Wednesday, September 6, 2023

It's Just A Text File...

Had to figure out a creative way to send an executable to someone.  This isn't a new method by any means-more of a reminder of how important security awareness training is.

Person didn't want to use OneDrive, Dropbox, or a myriad of other methods to share files.  Their e-mail blocked a bunch of different file formats including a password protected zip.

So I sent them a text file containing the base64 encoded version of a password protected zip that contained the executable I needed to send.

Then I sent instructions about how to decode it with multiple different methods in case one failed and the password without saying pass or password-just that they would need it and what it is.

Now imagine I'm a social engineer tricking people into doing this and downloading/running a dropper for me or I'm someone keen on bypassing DLP.  

People say, "There's no way someone would try that." My question is why not?

They said the same thing when I told a vendor at my former job that a social engineer could send a malicious QR code.

Here we are now years later and it's in the news that adversaries are doing that.  https://gbhackers.com/malicious-qr-codes-steal-employee-credentials/amp/

It was being done before it was in the news just not as wide-spread.

I was inspired that that could be done because one of the SANS Holiday Hack Challenges had us bypass a badge system that uses QR codes and it was vulnerable to SQL Injection.

I got to thinking-why wouldn't someone send a QR code via e-mail and social engineer people into scanning it.  It's easy.  So, when we were testing a vendor solution at old job, I tested that. I sent a malicious QR code.  I highly doubt I was the first person to think of this.

Every defense we put in place, they meet with a "new" tactic.  Even if the attack is actually old and very simple.  

Please-train people.  Try to think ahead-and not just what is popular now, but what could be a problem soon.

No comments:

Post a Comment