Ashley Madison Blackmail Campaigns Prowling Again

If you were involved in the Ashley Madison service, or know someone who was, it might be time to discuss the continuing issues of ongoing blackmail campaigns stemming from the breach. This article appeared this week in SC Magazine, reporting on just such a campaign, that has been potentially identified.

Please be aware that this is happening, and can represent a significant threat, especially for organizations associated with critical infrastructure, IP protection and/or government agencies. 

If you, or someone you know, is being harassed or targeted by black mailers, here are some resources:

General council advice.

Contacting the FBI.

WikiHow Advice from the public.

Stay safe out there!

Social Media Targeting: A Cautionary Tale

I was recently doing some deep penetration testing against an organization in a red-team, zero knowledge type exercise. The targets were aware of the test at only the highest levels of management, who had retained myself and my team for the engagement. The mission was simple, obtain either a file that listed more than 100 of their key suppliers, or obtain credentials and successfully logon to their internal supply system from an account that could obtain such a file.

Once we laid some basic groundwork, it was clear that we needed to find the key people who would have access to such data. Given the size of this multi-national company and the thousands of employees they had across continents, we faced two choices – either penetrate the network environment and work our way through it to find and obtain the victory data and/or find a specific person or set of persons who were likely to have the data themselves or have credentials and hack them get a shortcut to victory.
We quickly decided to try the shortcut for a week or less, preserving time for a hack the network approach should we need it as a backup. We had approximately 6 weeks to accomplish the goal. It turned out, it took less than 6 hours…
We turned our TigerTrax intelligence & analytics platform to the task of identifying the likely targets for the shortcut attack. In less than 30 minutes, our intelligence team had identified three likely targets who we could direcly link to the internal systems in question, or the business processes associated with the victory condition. Of these three people, one of them was an extensive participant in their local dance club scene. Their social media profile was loaded with pictures of them dancing at various locales and reviewing local dance clubs and DJs. 
A plan was quickly developed to use the dance club angle as an approach for the attack, and a quick malware serving web site was mocked up to look like an new night club in the target’s city. The team them posted a few other sites pointing to a new club opening and opened a social media account for the supposed club’s new name. The next day, the penetration team tested the exploits and malware against the likely OS installs of the victim (obtained from some of their social media data that was shared publicly). Once the team was sure the exploits and malware were likely to function properly, the club’s social media account sent a tweet to the account of the target and several other people linked to the club scene, inviting them to a private “soft opening” of the club — starring the favorite DJ of the target (obtained from his twitter data). Each person was sent a unique link, and only the target’s link contained the exploit and malware. Once the hook was delivered, the team sat back and waited a bit. They continued to tweet and interact with people using the club’s account throughout the rest of the day. Within hours, the target followed the club’s account and visited the exploit site. The exploit worked, and our remote access trojan (RAT) was installed and connected back to us.
It took the team about an hour to hoover through the laptop of the target and find the file we needed. About the same time, an automated search mechanism of the RAT returned a file called passwords.xls with a list of passwords and login information, including the victory system in question. The team grabbed the victory files, screen shotted all of our metrics and data dashboards and cleaned up after themselves. The target was none the wiser.
When we walked the client through this pen-test and explained how we performed our attack, what controls they lacked and how to improve their defenses, the criticality of social media profiling to attackers became crystal clear. The client asked for examples of real world attackers using such methods, and the team quickly pulled more than a dozen public breach profiles from the last few years from our threat intelligence data.
The bottom line is this – this is a COMMON and EFFECTIVE approach. It is trivial for attackers to accomplish these goals, given the time and will to profile your employees. The bad guys ARE doing it. The bigger question is – ARE YOU?
To learn more about our penetration testing, social engineering and other security testing services, please call your account executive to book a free education session or send us an email to As always, thanks for reading and until next time, stay safe out there!

Social Engineering Even Exists in the Animal World

OK, so we have all read about birds that social engineer other birds into raising their young, and maybe you’ve even seen the TV special about it. But, this picture brings to mind a lesson in social engineering, thanks to our friends in the animal world. It all comes down to confidence, doesn’t it? 🙂

I am pretty sure that one of these things is not like the other. Would your security team spot the difference? How about your users?

Credit: The first time I saw the pic, it was here, just in case you want to use it for awareness training. — Thanks to @robertjbennett for the pic!


