Imagine it’s a lovely Saturday morning and your whole customer database just leaked. Huge (and not just GDPR) nightmare, right? And imagine that it was thanks to just one simple e-mail and 2 clicks from one of your team members. Over the last couple of years, I was able to gain access to people’s accounts on Facebook, LastPass, Google, Slack and many more. And even to this day, it’s still scary for me to see how easy that is.
Over the last couple of years, I’ve been testing my colleagues to see how they are doing when they are faced with real phishing attacks, different kinds of social engineering, malicious USB sticks dropped on the street and many other attacks that you can possibly imagine. It’s something completely different when you watch a nice illustrated video about phishing and different dangers and when it happens directly to you. I’m trying to build awareness about threats of today’s world and I’d like to share a couple of stories with you to also help you.
To be honest I was always interested in hacking and social engineering I just didn’t want to end up in jail. Breaking a system that someone designed or exploiting human vulnerabilities is something that fascinates me. That’s why I started experimenting with my colleagues — I wanted to see how are we doing in terms of security. I’m always trying to act as an outsider and don’t use any personal knowledge about my colleagues to my advantage.
We (geeks) sometimes get carried away in the most secure technology solutions (encrypting everything with the top algorithms) that we can think of. And it’s easy to forget that the easiest way how to hack a company is by exploiting human vulnerabilities.
Let’s get to some dirty stories. Just a disclaimer, this is not a manual for hacking anyone, I consider myself to be an ethical hacker and I want to spread the message and help other people to be more secure.
Story #1: How to get access to someone’s Facebook account?
That was actually a starting point for me because I wondered how hard would it be to get it. So I created a fake e-mail using a surname of one of my colleagues and name of the company (something like firstname.lastname@example.org), and I’ve sent out an e-mail that contained a link to a video about “DJs of today age” that was on Facebook. Nothing wrong with that, right? Except that the Facebook wasn’t Facebook but my fake domain “faceboo-k.cz” that was pretending to be Facebook and it was just stealing all the log-in details of my innocent colleagues. I wasn’t even using HTTPS to have that “green lock” that was in Chrome at that time.
Can you guess what was the success rate of this experiment? Over 70% of my colleagues voluntarily gave me their credentials to their Facebook account! That was a scary moment for me and since then I’ve decided that I want to help everyone to understand all the warning signs and not to become a victim of an attack or at least lower this possibility to a minimum.
Story #2: On to the next level — get access to LastPass
If you’ve never heard of LastPass (or 1Password), it’s a simple password manager that allows you to have a different random password for every service you use. Which in my opinion is the best way to manage your passwords because you’re not using the same passwords for different services. And in case one service leaks your data in the future, you don’t have to change the passwords everywhere because you have a different password for every service and online account.
One of the other great features of password managers is a possibility to securely share passwords with your colleagues, they can simply accept those requests. Imagine that one day, your CEO shares a password with you, you click on “Accept” and you land on a page where you can see your pre-filled e-mail. Nothing sets you off because this is pretty much how LastPass works. You have to always log-in to accept the credentials or view your passwords. You just fill in your password and you’re inside your LastPass account. But what if it wasn’t your account? What if you’ve just leaked your master password that is encrypting and protecting all your passwords, credit card details, secure notes, etc. You’re screwed if you don’t have any other security mechanisms in place (2-factor authentication for example) because the attacker has access to all your passwords and credit cards now.
That was exactly one of my following experiments. The question was simple: would it possible to lure those master passwords out of people? I’ve used a pretty similar setup to the Facebook attack, but this time, I’ve just tried to take it to the next level. I was pretending that I am Twisto’s CEO sharing new credentials and I’ve individually pre-filled an e-mail of every colleague to smooth the “User Experience”. And I’ve finally started using HTTPS to have that “Secured” sign.
Using secure communication doesn't necessarily mean you are communicating with the right website, you should always pay attention to the URL address (only Extended Validation Certificate with the name of the company is validating the identity of the site).
Can you guess what happened? I got 10 people! 10 people! What did that mean?
= 10 master passwords
= 210 passwords to all their online services
= 7 internet banking credentials
= 10 credit cards
I guess I don’t have to explain the severity of this leak. And this wasn’t anything sophisticated or fancy, it was just a simple setup.
I believe that banks are doing a good job in hacking/phishing education but I think that it’s not enough. It’s completely different to watch an animated video about phishing and to experience an attack by yourself. I was super happy when one of my colleagues approached me after the attack and told me:
“Wow, I thought that I am aware of all that stuff. Obviously, I’m not, thanks for showing that to me!” –Anonymous colleague
With pretty much the same setup (sometimes more or less sophisticated) I was able to lure access to other services like Slack, Google Drive, GitHub, Zendesk.
