I’ve had some interesting conversations on the topic of performing social engineering attacks via email and decided to share some of my past lessons learned. The focus will not be so much on the technical side as it will be much more focused on the social aspect. Although much of today’s written social engineering attacks are carried out using email, there are other written communication methods which can and should be used depending on your objectives.
The social aspect for me concerns the journey from the moment the victim receives the email until the moment that your objective is achieved. Whereby the objective often relates to infecting the victim it could also involve having the victim send you some documents or perform other actions. The victim’s social journey is something that can be influenced, but in my experience it is not something that you’ll fully control.
When I started out with attacking organizations and individuals I was often under the impression that everything should work on the first try. This of course is not true. What is true, is that you should assume failure and put some thought and effort into the consequences. One of the more important lessons I learned early on in regards to performing social engineering via written media is:
It really doesn’t matter, nobody cares.
Have you ever looked at your own communication? have you ever worked in a SOC or followed up on incidents? Eventually most companies as well as victims are pretty tired of the endless stream of shit that they receive on a daily basis. So yes, there will be investigations, they might even follow-up on your attack, but then what? It’s not like they can block all senders or block the entire internet or forbid their employees from working and talking to potential customers, partners, vendors right? So yeah, you guessed it right, if you mess up:
You get to try it again, and again and again…
Of course there are some exceptions like when you really mess up and they figure out you’ve been hired to attack them or if you technically have a ‘tell’ which would enable them to block all incoming attacks pretty quickly. Although…how would they block you across all possible communication channels that their employees use?
Anyhow I’m getting ahead of myself, let’s talk about some war stories and I hope you learn as much as I did from them. As usual I garbled up a lot of information, timelines and other details to attempt some anonymization. Oh and yes, the technical part of these attacks eventually matters, specially if you have to get some code execution, but with the proper social engineering context this can sometimes become much, much easier to perform.
Send one SMS, receive one crucial document
The objective for this assignment was obtaining the financial results ahead of the publishing date. Co-incidentally I had just learned about spoofing phone numbers and was intrigued by typosquatting. I set out to do some OSINT on how the financial results were actually published in the past as well as the people involved in the process. I was able to identify the phone numbers of some of the people involved, including the CFO. He happened to be on a vacation in a pretty remote location of the world, but not fully isolated, according to the photos posted on social media. I also found his personal gmail and some phone numbers from other people at the finance department. So here is what I did:
I registered a typosquatting gmail address, or at least similar enough, as the real CFO email. I sent an SMS message to one of the finance people while spoofing the number of the CFO. In the SMS I used a message similar to this one:
Can you send me document X, I was just called by <name> (ceo) that we messed up and I need to go over it. Have no work laptop, use my gmail <typosquatted address>. There goes the vacation, thx!
Done, the day after I received the document. My lessons learned were:
- Just ask for it, it works
- Don’t immediately reach for your favorite implant and dropper technique to obtain a single document
- Don’t discard something just because you would not fall for it
Targetting is overrated
For this assignment we would not only have to do the usual ‘pwn the network’, but the customer was also curious about what the minimum required effort was to breach them. Since the goal was to eventually hack the network, the team and myself decided to try the stupid stuff first. Even though it is frowned upon, you can feel where this is going, we decided to go down the soft-erotic road (yes, we checked with customer, legal etc). This was when Java applets were still awesome. So we built an applet that if accepted would show you several pictures of people in swimming / beach cloths. Hosted this all on a VPS without domain registration. The phishing email then basically became a subject along the lines of: Check out the new me. The content of the email was just the URL.
Now the beatifull thing about applets is that even if the victim doesn’t accept the pop-up warning, you are allowed limited execution and can collect a lot useful information.
Jup, this worked. We did not only collect information, but obtained several infections. My biggest lessons learned was: Why start with super advanced stuff if the easy stuff also works?
Did it trigger detection and as a result an investigation? Yes, it did. Did this harm our operation? Not really, this is what happened:
- two out of the total infections survived the investigation and response
- We continued with our next campaign which was a bit more sophisticated and for which the technical part was fully different
- We obtained new infections
Warned is disarmed (Dutch version: A warned man counts as zero)
The real proverbs are of course: Warned is forearmed (Dutch: A warned man counts as two). On the customer side as well as on the attacker side you often hear remarks along the lines of:
If our targets know that we will attack, it will be more difficult or less effective. So for this assignment, just before we were about to start the operation the customer said something like:
I decided last minute to send a company wide email warning everyone that an attack will take place in the following weeks. Because you know, euhm, just cause I want you guys to try harder, like real attackers.
