Had to figure out a creative way to send an executable to someone. This isn't a new method by any means; it's more of a reminder of how important security awareness training is.
The person didn't want to use OneDrive, Dropbox, or a myriad of other methods to share files. Their e-mail blocked a bunch of different file formats, including a password-protected zip.
So I sent them a text file containing the base64-encoded version of a password-protected zip that contained the executable I needed to send.
Then I sent instructions on how to decode it with multiple different methods in case one failed, along with the password, without saying "pass" or "password": just that they would need it and what it is.
Now imagine I'm a social engineer tricking people into doing this and downloading/running a dropper for me, or I'm someone keen on bypassing DLP.
People say, "There's no way someone would try that." My question is why not?
They said the same thing when I told a vendor at my former job that a social engineer could send a malicious QR code.
Here we are now, years later, and it's in the news that adversaries are doing that: https://gbhackers.com/malicious-qr-codes-steal-employee-credentials/amp/
It was being done before it was in the news, just not as widespread.
I got the idea that it could be done because one of the SANS Holiday Hack Challenges had us bypass a badge system that uses QR codes, and it was vulnerable to SQL injection.
I got to thinking: why wouldn't someone send a QR code via e-mail and social engineer people into scanning it? It's easy. So, when we were testing a vendor solution at my old job, I tested that. I sent a malicious QR code. I highly doubt I was the first person to think of this.
Every defense we put in place, they meet with a "new" tactic, even if the attack is actually old and very simple.
Please, train people. Try to think ahead: not just about what is popular now, but about what could be a problem soon.
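A sketch of how a mail gateway or DLP rule could flag the text-file trick described above (an added example, not part of the original post): it looks for base64 runs in message text that decode to a ZIP local file header and reports whether the encryption bit is set. The function names, sample message, file name and password string are all constructed for illustration.

```python
import base64
import binascii
import re
import struct

ZIP_MAGIC = b"PK\x03\x04"  # signature of a ZIP local file header
# One or more whitespace-separated tokens of 20+ base64 characters (handles line wrapping).
B64_RUN = re.compile(r"(?:[A-Za-z0-9+/]{20,}={0,2}\s*)+")

def find_encoded_zips(text):
    """Return [(first_member_name, is_encrypted)] for base64 runs that decode to a ZIP."""
    hits = []
    for match in B64_RUN.finditer(text):
        blob = re.sub(r"\s+", "", match.group(0))
        try:
            # Trim to a multiple of 4 so a clipped final line cannot break decoding.
            data = base64.b64decode(blob[: len(blob) // 4 * 4])
        except binascii.Error:
            continue
        if len(data) < 30 or not data.startswith(ZIP_MAGIC):
            continue
        (flags,) = struct.unpack_from("<H", data, 6)      # general purpose bit flag
        (name_len,) = struct.unpack_from("<H", data, 26)  # file name length
        name = data[30:30 + name_len].decode("cp437", "replace")
        hits.append((name, bool(flags & 0x1)))            # bit 0 set = encrypted member
    return hits

def constructed_sample(flags=0x0001):
    """Constructed input: message text plus a header-only ZIP stub, base64-wrapped."""
    name = b"tool.exe"
    header = struct.pack("<4sHHHHHIIIHH", ZIP_MAGIC, 20, flags, 0, 0, 0, 0, 0, 0, len(name), 0)
    body = base64.encodebytes(header + name + b"\x00" * 40).decode("ascii")
    return "Save the text below to a file and decode it.\nYou will need: blue-horse-42\n\n" + body

if __name__ == "__main__":
    for member, encrypted in find_encoded_zips(constructed_sample()):
        print(f"base64-encoded ZIP found: first member={member!r} encrypted={encrypted}")
```

Bit 0 only tells you the first member is encrypted; an unencrypted archive hidden in a base64 text file is still worth flagging, because it sidesteps attachment-type filtering just the same.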