Hacking and social engineering with a 70% success rate

Lukas Hurych
Jun 30, 2019 · 10 min read
Image for post
Image for post

Imagine it’s a lovely Saturday morning and your whole customer database just leaked. Huge (and not just GDPR) nightmare, right? And imagine that it was thanks to just one simple e-mail and 2 clicks from one of your team members. Over the last couple of years, I was able to gain access to people’s accounts on Facebook, LastPass, Google, Slack and many more. And even to this day, it’s still scary for me to see how easy that is.

Over the last couple of years, I’ve been testing my colleagues to see how they are doing when they are faced with real phishing attacks, different kinds of social engineering, malicious USB sticks dropped on the street and many other attacks that you can possibly imagine. It’s something completely different when you watch a nice illustrated video about phishing and different dangers and when it happens directly to you. I’m trying to build awareness about threats of today’s world and I’d like to share a couple of stories with you to also help you.

To be honest I was always interested in hacking and social engineering I just didn’t want to end up in jail. Breaking a system that someone designed or exploiting human vulnerabilities is something that fascinates me. That’s why I started experimenting with my colleagues — I wanted to see how are we doing in terms of security. I’m always trying to act as an outsider and don’t use any personal knowledge about my colleagues to my advantage.

We (geeks) sometimes get carried away in the most secure technology solutions (encrypting everything with the top algorithms) that we can think of. And it’s easy to forget that the easiest way how to hack a company is by exploiting human vulnerabilities.

Stories

Story #1: How to get access to someone’s Facebook account?

Image for post
Image for post
Not really sophisticated phishing setup.

Can you guess what was the success rate of this experiment? Over 70% of my colleagues voluntarily gave me their credentials to their Facebook account! That was a scary moment for me and since then I’ve decided that I want to help everyone to understand all the warning signs and not to become a victim of an attack or at least lower this possibility to a minimum.

Story #2: On to the next level — get access to LastPass

One of the other great features of password managers is a possibility to securely share passwords with your colleagues, they can simply accept those requests. Imagine that one day, your CEO shares a password with you, you click on “Accept” and you land on a page where you can see your pre-filled e-mail. Nothing sets you off because this is pretty much how LastPass works. You have to always log-in to accept the credentials or view your passwords. You just fill in your password and you’re inside your LastPass account. But what if it wasn’t your account? What if you’ve just leaked your master password that is encrypting and protecting all your passwords, credit card details, secure notes, etc. You’re screwed if you don’t have any other security mechanisms in place (2-factor authentication for example) because the attacker has access to all your passwords and credit cards now.

That was exactly one of my following experiments. The question was simple: would it possible to lure those master passwords out of people? I’ve used a pretty similar setup to the Facebook attack, but this time, I’ve just tried to take it to the next level. I was pretending that I am Twisto’s CEO sharing new credentials and I’ve individually pre-filled an e-mail of every colleague to smooth the “User Experience”. And I’ve finally started using HTTPS to have that “Secured” sign.

Using secure communication doesn't necessarily mean you are communicating with the right website, you should always pay attention to the URL address (only Extended Validation Certificate with the name of the company is validating the identity of the site).

Image for post
Image for post
Pretty much the same setup, with HTTPS and pre-filled e-mails this time

Can you guess what happened? I got 10 people! 10 people! What did that mean?

= 10 master passwords

= 210 passwords to all their online services

= 7 internet banking credentials

= 10 credit cards

I guess I don’t have to explain the severity of this leak. And this wasn’t anything sophisticated or fancy, it was just a simple setup.

I believe that banks are doing a good job in hacking/phishing education but I think that it’s not enough. It’s completely different to watch an animated video about phishing and to experience an attack by yourself. I was super happy when one of my colleagues approached me after the attack and told me:

“Wow, I thought that I am aware of all that stuff. Obviously, I’m not, thanks for showing that to me!” –Anonymous colleague

With pretty much the same setup (sometimes more or less sophisticated) I was able to lure access to other services like Slack, Google Drive, GitHub, Zendesk.

Password requirements ≠ secure passwords

✅ 8 characters long

✅ 1 uppercase letter

✅ 1 number or special symbol

With these rules, there are 3 026 000 000 000 000 000 different password combinations. Does that mean that my password is secure? It depends.

What if your user has a favorite name or a word like “weapon” and you tell him/her that it has to contain 1 uppercase letter? In 90% of cases, it will be in the beginning: “Weapon”. And what if you tell him/her it has to contain a number? Again, in 90% of the cases it will be in the end, so “Weapon90”. Does that resemble a password you’ve sometimes used or you are still using? If that’s the case, you should probably go change it. If you are using the same pattern (following the instructions above) you are down to 80 000 000 000 combinations. And for example with a rented GPU grid on Amazon, this is not an impossible amount of passwords to crack.

