


Page 1


It only takes one... We needed the right person to start us off befriending the rest of the company. This one looked ‘friendly’, lucky her!

FACEBOOK June 2008

Anti-Social Networking: “It is good to strike the serpent’s head with your enemy’s hand.”

THE FRIEND OF MY ENEMY IS MY FRIEND. (2008)

The Facebook Coworker search tool can be abused by skilled attackers in sophisticated attempts to compromise personal information and authentication credentials of your company’s employees.

Josh Valentine and Kevin Finisterre of the penetration testing company Netragard, Inc., operating under the aliases Peter Hunter and Chris Duncan, were tasked with conducting a penetration test against a large utility company. Having exhausted most conventional exploitation methods, they decided to take an unconventional approach to cracking the company’s networks: a targeted attack against the company’s Facebook population seemed the most fruitful investment of time.

Since Facebook usage requires that you actually sign up, Josh and Kevin had to research believable backgrounds for their alter egos Peter and Chris. The target company had a fairly large presence in the US, with four offices in various places. Given the size of the company, it was easy to cherry-pick bits and pieces of information from the hundreds of available profiles, and because many profiles can be browsed without any prior approval, gathering basic information was easy.

Armed with new identities based on the details and demographics of the company’s Facebook population, it was time to make some new friends. After searching through the entries in the Coworker search tool, they began selectively attempting to befriend people. In some cases the attempts were completely random; in others they tried to look for ‘friendly’ people.

The logic was that once Peter and Chris had a few friends on their lists, they could send out a few mass requests for more new friends. With at least four or five friends under their belt, the chances of having overlapping friends would increase.

Now who would think that your best friend would be your worst enemy and your enemy your best friend?

Page 2


“by the way... thanks for the hookup on the job. I really appreciate it man.”

Appearing as if they were ‘friends of friends’ made convincing people to accept the requests much easier. Facebook behavior such as the ‘Discover People You May Know’ sidebar also added the benefit of making people think they knew Peter and Chris.

Blending in with legitimate accounts meant that the two fake accounts needed to seem like real people as much as possible. Josh and Kevin first came up with basic identities that were just enough to get a few friends. If they wanted to continue snaring new friends without raising suspicion among existing friends, they would need to be fairly active with the accounts.

Things needed to get elaborate at this point, so Josh and Kevin combed the internet looking for random images as inspiration for character background. Having previously decided on their desired image and demographic, they settled on a set of pictures to represent themselves with. They came up with a few photos from the surrounding area and even made up a fake sister for Chris. All of this helped solidify the fact that they were real people in the eyes of any prospective friends. Eventually enough people had accepted the requests that Facebook began suggesting Chris and Peter as friends to many of the other employees of the target company.

You have 2 friends in common.

YOU HAVE A FRIEND REQUEST.

My Fictitious Sister

Adding pictures and commenting back and forth on them helped us simulate a legit user profile, which added to our persona.

They did some of the work for us

Really people, you DON’T know me!

Page 3


Batch requests are the way to go

Cherry-picking individual friends was obviously the way to get a good profile started, but Josh and Kevin were really after as many of the employees as possible, so a more bulk approach was needed. Once they were comfortable that their profiles looked real enough, the mass targeting of company employees began.

Simply searching the company’s Facebook network yielded 492 possible employee profiles. After a few people became their friends, the internal company structure became more familiar, which allowed the pair to make more educated queries for company employees.

Due to the specific nature of the company’s industry, it was easy to search for specific job titles. Anyone could make a query in a particular city for a job title like “Landman” or “Geologist” and target employees with a reasonable level of accuracy. By the time the Chris Duncan account was closed, there were 208 confirmed company employees as friends.

Of the total number of accounts collected, only 2 or 3 were non-employees or former employees. The company culture allowed for a swift embracing of the two fictitious individuals; they just seemed to fit in. Given enough time, it is reasonable to expect that many more accounts would have been collected at the same level of accuracy.

Facebook put some measures in place to stop people from harvesting information. For the first 50 or so friend requests sent, Facebook required a response to a CAPTCHA. Eventually Facebook appeared satisfied that the team was not a pair of bots and allowed requests to occur in an unfettered manner.

The team did run into what appeared to be per-hour and per-day limits on the number of requests that could be sent. There was a sweet spot, and the team was able to maintain a steady flow of requests.
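As an added illustration of the controls just described (a CAPTCHA on early requests, hourly and daily caps), and not Facebook’s actual implementation: a per-account guard in which the weak policy challenges only the first 50 sends, while the hardened variant keeps challenging an account whose requests stay concentrated on a single workplace network. The thresholds, network names and scenario are constructed for this example.

```python
from collections import deque, Counter

class FriendRequestGuard:
    """Per-account guard for outbound friend requests: hourly and daily caps plus a
    CAPTCHA challenge policy.  Constructed illustration; the thresholds are not
    Facebook's real values."""

    def __init__(self, per_hour, per_day, challenge_first=50, max_share=None):
        self.per_hour, self.per_day = per_hour, per_day
        self.challenge_first = challenge_first   # weak policy: challenge only the first N sends
        self.max_share = max_share               # hardened policy: also challenge while one
        self.sent = deque()                      #   workplace network exceeds this share of targets
        self.total = 0

    def decide(self, now, target_network):
        """Return 'deny', 'challenge' or 'allow' for a send attempted at time `now` (seconds)."""
        while self.sent and now - self.sent[0][0] >= 86400:
            self.sent.popleft()                  # expire sends outside the 24 h window
        last_hour = sum(1 for t, _ in self.sent if now - t < 3600)
        if last_hour >= self.per_hour or len(self.sent) >= self.per_day:
            return "deny"
        self.sent.append((now, target_network))
        self.total += 1
        if self.total <= self.challenge_first:
            return "challenge"
        if self.max_share is not None:
            top = Counter(n for _, n in self.sent).most_common(1)[0][1]
            if top / len(self.sent) > self.max_share:
                return "challenge"               # sustained targeting of one company's network
        return "allow"

def simulate(guard, targets, spacing):
    """Attempt one send per target, `spacing` seconds apart; return a count per decision."""
    counts = Counter()
    for i, network in enumerate(targets):
        counts[guard.decide(i * spacing, network)] += 1
    return dict(counts)

# Constructed scenario: 120 requests 200 s apart (18 per hour, under the hourly cap),
# all aimed at one company network, against a guard allowing 20/hour and 100/day.
HARVEST = ["utility-co"] * 120
MIXED = [f"net{i % 5}" for i in range(120)]   # same volume spread over five networks
weak = simulate(FriendRequestGuard(20, 100), HARVEST, 200)
hardened = simulate(FriendRequestGuard(20, 100, max_share=0.8), HARVEST, 200)
```

With the weak policy the harvesting account gets 50 unchallenged sends before the daily cap; the hardened guard never stops challenging it, yet treats the mixed-network account exactly as the weak one does.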

PETER HUNTER

Do you know this guy? You thought you knew him, why? Was it because he was from your city? Was it because he looked like a friend of a friend? Did he go to your school? Was he in your graduating class? Maybe you went to college with him? I can tell you candidly... you DON’T know him. He is a creation of Josh's imagination.

Found 492 people matches.

Page 4


“Hi Chris, are you collecting REDACTED People? :)”

The diverse geography of the company and its embrace of internet technologies made the ruse seem comfortable. In many cases employees approached the team because they suspected suspicious behavior, but they were quickly appeased with a few kind words and emoticons. The hometown appeal of the duo’s profiles seemed to help people drop their guard and usual inhibitions.

With the personal details of several company employees at their fingertips, it was now time to sit back and reap the benefits. Once the pair had a significant employee base, intra-company relationships were outlined and common company culture was revealed. As an example, several employees pointed out to Chris and Peter that they could not find either individual in the “REDACTED employee directory”. Small tidbits of information like this helped Kevin and Josh carefully craft other information that was later fed to the people they were interacting with.

With a constant flow of batch requests going, there was an equally constant flow of new friends to case for information. Over a seven-day period of data collection there were as few as 8 newly accepted friends or as many as 63. Days with more than 20 or so requests were not at all unusual for us. Even after our testing was concluded, the profiles continued to get new friend requests from REDACTED.

Newly accepted friends per day:

May 26 - 11
May 25 - 9
May 25 - 8
May 23 - 15
May 22 - 26
May 21 - 63
May 20 - 40

Every bit of information gleaned was considered when choosing the ultimate attack strategy. The general reactions from people also helped the team gauge what sort of approach to take when crafting the technique for the coup de grâce. Josh and Kevin had to go with something that was both believable and lethal at the same time. Having cased several individuals and machines on the company network, it was time to actually attack those lucky new friends.

Businessman or fraud? So who is this guy? No one really knows. I can tell you his name is NOT Chris Duncan, and he does NOT live in your city, and you didn’t go to high school with him. This guy is one of about 38,700 results in a search for ‘fro’ on Google images.

CHRIS DUNCAN

“Hi! Do we know each other, or am I just being REDACTED-stalked?”

Page 5


Having spent several days examining all possible means of conventional exploitation, Kevin and Josh were ready to move on and actually begin taking advantage of everything they had learned about the energy company’s network.

“Forage on the enemy, use the conquered foe to augment one’s own strength”

During their initial probes into the company networks, the duo came across a poorly configured server that provided a web-based interface to one of the company’s services. After reverse engineering the server’s operation and compromising the back-end database behind the page, they were able to manipulate the website’s content in a way that would later allow the theft of company credentials. During information gathering it was common for employees to imply that they had access to some sort of company portal through which they could obtain information and perhaps access to various parts of the company.

“Supreme excellence consists in breaking the enemy’s resistance without fighting”

The final stages of the penetration test happened to fall on a holiday weekend. The entire staff was given the Friday before the holiday off as well as the following Monday. Luckily for the team, this provided an ideal window of opportunity during which the help desk would be left understaffed. A well-orchestrated attack that appeared to come from the help desk would be difficult to ward off and realistically unstoppable if delivered during this timeframe.

“In all fighting the direct method may be used for joining battles, but indirect methods will be needed in order to secure victory”

Several hundred phishing emails were sent out to the unsuspecting Facebook friends. The mailer was modeled precisely on an internal company site and implied that the user’s password may have been compromised and that they should log in and verify their settings. In addition to the mailer, the statuses of the two profiles were changed to include an enticing link to the phishing site.

Initially 12 employees were fooled by the phishing mailer. Due to a SNAFU at the anti-spam company Postini, another 50-odd employees were compromised: the engineer at Postini felt that the mailer looked important and decided to release the messages from the blocked queue. Access to the various passwords allowed for a full compromise of the client’s infrastructure, including the mainframe, various financial applications, in-house databases and critical control systems. Clever timing and a crafty phishing email were just as effective, if not more effective, than the initial hacking methods that were applied.
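As an added illustration (not code from the case study or from Netragard), here is a small mail-gateway check for the pattern described above: a message posing as the internal help desk, warning of a compromised password and linking to a lookalike portal. The company domain, help-desk names and both sample messages are constructed, since the real ones are redacted in the write-up.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed values: the real company and help-desk addresses in the case study are redacted.
INTERNAL_DOMAIN = "example-utility.test"
HELPDESK_NAMES = ("help desk", "helpdesk", "it support")
LURE_PATTERNS = (r"password.*(compromis|reset|expir)", r"verify your (account|settings)")

def phish_indicators(raw):
    """Return the list of indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload()
    found = []
    # Display name claims to be the help desk but the address is not on the company domain.
    if any(h in name.lower() for h in HELPDESK_NAMES) and sender_domain != INTERNAL_DOMAIN:
        found.append("helpdesk-name-external-domain")
    # Any link whose host lies outside the company domain (lookalike portals included).
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname or ""
        if host != INTERNAL_DOMAIN and not host.endswith("." + INTERNAL_DOMAIN):
            found.append("external-link:" + host)
    # Credential-verification lure in the subject or body.
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if any(re.search(p, text) for p in LURE_PATTERNS):
        found.append("credential-lure-wording")
    return found

def verdict(raw):
    """'block' only when a lure is combined with impersonation or an external link,
    so ordinary mail from the real help desk is not quarantined."""
    ind = phish_indicators(raw)
    hard = [i for i in ind if i != "credential-lure-wording"]
    return ("block" if hard and "credential-lure-wording" in ind else "allow"), ind

SAMPLE_PHISH = """From: IT Help Desk <helpdesk@example-utility-portal.test>
To: employee@example-utility.test
Subject: Your password may have been compromised

Please login and verify your settings at https://portal.example-utility-portal.test/login
"""
SAMPLE_LEGIT = """From: IT Help Desk <helpdesk@example-utility.test>
To: employee@example-utility.test
Subject: Scheduled maintenance

The portal at https://portal.example-utility.test will be offline Sunday 02:00-04:00.
"""
```

A block verdict reached this way is the kind of decision that should need a second reviewer before a message is released from the queue, which is the step that failed at the filtering vendor in the account above.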

Social engineering threats are real: educate your users and help make them aware of efforts to harvest your company’s information. Ensure that a company policy is established to help curb employee usage of social networking sites. Management staff should also consider searching popular sites for employees who are giving out information about themselves and their employer too freely. Be vigilant; don’t be another phishing statistic.

“ALL WARFARE IS BASED ON DECEPTION Hence, when able to attack, we must seem unable; when using our forces we must seem inactive; when we are near, we must make the enemy believe we are far away...”

Facebook is evil

The virtual world of Facebook can give your employees a dangerous sense of comfort. Relaxed settings and the intended social setting make giving away personal information a breeze.

Netragard presents the Valentine and Finisterre combo

  • Energy and Utilities industry experience
  • Penetration testing jiujitsu team
  • Facebook recon team
  • XSS credential theft orchestration

Statistics show that the cost of good I.T. security is equal to a fraction of the cost of a single successful compromise.

NETRAGARD Telephone: (978) 653-0220 Email: [email protected]

The real Kevin and Josh drinking Grey Goose