Reconnaissance for Social Engineering: Tales from the Road
A case study in shoulder surfing: intelligence, risk and mitigation
When it comes to reconnaissance and open source intelligence, research often seems like a digital battle. Using endless pieces of software, sites and APIs, we use technology to fight for the data we want. It is easy to forget how much valuable information is out there in the real world, being given away unwittingly, if you just stop and listen.
As those of you who read my boarding pass article know, I do a lot of travelling, and as a result I often take the National Express coach to London Heathrow: you always get a seat and there are very few stops.
I boarded the coach and found my seat. A long journey awaited me, Bristol to Shanghai. A couple took the seats in front of me; for the purposes of this article we’ll call them Gary and Linda. The coach set off.
I read the last remaining articles in my copy of The Economist and then started getting bored. This is dangerous territory for me because as you probably know, boredom often leads to “experiments”!
INTRODUCING GARY AND LINDA
Gary and Linda are discussing their trip. Linda asks Gary to check the Emirates app on his phone to make sure their flight to Dubai isn’t delayed. As on all coaches and trains, there is a gap between their seats large enough for me to see through. Gary gets out his iPhone X, very smart indeed. He reassures her there is no delay. Linda starts reading her magazine and Gary gets his laptop out.
He logs in and opens up his Outlook email. An email that is flagged as important gets opened first. My travel boredom has now magically disappeared. The email is from someone called Jon who appears to be his business partner. Jon has sent an attachment that is marked “HIGHLY CONFIDENTIAL: PLANT MATERIAL PROFIT RATES”. Gary opens it. It contains a list of construction equipment and machinery that is for sale in Dubai, along with their corresponding prices, mark-up and profit. As I already know that Gary is flying to Dubai today, perhaps he is off to negotiate the price for purchasing this equipment?
I Google Gary’s company name which I can see in his email signature. They provide a wide range of services to the construction industry including a legal team who negotiate commercial leases for large businesses. Interesting.
I do a quick search on Companies House and I can see the company has been going for 10 years and, apart from the first few years where they made a loss, they have been making a very healthy profit every year since.
Gary starts writing a reply to Jon. The “HIGHLY CONFIDENTIAL” marking has already sparked my interest, and I now know that he owns a profitable company and that this is likely to be a lucrative business trip to Dubai.
“Linda and I will arrive in Dubai tonight, we are staying at Atlantis The Palm. We are having the day to ourselves tomorrow but we can still meet for dinner on Friday night. I emailed Benihana Restaurant to see if they have a table for 3 on such short notice. I haven’t heard back yet. If I don’t hear back from them tomorrow I will call. We should spend some time looking at the figures before the meeting on Monday though.”
I now know where he is staying, his dinner plans, the fact that Jon is already in Dubai, the meeting is on Monday and he is taking the day off tomorrow.
If I were an attacker, I could send him a phishing email pretending to be the hotel requesting payment card verification. Better yet, I could be the restaurant asking him to click a link to confirm his booking.
Gary sends a few more emails and puts the finishing touches to a PowerPoint presentation. I start to lose interest.
Then he goes onto Amazon. He browses the portable speaker section and decides on a small Bose speaker. Good choice, Gary! He adds it to his Wishlist along with a carrier case for it. He carries on browsing. Judging by the items Amazon is suggesting for him, he is very into his music and dehumidifiers...
He goes to log into his Amazon account. He uses his work email and then types his password. I can’t see the keyboard from where I’m sitting, but luckily he mistypes his password. Twice. Frustrated with himself, Gary clicks on the “view password” icon and retypes it. Now, instead of those little dots obscuring the password, I can read the characters. He scrolls through his Amazon Wishlist and eventually just decides to buy the speaker and the case. Into the basket they go and he checks out.
I can go and view what else is in his Wishlist easily and without logging into his account, because by default all Amazon Wishlists are public and fully searchable.
Besides the fact that I have just seen his Amazon login details and what I presume to be his home address, there are other ways this information could be used to create an effective social engineering attack. For example, I know he has just ordered a Bose speaker and case, I know how much he paid and I know the order reference number. I could whip up a phishing email pretending to be Amazon saying:
“Thanks for your recent purchase of 3 Bose speakers and 1 purple carry case. Your order will be dispatched tomorrow. Please note that you can’t cancel the order after it has been dispatched ….”
He hasn’t ordered three; he ordered one. As with many effective phishing emails, this is designed to make him panic and click on my malicious link without stopping and thinking about it. He doesn’t want to be billed for 3 speakers, after all!
Alternatively, we could be a bit more creative and use the knowledge of his iPhone X to create the attack pretext. I could email him pretending to be Apple, offering him a free iTunes voucher (I know he likes his music from his Amazon Wishlist) if he completes a quick survey on how he has found his new phone.
