02 January, 2013

Spear Phishing: "You guys are Shady!"

Author: Secure Ideas

This post is part of our Professionally Evil series of posts that discuss some of the experiences we have had as Security Consultants.  In Kevin’s previous post he talked about his experience doing a physical penetration test as a delivery guy.  In this post, I want to take a moment to highlight how my job has an effect on my loved ones, more specifically my wife (a second grade teacher, not a security thinker).

I was working on a client engagement from my home office and this particular test included social engineering.  I find this type of test really fun.   My wife came into the office and we were just talking as I was surfing the client web site looking for my prime target.  My goal: determine if I can get an email recipient to click on a link that I sent them.  If this can be done, the chances are very high that I can get malicious software on their machine and gain access to the internal network.  This is a common test to determine the awareness of employees regarding social engineering attacks. 

I explained to my wife what I was doing and what a phishing attack is. She nodded to show her understanding, but I was sure she didn’t really grasp the concept. I identified a target and proceeded to create a custom email specific to that victim. I even decided to use my wife as part of the email, stating that my wife is a school teacher and was having difficulties with trying to get information from the site. I created a link that exploited a reflected cross-site scripting (XSS) vulnerability on one of the pages. My link was ugly, contained a BeEF hook, and it was pretty obvious to my wife that you shouldn’t click it. I thought, “this is great... she has some awareness.” My wife swore to me that no one would click that link.

At that moment, I changed the link so that the visible portion of the link was just the client’s website, while the actual link (hidden) was the exploit code. I will never forget the look on her face as she told me how shady I was. It really clicked for her how phishing attacks really worked and one of the techniques used to get people to click links. She thought I was doing legit work, and now she has this whole new view of how shady a security consultant has to be to be effective during an assessment. She may even look at me a little differently now (maybe I finally have a little ‘bad boy’ status). Her other concern was that I was getting someone in trouble. Let me make it clear that when we do these types of assessments, it is not to get anyone in trouble and usually it is not revealed who the actual targets were. These assessments are to assess the awareness programs, not trying to target actual individuals. No one is losing their job or getting in trouble from this test.
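The gap described above, between the text a link displays and the URL it actually opens, is something a mail filter or an awareness team can check for mechanically. The sketch below is an added example, not part of the original post or the tooling used on the engagement; the function names, the three finding labels and the sample message (built on reserved example domains) are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Visible link text that itself looks like a URL or bare hostname.
HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(\S*)$", re.I)
MARKUP = re.compile(r"[<>]|javascript:", re.I)

class AnchorCollector(HTMLParser):
    """Collects (visible_text, href) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit_links(html_body):
    """Return (reason, visible_text, href) for each suspicious link."""
    collector = AnchorCollector()
    collector.feed(html_body)
    findings = []
    for text, href in collector.links:
        target = urlsplit(href)
        shown = HOSTLIKE.match(text)
        if shown and shown.group(1).lower() != (target.hostname or "").lower():
            findings.append(("host-mismatch", text, href))  # text names another host
        elif shown and target.query and "?" not in shown.group(2):
            findings.append(("hidden-query", text, href))   # same host, undisclosed query
        if MARKUP.search(unquote(target.query)):
            findings.append(("markup-in-query", text, href))  # decoded query holds markup
    return findings

# Constructed sample mail body; every host is a reserved example domain.
SAMPLE = """
<p>I can't load <a href="http://www.example.com/search?q=%3Cscript%20src%3D%22//static.example.net/h.js%22%3E%3C/script%3E">www.example.com</a></p>
<p>Docs: <a href="https://login.example.org/reset">www.example.com/help</a></p>
<p>News: <a href="https://www.example.com/news">https://www.example.com/news</a></p>
"""
if __name__ == "__main__":
    for reason, text, href in audit_links(SAMPLE):
        print(f"{reason:16} shown={text!r} href={href}")
```

A host comparison alone would miss the first sample link, because a reflected XSS link points at the legitimate site's own hostname; the query-string checks are what flag it.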

She made it quite clear that she would never open another link from me again. I tried to assure her that I only generate emails like this for paid, legal, approved engagements and I would never do that to her. I sent out the email and waited… and waited… and waited. It was the better part of a day before I finally saw in my BeEF log the connection from the victim. Keep in mind, I was just checking to see if the victim clicked the link, nothing more. The anticipation was high, but it paid off and the excitement of seeing the click was huge.

Fortunately, this was a big win, and that doesn’t always happen.  I did send emails to a few other people and they all clicked the link.   One even forwarded the email on to another, more administrative type person, to help determine why I was having difficulties.  No one questioned the emails and they were actually very helpful when they responded. 

As for my wife, she has a whole new appreciation for phishing attacks and social engineering in general. We sat at a lacrosse game a few months later and she was pointing out security issues, a proud day for me.

James Jardine is a Principal Security Consultant with Secure Ideas. 
If you are in need of a penetration test or other security consulting services you can contact him at james@secureideas.com or visit the Secure Ideas – Professionally Evil site for services provided.
