Are You Enjoying Your Trip As Much As The Social Engineer Is?

Winter is coming. For most of us that means starting to plan the trips to Grandma’s for turkey dinner, the ski week in Colorado, the next work conference, or maybe sitting on a warm sunny beach enjoying a mai-tai. Whatever your plans, don’t forget that a social engineer may be enjoying your vacation right along with you.

Protecting Your Professional Life

In standard business etiquette it’s become the norm to set automatic out-of-office email replies to respond in your absence. In fact, many businesses require them and provide rules to follow when setting up the automatic reply. Most of these responses include the dates of the absence, names and contact information for fellow employees, and in some circumstances the reason for the absence (vacation, conference, etc.). In conjunction with the automatic email replies, most people also change their voicemail to give callers similar information about the absence.

All of this seems like harmless information, right? Think again, because these are excellent tools that can be leveraged by a social engineer in attacking your corporation. For example, just by knowing the dates and who to contact in your absence, a social engineer would be able to craft a convincing vishing or phishing attack directed towards your surrogate. In a vishing scenario the pretext would sound similar to, “Hey Bob, I know Alice is out until the 14th. I’m hoping you can take a minute to help me out so Alice and I aren’t in hot water if this doesn’t get done.” A few things are at play here as to why this works. First, the social engineer appears knowledgeable about Alice’s matters, which helps to establish trust with the target. Second, the social engineer is appealing to Bob’s natural tendency to want to be helpful. Finally, the social engineer is letting him know this will take only a short amount of his time, and not be a task that derails the rest of his day.

The other way that Alice’s absence information helps a social engineer is knowing how long they can spoof her in vishing attacks. When performing these types of services for our customers, I at times will find a high-ranking executive, IT person, or HR person with an OOO message telling me that they will be gone for a few weeks, and it is a great tool that I like to leverage. I then know that until the 22nd of that month I’ll be able to pretext as Alice while eliciting with less risk of raising alarms. Even if the target did happen to call me back and get my OOO voicemail, they’d probably just assume that I was working remotely, since it’s so common for us to stay connected even when we’re supposed to be relaxing.

One of the best ways to protect against this is to set up two different auto-response messages: one for contacts within your organization, and one for those outside of it. For internal contacts your message can contain dates and who to contact in your absence. However, for external contacts you may want to limit what your response contains, or choose to forgo an automatic response altogether. If you’ve got a very important external contact this could affect, you may just want to send them a private notification of your absence details. Since you currently can’t filter who hears your voicemail, it’s best to keep the amount of information you share to a minimum. For example, you could just say, “I’m out of the office until the 10th, please leave a message and I’ll respond when I return.” Finally, if you’re one of those lucky enough to have an admin assistant, please make sure that they know not to share any details of your absence until they can verify the caller is trusted and has a need to know.
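The split between an internal and an external auto-reply described above, shown as an added Exchange Online example (not from the newsletter). It assumes the ExchangeOnlineManagement module and uses a placeholder mailbox, dates and contact details; the final query is an audit that flags mailboxes still handing a backup contact or return date to every external sender.

```powershell
# Added example, not part of the original newsletter.
# Assumes the ExchangeOnlineManagement module; alice@example.com, the dates
# and "Bob (x1234)" are placeholders.
Connect-ExchangeOnline

# Weak configuration: the same detailed reply goes to everyone, inside and
# outside the organization, so any stranger learns the dates and the surrogate.
Set-MailboxAutoReplyConfiguration -Identity alice@example.com `
    -AutoReplyState Scheduled -StartTime "2024-11-08" -EndTime "2024-11-22" `
    -ExternalAudience All `
    -InternalMessage "At the ski week in Colorado until the 22nd. Contact Bob (x1234) for approvals." `
    -ExternalMessage "At the ski week in Colorado until the 22nd. Contact Bob (x1234) for approvals."

# Hardened configuration: colleagues still get the dates and the backup contact,
# while only senders already in Alice's contacts get a minimal reply.
# Use -ExternalAudience None to send no external reply at all.
Set-MailboxAutoReplyConfiguration -Identity alice@example.com `
    -AutoReplyState Scheduled -StartTime "2024-11-08" -EndTime "2024-11-22" `
    -ExternalAudience Known `
    -InternalMessage "Out until the 22nd. Contact Bob (x1234) for approvals." `
    -ExternalMessage "I am currently out of the office and will reply when I return."

# Audit: find active auto-replies that still tell all external senders
# who to contact or when the person is back.
Get-Mailbox -ResultSize Unlimited |
    Get-MailboxAutoReplyConfiguration |
    Where-Object {
        $_.AutoReplyState -ne 'Disabled' -and
        $_.ExternalAudience -eq 'All' -and
        $_.ExternalMessage -match 'contact|until|back on'
    } |
    Select-Object Identity, ExternalAudience, ExternalMessage
```

Running the audit on a schedule catches people who set a detailed external reply by hand despite the policy.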

Protecting Your Personal Life

We’ve all seen the news stories where Alice & Bob posted about their vacation on social media, only to return and find that their home had been robbed while they were away. This information can also be helpful in social engineering attack vectors. This is why it’s so important for you and your family to be aware of how to lock down social media accounts, and to routinely check that they are. While an executive may have their Facebook page locked down, I’ve been able to make many successful spear phish emails using information found on their spouse’s or children’s social media pages. Even after the fact, this information can still be used to craft a spear phish similar to, “Hello Bob, thank you for dining at our Lounge at the Beachcomber Resort on the evening of September 12. You’ve won our quarterly drawing for a $200 voucher good at any of our resorts and restaurants world-wide. Just download the attached certificate and present it at any of our locations.”

We all know social media can be a powerful tool to leverage when complaining about bad service, but don’t forget that posting those emotional rants can open you up to attack. Many times I have created successful spear phish attacks such as, “Hello Bob, thank you for dining at our Starchaser Lounge at the Beachcomber Resort on the evening of September 12th. I’m very disappointed to hear that you didn’t have an enjoyable time, and don’t feel this was resolved to your satisfaction. I’d like to reimburse you for two nights of your stay; please just fill out the attached complaint form and email it back so I can process this as soon as possible.” Besides running malicious code from the downloaded form, I can also try to acquire address, banking, and/or credit card information if Bob’s emotions are running high enough.

Enjoy Your Upcoming Vacations, Just Take Some Precautions First

In your absence, sharing vital information can be important to keep things running smoothly. Just make sure that information is only getting to trusted people within your organization, or is specifically shared with outside contacts on a need-to-know basis.

Make sure you and your travel companions are making security-conscious choices when sharing details on social media. We can ask our families to lock down their accounts, but if you find that your friends have tagged you in some posts or pictures, you can go in after the fact and un-tag yourself from them.

Finally, if you really liked this newsletter, please mail us a post card from your fabulous destination. 😉

Written By: Laurie V