Brute-Force Attacks Reveal Band Tour Dates Before Official Announcement

Wikipedia File: Live Phish 7-15-03 (cover art)As many of my friends know, I have a slightly unhealthy obsession with the band Phish.  Yes, that Phish from Vermont. The band whose reputation rides the coattails of Jerry Garcia & Co., traveling from city to city and playing wanked-out, 30-minute versions of songs to a bunch of patchouli and Birkenstock-wearing hippies.

While only partially true, (or a majority for that matter) many “phans” or “glides” are actually quite resourceful and technically cunning.

Since the bands inception, (and taking a cue from The Grateful Dead) they’ve encouraged concert-goers to audio tape performances and trade those tapes, thus spreading their music far and wide. 

More recently, the band has included a free MP3 download code on each ticket and fans can actually listen to “crispy board” literally hours after the show has ended.  A co-operative Google spreadsheet was established to document and source every known performance of the bands storied career and links to digital and audience performances. For those who aren’t interested in downloading every show in the band’s archive, one can actually obtain an external hard drive with the music and a handful of video taped performances already loaded.  

If owning the entire catalog is too much music to sift through, fans have put together a number of compilations including “Machine Gun Trey,” “The Covers Project,” and a “Best Of’” version of the bands songs, chronologically — all labeled, sourced and ready to be downloaded into iTunes, with album art, of course.

While access to the band’s previous shows does quell the senses of their rabid fans, it does nothing but amplify the anticipation of upcoming tours.  For a band that has a reputation of traveling from town to town, fans have come to expect Fall/Holiday/Spring/Summer Tour announcements to come about the same time each year.

Rumors began to speculate weeks ago about where and when the band might be playing this summer. Recon missions for tour dates along with some good old-fashioned social engineering confirmed a date here or there.  Unsuspecting venue employees’ word about a “2 day hold on a venue” were placed together like puzzle pieces.

On February 28th, 2012, anticipation reached a near fevered pitch as the anticipated “Tour Dates at Noon” came and went without official announcement from the band and band’s management.  With only 1 official date announced for Bonnaroo (a four-day, multi-stage camping festival held on a 700-acre farm in Manchester, Tennessee) on, internet savvy fans began a brute-force attack on the website, with surprisingly accurate results.

By changing the URL of the band’s website using the intelligence and rumored concert dates gathered during the social engineering exercise, a more accurate touring calendar began to reveal itself. A simple change to the URL didn’t reveal a “404 – Not Found” web page but the message “You don’t have access rights to this page.” Fans knew they were on to something and my Facebook friends began to make travel plans for the tour that hadn’t been officially announced. This “leg up” could possibly make the difference between a hotel bed close to the venue or car-camping on a hot July evening in a field somewhere nearby. It also could mean a difference in airfare, days off work, or even rental car availability.

The official announcement came shortly after 12:00 PM on Leap Day 2012, (which is perfectly fitting for Red, Henrietta, Leo, and Cactus) complete with a professionally produced video of Phish Drummer Jon “Greasy Physique” Fishman preparing like Rocky for an upcoming bout. At the bottom, of the video, the band’s summer tour plans streamed with surprising accuracy of what many knew 24 hours beforehand.

Not bad for bunch of stinky hippies!

How to Avoid Falling For Social Engineering Attacks

I am one of the “end-users” in our organization. I’m not a tech, but over the years have had my eyes opened regarding information security and ways I can safeguard my own private data. My favorite tool is a password vault, which helps tremendously as I belong to dozens of sites. Quite frankly, I can’t remember what I had for dinner yesterday much less recall all the different passwords needed to access all those sites. So a password vault is incredibly helpful.

But what really fascinated me was the discovery of social engineering. Social engineering is when someone uses deceptive methods in order to get you to release confidential information. Sometimes it’s almost obvious, sometimes it’s sneaky. But on most occasions, people don’t realize what’s happening until it’s too late.

I’ll give an example: One time I received several phone messages from my credit union. I was told there was an issue and to return the call. I called my credit union to discover that (surprise, surprise), there was no “issue” and they never called me. So when this shady outfit called me two days later, I was home and answered the phone. After the woman went through some type of script (needing my account number, natch), I blew up.

“For your information, I contacted my credit union and there IS no issue and no need to speak to me. How in the world do you sleep at night, deliberately trying to get people to give you confidential information so you can steal from them? You’ve got a helluva lotta nerve to keep calling!”  The woman was silent. I slammed the phone down. I never heard from them again.

