Professional Documents
Culture Documents
Still Works.
In the past few months, we have had quite a few social
engineering and client-side penetration tests, and, as you
have probably noticed from my previous posts, these are
the types of tests I enjoy doing, a lot.
Let me start this blog post briefly describing our usual
approach and results for one of the baiting attack
exercises we have performed. In this particular case, we
have used traditional and old school techniques that still
work.
Baiting attacks could be very similar to phishing attacks,
however, instead of using email as the delivery method of
the attack we use different ways of physical media which
relies on the curiosity or sometimes even greed of the
victims.
After gathering a list of full names, working address and
position for all of the associates of an organization, the
Trustwave consultants carefully analyzed this list and
decided to target a certain number of employees per
location.
After having decided on the targets, the next step was to
choose which attack method we were going to be using for
that specific case. The Trustwave consultants decided on
trying to impersonate users (most of them part of sales
team) with a custom message requesting users to update
their local Anti-Virus software. Yes, we know, its really old
school, but you would be surprised on how effective this
is.
The physical medias have been delivered by postal service
to each one of the targets along with a letter with details
about the (fake) antivirus update and instructions on how
to install either the CD-ROM or USB pen-drive that was
also included in the packages.