January 29, 2016

We have just completed a Social Engineering Assessment for one of our U.S. clients. The first one in 2016. The company (a strong well established medium sized business) did a lot of Penetration Testing audits over the years and also a Spear Phishing Test already but they have never undergone a Social Engineering audit.

So they have engaged us asking to pay special attention on whether employees would give out usernames and passwords if social engineered. The results were shocking. Not because users fell for classic social engineering techniques (like claiming to be the IT Dept. or posing as a manager or trusted 3rd party). No it was far worse. Employees were asked by email and in person to give out usernames and passwords in return for something. For the new hires and junior members as $50 Amazon gift voucher did the trick in 7 out of 10 cases.

The classic email phishing was very successful. Claiming to be a manager, people seem to have no problem sending their Active Directory login by email or even via LinkedIn message. Out of 500 phishing emails, more than 400 were successfully answered by employees with username/password pairs.

The best IT Security doesn’t protect anything if employees happily hand it out.

It’s shocking. If we, with the permission of the client get such high results, imagine what a determined competitor or hacking group could do? Security policies are there for a reason. People wouldn’t put their car keys into an envelope and send it to an alleged address of a co-worker? Why people still don’t understand that a username/password is as valuable as the keys to all office buildings?

A lot of training and education is still needed in this field…


Social Engineering always wins

Author: Martin Voelk
April 19, 2015

As IT systems become more and more hardened, many script kiddies turn to easier alternative methods – mainly Social Engineering. Social Engineering is exploiting the weaknesses and the human layer, but getting someone to reveal a password over the phone, clicking on a “free voucher PDF” to win something or simply holding the doors open for someone they don’t even know. The possibilities are endless and unfortunately the success rates are 95% – 100%. Kevin Mitnick himself says: There is no cure for stupidity.

We try to educate our customers and employees as best as we can, but in every Penetration Testing engagement we are asked to do by our clients, we have at least 1 success due to social engineering techniques. Whenever people think they can win a $20 dollar voucher or get anything free, they will almost always click a malicious PDF just arrived in their Inbox, not matter how spammy it may look like. People will almost always plug a USB stick in when they receive a free USB from a nice stranger. People will almost always believe that the IT Support is really on the other line of the phone. The list goes on and on.

Here an interesting article from world’s famous Kevin Mitnick:




April 5, 2015

Social Engineering is responsible for most breaches, the human factor remains the weak link.



March 21, 2015

We have been using those in our assessment for quite a while, but we are still impressed how easy it is to compromise complete networks by just someone plugin in this USB stick as part of a social engineering assessment.

Back in the days an executable file was placed on a USB and once plugged into a machine auto-run executed it. Microsoft has since stopped the auto-run on newer OS versions, so you rely on users to click or open a payload, it must be crafted for the exact OS and so on. A pain.

Not with Rubby Ducky. Rubber Ducky recently helped us to compromise a lot of MacBooks at an audit, along with Microsoft Windows 8 machines and Admin Linux desktops. Why is it so easy? Well, because rubber ducky emulates a keyboard rather than executing a program. That means to the machine the ducky is inserted in, it’s like a user typing things, enabling the camera from the CLI, opening a reverse shell. This is what makes it so hard for OS’ to defend themselves against it.

We recently did a social engineering audit at a large insurance company. One of our ladies simple went to the non-restricted coffee break out area at the reception and put out 10 USB sticks with different tags on them such as: GRAB ME – I AM FREE or MANAGEMENT CONFIDENTIAL or LATEST 2015 EMPLOYEE PAYROLL. Guess what? All 10 USBs were taking within 15 minutes and only 2 hours later 8 of the 10 employees who took this “free gift” had inserted it into their machines and opened them up to us via reverse shell.

This once again shows that no defense is of any good, if employees plug in USBs they find in the coffee place. Now this was a large insurance company. Imagine private users in a Starbucks? Scary.

Those things cost around $45 USD each. Imaging a real hacking group purchasing 100 of them for malicious purposes.

We can only warn again and again. