Hacking a Hacker
Whilst I knew I had put a lot of thought into my pranks, as I edged closer to the infosec industry I did think the ‘prank’ label might not be doing me any favours.
I’d gone with ‘EMAIL PRANKSTER’ as it was literally descriptive and added a clown horn to what I was doing, which I felt would defuse any unwanted interest from higher powers. Plus it would SEO well. If I’d gone with ‘the joker’ then Batman the franchise and the fan-art would kill me cold as a search term.
At this stage I’d only recently discovered there was a name for what I had done — social engineering — so there was a part of me bounding about like a Labrador, trying to find other social engineers to pat me on the head.
Looking back to that time I can see I placed both ideas — proving my skills and making friends — unnervingly close to each other on the ‘things to do’ shelf.
Much in the same way my pranks were often triggered by current news (it works so well because I can be relevant with hardly any OSINT needed) I read there had been a social engineering competition at a convention, and the tweet gave congratulations to the winners. Were these to be my new industry friends??
[ Narrator: No ]
Swiftly repackaging my pranking formula as an amusing way to break the ice (and show-off) I switched effortlessly into the mindset of solving the puzzle. The puzzle being; I had a specific target, can I deceive them?
I think the ‘can’ part is important, and is an integral part of a hacker’s motivation. You’ve challenged yourself, and acknowledged that it might not be possible. If you’re wired up like me that triggers bonus levels of focus and determination; your brain throws off its sandbags and you feel like no amount of difficulty or number of dead-ends can’t be overcome.
I also think now that there’s a healthy shot of delusion involved, because you can’t let failures along the way dull your drive; perhaps there’s a dose of gambler’s mentality in there too. 11 reds in a row means black is getting closer, so keep spinning the wheel.
When you’re intent on spear phishing a specific person you are going nowhere without their email address. So first I always carry out a 5 minute run through of the methods which are most likely to find it if it’s not being intentionally kept away from the open internet.
I think there’s a bit of an art to it, not so much in the methods as individual processes, but in mentally mapping out the business interests the target has; businesses, personal brand pressence, any boards they are on etc.
It’s important to understand how each email world you discover will connect with the world around it; what characters live in each world, and how you would personally use each domain’s identity if you were them. Already having decided I would hook my pretext around the competition, I had to figure out which of the target’s domains would be most likely to pair up with comms from the event.
It’s not an exact science, and spear phishing comes with risks because if you get this part wrong then it’s instantly game over. If you were hell bent on it being successful (If your boss was Mr V. Putin perhaps) you would have to consider layering attacks so if one attempt misses the target you would still have options that were not too badly affected by the failure — increased vigilance being the most unwanted side effect of a failure, especially if it’s a complex and personal pretext. In the perfect world you would have a pretext that left as few afterthoughts as possible, even if it’s spotted.
As was my habit back then all of this OSINT was done on my trusty iPhone. I would make the occasional screen grab, but I didn’t need to write anything down as I was after specific nuggets, variables I could start to lock in.
This simplicity makes sense when you think the tangible part is only ever going to be some text in an email, sent to an email address. Also in a similar way to how cyber criminals operate, I had a few custom templates for pretexts that I thought might be suitable, and importantly I also knew they’d been successful.
I think finding and deciding on which email address would work best took about 45 minutes. Covering bases, I’d also got another winner’s email address, I think having redundancy was baked into me at this point.
Now I had to decide on the pretext — and just as importantly; who would I pretend to be? After immersing myself in security awareness over the last year i’ve got a much better understanding of the dynamics I was playing with back then. Email is a tool of enablement, it allows us all — even services — to ask and to do. For example, even sending someone an email is asking that they read it, or at the very least recognize it’s basic attributes; who sent it, and why.
Using that transactional behaviour model I can work backwards from what I want to encourage the target do. I guess this is where the ‘engineering’ part of social engineering comes in. I felt I had to tick some threat comparable boxes to make this unpranky, so getting them to click on a link (clicks are fairly easy) and hand over ‘some’ personal information seemed perfect.
