There are a variety of technical methods for information gathering. Some require high-tech equipment; in other situations low-tech options will work. No single source of information is the leading method, nor is one method alone likely to give you enough data for the compromise. When preparing for a pen test, use multiple methods of gathering information and then synthesize the proper attack vector from that data. Attackers use these very same information-gathering methods to execute malicious social engineering attacks, which underscores the advisability of ongoing training and education for both top-level executives and employees.
A simple phone call can reveal the company’s name, the name and department of the person who answered the phone, basic lingo or protocols used by the organization, and so much more. After one phone call is completed, the pen tester can call back and use the information obtained previously to compromise the organization.
There are plenty of different ways to make the call, including burner cell phones, Google Voice, Skype, and other VoIP options. The Caller ID Spoofing section of the Framework has more details about these pen testing tools.
Pen testers use search engines to locate and comb through corporate documents, resumes, floor plans, vendor relationships, phone numbers, job titles, email address conventions, business locations (even amazingly detailed photos of the buildings), and much more. A digital trip to the county auditor’s website provides a wealth of information on the target building and property, as well as a listing of tenants within the building.
Corporate websites provide information regarding products and services, physical locations, job openings, contact numbers, and biographies of the executives or board of directors. Support forums for products and services can be a gold mine of information about policy, organizational jargon, or other data. Public data regarding an organization may be generated by entities inside and outside the target; it may consist of quarterly reports, government reports, analyst reports, earnings posted for publicly traded companies, etc.
Fingerprinting servers for their operating system, application, and Internet protocol information can disclose a great deal about the organization’s infrastructure. If the platform and application in use can be determined, this data can be combined with a search on the corporate domain name to find entries on public support forums. IP addresses may reveal whether the servers are hosted locally or with a provider, and DNS records can reveal server names, functions, and IP addresses.
User sites such as blogs and online videos may provide not only information about the target organization but also offer a more personal connection through the user(s) posting the content. A disgruntled employee who is blogging about his company’s problems may be susceptible to a sympathetic ear from someone with similar opinions or problems. If the target’s industry is somewhat standardized, then details such as jargon, vocabulary, or policy can be gathered from industry or subject matter experts (SMEs) before being applied to the specific target to reveal possible vulnerabilities to social engineering.
There are a number of OSI (Open Source Information) or OSINT (Open Source Intelligence) training courses available that focus exclusively on this type of online information gathering.
Searching Social Networking Sites
Searching social media accounts can reveal clues or possible answers to security questions, photos of employees wearing their ID badges, or a way to link a key individual’s job title to their hobbies and interests for phishing ideas. Try typing in the name of a coworker or friend and see how many hits or matches appear with their information.
Facebook, Twitter, LinkedIn and other social media platforms help people get connected but they also help pen testers find out about likes and dislikes, family, kids and hobbies. With this information, pen testers and malicious attackers can craft phishing emails or vishing calls with the right emotional triggers to successfully con their target. These social engineering tactics are highly psychological in practice and work best when information gathered about a specific person is used to obtain more information about the organization they work for or to compromise the target.
Mia Ash and a Middle Eastern Company
As reported by SecureWorks, Mia Ash, a persona created by COBALT GYPSY/OilRig, used LinkedIn to search out an employee with a job title that implied administrative or elevated access to the corporate network. She then contacted the employee via the networking site with questions about photography. Mia and the employee messaged each other about their professions, photography, and their travels. Mia then asked if he would add her as a Facebook friend so that they could continue their conversations there. About a month later she asked him to participate in a photography survey. She then sent a Microsoft Excel document, “Copy of Photography Survey.xlsm”, to his personal email account. Mia encouraged him to open the document using his corporate email account so that the survey could function properly. He complied; the attached survey contained macros that he enabled, unleashing PupyRAT. The compromise of the individual was not the ultimate goal, but rather served as the launch pad for breaching the target organization.
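The lure in the Mia Ash case was a macro-enabled Excel file (.xlsm). Office Open XML documents are ZIP containers, and VBA macros live in a part named vbaProject.bin, so a mail gateway or triage script can flag such attachments before a user is ever asked to "enable content". The following is an added example, not code from the Framework or from SecureWorks; the sample attachments are constructed in memory and only borrow the file name from the case.

```python
import io
import zipfile

# OOXML documents (.xlsm, .docm, .pptm, and renamed .xlsx/.docx) are ZIPs;
# a VBA project is stored as a part ending in vbaProject.bin.
MACRO_PART = "vbaProject.bin"
MACRO_EXTENSIONS = {"xlsm", "docm", "pptm", "xltm", "dotm"}

def build_sample_workbook(with_macro):
    """Constructed minimal OOXML-style ZIP (not a real Excel file): just enough
    structure to exercise the check. Real files from mail need no changes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed stub")
    return buf.getvalue()

def inspect_attachment(filename, data):
    """Verdict for one attachment: is it a ZIP-based Office document, does it
    embed a VBA project, and does the extension fail to advertise that macro."""
    verdict = {"filename": filename, "ooxml": False, "has_macro": False, "extension_hides_macro": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return verdict
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    verdict["ooxml"] = "[Content_Types].xml" in names
    verdict["has_macro"] = any(n.endswith(MACRO_PART) for n in names)
    ext = filename.rsplit(".", 1)[-1].lower()
    verdict["extension_hides_macro"] = verdict["has_macro"] and ext not in MACRO_EXTENSIONS
    return verdict

def macro_bearing(attachments):
    """Names of attachments that should be quarantined for carrying a VBA project."""
    return [name for name, data in attachments if inspect_attachment(name, data)["has_macro"]]

# Constructed sample attachments; the first mimics the file name from the Mia Ash case.
SAMPLE_ATTACHMENTS = [
    ("Copy of Photography Survey.xlsm", build_sample_workbook(True)),
    ("quarterly_figures.xlsx", build_sample_workbook(False)),
    ("notes.txt", b"plain text, not a zip"),
]
```

The check looks at the container rather than the extension, so a macro-enabled file renamed to .xlsx is still caught.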
Social media is a technology that many companies have embraced. It’s cheap marketing that can reach a large number of potential customers. It’s also another stream of information from a company that can provide breadcrumbs of viable information. Companies publish corporate events, new products, press releases, vendor relationships, and updates that may relate them to current events (e.g. security companies describing how they can or already are protecting you from the latest vulnerability).
Privately and publicly available search tools geared toward sifting through the metadata provided on social media sites are available. Please look at our Computer-based tools under the Social Engineering Tools section of the Framework.
Phishing with Cloned Websites
According to the Webroot Quarterly Threat Trends Report, 1.4 million new phishing websites are created every month. A link to a cloned site can be included in a phishing campaign to collect employee credentials or other identifying information. A cloned website looks legitimate, closely resembling the company it is impersonating, possibly a target’s own intranet site or a survey site that an employee would fill out. The answers provided by the employee can give either the pen tester or a malicious attacker the information they need to gain access to the network.
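A cloned site has to live somewhere, and the link in the phishing email usually points at a domain that merely resembles the real one. The following is an added example, not code from the Framework, of triaging URLs reported from phishing emails against a protected domain; the domain and URLs are constructed and hypothetical, and registered_domain() is a deliberately naive stand-in for a Public Suffix List lookup.

```python
from urllib.parse import urlparse

# Constructed example: the domain being protected and URLs as they might be
# extracted from reported phishing emails. None of these are real sites.
PROTECTED_DOMAIN = "example-corp.com"
SAMPLE_URLS = [
    "https://intranet.example-corp.com/login",      # real subdomain
    "https://example-c0rp.com/survey",              # digit-for-letter swap
    "http://exarnple-corp.com/login",               # "rn" standing in for "m"
    "https://examplecorp.com/reset",                # dropped hyphen
    "https://example-corp.com.verify-login.net/",   # brand name used as a subdomain
    "https://partner-site.org/news",                # unrelated
]
# Character sequences commonly substituted in lookalike names.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

def normalize(label):
    """Undo common visual substitutions so a lookalike collapses onto the real name."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def levenshtein(a, b):
    """Plain edit distance; a small distance to the brand suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host):
    """Naive registrable domain (last two labels); use the Public Suffix List in production."""
    return ".".join(host.lower().split(".")[-2:])

def classify_url(url, protected=PROTECTED_DOMAIN):
    """Return one verdict per URL; anything other than 'legitimate' is worth blocking."""
    host = urlparse(url).hostname or ""
    reg = registered_domain(host)
    if reg == protected:
        return "legitimate"
    if protected in host:
        return "brand-in-subdomain"
    if normalize(reg) == protected:
        return "homoglyph"
    if levenshtein(reg, protected) <= 2:
        return "typosquat"
    return "unrelated"
```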
Another example of using websites for information gathering (or compromise) is what is called a Watering Hole attack. This is where code on a legitimate website is compromised so that whenever someone accesses that page, their computer is infected with malware. This tactic is more likely to be seen “in the wild” than in pen testing. The attacker picks a website that they think people in their target industry are likely to access, then sits back like a lion waiting for a herd of zebra to visit the watering hole. The attacker can pick a favorite target out of the herd that approached and mine that individual for information that will help complete the compromise.
In February 2017, Symantec reported on a wave of watering hole attacks targeting 100 organizations in 31 different countries. Banks comprised the majority of targeted organizations, with a small number of telecom and internet firms also on the list. The watering hole attacks have been traced back to the state-sponsored hacking collective known as the Lazarus Group.
While no one source of information is likely to give you enough data for a compromise, social media platforms have emerged as the go-to resource for collecting personal and professional information. When used by malicious attackers, the consequences can be devastating. Here are a few guidelines to help mitigate the risk.
1. Do not overexpose yourself or your organization on social media. Be security conscious when it comes to information you make public on any social media platform. Keep the privacy and security settings up to date on both personal and professional social media platforms.
2. Clear guidelines for social media usage, as well as education on identifying potential phishing lures, are essential for all employees, including top-level executives. Clear company policies should be in place for reporting potential phishing messages received through corporate email, personal email, and social media platforms.
Technical Tools for Information Gathering
For more information on technical tools of the trade, please see the Computer-based tools section of the Framework under Social Engineering Tools.