The point of this colorful little story is that thieves and hackers are everywhere. With our information becoming more digitalized, we need to be on guard more than ever before and use the most powerful weapon we’ve got.


And follow some of these tips:

  1. If you receive an email from PayPal or a credit card company and they want to “verify” your account, check the URL. If a letter of the company’s name is off or it looks totally different, do NOT click on it. (You can see the URL usually by hovering your mouse over the link.)
  2. Never  click on a link in an email to a financial institution. If you are a member of this institution, call their customer service number. Have them check your account to see if indeed there was a need to contact you.
  3. Always check the identity of anyone who is calling you on the phone to ask for confidential information. Say you’re about to run out the door and get their name and phone number. Then call the organization they represent to verify that this person is legit.
  4. Check to make sure a site is secure before passing on confidential information. Usually this information is either available under a “Privacy” link or an icon (like a lock) is visible in the address bar.
  5. At your workplace, use the same approach. Be friendly, but wary in a good way. If you have a courier who needs to give their package directly to the recipient, casually ask a co-worker if they could accompany the courier to their destination and then ensure they leave promptly afterward. Use this method for any strangers who are visiting your organization such as repairmen, copier salespeople, or phone technicians.

Speaking of copiers, beware of “boiler-room” phone calls. These are attempts to gather information about your copier (i.e., serial number, make and model of copier) so the unscrupulous company can ship expensive supplies to a company and then bill you, as though it was a purchase initiated by your company. These types are scumballs in my book. After I learned what they did, I’d have a bit of fun with them before hanging up. Now I don’t have the patience for it. I just hang up.

You have to be sharper than ever to see through a social engineering attack. The challenge is to retain that sharpness while in the midst of multiple tasks. Most of the time, the attacker will take advantage of a busy receptionist, a chaotic office, or a tired staff when they try their dastardly deed. (Ever notice you hardly get these attempts early in the morning, when you’re awake and alert? And how many happen close to quitting time on a Friday?)

Just a few thoughts to keep you sane and safe. Confound the social engineering attacks so you won’t be the one confounded! Good luck!

Stories of Hacking the Human #security

He stood before the receptionist, patiently waiting until she was finished with the phone call. He fiddled around with his fake badge while glancing at the security door that led into the main office area, waiting to see if someone would exit or enter soon.

Finally, two employees engaged in conversation exited the door while a small group headed toward it. He darted to join the group while the receptionist continued to look down at her list of R.S.V.P.’s, searching for the business’ name.

As the group entering the office area quickly glanced his way, he shot them an easy grin. “Phone lines,” he quipped as he showed them the badge. “Just upgraded on our end and we want to make sure you don’t miss your phone calls!”

As the group laughed and joked about not really missing calls if they had the opportunity, he scanned the cubicle areas to make a note of which ones were empty. In a few minutes, he’d double-back , slip into one, hack into the network and start snooping around.

In larger corporations, that is how social engineering can happen. Employees are trusting and often distracted by their own sense of security. They see the same people in the office but realize every once in awhile, there is “the new girl” or “new guy.” They trust this person has gone through the proper channels that authorized their presence. And that’s their mistake. Very few ask questions.

Many times, employees find that their desire to be helpful is exploited. What is usually portrayed as good customer service (“Is there anything else you need?”), can be cleverly manipulated by attackers. Often a hacker will appear to be IT staff who needs to verify an employee’s password. When the unsuspecting victim is presented with a plausible reason for taking shortcuts (“I’m so sorry, but it could really help me if you just gave me the password instead of having to bother my supervisor…”), they often comply.

How can employers prevent social engineering attacks? The quick answer is, they can’t. Hackers are becoming more resourceful as organizations initiate more complex security measures. But employers can still take precautions that will help employees recognize that a potential threat exists. Here are some tips:

  • Be aware of your surroundings. Know who is in charge of vetting outside service people so when a strange face appears, they know who to call. Tell employees that entering a secured area means using their badges to gain entry and to make sure everyone follows procedure.

  • Be suspicious. When callers ask for personal information, ask if there is a number you could return their call and then verify their credentials with an internal source.
  • Pay attention to the URL of a website. The page may look the same but the URL will expose it as a fake. Contact the company when in doubt.
  • Using these tips will help your organization avoid becoming a victim. Be alert and you’ll keep your data safe!