SpiderLabs Blog

Baiting Attack Exercise – The Old School Way Still Works

In the past few months, we have had quite a few social engineering and client-side penetration tests, and, as you have probably noticed from my previous posts, these are the types of tests I enjoy doing a lot.

Let me start this blog post by briefly describing our usual approach and results for one of the baiting attack exercises we have performed. In this particular case, we used traditional, old school techniques that still work.

Baiting attacks can be very similar to phishing attacks; however, instead of using email as the delivery method, we use various kinds of physical media, which relies on the curiosity, or sometimes even the greed, of the victims.

After gathering a list of full names, work addresses and positions for all of the associates of an organization, Trustwave SpiderLabs carefully analyzed this list and decided to target a certain number of employees per location.

After having decided on the targets, the next step was to choose which attack method we were going to use for that specific case. Trustwave SpiderLabs decided to target users (most of them part of the sales team) with a custom message, purportedly from the internal security team, requesting that they update their local Anti-Virus software. Yes, we know, it's really old school, but you would be surprised how effective this is.

The physical media were delivered by postal service to each one of the targets, along with a letter with details about the (fake) antivirus update and instructions on how to install it from either the CD-ROM or the USB pen-drive that was also included in the package.

Below is one of the templates used for these types of attacks; the real letters had the real names of the targets, and replaced "thumbdrive" with "CD-ROM" accordingly.

Dear $Employee-First-Name:

During a recent internal security analysis, we have identified that your computer is running an outdated version of our Anti-virus software because of the recent issues in the network of your $Physical-Location.

As you understand, this creates a potential hazard to the safety of the company, and we need your cooperation to provide an immediate solution.

This package you received includes a USB thumbdrive containing the Anti-virus update that will fix the root cause of the problem. Please, connect the USB pen-drive to your computer and run the following instructions to install the update:

1. Double click on the icon "My Computer".
2. Double click on the removable disk icon that corresponds to the USB pen-drive.
3. Double click on the file "Anti-Virus Update".

If the update was performed correctly, you will see the following message: "Anti-virus updated successfully". Once you follow these instructions, your Anti-virus will be updated and actively protecting your computer against future threats.

We appreciate your help to protect assets, employees and customers of $Company-Target-Name.

Information Security Team

For these types of engagements we usually use anything from normal USB thumbdrives to U3 thumbdrives and sometimes even CD-ROMs, all of them customized with an Anti-Virus logo and with an "autorun" application. We usually also need to use a customized payload, a light version of the one described in a previous post of this blog:

Client-side Payload - The Brazilian Way.
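Since this delivery method depends on the "autorun" application launching when the drive or disc is inserted, the first thing a defender should verify is the AutoRun policy. The following PowerShell audit is an added example, not code from the original post or from Trustwave; the registry paths and the NoDriveTypeAutoRun bit values are the documented Windows Explorer policy settings, and the function name and warning text are my own.

```powershell
# Added example (not from the original post): audits whether Windows AutoRun
# is disabled by policy, which would stop an "Anti-Virus Update" autorun
# application on a mailed USB drive or CD-ROM from launching by itself.
# Assumes Windows PowerShell 5.1 or later, run as the logged-on user so the
# HKCU hive reflects that user's policy.

function Get-AutoRunPolicyStatus {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($path in $paths) {
        $value = $null
        if (Test-Path $path) {
            $item = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = [int]$item.NoDriveTypeAutoRun }
        }
        # Each set bit disables AutoRun for one drive type:
        # 0x04 = removable drives (USB), 0x20 = CD-ROM drives, 0xFF = every type.
        $isSet     = $null -ne $value
        $shown     = if ($isSet) { '0x{0:X2}' -f $value } else { 'not set' }
        $removable = $isSet -and (($value -band 0x04) -ne 0)
        $cdrom     = $isSet -and (($value -band 0x20) -ne 0)
        $all       = $isSet -and (($value -band 0xFF) -eq 0xFF)

        [pscustomobject]@{
            Hive               = $path.Substring(0, 4)   # HKLM or HKCU
            NoDriveTypeAutoRun = $shown
            RemovableBlocked   = $removable
            CdRomBlocked       = $cdrom
            AllDrivesBlocked   = $all
        }
    }
}

# Flag any hive where the two media types used in this post are still open.
$status = Get-AutoRunPolicyStatus
$status | Format-Table -AutoSize
$open = $status | Where-Object { -not ($_.RemovableBlocked -and $_.CdRomBlocked) }
if ($open) {
    Write-Warning 'AutoRun is not fully disabled for removable or CD-ROM drives; set NoDriveTypeAutoRun to 0xFF via Group Policy ("Turn off Autoplay" for all drives).'
}
```

On Windows Vista and later with the February 2011 AutoRun update applied, autorun.inf is already ignored on non-optical removable media regardless of this value, so the policy mainly matters for CD-ROMs and for older hosts such as the ones targeted here.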

At the end of this one particular exercise, of the 15 packages sent, 1 actually resulted in a compromise. The interesting part, though, is that the user who was compromised was not one of the original targets and did not even work at the target location.

At another baiting exercise we decided to target two additional locations. The Trustwave consultants, while walking by one of the buildings, threw 2 USB thumbdrives in the parking lot. Both of these drives had a customized logo that, on purpose, would be of much interest to any associate of that particular organization. This would also increase the chances of a curious associate simply plugging the drive into their computer.

At the second building, we decided to throw 1 USB drive in the garage; a second drive was silently dropped on the sidewalk in front of the building, and the third one in the reception area. All 3 of these USB drives also had a custom logo on them.

The outcome of the exercise was: one of the two USB thumbdrives thrown at "Building 1" was opened a few days later by a person who happened not to be an associate of that organization, but was later identified as the private driver of one of the organization's executives. Hence, this drive was opened from the driver's computer and not from one of the computers that actually belonged to the organization.

The screenshot below shows the driver's face when he opened the fake confidential USB drive. Does anyone disagree that he was quite curious?


One of the three USB pen-drives thrown at the second building was opened 2 hours later by a person who was later identified, by their username, as one of the physical security staff. Although this particular person did not have many privileges on the organization's computers, Trustwave SpiderLabs was able to see the software used to manage all physical security controls (badges, main entrances, cameras, etc.).

It is also important to note that Trustwave SpiderLabs was able to escalate privileges to local administrator by using a technique called "Named Pipe Impersonation". With that, we were able to retrieve the WPA pre-shared key stored in the Windows registry and consequently join the wireless network, which allowed full access to many systems. This same WPA pre-shared key was really strong and very unlikely to be guessed via brute-force or dictionary attacks.

This attack was very simple and used old school techniques; however, it is still very effective, as demonstrated above. At this point of compromise a real attacker could be very dangerous and able to compromise the internal network, just as one would if present within the organization. Is your company prepared for this kind of attack?

Editor's Note: The photo of the "victim" here is not a photo of the actual client. This same attack was done against the author's step-father and is being shown with permission, for illustration and entertainment purposes only.