Wednesday, 14 August 2019

Spot the Bait: a Lesson About Phishing

Written by Adrien Souyris

We’ve all experienced phishing - those annoying, sometimes dangerous emails attempting to trick us into giving away money or sensitive information. Most of them are clearly scams, but some are smarter and more difficult to spot. 

Symantec identified in 2018 that 54% of all emails were malicious (spam or phishing). As well as this, an average user receives 16 suspicious emails per month. More astoundingly, Verizon reports that 90% of breaches involve phishing.

So, who's behind these phishy emails? In short, anyone from amateur scammers to Russian GRU operatives and skilled cybercrime groups. Phishing is a cybercriminal's favourite tool, but why? Well, IT departments understand how important it is to build a cyber castle around the company's network; firewalls are everywhere, which makes it harder to attack company networks directly. And because we built castles, attackers invented a Trojan horse: phishing emails.

It is nearly impossible for machines to automatically distinguish between a legitimate and a well-crafted malicious email. IT and security departments can’t guarantee a phish-free inbox, and with each malicious email displayed to users comes the risk of someone inadvertently giving away the castle's keys. 

What are the remaining options, then? If they are informed and trained, staff make up a company's immune system by reporting phishing and helping the company fight back. 

Phishes of all sorts and colours

There are several types of phishing - angling, spear phishing, vishing, to name a few. The most common one is mass, automated phishing, which consists of creating generic phishing emails aimed at the largest possible number of recipients (usually millions). Even if only 1% of the recipients fall for it, that’s still 10,000 victims.

More targeted attacks are called spear phishing. These consist of selecting high-value, well-researched targets, finding out information such as their online habits, relations and hobbies, and then carefully crafting a high-quality phishing email to be sent to this recipient only. These methods are usually employed by skilled cybercriminals or state-sponsored hackers. Intermediate steps exist between these two, for instance by targeting a specific company, department, or group of people. And what is the intention behind phishing emails? Usually one of two things: assets (information or money) going out or malicious content going in.

For the former, a cybercriminal will attempt to lure the recipient into giving away the asset. The most basic method is the scam; for instance, the criminal masquerades as a legitimate service - PayPal, Gmail, OneDrive, SharePoint, etc. By disguising the email as a notification or security notice, the sender lures the recipient into clicking on a link.

Behind this link hides a fake login page where the victim then gives away their credentials. To avoid raising suspicion, the fake login page mimics the legitimate service's page almost exactly.

For the latter, phishers may include a malicious attachment in the email, such as a Word or Excel file with macros or a script file. Both macros and script files are executable code that can be abused to download malware onto a computer. Alternatively, the cybercriminal may use a malicious hyperlink; behind it hides a web page which will attempt to install malware on the device. From there, the cybercriminal can gain access to the user's files and emails, or use their position in the network to compromise other company assets.

Avoid taking the bait: stay aware

Phishers use social engineering, the art of hacking people by exploiting predictable human behaviour, to trick email recipients into performing an action in the phisher's favour. Social engineering in phishing emails can take many forms, but the following techniques are the ones usually employed:
  • Masquerading: most of the time, phishing emails are crafted to mislead by impersonating something or someone else. To this end, the email makes use of attributes usual for the stolen identity, including writing style, font appearance, colour schemes and URLs.
  • A believable scenario: building on the stolen identity, phishing emails create a story; for example, HM Revenue & Customs sending an email about your latest tax return, or a colleague reaching out about a project.
  • Sense of authority: by masquerading as an authority figure, such as a professional body or a manager, cybercriminals attempt to pressure the recipient without causing suspicion.
  • Sense of urgency: cybercriminals usually build on this false authority with pressure and urgency to achieve the result before the recipient becomes suspicious. Terms like ‘the request is urgent’ or ‘a lack of action will result in <insert threat here>’ encourage the recipient to act fast.
  • Sense of trust: some phishing emails attempt to look like they originate from someone or something you trust, like a friend or colleague.

Spotting phishing URLs

One of the easiest ways of spotting phishing emails is to check the structure of the URL to which the email is trying to redirect you. Let's take our previous fake URL and introduce how domain names work. We'll read the URL from right to left.

A domain name is just like a Russian doll: each ‘.’ marks the boundary between one doll and the next. Here, ‘.org’ is the largest doll and ‘myaccount.’ is the smallest one.

The best way to read a domain name is to spot the rightmost ‘.’ (before the first ‘/’, if there is one). What follows it is usually ‘.com’, ‘.org’ or ‘’. The domain name is whatever sits immediately to the left of this. Here, our domain is ‘ml-security’. The URL confuses users by introducing a misleading ‘’.

Another deception to keep in mind is best illustrated through another example:

In the URL above, is disguised as If you click on a link, you should always make sure it sent you to a legitimate place.
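As an added illustration that is not part of the original post, the following Python checker applies the right-to-left reading described above: it takes the hostname (dropping any ‘user@’ prefix and the path), treats the label immediately left of the public suffix as the real domain, and flags a trusted name that appears anywhere else in the URL. The post's own example URLs did not survive extraction, so the sample links are constructed, using ‘ml-security.org’ as the attacker-controlled domain from the text and a hypothetical ‘example-bank.com’ as the impersonated service.

```python
from urllib.parse import urlsplit

# Multi-label public suffixes so the "rightmost dot" rule also works for
# names such as example.co.uk. Constructed short list; a real tool would
# load the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Read the host right to left and return the doll that matters:
    the label directly left of the public suffix, plus the suffix itself."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def analyse_url(url: str, trusted_domains) -> dict:
    """Report where the URL really leads and whether a trusted name is being
    used as a disguise somewhere other than the registrable domain
    (subdomain, 'user@' prefix or path)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""  # hostname drops 'user:pass@' and the port
    domain = registrable_domain(host)
    trusted = {registrable_domain(t) for t in trusted_domains}
    lowered = url.lower()
    disguised_as = sorted(t for t in trusted if t in lowered and t != domain)
    return {
        "host": host,
        "registrable_domain": domain,
        "trusted": domain in trusted,
        "disguised_as": disguised_as,
    }


# Constructed sample links: hypothetical 'example-bank.com' is the impersonated
# service, 'ml-security.org' the attacker-controlled domain from the text.
SAMPLE_LINKS = [
    "https://login.example-bank.com/account",                     # genuine
    "https://myaccount.example-bank.com.ml-security.org/signin",  # subdomain trick
    "https://example-bank.com@ml-security.org/login",             # 'user@' trick
    "https://ml-security.org/example-bank.com/login",             # brand in path
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        report = analyse_url(link, ["example-bank.com"])
        verdict = "OK" if report["trusted"] else "SUSPICIOUS"
        print(f"{verdict:10} {report['registrable_domain']:20} {link}")
```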

Taken the bait by mistake?

All human beings are vulnerable to social engineering. By hitting the right spot, a skilled cybercriminal can hack anyone. If you suspect you’re a victim of phishing, here are the steps you should follow: 

  • Don't panic, this can happen to anyone.
  • Send an email without delay to your IT helpdesk or to your security team. A point of contact should always be available in your organisation for these incidents.
  • Do not delete anything, unplug anything or turn your computer off, unless instructed by security or IT personnel, as the evidence may be needed. You can flag the suspicious email as spam or phishing.
  • Pay attention to and report any further suspicious behaviour on your laptop and applications, such as freezes, slower performance, emails or files disappearing, mouse stutters, etc.

Take the test

Google created a tutorial test that shows the typical techniques used in phishing. Don't worry, it isn’t a phishing link.

You can find it here.

Thursday, 1 August 2019

The Power of Social Engineering Part Three; First Line of Defence

Written by Stuart Peck

In the previous two articles, we covered the fundamentals of social engineering and the techniques used by attackers to great effect to gain unauthorised access to sensitive information. In this post, we are going to outline some of the defensive techniques you can develop to reduce your exposure to social engineering. Note that I did not say mitigate or remove risk, because the reality is that even the most hardened security professional can be social engineered; it’s a matter of timing and a well-researched and crafted pretext that could lead to an attacker striking gold.

What this article aims to provide is a range of tactics that reduce the exposure from simplistic to advanced techniques used by attackers on a regular basis.

People-Centric Attack Vector Requires People-Centric Defence

If you are reading this then you may have spent years learning about infosec, attended a few training courses, maybe hold a few certificates, and consider yourself adept at dealing with phishing and other social engineering attacks. Now let’s talk about compliance-based “Security Awareness” training: on average, this is an annual or biannual exercise, usually online or through a Learning Management System, and it generates little engagement from employees. The key point is that infosec professionals spend many years learning their tradecraft, and yet we expect users to change behaviours and become adept at spotting and reporting phishing emails and other attacks after a 1-2-hour CBT (Computer Based Training) course.

Changing behaviours takes time: on average, over 3 months before new habits form and become normal working procedures. The key to effecting change is to get user buy-in, which is usually very difficult unless your training is highly engaging and preferably face to face. It’s made even more difficult given that security departments are typically small in comparison to the rest of the IT team, and smaller still versus the actual headcount of the business. This is where developing programmes that encourage champions is vital: the security team can increase its footprint within each business unit with a person who takes an active interest in promoting information security and training, and who is essentially the human sensor for the infosec team.

Defence is Much More Than Just Training

Specifically identifying your high-risk groups of people in your organisation that are likely to be targeted by social engineers, and providing targeted training is a quick win, but it’s also important to provide a wider and longer term strategy that does not just involve annual Computer Based Training activity. Social engineering defence is the balance between Education, well enforced Policies and Technology. Here are a few ideas:

1) Know who your targets are and invest in regular face-to-face training. Everyone is a potential target for social engineering; however, here are some high-risk groups:

  • Executive Assistants
  • Customer-facing employees
  • IT / Developers
  • Marketing / social media
  • Finance / Payroll

2) Understand the risks of oversharing; are your employees making themselves an easy target?

  • Monitor social media, especially Instagram / Facebook, and provide guidance on what could expose the employees and the company to the risk of being targeted
  • Make employees aware of the exposure and provide regular training on the risks of oversharing

3) Specific and regular training on the risks of social engineering is vital, but in addition:

  • Provide policies that do not penalise those who report but actively encourage engagement. Buy-in is a must!
  • Principles of trust but verify destabilise social engineering and can be highly effective
  • Segregation of duties for high-risk targets is vital!

4) Technology, people and process need to work in harmony; without this, social engineering will always be a risk

  • Ensure everyone has multi-factor authentication or U2F to reduce the risk from phishing and credential stuffing
  • Put in place processes and technology that allow employees to easily report potential phishing scams
  • Gamification and simulated attacks work, but naming and shaming does not

5) Understand the risks and exposures

  • Policy and procedure review - does everyone know their responsibilities? How can you prove this?
  • Data risk assessment and discovery - where is the critical data? How well protected is it? Who has access?
  • Incident response - how effectively can you detect, react and respond to a social engineering attack?

6) Attackers Don’t Care About Compliance

  • Prevent social engineering attacks by conducting risk assessments to spot and remediate potential weaknesses
  • Regularly test for weaknesses in people, process and technology. Test, remediate, repeat
  • Compliance training does not drive lasting change! Make training fun, engaging and about the employee; give them the skills and tools to improve their own personal security posture, massively reducing risk

In Summary

Social engineering has been around for an extremely long time, but technology has enabled it to scale at a rate never seen before. Existing strategies of annual training, unclear policies and reliance solely on technology to fix what is a very human problem, are clearly not working.

What’s required is a long term strategy where regular face to face training is invested in; safe behaviours are championed; reporting is encouraged; policies are clear, well defined, and presented in a way that normal employees can understand; and technology is used in a way to help deter, detect, react and respond to attacks that target the human.

For more on this follow ZeroDayLab on Twitter or Linkedin.

Monday, 22 July 2019

Configuration Reviews: Ensuring Security in the Cloud

Written by Charlie Clark

What is a configuration review?

As businesses increasingly move their critical business processes into cloud services, ensuring the security of those services is ever more important. It can be easy to brush off the responsibility of the services’ security onto the provider, but this isn’t the best idea. While the provider is responsible for the security of the platform, the platform is highly configurable by design and, as with most network devices, many default configurations are insecure.

As with traditional infrastructure, it is commonplace for system administrators to sacrifice security for convenience. Additionally, this technology is still relatively immature and, therefore, its security is less well understood than that of traditional infrastructure; this highlights why reviewing the configuration of these services is important. It should also be noted that with the cloud, certain services must be exposed to the internet (for example, authentication to the cloud account that controls access and privileges) which would usually only be accessible from the internal corporate network.

ZeroDayLab provides configuration reviews for all three of the major cloud services (Amazon’s AWS, Microsoft’s Azure, and Google’s G Suite). These configuration reviews provide the customer with a level of assurance that their account(s) are configured securely and in line with industry best practice. This is ideal as it ensures any data hosted with these providers is secure - not only from outsider compromise but also from insider threats originating from the provider.

Configuration reviews and penetration tests

Configuration reviews can be coupled with infrastructure penetration tests; combining these two security assessments enhances the result of each. With access to the cloud account, the consultant can retrieve all the information related to the account and use it to target the infrastructure; this is very useful as penetration tests must be performed in a limited timeframe. With permission to attack the infrastructure, certain attack paths and methods can be fully tested. Being able to attack the infrastructure also allows for the assessment of the services being hosted on the virtual instances, the result of which can affect the risk rating of related findings, for example traffic filtering and segregation (which are generally discovered during a configuration review).

During a previous configuration review combined with an infrastructure assessment, ZeroDayLab discovered overly permissive network access control lists that allowed anyone on the internet to reach a Docker registry service hosted on one of the virtual instances and used to deploy containers. After further testing, this Docker registry was found to be configured insecurely and could be used by any unauthenticated attacker to upload malicious images. These could then have been used to deploy containers within the victim company’s cloud infrastructure, leading to a complete compromise of the infrastructure, with the possibility of pivoting to internal corporate systems and the theft of sensitive customer data.

The scenario described above is a specific example of how an insecurely configured cloud service can cause serious damage to services and put customer data at risk, and it demonstrates the importance of combining a configuration review with a security assessment of the infrastructure.
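As an added example (not ZeroDayLab's tooling), the following Python evaluates an AWS network ACL the way a reviewer would check for the exposure described above: rules are tried in ascending RuleNumber order, the first match wins, and anything unmatched is denied. The rule list is constructed in the shape boto3's describe_network_acls() returns under 'Entries'; the entry opening port 5000 (the Docker registry's default port, an assumption about the case above) to 0.0.0.0/0 stands in for the overly permissive rule the review found.

```python
import ipaddress

# Constructed sample in the shape of boto3's describe_network_acls() 'Entries'
# (assumption: the review found rules like these; all values are made up).
SAMPLE_ENTRIES = [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 5000, "To": 5000}},
    {"RuleNumber": 120, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "10.0.0.0/8", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0"},
]

# Documentation range (TEST-NET-2) stands in for "anyone on the internet".
INTERNET_SOURCE = "198.51.100.7"


def nacl_decision(entries, source_ip, port, protocol="6", egress=False):
    """Evaluate a network ACL the way AWS does: rules are tried in ascending
    RuleNumber order and the first match wins; no match means deny."""
    src = ipaddress.ip_address(source_ip)
    for rule in sorted(entries, key=lambda r: r["RuleNumber"]):
        if rule["Egress"] != egress or "CidrBlock" not in rule:
            continue  # wrong direction, or an IPv6 (Ipv6CidrBlock) rule
        if rule["Protocol"] not in ("-1", protocol):
            continue
        if src not in ipaddress.ip_network(rule["CidrBlock"]):
            continue
        pr = rule.get("PortRange")
        if pr and not (pr["From"] <= port <= pr["To"]):
            continue
        return rule["RuleAction"]
    return "deny"


def internet_exposed_ports(entries, ports):
    """Return the subset of `ports` that an arbitrary internet host may reach
    on ingress. An open port is only a finding in itself if the service
    behind it is also unauthenticated, which is what the follow-up testing
    in the case above established."""
    return [p for p in ports
            if nacl_decision(entries, INTERNET_SOURCE, p) == "allow"]


if __name__ == "__main__":
    for port in internet_exposed_ports(SAMPLE_ENTRIES, [22, 443, 5000, 8080]):
        print(f"TCP port {port} reachable from the internet via the NACL")
```

Security groups are a separate layer and are not modelled here, so a port flagged by this check is only truly reachable if the instance's security group allows it too.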

Wednesday, 17 July 2019

The Power of Social Engineering, Part Two: In the Crosshairs of an Attacker

Written by Stuart Peck

In the previous blog post we covered the fundamentals of social engineering, from Cialdini’s 6 Principles of Influence through to how attackers leverage social engineering. In this article we will cover the techniques and tactics used to profile a target using Open Source Intelligence, and how this information can be used to generate highly effective pretexts. We will also briefly cover some of the other types of social engineering attacks. In the final article we will cover how you can detect and, more importantly, protect yourself from a range of attacks that use social engineering.

What is OSINT?

To understand how attackers build profiles on their targets, we must first dive into the wonderful world of open-source intelligence or OSINT.

“Open-source intelligence (OSINT) is data collected from publicly available sources to be used in an intelligence context. In the intelligence community, the term ‘open’ refers to overt, publicly available sources (as opposed to covert or clandestine sources). It is not related to open-source software or collective intelligence.” -Wikipedia

There’s a saying that goes, “if you have nothing to hide, you have nothing to fear.” The reality is that everyone has something they want to hide from the general public or, more aptly, an attacker. The key is identifying what form this information is in, how well protected it is, and if compromised, what the personal / professional impact would be.

Attackers are constantly profiling targets, looking for potential weaknesses in security and, from personal experience, it can take less than 1 hour of online recon using manual and automated OSINT techniques to gather enough information on a target to learn their:

  • Full Name
  • Location
  • SSN / NI number
  • Date of Birth
  • Email Accounts and Passwords
  • Mother’s Maiden Name
  • Online Digital Footprint
  • Employment Information
  • Financial Information
  • Mobile / Work Telephone Numbers
  • Social Media Information / Posts
  • Family / Friends / Colleagues
  • Interests
  • Work ID / Passes
  • Online Usernames for Third Party Sites / Forums

Armed with the above information, a motivated attacker could do some serious damage, especially as many people reuse passwords, use the same email address as a login for multiple web apps, or use an email address or username that reveals something about them, such as their year of birth.

A lot of the aforementioned information can be gathered with ease using Google (or DuckDuckGo, Bing, etc.), but combined with a powerful set of open-source tools the collection can be automated to run at scale, even with manual verification. Below is a diagram depicting the tools and methodology for performing recon on an organisation.

All this information is extremely useful in the hands of a skilled social engineer, as it can be used to create a highly effective pretext or provide context for building an ongoing campaign against an organisation and its key employees / stakeholders.

What Is Pretexting?

Pretexting is a form of social engineering where the attacker uses information already obtained through OSINT or other sources to build a fabricated scenario to convince a target to disclose information or perform an action that is not in their own best interest.

Capable social engineers will often convince their targets to perform actions that enable the attacker to gain unauthorised access to information or physical access to restricted areas of a building. There are many times where I have gained unauthorised access to buildings in a range of industries such as financial services, e-commerce, gambling, pharma, and retail by using very simple pretexts and plenty of confidence. The key to good pretexting is in the research conducted beforehand and looking / sounding the part; without this any decent security guard or employee will easily see through the scenario and deny access.

There are many case studies on pretexting, but the most notable is the cybercrime group Crackas With Attitude (CWA) who, in 2016, used social engineering to impersonate their victims by calling their cell phone carrier, passing basic verification such as the last 4 digits of the victim’s social security number. CWA were able to gain access to sensitive information, including emails, and used this to further compromise their targets. In more than one case they accessed secret information from the CIA and FBI, and even John Brennan’s (the then CIA Director) personal email and cell phone accounts. It was reported that the attackers also leaked information about 20,000 LEA (Law Enforcement Agency) officers, though this was never fully proven.

Although the attackers were caught and then subsequently prosecuted, it shows how effective vishing using basic pretexting and OSINT can be, even in the hands of high school kids.

Pretexting utilises most of the core principles of influence, but is weighted more on Authority and Social Proof, to build credibility with the target.

What is Baiting?

Baiting, as the name suggests, is used to exploit a target’s piqued curiosity; an attacker will offer something (usually free) to lure a victim into clicking a link or running a malicious application. Classic examples of baiting include USB drops or, more recently, competitions on social media where malicious apps are found to steal login tokens or cause information leakage. Memes are also used for baiting, as many popular memes found on the internet have been found to contain some form of adware or malware.

If it seems too good to be true, then it probably is.

Baiting is heavily weighted on the use of Social Proof and Scarcity / Urgency to manipulate targets.

What is Quid Pro Quo?

In the simplest terms possible, quid pro quo means “something for something” in Latin; today this means the exchange of goods or services, or a favour for a favour, and it’s the latter we will focus on in this article.

Today, quid pro quo is used in highly effective marketing campaigns, especially at conferences, where exhibitors will offer free merchandise, usually for the exchange of information (say, a business card or scanning a badge - which will contain valuable contact information). The exchange is definitely weighted in the favour of the exhibitor, but the attendee is still getting what they want - the free t-shirt or some branded lightsaber (talking from recent con experience here).

Social engineering scammers, especially Tech Support scammers, use quid pro quo to great effect. They call an unsuspecting victim and tell them they have a virus, but because they are from Microsoft, they can fix the issue. Usually this is either a free service as the objective is to drop a banking trojan, or there is a fee payable to have ongoing “support” (because they “fixed” the non-existent issue). The victim (usually a vulnerable person), then feels obliged to pay for the service not received.

I know of a close friend whose parents were scammed out of £25,000 using a similar scam, but under the guise of a BT fraud department working with their bank. They convinced the victims to transfer the money to a temporary holding, so they could investigate the compromised router and to protect their bank account which had been compromised; they felt obliged because the attacker fixed an issue on the work laptop and router. It was a basic but convincing scam; unfortunately, the money was lost and unrecoverable by the bank, even when the victims finally realised the mistake and contacted the bank. The scammers called for 2+ days even after they scammed the victims, still using the same pretext.

Attackers using quid pro quo leverage the use of Reciprocity and Commitment in their attacks.

In Summary

There are many types of social engineering attacks, such as phishing, spear phishing, whaling, and tailgating. Each attack vector is highly effective given the right amount of research conducted by the attacker. The attack surface for social engineering is huge within most organisations. However, defending against these attacks relies upon a fine balance between training, technology, and the correctly implemented policies and procedures. This is a subject that will be covered in detail in our final post in the series.