Speaking at Black Hat Europe in London, Joshua Crumbaugh, Chief Hacker and CEO at PeopleSec, gave live red teaming tips and recorded examples of how to successfully hack into a company using only a confident manner over the phone.
In a series of examples of audio recordings, Crumbaugh demonstrated how to get a target to install malware, bypass anti-virus and how he won the confidence of the target with a friendly manner.
“Good reconnaissance can blind your target to security risks and things they pay attention to”, he said. In his example, he targeted users of a small ISP where he found multiple forum posts in which people had complained about email not working. So he posed as a member of staff from the ISP on a day when the target was known to expect a phishing attack, pretended to be from quality assurance and targeted the person needed to sign off a software update to move forward.
Crumbaugh gave a number of tips for success, including creating an “us versus the world” scenario, fostering a sense of teamwork and cooperation, creating a world, always having someone to blame (the “my boss” rule) and apologizing for taking up the target’s time. He said that he was ultimately able to win the trust of the target and eventually get control of their PC, “as people are inherently lazy.”
This culminated with Crumbaugh being invited into the company, where he was in a position to be able to compromise every machine, and he was able to walk into an open vault and take a selfie with a stack of money.
On the blue team side, he recommended creating a way for staff to identify a vendor, such as a passphrase that lets members of staff confirm a caller really is the vendor. He also highlighted statistics showing that users click on more educational emails than phishing emails, and that sales people typically click on phishing emails the most, so education should be tailored to be more effective.
He also recommended tailoring training along social media lines, with short but effective messages, integrating training everywhere to keep it front of mind, and understanding that the ‘mass customization’ and ‘one size fits all’ approaches don’t work.
“Social engineering is your biggest risk,” he said. “Why be in the DMZ when you can be in user land? By targeting people I can bypass almost all security controls and trick a user to troubleshoot a payload and get it working. With social engineering you need to fix the human first or have low hanging fruit in the perimeter.”