Trustwave Blog

A reporter asked us to hack him, and here's how we did it

Written by Garret Picchioni | Oct 31, 2013

You may have read Adam Penenberg's Pandodaily article, "I challenged hackers to investigate me and what they found out is chilling," explaining how we infiltrated Adam's life in just a couple weeks.

Adam approached Trustwave asking for our advanced research and ethical hacking team, SpiderLabs, to hack him. Since the SpiderLabs team at Trustwave performs thousands of penetration tests every year, we were a natural fit for this project and jumped at the opportunity.

The Pandodaily story gave Adam's account, but we thought it would be interesting to provide our perspective and follow that with some helpful lessons to be learned from this exercise.

While a number of Trustwave team members contributed to this project, for the purposes of this article "we" refers to Security Analyst Garret Picchioni, Malware Researcher Josh Grunzweig and Security Consultant Matthew Jakubowski.

Reconnaissance and preparations

Before we conducted the actual attacks, we researched Adam online to find out some basic information. Not surprisingly, through social media and other channels, we found quite a bit - his address, pictures of his apartment, credit reports, names of family members, birth dates, emails, phone numbers, etc. We also discovered that his wife owned a Pilates studio.

Using all of the preliminary information we gathered, we developed a two-pronged approach that combined both wireless and malware/phishing attacks.

The wireless attack: Many sleepless nights outside a Brooklyn home

When we perform wireless penetration tests for companies, we are given a list of network names (SSIDs) beforehand so that we don't waste time trying to identify them and don't accidentally compromise someone else's network. In Adam's case, we did not have this luxury, so we needed to identify Adam's home wireless network name without compromising someone else's by mistake.

Using our equipment, we did a quick Wi-Fi scan which revealed more than 1,200 wireless networks discoverable from Adam's block. Without obvious wireless network names such as "Adam Penenberg's House," we knew it would take us a few days to identify which one belonged to our target. So, we rented a car and camped out about 50 yards away from his house.

To scan wireless networks exclusive to his apartment (or very close), we created a device that we placed behind a planter outside of Adam's house. We also tethered an iPhone to the device so we could interact with it without having to be on Adam's doorstep.

 First iteration of the wireless device

 

Wireless device inside bag, with a high-gain Yagi Antenna, that was used against Adam's network

After letting the device sit overnight, we had a final list of wireless networks and narrowed that down to Adam's network. Now with access to Adam's wireless network, we were able to bypass the two-factor authentication for his bank and email accounts. Both sites did not detect malicious login activity because we were logging in from a previously used location.

Further exploitation of the network proved unnecessary due to the success of a malware campaign we executed simultaneously.

Planting the malware

To embed the malware, we used a common ruse - phishing. After an initial botched attempt, we packed a malicious Mac OS X application inside of a ZIP file and drafted an email (with the ZIP file attached) posing as a Pilates instructor who was looking for a job.

If and when Adam's wife opened the ZIP file, the application would not only execute the malware, but it would also open a legitimate movie file. We also changed the default icon to make it look like a normal movie file. We figured if Adam's wife opened up the file, she would see a video file actually open and believe it was working as expected.

The next day, she opened the email, and we gained complete control of her computer.

Success

Our Pilates-themed spear phishing attack installed custom OS X malware that gave us remote shell access to Adam's wife's laptop. When the laptop was online, we received text message alerts letting us know that the connection was established. We had direct access to view files and run commands on her system until she disconnected from the internet. We pulled every document on Adam's wife's home drive, including her business' financial records and, much to our surprise, W-2 documents for the entire family.

Now we had plenty of sensitive information, but wanted to see what more we could find. We were able to obtain Adam's wife's OS X Keychain password management system, which held all of her saved usernames and passwords. Unfortunately, we needed the master password to access that information, so we created an application that asked Adam's wife for her administrative password. She ignored it a couple of times, but eventually, she conceded and entered it.

 Counterfeit GUI application

At this point, we had access to plenty of personal information, including:

  • W-2 documents
  • Adam's Twitter account
  • iCloud account
  • Amazon account
  • Bank account
  • Other miscellaneous accounts

Lessons to be learned

Fortunately for Adam, this ethical hack was merely an experiment. Sadly, however, these kinds of cyberattacks happen far too often.

Imagine if this happened to an employee who worked for a large corporation or, like Adam's wife, an owner of a business. The attacks could severely damage the individual's and business's reputation, intellectual property and finances. So how can employees and employers protect themselves from falling victim? Here are some helpful tips:

Remember the basics - Be cautious about what you post and who you befriend on social media. A new "friend" may not be a friend at all. He/she may just want to learn more about you and use it for malicious purposes. Use strong passwords. Passwords should be at least six characters long and include a combination of symbols, letters and numbers. We also suggest using passphrases, which are harder to guess, such as "mydogisnameddexter."  Businesses should conduct security awareness training that covers these tips and others so that employees have a better understanding of how to avoid becoming a victim.

Think twice before opening an attachment or link - Criminals often send emails that contain malicious links or attachments. Once the receiver opens the link or attachment, malware is planted on his/her machine.  Before clicking on such lures, confirm with the sender that he/she did indeed send it. If you do not know the sender, it's best not to open it.

Perform frequent penetration testing
 - Employers should have frequent penetration testing performed on their networks, applications and databases. Penetration testing identifies vulnerabilities within a business's security so that business leaders can fix the weak spots before it's too late.

See the threats
 - Security technology such as Security Information and Event Management (SIEM) collects data from a business' network, databases and applications, and alerts them in real time to any threats or unusual activity. This kind of technology helps organizations lower their threat detection and reaction times, which greatly reduces their risk and the potential for damage caused by undetected threats.

Don't forget about mobile
 - According to the 2013 Trustwave Global Security Report, our security researchers saw a 400 percent increase in mobile malware in 2012. Malware, policy violations, data loss, as well as unsupported and insecure mobile applications, are creating new security risks. Business leaders must add security controls to help protect the data to which mobile devices have access. For example, technology such as Network Access Control enables granular control over network access and continuous monitoring of corporate-sanctioned and BYOD endpoints to help prevent malware and other threats that can harm infrastructure and leave businesses vulnerable to attack and data loss.

Garret Picchioni is a security analyst at Trustwave.