
Baiting Attack Exercise – The Old School Way Still Works

In the past few months, we have had quite a few social engineering and client-side penetration tests, and, as you have probably noticed from my previous posts, these are the types of tests I enjoy doing, a lot.

Let me start this blog post by briefly describing our usual approach and the results of one of the baiting attack exercises we have performed. In this particular case, we used traditional, old school techniques that still work.

Baiting attacks can be very similar to phishing attacks; however, instead of using email as the delivery method, we use different kinds of physical media, relying on the curiosity or sometimes even greed of the victims.

After gathering a list of full names, work addresses and positions for all of the associates of an organization, Trustwave SpiderLabs carefully analyzed this list and decided to target a certain number of employees per location.

After having decided on the targets, the next step was to choose which attack method we were going to use for that specific case. Trustwave SpiderLabs decided on trying to impersonate users (most of them part of the sales team) with a custom message requesting users to update their local Anti-Virus software. Yes, we know, it's really old school, but you would be surprised by how effective this is.

The physical media were delivered by postal service to each one of the targets, along with a letter with details about the (fake) antivirus update and instructions on how to install from either the CD-ROM or the USB pen-drive that was also included in the packages.

Below is one of the templates used for these types of attacks; the real letters had the real names of the targets, and replaced thumb drive with CD-ROM accordingly.

Dear $Employee-First-Name:

During a recent internal security analysis, we have identified that your computer is running an outdated version of our Anti-virus software because of the recent issues in the network of your $Physical-Location.

As you understand, this creates a potential hazard to the safety of the company, and we need your cooperation to provide an immediate solution.

This package you received includes a USB thumb drive containing the Anti-virus update that will fix the root cause of the problem. Please, connect the USB pen-drive to your computer and run the following instructions to install the update:

1. Double click on the icon "My Computer".
2. Double click on the removable disk icon that corresponds to the USB pen-drive.
3. Double click on the file "Anti-Virus Update".

If the update was performed correctly, you will see the following message: "Anti-virus updated successfully". Once you follow these instructions, your Anti-virus will be updated and actively protecting your computer against future threats.

We appreciate your help to protect assets, employees and customers of $Company-Target-Name.


Information Security Team

For these types of engagements we usually use anything from normal USB thumb drives to U3 thumb drives and sometimes even CD-ROMs, all of them customized with an Anti-Virus logo and with an "autorun" application. We usually also need to use a customized payload that is a light version of the one described in a previous post of this blog:

Client-side Payload - The Brazilian Way.
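From the defender's side, removable media like the drives described above can be triaged before anyone double-clicks anything. The following is an added example, not code from the original post or from Trustwave: it parses an `autorun.inf` file and separates the entries that launch a program from the ones that only dress up the drive. The sample file contents and all file names in it are constructed.

```python
# Added example: triage of an autorun.inf found on untrusted removable media.
# The sample file content at the bottom is constructed for illustration.
import re

# Keys in the [autorun] section that cause a program to be launched.
LAUNCH_KEYS = {"open", "shellexecute"}
# Keys that only change how the drive is presented to the user.
COSMETIC_KEYS = {"icon", "label", "action"}
# Context-menu verbs: shell\<verb>\command=<program>
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def parse_autorun(text):
    """Return {key: value} for the [autorun] section (keys lower-cased)."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def triage(text):
    """Split entries into those that launch code and those that are cosmetic."""
    findings = {"launch": [], "cosmetic": []}
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS or SHELL_COMMAND.match(key):
            findings["launch"].append((key, value))
        elif key in COSMETIC_KEYS:
            findings["cosmetic"].append((key, value))
    return findings


# Constructed sample, not taken from the engagement described in the post.
SAMPLE = """\
; constructed sample
[AutoRun]
open=update.exe
icon=av_logo.ico
label=Anti-Virus Update
action=Install Anti-Virus Update
shell\\install\\command=update.exe /quiet
"""

if __name__ == "__main__":
    for kind, items in triage(SAMPLE).items():
        for key, value in items:
            print(f"{kind:8} {key} = {value}")
```

Any `launch` finding on media of unknown origin is reason enough to hand the drive to the security team instead of opening it.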

At the end of this one particular exercise, of the 15 packages sent, 1 of them actually resulted in a compromise. The interesting part, though, is that the user that was compromised not only was not one of the original targets, but also did not work at the target location.

At another baiting exercise we decided to target two additional locations. The Trustwave consultants, while walking by one of the buildings, threw 2 USB thumb drives in the parking lot. Both of these drives had a customized logo that, on purpose, would be of much interest to any associate of that particular organization. This would also increase the chances of a curious associate simply plugging that drive into their computer.

At the second building, we decided to throw 1 USB drive in the garage, a second drive was silently dropped on the sidewalk in front of the building, and a third one in the reception. All 3 of these USB drives also had a custom logo on them.

The outcome of the exercise was: one of the two USB thumb drives thrown at "Building1" was opened a few days later by a person who happened not to be an associate of that organization, but was later identified as the private driver of one of the organization's executives. Hence, this drive was opened from the driver's computer and not from one of the computers that actually belonged to the organization.

The screenshot below shows the driver's face when he opened the fake confidential USB drive. Does anyone disagree that he was quite curious?


One of the three USB pen-drives thrown at the second building was opened 2 hours later by a person who was later identified, by their username, as one of the physical security staff. Although this particular person did not have many privileges on the organization's computers, Trustwave SpiderLabs was able to see the software used to manage all physical security controls (badges, main entrances, cameras, etc).

It is also important to note that Trustwave SpiderLabs was able to escalate privileges to local administrator by using a technique called "Named Pipe Impersonation". With that, we were able to retrieve the WPA pre-shared key stored in the Windows registry and consequently join the wireless network that allowed full access to many systems. This same WPA pre-shared key was really strong and very unlikely to be guessed via brute-force or dictionary attacks.

This attack was very simple and used old school techniques; however, it's still very effective, as demonstrated above. At this point of compromise a real attacker could then be very dangerous and be able to compromise the internal network, just like one would do if present within the organization. Is your company prepared for this kind of attack?

Editor's Note: The photo of the "victim" here is not a photo of the actual client. This same attack was done against the author's step-father and is being shown with permission and for illustration and entertainment purposes only.