Worth me clarifying I was still using this as an unusual way of introducing myself, I had no intention of running around twitter posting screenshots of the exchanges — if there even were any, it might fail. Plus the second the target replied I would immediately own up to how cheeky I had been. Then we’d laugh, and be good friends. [ Narrator: No you wouldn’t ]
The pretext and identity I chose happened so fast I can’t recall what order it arrived in. I think it had been brewing in the background as I was thinking about the relationship between the target and the competition, so I wasn’t working from a blank canvas.
I’ll just kind of brain dump out how it most likely resolved itself, a lot boils down to and/or, yes/no statements, or lateral relationships.
Target / Competition relationship
Competition — fellow competitor? — dynamics with target too hard to judge
Competition — Event, Organizers, Sponsors
Competition — Just finished
Update from Organizers is plausible
Recall seeing ‘great feedback so far’ on a tweet — mirror this
Who organized it — main person involved seems too friendly with target — possibly would chat away from email — WhatsApp etc.
Check organizers page — new team member — I will pick that as the identity
Why would organizer contact winners? — Late sponsor’s prize arriving
That thought process took me from the top level of having a target with a relationship to a public event, to having what I thought was a solid play for reaching out to them.
I had zero extra information about the target, I didn’t need to go onto their instagram, or look at their LinkedIn. Nor did I need to know anything specific about who I was going to pretend to be, I was working with just the dynamics of the relationships as I interpreted them.
Next I had to choose a sponsor, and I just picked the first one I saw I think. Now onto what prize to go with. I guess there’s a certain balance in getting the prize right. This is also where it could be argued I was a bit mean, as part of the ‘engineering’ of this was to trigger an emotional response (I wouldn’t have known it as an emotional response at the time) — ‘oh wow the prize is cool’ — being the raw headline I was after. I ended up going for a high end portable speaker that was circa $300, something I would personally find cool.
Nearly forgot! The tech bit.
I just created a Gmail account.
End of tech bit.
Below is the email I finally sent out. The ‘Forwarded message’ from the sponsor within the email I sent was made up to add more plausibility and relevance — the key elements to a good phish.
You might notice I never directly said ‘we are sending out a [ exactly what the prize is ]. Personally I think if the target can join some of the dots themselves it helps bypass some of the subconscious triggers they might have to the concept of a prize coming out of the blue.
I’ve sandwiched the request for an address between the reason for the email, and a relevant compliment. That’s just trying to keep a handle on the narrative, again for the reason that openly asking for an address might trigger a red flag, so I wanted to change the subject asap. I also avoided using the word ‘address’ for the same reasons.
You might notice the sponsor said ‘I’m sending two out’…
Plot-twist
This is because as I finalized the pretext and sender identity I realized it could work with 2nd and 3rd place too, not just the winner. This is exactly what scammers do with their BEC emails. It’s almost like a horoscope in a weird way. The recipient will see it as highly personalized, but it has been crafted so that it has relevancy between two specific entities. Here it’s an organizer and its contestants, but it could just as easily be a CFO and a CEO, or an employee and a member of HR.
So to confirm what I actually did — I sent that single email out to 1st and 2nd place. No BCC, or CC, just both addresses in the To: field.
5 hours later, and both had replied with an address to send the prize too.
I then apologized like crazy. I was entirely honest. I said it was meant to be a cool way to introduce myself, but now I was thinking it was perhaps misjudged.
I have never received a reply from either recipient, and that’s how it stands to this very day. I can accept it was perhaps a mortal sin from some perspectives. And I’m happy for them to think I’m an idiot, but also hope they have learnt from it too. As with Tom Bossert, and the Shark Tank dude, they were saturated in awareness knowledge, but they were tricked too.
It’s why technology and process has such an important part to play because you can get those closer to 100% secure than you can with a human.
It also shows in this context knowing personal details isn’t always necessary for social engineering over email. If I knew my target had won a horse jumping competition or went to X university, it would add nothing for me in this context.
And that’s the end of this tale of annoyed hackers and troublesome upstarts, I hope it’s given some food for thought.
Till next time,
James