Social Engineering Rachel Tobac

Rachel Tobac (@racheltobac) is a ‘white hat hacker’. Her role is to help companies and individuals protect their data by raising their awareness of the dangers of social engineering. She has twice won the ‘DEFCON Social Engineering Capture the Flag’ and is now CEO and co-founder of ‘SocialProof Security’. Rachel agreed to share with us her experience and some advice about social engineering and how to avoid it.

What is social engineering?

Social engineering is the act of persuading somebody to take an action that may or may not be in their best interest.

Three main techniques commonly used by social engineers are:

  • Phishing: Attempting to get someone to click on a malicious link via email, social media or texting. A popular type of phishing is ‘spear phishing’: When you look up specific information about your target and use that to convince them to click on the link. ‘What do they comment on social media about purchasing on Amazon?’ If you know what they purchased, you can send a spoofed email making it look like you’re sending it from Amazon to build trust and ensure that they click on the link you sent.
  • Vishing: Voice phishing over the phone. It’s easier to build rapport with people when you have tone and you can have a conversation. It helps me infiltrate a system even quicker than sending out emails because I can get them to type in a malicious link over the phone in under 30 seconds.
  • On-site attack: Somebody in person attempting to bypass a system by pretending to be a vendor or a member of the team. It’s easier to pretext as somebody (pretend to be someone) who belongs there than as somebody that doesn’t belong there. As social engineers we often say: ‘Busy hands open doors.’ This means that if you are holding a box of donuts, somebody who’s coming out of the door is likely to open the door and hold it for you, even if you don’t have your badge. That’s a common method of attempting to bypass a badge system or entry point. From there we can do things like ‘USB-drops’ or just getting access to machines and taking control of them in person.

What kind of information are you collecting as a social engineer?

Before I do any type of social engineering, I have to collect a lot of information about how I would want to penetrate that system. This is called ‘OSINT collection’ – Open Source INTelligence collection.

I choose my targets based on how much information I can find on them online. If I know who they are, who their friends are, who their bosses are, what their job is, what type of language or verbiage they use in their everyday life, it makes it more likely for me to choose them as a target because I can create a believable pretext and when I give them a call, it would be easier for me to build trust with them and get them to do what I need them to do.

A pretext is who you’re pretending to be, it’s more than just a lie: It’s an entire new identity that you’re building based on the information found on LinkedIn, Twitter, Instagram or Facebook.

So I find out information about somebody who has the authority within the company or someone who would make sense to ask a lot of questions and pretend to be them on the phone with real reasons to call.

OSINT collection about the target
  • Who are they?
  • Who are their friends?
  • Who is their boss?
  • What is their job?
  • What type of language do they use in their everyday life?
  • What are their interests?
  • What are their likes and dislikes?
  • What does their schedule look like?

If you were calling a control engineer at a power plant running, let’s say, Siemens automation, what kind of information would you try to gather?

First, I probably would not call a control engineer because they would likely not be used to picking up the phone, because they might not be client facing. I would call somebody who is client facing (somebody in sales, a hiring manager, somebody in HR or Tech support). I would pick one of those attack vectors: ‘What type of software are they running?’, ‘Do I already know that they are running Siemens?’. If not then I’m going to want to confirm that on the phone, or probably pretend to be a vendor manager of that company. I would call and say: ‘We’ve had some quirkiness on the network for Siemens and we wanted to make sure your software is still up to date’. And if they say ‘Oh we’re not running Siemens software!’, then I would know that they’re running Emerson!

If I already know their role, then I would get them to confirm it, and I would want to get as much information about the automation software as I can get so that I can take control of the power plant: ‘Which specific products are they using?’, ‘which versions of those products?’. I need to know this to look for known exploits of those products so I can replicate the system myself, and look for vulnerabilities that I could exploit.

I would also want to know about their update process. ‘Do they connect their system to the internet for updates?’. This could be something that my team could exploit if they’re connected to the internet because that makes them more vulnerable. If it’s always connected to the internet or to an internal network it would be helpful for me to know their machine’s IP address or ‘hostname’ so that one of my technical partners could get access to their internal network. If they’re already connected to the internet then we would know that machine’s address and how to reach it. I would also want to know if the machine I’m trying to get access to has any other services that are running. Maybe the Siemens service doesn’t talk to the internet but there’s another program that talks to the internet or talks to other computers on the ‘corporate network’, or I could get in the network from there. If I can get some presence on that machine, then I can look for a vulnerability that would give me privilege escalation and take control of their automation software.

In the case of a control system, people tend to think that their system is not connected. So how would you convince them to take an action that allows your team to access the system?

Even if they’re not usually connected to the internet or an internal network, there’s likely a time that they will have to get updates to their system, and have to connect to the internet or some type of internal network. I would attempt to gain access to that schedule, so that I know when their system is most vulnerable and I could gain access to it then.

