A Phishy Tale: Click and I’m Inside your Network
Welcome to the latest in our Breakfast Series by Perspective Risk's (PR's) Red Teamer Abdul Ikbal, in which he advises on network security and shares insights into the life of an ethical hacker.
In this post he explains how he, and the bad guys, get into your network, and how to improve your security.
You can catch up on the series here: How I break into your building, Can I has your password? and I Can See You! (OSINT)
Want to check how good your organisation’s security is? Click here.
Red Team Goal: Finding the holes in your security
The objective of a Red Team is to access your infrastructure and sensitive data by any means necessary. A Red Team exercise simulates a real-life attack on your organisation.
The ‘attack’ exposes the weaknesses in your defences and equips you with actionable, prioritised intelligence for shoring them up. Those weaknesses may be human, technology related, or both.
Using the intelligence gleaned from an earlier phase (OSINT, Open Source Intelligence, covered in the earlier post linked at the top of this page) I will target specific employees in your organisation and entice them to click on a link or open an attachment, giving me direct access to their workstation or laptop.
This simple action will open the doors to your infrastructure and all the sensitive data you care about.
Red Team Tactics
On your website you shared your Head of Finance's name, the name of their assistant, and both of their email addresses and direct-dial phone numbers. I checked LinkedIn and found all the staff members working under them, and in fact the staff of your entire organisation.
Since this is a targeted spear-phishing exercise rather than an opportunistic phishing assessment, I formulate a plan and carefully execute each element of it. There is no room for umming and ahhing when I am quizzed on who I am or what I want.
Red Team Attack
Let's say your website is http://acmefinancial.co.uk. I register a look-alike domain, http://acme.financial, which reads as your brand name once the eye skips over the dot. Whilst this is a fictitious example, .financial is a real TLD (top-level domain).
I apply my HTML and PHP skills to clone your website (or use PR's SecAware platform, which clones it in a few clicks). Now I have a domain that looks similar to yours and a website that looks exactly like yours, ready to dupe my target.
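The look-alike domain above is exactly the kind of thing a mail gateway rule or a SIEM query can catch before anyone reads the message. The script below is an added example written for this post; it is not Perspective Risk's code and not part of the original article. It takes the organisation's real domain and the sender domain of an inbound message and reports whether the sender reuses the brand under another suffix (acme.financial, acmefinancial.com), buries it inside a longer hostname, or is a near-miss spelling. The public-suffix list and the confusable-character table are constructed stand-ins, deliberately small, not the real lists.

```python
"""Flag inbound sender domains that impersonate the organisation's own domain.

Added example for this post, not Perspective Risk's code. The domains are the
post's fictitious ones; PUBLIC_SUFFIXES is a constructed stand-in for the real
public suffix list and CONFUSABLES is deliberately short.
"""
from difflib import SequenceMatcher

# Constructed subset of the public suffix list: enough for the examples here.
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "uk", "co.uk", "org.uk", "financial"}

# Character runs attackers swap in because they look alike in common fonts.
# Applied to both sides, so a brand that genuinely contains "rn" is compared
# as "m" as well; that is a deliberate trade-off in favour of catching "acrne".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Anything at or above this similarity is treated as a typo-squat.
TYPO_THRESHOLD = 0.85


def split_domain(domain: str) -> tuple[str, str]:
    """Return (registrable label, public suffix) for a host name.

    'mail.acmefinancial.co.uk' -> ('acmefinancial', 'co.uk')
    'acme.financial'           -> ('acme', 'financial')
    """
    labels = domain.lower().strip(".").split(".")
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            return labels[i - 1], suffix
    # Suffix not in our list: assume the last label is the TLD.
    return (labels[-2] if len(labels) > 1 else labels[0]), labels[-1]


def normalise(text: str) -> str:
    """Lower-case, drop dots and hyphens, and fold confusable characters."""
    text = text.lower().replace(".", "").replace("-", "")
    for fake, real in CONFUSABLES:
        text = text.replace(fake, real)
    return text


def classify(sender_domain: str, legit_domain: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'legitimate', 'lookalike' or 'unrelated'."""
    sender = sender_domain.lower().strip(".")
    legit = legit_domain.lower().strip(".")
    if sender == legit or sender.endswith("." + legit):
        return "legitimate", "the organisation's own domain or a subdomain of it"

    brand = normalise(split_domain(legit)[0])
    reg, suffix = split_domain(sender)

    # 1. Brand kept whole but moved to another suffix, including the trick of
    #    splitting it across label and TLD: acme.financial, acmefinancial.com.
    if normalise(reg) == brand or normalise(reg + suffix) == brand:
        return "lookalike", f"brand '{brand}' registered under a different suffix '{suffix}'"

    # 2. Brand buried inside a longer hostname the attacker controls:
    #    acmefinancial.co.uk.evil-files.com
    if brand in normalise(sender):
        return "lookalike", "brand embedded in a hostname with a different registrable domain"

    # 3. Typo-squat or character swap: acmefinancail.co.uk
    ratio = SequenceMatcher(None, normalise(reg), brand).ratio()
    if ratio >= TYPO_THRESHOLD:
        return "lookalike", f"registrable label is {ratio:.0%} similar to the brand"

    return "unrelated", "no resemblance to the brand"


if __name__ == "__main__":
    LEGIT = "acmefinancial.co.uk"  # the post's fictitious organisation
    for candidate in (
        "acmefinancial.co.uk", "mail.acmefinancial.co.uk", "acme.financial",
        "acmefinancial.com", "acrnefinancial.co.uk",
        "acmefinancial.co.uk.evil-files.com", "acmefinancail.co.uk", "google.com",
    ):
        print(f"{candidate:40} {classify(candidate, LEGIT)}")
```

Run it against the sender domain of every inbound message (or, more usefully, against the Reply-To and the domain in any link in the body) and route anything that comes back as a look-alike to quarantine or a warning banner. In production, swap the constructed suffix set for the real public suffix list; the check in step 1 is the one that catches the brand-split-across-the-dot trick used in this post, and it only works when the suffix is recognised.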
I choose to masquerade as your Head of Finance's assistant and target someone in your account management department. Why that department? Its staff work in sales, so they are the most likely to submit monthly expense claims.
My Way In To Your Sensitive Data
I ring my victim and say there's a problem with their latest expense claim that needs their confirmation; if they can spare a few moments, I'll email them a copy.
You may now be thinking that I don't have access to your mail server and don't know what your company's email signature looks like. I took care of that earlier: I rang your sales team, said I was interested in your services, and they emailed your firm's brochure to an account I had registered with Gmail (or a similar provider).
That one reply gave me three things to build my fake domain's mail around:
- Your company email signature
- Your company email address format
- Your mail server details, read straight from the message headers
Of course I don't know what your organisation's expense form looks like, so I tell my target that their claim has been placed in the finance team's password-protected internal spreadsheet. For extra authenticity, I've even copied your logo and document theme from your brochure.
Why password protected? It adds credibility, since I "have to supply the password securely and separately over the phone", and it gives me a cover story for the yellow bar Microsoft Excel shows when a workbook contains macros, asking the user to enable them. Can you guess what happens next?
Yes, your team member clicked through the warning, enabled the macro, and opened the attachment they believed came from your Head of Finance's assistant. In the space of a two-minute phone conversation, I've gained entry to your environment and your sensitive data.
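The attachment in this story is an Excel workbook carrying a macro, and the only thing between the attacker and the workstation is the user's click on that yellow bar. The script below is an added example written for this post; it is not Perspective Risk's code and not part of the original article. It inspects an attachment the way a mail gateway or an incident responder would: it opens the OOXML zip, looks for a vbaProject.bin part and for the macro-enabled content types, and flags a workbook whose file extension claims to be macro-free while its contents say otherwise. The three attachments it checks are constructed in memory as minimal zip containers, not real workbooks. The legacy OLE branch only recognises the container; extracting VBA from an old-style .xls is left to a dedicated tool such as oletools.

```python
"""Spot macro-enabled Office attachments before a user ever sees the yellow bar.

Added example for this post, not Perspective Risk's code. The sample
attachments are constructed in memory as minimal zip containers with the
relevant OOXML parts; they are not real workbooks.
"""
import io
import zipfile

# Magic bytes of the legacy OLE2 / Compound File container used by .xls and .doc.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Content types that only appear in macro-enabled spreadsheets.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-office.vbaProject",
)
MACRO_FREE_WORKBOOK = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"

# Extensions Office treats as macro-free; VBA inside one of these is a red flag.
MACRO_FREE_EXTENSIONS = {"xlsx", "docx", "pptx"}


def build_attachment(macro: bool, declare_macro: bool) -> bytes:
    """Construct a minimal OOXML-style zip (constructed sample, not a real workbook).

    macro=True embeds a vbaProject.bin part; declare_macro controls whether
    [Content_Types].xml admits to it, so the two can be made to disagree.
    """
    overrides = [f'<Override PartName="/xl/workbook.xml" ContentType="{MACRO_CONTENT_TYPES[0] if declare_macro else MACRO_FREE_WORKBOOK}"/>']
    if declare_macro:
        overrides.append(f'<Override PartName="/xl/vbaProject.bin" ContentType="{MACRO_CONTENT_TYPES[1]}"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + "".join(overrides) + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.xml", "<workbook/>")
        if macro:
            z.writestr("xl/vbaProject.bin", b"\x00" * 64)  # stand-in for the VBA project stream
    return buf.getvalue()


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Classify one attachment by its real contents rather than its name."""
    report = {"filename": filename, "container": None, "has_vba": False,
              "declared_macro": False, "verdict": "clean"}

    if data.startswith(OLE_MAGIC):
        report["container"] = "ole"
        report["verdict"] = "legacy binary format: quarantine and analyse with olevba"
        return report
    if not zipfile.is_zipfile(io.BytesIO(data)):
        report["container"] = "unknown"
        report["verdict"] = "not an Office container"
        return report

    report["container"] = "ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # The VBA project is a binary part; its presence is what matters.
        report["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        # The content-type manifest is attacker-controlled text, checked separately.
        if "[Content_Types].xml" in names:
            manifest = z.read("[Content_Types].xml").decode("utf-8", "replace")
            report["declared_macro"] = any(t in manifest for t in MACRO_CONTENT_TYPES)

    if report["has_vba"] or report["declared_macro"]:
        report["verdict"] = "macro-enabled"
        ext = filename.lower().rsplit(".", 1)[-1]
        if ext in MACRO_FREE_EXTENSIONS:
            report["verdict"] = "macro-enabled but named as a macro-free type: treat as hostile"
    return report


if __name__ == "__main__":
    samples = [
        ("expenses.xlsx", build_attachment(macro=False, declare_macro=False)),
        ("expenses.xlsm", build_attachment(macro=True, declare_macro=True)),
        ("expenses.xlsx", build_attachment(macro=True, declare_macro=False)),
        ("expenses_2016.xls", OLE_MAGIC + b"\x00" * 512),
    ]
    for name, blob in samples:
        r = inspect_attachment(name, blob)
        print(f"{name:20} vba={r['has_vba']!s:5} declared={r['declared_macro']!s:5} -> {r['verdict']}")
```

The two checks are deliberately independent: the content-type manifest is text the sender controls and can be edited, whereas the vbaProject.bin part is what actually carries the code, so a disagreement between the two is itself a finding. A gateway policy of stripping or quarantining anything where `has_vba` is true is blunt, but it removes the whole scenario above; organisations that genuinely exchange macro workbooks can narrow it to unknown external senders.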
How to protect your business from sophisticated spear phishing attacks
Here are some steps you can take to reduce the chance that the above scenario becomes a reality for your business:
- Staff awareness and vigilance. Educate your employees on:
  - The tactics used by cyber criminals
  - The dangers of email links and attachments, and of enabling macros because a caller told you to: take a step back and think first
  - How to handle cold approaches by phone or email, including verifying the caller through a number you already hold
  - The mindset of a hacker, for whom everything is an opportunity
If you would like PR's help with the above, we offer innovative online and workshop-based training. We can also act as your Red Team, which extends to fixing any element of your underlying infrastructure as necessary.