Trustwave SpiderLabs Exposes Unique Cybersecurity Threats in the Public Sector. Learn More

Trustwave SpiderLabs Exposes Unique Cybersecurity Threats in the Public Sector. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Baiting Attack Exercise – The Old School Way Still Works

In the past few months, we have had quite a few social engineering and client-side penetration tests, and, as you have probably noticed from my previous posts, these are the types of tests I enjoy doing, a lot.

Let me start this blog post briefly describing our usual approach and results for one of the baiting attack exercises we have performed. In this particular case, we have used traditional and old school techniques that still work.

Baiting attacks could be very similar to phishing attacks, however, instead of using email as the delivery method of the attack we use different ways of physical media which relies on the curiosity or sometimes even greed of the victims.

After gathering a list of full names, working address and position for all of the associates of an organization, Trustwave SpiderLabs carefully analyzed this list and decided to target a certain number of employees per location.

After having decided on the targets, the next step was to choose which attack method we were going to be using for that specific case. Trustwave SpiderLabs decided on trying to impersonate users (most of them part of sales team) with a custom message requesting users to update their local Anti-Virus software. Yes, we know, its really old school, but you would be surprised on how effective this is.

The physical medias have been delivered by postal service to each one of the targets along with a letter with details about the (fake) antivirus update and instructions on how to install either the CD-ROM or USB pen-drive that was also included in the packages.

Below is one of the templates used for these types of attacks, the real letters had real names of the targets, and replaced thumb drive with CD-ROM accordingly.

Dear $Employee-First-Name:

During a recent internal security analysis, we have identified that your computer is running an outdated version of our Anti-virus software because of the recent issues in the network of your $Physical-Location.

As you understand, this creates a potential hazard to the safety of the company, and we need your cooperation to provide an immediate solution.

This package you received includes a USB thumb drive containing the Anti-virus update that will fix the root cause of the problem. Please, connect the USB pen-drive to your computer and run the following instructions to install the update:

1. Double click on the icon" My Computer".
2. Double click on the removable disk icon that corresponds to the USB pen-drive.

3. Double click on the file" Anti-Virus Update"

If the update was performed correctly, you will see the following message: "Anti-virus updated successfully". Once you follow these instructions, your Anti-virus will be updated and actively protecting your computer against future threats.

We appreciate your help to protect assets, employees and customers of $Company-Target-Name.

Sincerely.

$Company-Target-Name
Information Security Team
$Customer-Address

For these types of engagements we usually use from normal USB thumb drives, to U3 thumb drives and sometimes even CD-ROMs – all of them customized with an Anti-Virus logo and with an "autorun" application. We usually also need to use a customized payload that was a light version of the one described in a previous post of this blog:

Client-side Payload - The Brazilian Way.

At the end of this one particular exercise, from the 15 packages sent, 1 of them has actually resulted in a compromised. The interesting part though is that the user that has been compromised, not only was one of the original targets but neither worked at the target location.

At another baiting exercise we decided to target two additional locations. The Trustwave consultants, while walking by one of the buildings, threw 2 USB thumb drives on the parking lot. Both of these drives had a customized logo that, on purpose, would be of much interest for any associate of that particular organization. This would also increase the chances of a curious associate to simply plug that drive in their computer.

On the second building, we decided to throw 1 USB drive on the garage, and a second drive has been silent dropped on the sidewalk in front of the building, the third one in the reception. All these 3 USB drives also had a custom logo on it.

The outcome of the exercise was: One of the two USB thumb drives thrown at "Building1"was opened a few days later by a person, that happened not to be an associate of that organization, but was later identified as one of the organization's executives private driver. Hence, this drive was opened from the driver's computer and not one of the computers that actually belonged to the organization.

The screenshot below shows the driver's face when he opened the fake confidential USB drive. Does anyone disagree that he was quite curious?

11554_beeaf3d0-9ba9-4e37-afb5-060ee154f4e2

One of the three USB pen-drives thrown at the second building was opened 2 hours later by a person, which has been identified later by their username, as one of the physical security staff. Although this particular person did not have many privileges in the organizations computers, Trustwave SpiderLabs was able to see the software used to manage all physical security control (badges,  mainentrances,  cameras, etc).

It is also important to note that the Trustwave SpiderLabs was able to escalate privileges to local administrator by using a technique called "Named Pipe Impersonation". With that, we were able to retrieve the WPA pre-shared key stored on the Windows registry and consequently join the wireless network that allowed full access to many systems. This same WPApre-shared key was really strong and very unlikely could be guessed via brute-force or dictionary attacks.

This attack was very simple and used old school techniques, however it's still very effective as demonstrated above. At this point of compromise a real attacker could then be very dangerous and be able to compromise the internal network, just like one would do if present within the organization. Is your company prepared for this kind of attack?

Editors Note: The photo of the "victim" here is not a photo of the actual client. This same attack was done against the authors step-father and is being show with permission and for illustration and entertainment purposes only.

Latest SpiderLabs Blogs

2024 Public Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies

Trustwave SpiderLabs’ 2024 Public Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies report details the security issues facing public sector security teams as...

Read More

How to Create the Asset Inventory You Probably Don't Have

This is Part 12 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

Read More

Guardians of the Gateway: Identity and Access Management Best Practices

This is Part 10 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

Read More