Sentryo published a report about what happened on the Ukrainian power plants. What could you tell us about that?

In that scenario they did do spear phishing and that email contained an attachment with a malicious document. The attackers actually spoofed the sender’s address to appear to be from Rada, the Ukrainian parliament. The document itself looked very convincing and it convinced the person to run a macro in the document, which is a Microsoft script. This is like having someone hand you the key and unlocking the door yourself because you have remote access to their machine at that point. Once inside the network they were able to pivot and shut down the power stations, causing a blackout in Ukraine.

Do you have a “public case” example that illustrates social engineering risk for people?

In 2015, ‘Ubiquiti Networks’, an American service provider of networks for business, was hit by a cyberattack where they actually lost 39.1 million dollars. Social engineers wrote emails introducing themselves as executives of that company and they asked employees in the finance department to transfer millions of dollars to a bank account that the cyber criminals had control of. This technique was just regular phishing. They didn’t know much about the company, they just found the name of the executives online and went from there. This takes advantage of a human willingness to comply with authority.

Another case is Stuxnet, which happened in 2010. Stuxnet was delivered by a double agent by means of a USB stick drop, which is a classic social engineering attack that was used on the Iranian side. This USB drop used unpatched Windows vulnerabilities to get inside the SCADA at Iran’s enrichment plant. They injected code to make an industrial computer grind the centrifuge motors and it destroyed 400 of those machines.

Another less well known case: In 2013, hackers sent a phishing email to the Associated Press in America, and someone clicked the link in that email, giving them control of their machine, which they used to get credentials to the Associated Press’s Twitter. The hackers sent a tweet from the Associated Press that said: “Breaking: two explosions in the White House, Barack Obama injured.” This caused the stock market to steeply fall. For this specific scenario I think the social engineers probably thought of it as a prank but it caused a serious stock market fall.

One more really interesting case: A 15-year-old gained access to plans for intelligence operations in Afghanistan and Iran. He did all of this by vishing: calling and pretending to be the directors of the CIA, then the FBI, calling helpdesks and service providers, like his cell phone company, until that company changed his credentials, changed the password, giving him access to the CIA and FBI directors’ services and machines.

If I were a power plant manager director, how could I prepare my team to face a social engineer?

We found through our work with SocialProof Security that trainings that change the behaviors the most are the ones that are hands on. By having employees actually step into the shoes of a hacker and figure out ‘how we would social engineer the target company?’, ‘who we could call or email?’, ‘how I would make the call?’, ‘who I would pretend to be?’, ‘what I would talk about?’, ‘what does my script sound like?’ and demonstrate it. We give the group a chance to try to simulate hacking a real life company themselves. I like to split them into teams, give them a target and say: See what information you can find on social media, look for all of these OSINT flags, look for workstation photos, ‘can you find pictures of computers?’, ‘software versions in the background?’, ‘helpdesk tutorials?’. Then I give them the chance to think about ‘who would you call?’, ‘who would you pretend to be?’ now that they gathered enough information online to develop their own script. It’s very hard to forget what you’ve learned when you’ve tried to hack someone yourself. We have teams tell us that their groups go back and scrub their social media of all posts and pictures and they bring it up often.

If you think that you leaked something what should be the reaction?

If you think you gave away sensitive information: tell the cyber security team of your company. If you gave away business information: tell anybody that could be affected by that… because a social engineer is going to call several people in the company. It’s important to work with your cybersecurity team and your HR team to send out communications to all employees of that company to let them know if you have someone call you out of the blue…

Rachel’s advice
HANG UP, if you have someone emailing you and attempting to get you to click links, and if you don’t know that sender or the spoofed email looks off… DO NOT CLICK ANYTHING, forward everything to your cybersecurity company or your cybersecurity team. And if you DO click, if you DO give information, DON’T BE SHY, don’t say ‘I don’t want to tell anyone’, don’t be embarrassed.
The most dangerous thing that you could do is tell no one, you can help fix it by telling your cyber security and HR team.

The most important thing you can do to protect yourself and your company is to tell your cybersecurity team. They’re likely to quarantine your computer, save important files but then wipe your machine. They could look at the traffic logs to see what information was taken, see what the attack looks like and make signatures or indicators that will alert the team if it happens again, to keep the rest of your company safe.

How could the people be warned that they are facing a social engineer instead of a real vendor?

If someone is calling you out of the blue, or emailing you with unexpected links, if they have odd or urgent requests, if they have money transfer requests… you always want to double check. It never hurts to call that person if they’re emailing you, or email that person if they’re calling you… to make sure that the person is who they say they are. It’s totally okay to ask for more clarification. If you’re trying to clarify with me and say ‘I’m sorry who are you again?’ I’m very likely to stop trying to social engineer you because there’s no point: That’s just more dangerous for me.