Title: Baiting Attack Exercise – The Old School Way Still Works.

In the past few months, we have had quite a few social engineering and client-side penetration tests, and, as you have probably noticed from my previous posts, these are the types of tests I enjoy doing, a lot.

Let me start this blog post briefly describing our usual approach and results for one of the baiting attack exercises we have performed. In this particular case, we have used traditional and old school techniques that still work.

Baiting attacks could be very similar to phishing attacks, however, instead of using email as the delivery method of the attack we use different ways of physical media which relies on the curiosity or sometimes even greed of the victims.

After gathering a list of full names, working address and position for all of the associates of an organization, the Trustwave consultants carefully analyzed this list and decided to target a certain number of employees per location.

After having decided on the targets, the next step was to choose which attack method we were going to be using for that specific case. The Trustwave consultants decided on trying to impersonate users (most of them part of sales team) with a custom message requesting users to update their local Anti-Virus software. Yes, we know, its really old school, but you would be surprised on how effective this is.

The physical medias have been delivered by postal service to each one of the targets along with a letter with details about the (fake) antivirus update and instructions on how to install either the CD-ROM or USB pen-drive that was also included in the packages.

Below is one of the templates used for these types of attacks, the real letters had real names of the targets, and replaced thumbdrive with CD-ROM accordingly.

Dear $Employee-First-Name:

During a recent internal security analysis, we have identified that your computer is running an outdated version of our Anti-virus software because of the recent issues in the network of your $Physical-Location.

As you understand, this creates a potential hazard to the safety of the company, and we need your cooperation to provide an immediate solution.

This package you received includes a USB thumbdrive containing the Anti-virus update that will fix the root cause of the problem. Please, connect the USB pen-drive to your computer and run the following instructions to install the update:

1. Double click on the icon "My Computer".2. Double click on the removable disk icon that corresponds to the USB pen-drive.3. Double click on the file "Anti-Virus Update"

If the update was performed correctly, you will see the following message: "Anti-virus updated successfully". Once you follow these instructions, your Anti-virus will be updated and actively protecting your computer against future threats.

We appreciate your help to protect assets, employees and customers of $Company-Target-Name.

Sincerely.

$Company-Target-NameInformation Security Team$Customer-Address

For these types of engagements we usually use from normal USB thumbdrives, to U3 thumbdrives and sometimes even CD-ROMs – all of them customized with an Anti-Virus logo and with an “autorun” application. We usually also need to use a customized payload that was a light version of the one described in a previous post of this blog:

http://blog.spiderlabs.com/2012/08/client-side-payload-the-brazilian-way.html

At the end of this one particular exercise, from the 15 packages sent, 1 of them has actually resulted in a compromised. The interesting part though is that the user that has been compromised, not only was one of the original targets but neither worked at the target location.

At another baiting exercise we decided to target two additional locations. The Trustwave consultants, while walking by one of the buildings, threw 2 USB thumbdrives on the parking lot. Both of these drives had a customized logo that, on purpose, would be of much interest for any associate of that particular organization. This would also increase the chances of a curious associate to simply plug that drive in their computer.

On the second building, we decided to throw 1 USB drive on the garage, and a second drive has been silent dropped on the sidewalk in front of the building, the third one in the reception. All these 3 USB drives also had a custom logo on it.

The outcome of the exercise was: One of the two USB thumbdrives thrown at "Building1" was opened a few days later by a person, that happened not to be an associate of that organization, but was later identified as one of the organization's executives private driver. Hence, this drive was opened from the driver's computer and not one of the computers that actually belonged to the organization.

The screenshot below shows the driver's face when he opened the fake confidential USB drive. Does anyone disagree that he was quite curious?

One of the three USB pen-drives thrown at the second building was opened 2 hours later by a person, which has been identified later by their username, as one of the physical security staff. Although this particular person did not have many privileges in the organizations computers, the Trustwave consultants were able to see the software used to manage all physical security control (badges, main entrances, cameras, etc).

It is also important to note that the Trustwave consultants were able to escalate privileges to local administrator by using a technique called "Named Pipe Impersonation". With that, the Trustwave consultants were able to retrieve the WPA pre-shared key stored on the Windows registry and consequently join the wireless network that allowed full access to many systems. This same WPA pre-shared key was really strong and very unlikely could be guessed via brute-force or dictionary attacks.

This attack was very simple and used old school techniques, however it's still very effective as demonstrated above. At this point of compromise a real attacker could then be very dangerous and be able to compromise

the internal network, just like one would do if present within the organization. Is your company prepared for this kind of attack?