Whilst working at the Police Cyber Crime Unit, I realised there is a general assumption that the bad guys exist only in basements in Ukraine and Russia and purchase black hoodies in bulk. They certainly don’t take coaches or hang out in cafes. The reality is they very much do.
When I get hired to conduct a social engineering security test on a company, I use social media to see where the majority of staff go on their lunch break. There are usually one or two cafes that are popular. I go and lurk there; I can usually hear their moans and groans about working life, get an idea of the company hierarchy, get pictures of their ID cards, or even start up a conversation with one of them to find out more information. This is just one example of social engineering. The reality is that as your company’s technical defences get better and better and your IT team become better at dealing with security issues, the best bet for me as an attacker is to target your non-IT staff.
Back on the coach, Gary minimises Amazon and opens up Google Drive and a spreadsheet called confidential_orders.xls. It seems to be a table of recent orders by client number. There are no client names visible, just the client number, and so he has gone some way to maintaining confidentiality. This is actually a really good tactic by Gary against shoulder surfing. The data I can see is next to worthless, as I have no idea who the reference numbers refer to.
Sadly though this advantage is quickly lost when he opens up his CRM platform and I see the customer number and the corresponding names.
Without realising it, Gary has handed over a whole load of information to a complete stranger in the time it has taken the coach to drive past two motorway services.
WHAT WE KNOW SO FAR
- Married to Linda and runs his own profitable company in the construction industry.
- They are flying with Emirates to Dubai in business class for a trip that appears to be both business and pleasure.
- They are staying at Atlantis the Palm.
- He wants to go to Benihana for dinner on Friday with Jon and Linda. He emailed them requesting a table but has yet to receive a response.
- He has an Amazon public Wishlist and has just purchased a Bose speaker and carrier case. According to Amazon’s suggestions he is very into music (and dehumidifiers…).
- We have his Amazon login details and his home address.
- He has one of the new iPhone X phones.
- He has some very important clients, some of whom are very large businesses. He is intending to resell the construction machinery being purchased in Dubai, and we can see the price he is paying vs the price he is selling it for.
- He uses Avast anti-virus – I saw the icon on his desktop. His desktop is cluttered with icons, so I also know a lot of the programs he has on his laptop.
SO, WHAT COULD AN ATTACKER DO?
- As for most attackers around the world, phishing is the obvious and easiest way to attack Gary and his company. We could send him an email pretending to be Amazon, Apple, his hotel in Dubai, Benihana or Emirates and use the information we have collected to create a plausible pretext or cover story. We could include a link or an attachment that could drop malware onto his system (we know what anti-virus program it would have to get past), or we could steal more of his credentials.
- We could use this information to impersonate Gary or someone who knows Gary to gain entrance to his company or one of his suppliers.
- There is plenty of information to help support an exploratory vishing call to his company to prepare for a more elaborate attack.
- Alternatively, we could sell the information on the construction machinery to one of his competitors or attack one of his big multinational clients through him.
Those are just a few of the options. As we find in our social engineering training workshops, with a bit of thought anyone can come up with a myriad of well-targeted social engineering attack vectors, many of which would be likely to be effective.
WHAT COULD GARY HAVE DONE TO MINIMISE THE RISKS OF SHOULDER SURFING?
- Don’t do any sensitive work at all in public places. Shield passwords when you type them in, never use a “view password” toggle where someone can see your screen, or better still use a password manager so you don’t have to type them at all.
- Be aware of the potential viewing angles on transport or in any public place. Put a jumper over your seat back to cover up the gap and block the view from the seats behind. Sit with your back to a wall if possible.
- Put privacy screens on your phones, tablets and laptops. These are cheap to buy, but they mean people can’t shoulder surf to see what you are looking at.
- Don’t mark files you will view in public as “Confidential” it makes them far more attractive!
- Remove the anti-virus icon from your desktop. If an attacker knows what anti-virus you have, they can keep testing their malware against it on their own device until it is undetected.
- Don’t view information in isolation when you think about what to protect. An attacker certainly won’t. One piece of information on its own can be meaningless, but when combined with other information it can build a very rich and sensitive picture that allows an attacker to make accurate inferences.
- Get some good face-to-face training on how to spot social engineering attack attempts such as phishing and vishing.
One of the key reasons why a potential attack on Gary would have been so successful is that he was unaware that he was leaking this information in a public place. We had gathered enough specific information on him to “con” him into believing we were Amazon, the hotel or the airline. Employees and individuals need to be equally aware of the information they put out in public and of how this can be leveraged against them in an effective social engineering attack.
As part of our advice to companies we recommend that staff audit their online presence to understand what information is public and available and to employ adversarial thinking to see how this information could potentially be used against them.
Partner, Red Goat Cyber Security
Any names used in this article have been made up to protect the identities of those involved. Amazon no longer appears to allow “view password”. At no point was any information collected on “Gary” or “Linda” nor did we gain access to any of their accounts. They were made aware of their mistakes.