If you want to check if your password was leaked on the internet, I highly recommend trying the service https://haveibeenpwned.com/. You can subscribe and you’ll get an update when any of your passwords is a victim of a data leak. I was surprised by how many times my personal details were leaked.

We should always keep in mind that the security of a system or a password is not everything. In a lot of cases, the weakest link is the user and even the most basic method can win.

Image for post
Image for post
Credits: https://xkcd.com/538/

Story #3: Hacking an online store with 300M+ CZK in revenue and gaining access to all customer data

One day later I had admin access to everything — personal data of all customers, orders, profit margins, products, stock, everything. I will leave the full story for another time to go into more technical details, but it took me ~3 hours to do all that. I just wanted to mention a story that is not just about phishing and social engineering but about a couple of flaws that can be introduced into any system. But more about that in a later post.

Anatomy of an attack

  1. Start at the end (define what is your goal and work backward)
  2. Do a Recon
  3. Select the Right tools
  4. Do the Development + testing
  5. Execute + learn live + iterate/update

This also describes how any development should happen in general. I’m watching the analytics and when I see that my users are not “converting”, I try to change something in the User Experience to make it more smooth and I learn live. That’s something I take from my product and marketing experience when we try to increase the conversion rates, make new features better or try to find the marketing message that really resonates with our audience.

Image for post
Image for post

In all those cases I always have the best User Experience that I can give in mind but in a dark and malicious way. For me, the best skillset is tech, UX and marketing combined. That's something I call the best Hacker's mindset.

At Twisto we always focus on having the best UX when we create new products or features. We know that we’re not perfect, but we try to do a better job every time.

Image for post
Image for post

One of the nasty tricks I’ve learned is to always display “Sorry, wrong password” message when the user enters his/her password because the user is always trying “those 5 passwords” that he/she is using everywhere.

Remember that your attacker doesn’t have to be a sophisticated hard-core hacker. Hackers nowadays are not like the ones from movies twenty years ago — a lot of black screens with green text somewhere in the basement. Your attacker can be just an ordinary guy sitting at Starbucks with his laptop.

Lessons learned

Common sense is your friend

When there is something fishy going on or when one strange thing doesn’t add up, please be careful. Most of the time it's just about common sense. Why would Facebook suddenly want your password if you’re logged in all the time? Why is your colleague sharing something directly with you when you don't interact frequently?

Vigilance is your biggest weapon

I believe that it is crucial to support the education of your colleagues and friends. Please show them what can happen and how it looks in the real world. Please help them!

You have to be right all the time, the attacker just once

The bad thing is that from the attacker’s point of view, usually, just one person slipping up could be enough to get all the data he/she needs. But from the company’s point of view, you have to be careful and right all the time. You can’t allow even one mistake.

Have fun

I’ve learned that it’s a lot of fun to come up with new creative attack vectors and to test them out in the real world. So if you have a consent of your colleagues, I can highly recommend it. If you are serious about it, hiring an external penetration testing company might be a good idea.

Deliver 100% UX (and use it for good)

That’s something I really believe in. Why should the user do one extra thing he/she doesn’t have to? We always try to have that “100% conversion rate” mindset because we want to deliver the smoothest User Experience possible.

And remember that it’s not just about secure code but that it’s about people. If you’re a tech person, please help them. Thanks for reading!

If you want to dig deeper into more technical stuff, you can watch my talk at PyCon:

If you are interested in this topic, please subscribe, I will share more detailed stories in the future (for example writing custom malware and dropping nasty USB sticks on the street).

Final remark: Big thanks to all conference/meetup organizers (ngParty, PyCon CZ, Python Moscow) who gave me the opportunity to talk about this topic, I believe it’s crucial to spread the message.

The Startup

Medium's largest active publication, followed by +732K people. Follow to join our community.

Lukas Hurych

Written by

Changing the world of finance by day (Chief Product Officer @ Twisto), past madebysource.com & abdoc.net. Telling a story with music composition by night.

The Startup

Medium's largest active publication, followed by +732K people. Follow to join our community.

Lukas Hurych

Written by

Changing the world of finance by day (Chief Product Officer @ Twisto), past madebysource.com & abdoc.net. Telling a story with music composition by night.

The Startup

Medium's largest active publication, followed by +732K people. Follow to join our community.

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store