*sigh, no comment* We decided to not change a single thing. Because of course we received this message after our customer had approved our phishing templates, texts, payloads etc. Risky, but it paid off. We obtained several infections and euhm no detection. Weird right? Turns out most employees were like: ah another test, too busy to report if I see weird stuff, since it isn’t a real attack anyways. Lesson learned: Don’t be too scared if your targets are ‘aware’ or recently suffered an attack. Sure your chances might be lower, but how much it really matters….who knows. Maybe a good time to remind you as a reader of something:
Awareness does not equal change of behaviour
Do what you do normally, but then maliciously
Common attack patterns in regards to written social engineering are usually like:
- Receive communication out of the blue
- Asked, forced, scared into performing requested action
- Sometimes follow regular process like the hiring process for example
- Become infected
Which is also how most awareness programs that I’ve seen are setup, they attempt to teach users how not to perform that action. So, what happens if we have the user ask us to perform that action instead? For this assignment I decided to just email their info@<company>.<tld> address with a random report of something not working correctly on their website. Took some time for them to react, but eventually they asked for details as well as a screenshot. So being the helpless non-technical person that I am, I answered that I had no clue on how to do those technical things. They then proceeded to send me a Word document with instruction, including an open spot in which I could paste my screenshot.
Jup, I followed their instructions and of course added some macros. When I emailed them back with the attachment I informed them that I had issues with the file and that it only seemd to work when I accepted all kinds of error message. A couple of hours later I had my infection. Lesson learned: How about I just act like every other regular citizen instead of trying to be malicious? I mean the opportunity might just arrise our of nowhere.
Curiosity killed the cat
So I have to admit, this one was really a long shot and we got really lucky. We wanted to avoid URLs or attachments and instead lure the victim to our malicious website on their own initiative. So we created a website where every single link went to the same malicious file download. This file contained previous articles written by this person. We pretended to be a journalist and we emailed multiple employees of a company with the exact same email, something along the lines of:
Hi there, your name has come up in my investigation of your employer. I’m wondering about your side of the story. Please let me know if you are interested in having a chat before we publish the article. Kind Regards, <name>
We had chosen a name that was unique when entered into google and which showed our website as one of the results. Yes, we also created the fake linkedin profile, but no other social media. So as you would expect, that was an odd email to receive. Since the email didn’t have the usual ‘malicious patterns’ of having the victim click links or open attachments, most of our victims just continued with the request. They emailed us back, which is what all corporate normal people do. They email back and forth with known and unknown people on a daily basis.
What they also did was google the name and some of them downloaded the file with the previous article, to get an idea of what they were dealing with. This landed us like 1-3 infections. A more fun lesson to learn: Even longshots can work, or phrased differently: Don’t be afraid to experiment.
Email history, everyone believes it
Everyone needs a little help once in a while, even attackers. So during this assignment we decided to ask the victim for help. We decided to have the victim help us gain access to their network. So after some OSINT we learned that one of the managers was enjoying his holidays and that they had recently started a partnership. So we created a typosquatted domain of the supplier with the sole purpose of sending and receiving emails. We also created a fake linkedin profile of a ‘junior’ that just joined the supplier of our target company. With all this setup, we started to email the helpdesk to request access.
Of course the helpdesk followed their processes and we followed along nicely. Until they started with the usual ‘takes time, approval, etc’. We then forwarded them our conversation with our supposed point of contact that was on holidays. Because like we all know….if you markup your emails correctly, outlook will display them like a nice back and forth conversation, even if everything is spoofed. This allowed us to convey sense of urgency as well as ‘proof’ that we already had the correct approval. Eventually this resulted in full remote access to the network, without needing an infection. What we all learned during this assignment is that sometimes the low-tech tricks, which we as technical people tend to ignore, work just fine.
First of all I hope that you learned that doing social engineering is actually pretty fun! The benefit of doing social engineering via written channels is that it provides ample time to think before you answer. The slow down has a potential risk of you being detected due to the victim starting to get suspicious, but it mainly has the benefit that you are just one of many with which the victim communicates.
When you are writing you can still apply regular social engineering techniques like building rapport, using emotions and seducing the other party to unknowlingy execute your actions, except you actually have time to think about how to do that.
A big caveat is that you will be tempted to ‘read their communication as what you think it sounds like’. This means that any sentence or word that might indicate failure or detection you’ll immediately jump the gun. Avoid this, keep it business as usual. Of course this also works the other way around. Initially you’ll write and hope that the other side understands and ‘feels’ the intention of your communication. This also takes some getting used to. Clear and precise written communication is always a challenge, just think about your latest email to your colleague ;)
Above all keep your goal in mind, not everything warrants an infection and not all social engineering needs to start with an email. Use Linkedin, marketing platforms, Twitter, Whatsapp or w/e your victim uses on a regular day to day basis. Don’t be afraid to split your communication over multiple channels, after all, isn’t that what we all do in our regular day to day life?
- Ghost in the wires
- Social Engineering the Art of Human Hacking
- The Art of Deception
- The Art of Intrusion
- The Art of the Con: How to Think Like a Real Hustler and Avoid Being Scammed