do it quickly.
- You only social engineer your target user.
- Do it in a way that they are not made aware of the attack afterward.
- One method for successful spear phishing is to have more interaction with the target user to build trust.
- This interaction is done under a guise (a fake persona).

Technical Spear-Phishing Exploitation Tactics
- This interaction is an extension of the reconnaissance phase.
- This is the best method for collecting information on the target.
- Collect as much information as possible on both technical and non-technical capabilities.

Building the Story
- The correct story builds rapport, which is important to get the target to:
  - Interact with your phishing website
  - Install the software you send
- Do not get tied down by convention. Think outside the box.
- You must answer one question: "What story is most likely to elicit the response I need from this specific user?"

Building the Story
- Examples of stories that work well in many contexts include:
  - You work with a partner organization, sister company, or parent company.
  - You are a salesperson for an internal organization and would like to offer a free trial of your software.
  - You think they would be interested in joining your group with a common interest or hobby.
  - Your company would like feedback on some trial software for the target user's industry and is willing to pay for the feedback.

Phishing Website Tactics
- The traditional approach to using a website as part of a spear-phishing attack involves:
  - Copying an existing website
  - Directing the target to the fraudulent site
  - The site looks exactly like the legitimate website (complete with legitimacy triggers)
  - The site collects the credentials the user enters
- This approach is powerful, but only one of the methods.
- There are many tools available to automate copying a website.
- You can use the Social Engineering Toolkit's Site Cloner, which:
  - Automatically copies an existing website
  - Can be configured to harvest credentials

Phishing Website Tactics
- When copying a website, dependent files are sometimes missed.
- Examples of missing files are CSS (Cascading Style Sheet) or JavaScript files.
- You will have to check the included files if you use a copied website for phishing.
- Test to make sure it looks and functions correctly.
- Do not make the mistake of having a perfectly executed attack where the website does not render correctly when the user attempts to view it.

Website: Look and Feel
- This is very relevant.
- Remember to incorporate the art of social omniscience when you create your phishing website.
- Make sure it looks exactly as the user expects, so as not to alert the user.
- Keep everything looking as familiar as possible, right down to the font.

Website: Domain Name Options
- An important piece of phishing is choosing a domain name that does not raise any suspicion from your target.
- You can create an entirely new company as your story, but if you are claiming an existing company there are a few options.
- You can register a domain name that is a subtle misspelling of the target domain name.
- If the website we are copying is Softwarex.com, you can register S0ftwarex.com (with the second letter being a zero). Many times, you can replace the letter I with the letter L or vice versa.
- The second option (and the one I typically favor) is to register a domain that includes the actual domain name and makes it seem like a secondary domain.

Website: Domain Name Options
- For example, if the target organization has the domain weaktarget.com, we can register some of the following domains:
  - Portal-weaktarget.com
  - Benefit-weaktarget.com
  - Login-weaktarget.com
  - www-weaktarget.com
- This also works because many end users don't understand how the Domain Name System (DNS) works.

Website: Domain Name Options
- As a third option, you can reverse the system slightly. For example:
  - Weaktarget.com.myportal.com
  - Weaktarget.com.benefitsacess.com
  - Weaktarget.com.notevil.com
- By registering our own domain name, we can obtain:
  - A completely valid Secure Sockets Layer (SSL) certificate for our website
  - Any e-mail address you need, and be less likely to be picked up as spam based on source IP or source address
- The e-mail message still needs to pass spam filters, but that should be much less of a concern as this is a targeted e-mail to one user.
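The three domain-name patterns described above (confusable-character misspellings such as S0ftwarex.com, a hyphenated prefix on the real name such as login-weaktarget.com, and the real domain nested under a foreign zone such as weaktarget.com.myportal.com) are exactly what a brand-protection or mail-gateway check can flag. The detector below is an added example written for this page, not code from the presentation; it assumes a simple two-label public suffix rule and runs over a constructed sample feed of observed domains.

```python
from typing import Dict, Iterable, Optional, Tuple

# Confusable characters the slides mention (0 for o, l/I swaps) plus a few common
# digit-for-letter swaps, each mapped to one canonical letter for comparison.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "3": "e", "5": "s"})

def canonical(label: str) -> str:
    """Lower-case a DNS label and collapse confusable characters."""
    return label.lower().translate(CONFUSABLES)

def split_registrable(domain: str) -> Tuple[str, str]:
    """Split 'a.b.example.com' into ('example.com', 'a.b').
    Assumption: a two-label suffix rule; real tooling should consult the
    Public Suffix List so that zones such as example.co.uk are handled."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def classify(candidate: str, target: str) -> Optional[str]:
    """Name the look-alike pattern `candidate` uses against `target`, or None."""
    t_reg, _ = split_registrable(target)
    c_reg, c_sub = split_registrable(candidate)
    if "." not in c_reg or c_reg == t_reg:
        return None  # the genuine domain, or a genuine subdomain of it
    t_name, t_tld = t_reg.split(".", 1)
    c_name, c_tld = c_reg.split(".", 1)
    # Pattern 1: same TLD, spelling differs only by confusables (s0ftwarex.com).
    if c_tld == t_tld and canonical(c_name) == canonical(t_name):
        return "homoglyph"
    # Pattern 2: brand is one hyphen-separated piece of the label (login-weaktarget.com).
    if c_tld == t_tld and canonical(t_name) in map(canonical, c_name.split("-")):
        return "hyphen-prefix"
    # Pattern 3: the real domain, or its brand label, sits under a foreign zone
    # (weaktarget.com.myportal.com).
    if c_sub and (f".{t_reg}." in f".{c_sub}." or t_name in c_sub.split(".")):
        return "nested-subdomain"
    return None

def scan(domains: Iterable[str], target: str) -> Dict[str, str]:
    """Run classify() over a domain feed and keep only the flagged entries."""
    return {d: v for d in domains for v in [classify(d, target)] if v}

if __name__ == "__main__":
    # Constructed sample feed of newly observed domains, not real registrations.
    feed = ["weaktarget.com", "portal.weaktarget.com", "Login-weaktarget.com",
            "www-weaktarget.com", "weaktarget.com.myportal.com", "example.com"]
    for dom, why in scan(feed, "weaktarget.com").items():
        print(f"{dom:30} {why}")
```

Feeding the output into a blocklist or a certificate-transparency watch catches the registrations before the lure e-mail arrives; genuine subdomains of the protected zone are deliberately left unflagged.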
Phishing Website: Back-End Functionality
- After registering the innocuous-looking domain name and setting up the look and feel, you will want to implement the proper features on the back end to perform the actions the story requires.
- You can choose any language that suits you.
- We will assume the HTML form has two fields, "username" and "password," unless otherwise noted.
- The credentials the user enters into the website are stored in a .txt file.
- We can log not only the user name and password, but also the IP address.

Phishing Website: Back-End Functionality
- We want to decide what the user should experience after logging in or attempting to log in. There are four main approaches to choose from:
  - Redirect the user to a legitimate page
  - Redirect the user to a "static" page on our website
  - Redirect the user to a malware deployment page
  - Act as a proxy between the user and the legitimate website
- We can simply record whatever credentials the user entered and redirect the user to the legitimate website (not ours).
- We can redirect them to another page on our website, informing the user whether the login was a failure or a success.

Phishing Website: Back-End Functionality
- If we are copying a legitimate website, we probably want to test the credentials by attempting to log in to the legitimate website, and react based on whether they appear to be valid or not.
- Another method is to only return a "failed login" message to the end user. This can cause the user to attempt to log in with a few passwords, essentially giving you their history of passwords and potentially a really good set of passwords to understand how they choose their passwords.

PHP-Phony (Phishing Proxy)
- Our final option is to configure our phishing web server to act just like a proxy.
- We take the requests from the user, pass them to the remote system, and then return the results, all the while logging all the activity.
- Beyond just logging everything the user is doing, we don't have to worry about any of the real functionality of our website, which is an added benefit.

Phishing Website Watering Holes
- Watering holes are essentially any common point we can expect our user to visit based on their industry.
- Think about the items we can obtain from a user if they create an account on a system we own. We can expect to get at least the following:
  - Their choice of a user name (which might be used on other systems)
  - A password they have reused on other systems (or at least insight into how they choose passwords)
  - A valid e-mail address (to verify the account)
  - An alternative e-mail address (in case they have ever been locked out of their account)
  - Any plausibly necessary information based on our system (e.g., phone number, home address, college, membership or club affiliations, etc.)

Phishing Website Watering Holes
- Selecting the content and purpose of our watering hole should be easy based on the reconnaissance we performed earlier.
- As always, get creative.
- We can create a website and give it the appearance of a public forum, or even better a private forum, to make joining it more interesting. Sending an invitation guarantees people will join.

Client-side Exploit
- This is exploiting vulnerabilities present in software on an end-user endpoint system such as a workstation.
- The most popular choices are within common user software such as:
  - Office productivity
  - E-mail clients
  - Multimedia software
- Examples include:
  - Microsoft Word
  - Microsoft Excel
  - Adobe Acrobat
  - Browsers (Internet Explorer, Mozilla Firefox, Chrome)

Custom Trojan Backdoor
- This is by far the most effective choice for sending and delivering a backdoor.
- The software we choose to bundle our backdoor with depends on the story we have built with our target user.
- Our options for the backdoor depend on:
  - Bundling with pirated software we have downloaded
  - Bundling with trial software obtained from a legitimate vendor
  - Bundling with legitimate software we have purchased from a vendor

Custom Trojan Backdoor
- A few examples for delivering the Trojan software to one target include:
  - Sending a download link to software housed on a website
  - Housing it on public file-sharing software
  - Sending it via snail mail or FedEx on a CD or USB
- Providing the user with a download link to the software is a good option for quick delivery.
- When sending the software to our target user, whether via the Internet or removable media, we have to ensure the code is executed.
- We have to construct the .exe folder layout to ensure the user will run the .exe file, which will run our .exe program and then load the legitimate program.