Password requirements ≠ secure passwords
We’ve all seen them:
✅ 8 characters long
✅ 1 uppercase letter
✅ 1 number or special symbol
With these rules, there are 3 026 000 000 000 000 000 different password combinations. Does that mean that my password is secure? It depends.
What if your user has a favorite name or a word like “weapon” and you tell him/her that it has to contain 1 uppercase letter? In 90% of cases, it will be in the beginning: “Weapon”. And what if you tell him/her it has to contain a number? Again, in 90% of the cases it will be in the end, so “Weapon90”. Does that resemble a password you’ve sometimes used or you are still using? If that’s the case, you should probably go change it. If you are using the same pattern (following the instructions above) you are down to 80 000 000 000 combinations. And for example with a rented GPU grid on Amazon, this is not an impossible amount of passwords to crack.
If you want to check if your password was leaked on the internet, I highly recommend trying the service https://haveibeenpwned.com/. You can subscribe and you’ll get an update when any of your passwords is a victim of a data leak. I was surprised by how many times my personal details were leaked.
We should always keep in mind that the security of a system or a password is not everything. In a lot of cases, the weakest link is the user and even the most basic method can win.
Story #3: Hacking an online store with 300M+ CZK in revenue and gaining access to all customer data
I have a friend who owns an online store with over 300M CZK (the equivalent of $13M) in revenue which makes them one of the biggest players in the Czech market. And one day I called him and asked him if I can play with his store to see if there are some security issues. He was pretty convinced that they take security pretty seriously but that I can try.
One day later I had admin access to everything — personal data of all customers, orders, profit margins, products, stock, everything. I will leave the full story for another time to go into more technical details, but it took me ~3 hours to do all that. I just wanted to mention a story that is not just about phishing and social engineering but about a couple of flaws that can be introduced into any system. But more about that in a later post.
Anatomy of an attack
In all of the attacks I follow a simple routine:
- Start at the end (define what is your goal and work backward)
- Do a Recon
- Select the Right tools
- Do the Development + testing
- Execute + learn live + iterate/update
This also describes how any development should happen in general. I’m watching the analytics and when I see that my users are not “converting”, I try to change something in the User Experience to make it more smooth and I learn live. That’s something I take from my product and marketing experience when we try to increase the conversion rates, make new features better or try to find the marketing message that really resonates with our audience.
In all those cases I always have the best User Experience that I can give in mind but in a dark and malicious way. For me, the best skillset is tech, UX and marketing combined. That's something I call the best Hacker's mindset.
At Twisto we always focus on having the best UX when we create new products or features. We know that we’re not perfect, but we try to do a better job every time.
One of the nasty tricks I’ve learned is to always display “Sorry, wrong password” message when the user enters his/her password because the user is always trying “those 5 passwords” that he/she is using everywhere.
Remember that your attacker doesn’t have to be a sophisticated hard-core hacker. Hackers nowadays are not like the ones from movies twenty years ago — a lot of black screens with green text somewhere in the basement. Your attacker can be just an ordinary guy sitting at Starbucks with his laptop.
If there would be 5 things I would like you to take away from this story, it would be these:
Common sense is your friend
When there is something fishy going on or when one strange thing doesn’t add up, please be careful. Most of the time it's just about common sense. Why would Facebook suddenly want your password if you’re logged in all the time? Why is your colleague sharing something directly with you when you don't interact frequently?
Vigilance is your biggest weapon
I believe that it is crucial to support the education of your colleagues and friends. Please show them what can happen and how it looks in the real world. Please help them!
You have to be right all the time, the attacker just once
The bad thing is that from the attacker’s point of view, usually, just one person slipping up could be enough to get all the data he/she needs. But from the company’s point of view, you have to be careful and right all the time. You can’t allow even one mistake.
I’ve learned that it’s a lot of fun to come up with new creative attack vectors and to test them out in the real world. So if you have a consent of your colleagues, I can highly recommend it. If you are serious about it, hiring an external penetration testing company might be a good idea.
Deliver 100% UX (and use it for good)
That’s something I really believe in. Why should the user do one extra thing he/she doesn’t have to? We always try to have that “100% conversion rate” mindset because we want to deliver the smoothest User Experience possible.
And remember that it’s not just about secure code but that it’s about people. If you’re a tech person, please help them. Thanks for reading!
If you want to dig deeper into more technical stuff, you can watch my talk at PyCon:
If you are interested in this topic, please subscribe, I will share more detailed stories in the future (for example writing custom malware and dropping nasty USB sticks on the street).
Final remark: Big thanks to all conference/meetup organizers (ngParty, PyCon CZ, Python Moscow) who gave me the opportunity to talk about this topic, I believe it’s crucial to spread the message.