HackedIN: Thinking outside the phishing box

As we spend more time and resources on technology and training to protect our users from social engineering, attackers are pressured into finding novel ways to attack them.

This week's issue of HackedIN details how, when hackers are backed into a corner with no options, they're forced to think outside the box.

Expect the expected

Australians lost a record $3.1 billion to scams in 2022. As scams increase, so does the awareness of the average user.

We're now at the point where even your grandma might be able to pick the odd scam.

The average user is becoming more and more aware of the typical ploys.

  • E-mails asking to click links or purchase Amazon gift cards
  • Phone calls asking for credit card details
  • SMS and mobile IM messages requesting the most ridiculous things

But as they are trained repeatedly to detect these attacks, it leaves them open to more novel ones.

Commercialisation of MFA Phishing tools

MFA has raised the bar for attackers in general, but that pressure forced them to adapt, to the point where MFA phishing tools are now the norm, not the exception.

Tools like Evilginx2 have become commonplace in any decent hacker's toolkit.

The big boys fight back

Like most things in life, it's a constant back-and-forth; after a few years of MFA phishing tools like Evilginx2 being used en masse by almost every attacker on the internet, we saw service providers fight back.

https://twitter.com/Yua_TheHacker/status/1631101065306447873

Take, for instance, Okta and their release of Okta FastPass - a zero-trust authentication solution that leans heavily into trusted identities and devices, all while keeping the end-user experience smooth.

Then there's Google, implementing its stealthy analytics to pinpoint, track down, and block MFA phishing infra.

Pressure makes diamonds

Over the years, as AV and EDR got better at detecting traditional malware, we saw attackers move from Windows native C++/executable payloads to living off the land with PowerShell and, in more modern times, reflective in-memory DLLs.

This same logic caused me to switch tactics over the last 6 months.

I've been on multiple engagements recently where the organisations I assessed were utilising the best options available.

Okta, Auth0, MFA, FIDO2, you name it, they had it.

At first glance, it seemed sufficient, but many of these setups ended up being eggs (hard outer shell, soft gooey inside).

My Slack is your Slack, and your Slack is mine

Backed up against a wall, here's how I've used Slack on the last 4 engagements to bypass the best of the best when it comes to user security controls.

  1. Identify target organisation employees on LinkedIn.
  2. Extract their company logo and compile an employee list.
  3. Create a free Slack workspace, e.g. ACMEBank-foobar.slack.com. By design, Slack doesn't verify any brand ownership (nothing wrong with that).
  4. Choose 5-10 employees to add to this fake workspace, enrolling them with temporary mailboxes or doppelgänger accounts.
  5. Register these employees in your fake Slack workspace. At this point, it's just you and the fictitious profiles.
  6. Invite the remaining organisation members.
  7. As employees join, they see familiar names, which reinforces the ruse. On top of this, if they're authenticated to their legitimate workspace, this fake one seamlessly integrates into their Slack UI. Lastly, the invites, coming from Slack's genuine mail server, further the deception.
  8. Now, the attacker has a whole team of synthetic profiles to utilise based on their red teaming objectives.
  9. Users are typically trained to detect a single malicious account, but what if 2 or 3 of their team members are contacting the user at the same time with a story that has business context? From what I've seen, users aren't ready for this.
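As an added example that is not part of the original article, here is a small Python mail-filter check a defender could run over inbound Slack invites: it pulls every workspace.slack.com hostname out of the message and flags any that mimic the organisation's brand (substring or near-match) but are not on the allowlist of sanctioned workspaces. The brand tokens, the allowlist and the invite bodies are all constructed for this example.

```python
import re
from difflib import SequenceMatcher

# Constructed for the example: the organisation's sanctioned Slack workspaces
# and the brand tokens an impersonating workspace name would likely reuse.
SANCTIONED_WORKSPACES = {"acmebank", "acmebank-eng"}
BRAND_TOKENS = {"acmebank", "acme"}

# Matches <workspace>.slack.com hostnames inside URLs or bare text.
WORKSPACE_RE = re.compile(r"\b([a-z0-9][a-z0-9-]{0,62})\.slack\.com\b", re.IGNORECASE)


def extract_workspaces(text):
    """Return the set of lower-cased workspace subdomains mentioned in text."""
    return {m.group(1).lower() for m in WORKSPACE_RE.finditer(text)}


def looks_like_brand(workspace, brand_tokens=BRAND_TOKENS, threshold=0.8):
    """True if the workspace name contains a brand token or is a close edit of one."""
    for token in brand_tokens:
        if token in workspace:
            return True
        if SequenceMatcher(None, token, workspace).ratio() >= threshold:
            return True
    return False


def classify_invite(text, sanctioned=SANCTIONED_WORKSPACES):
    """Classify an invite body as ('none'|'ok'|'lookalike', workspaces of interest)."""
    workspaces = extract_workspaces(text)
    if not workspaces:
        return "none", set()
    suspicious = {w for w in workspaces if w not in sanctioned and looks_like_brand(w)}
    if suspicious:
        return "lookalike", suspicious
    return "ok", workspaces


# Constructed sample invite bodies (not real Slack mail).
INVITE_LOOKALIKE = """Subject: Jane Doe has invited you to join ACMEBank-foobar on Slack
Join your team: https://acmebank-foobar.slack.com/join/shared_invite/placeholder
"""
INVITE_OK = """Subject: Jane Doe has invited you to join ACMEBank on Slack
Join your team: https://acmebank.slack.com/join/shared_invite/placeholder
"""

if __name__ == "__main__":
    print(classify_invite(INVITE_LOOKALIKE))  # ('lookalike', {'acmebank-foobar'})
    print(classify_invite(INVITE_OK))         # ('ok', {'acmebank'})
```

The brand-similarity threshold is deliberately loose; a real filter would route matches to a review queue rather than block outright, since partner workspaces legitimately reuse brand names.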

The Takeaway

  • Awareness is Double-Edged: Training users to detect obvious threats might inadvertently make them complacent about more serious ones.
  • Adaptability is Key: Both attackers and defenders need to evolve continually.
  • Trust, But Verify: Just because something appears familiar doesn't mean it's safe. Always double-check, especially with platforms that integrate easily, like Slack.
  • Comprehensive Defense: A robust exterior isn't enough; organisations must ensure their internal systems are equally resilient.
  • Human Element: The most sophisticated systems can still be bypassed by exploiting human psychology and behaviour. Continuous training and awareness campaigns are crucial.


Carl Gough

1 year

Wow.. thanks for this.. incredible to think it's that easy to set up Slack that way..
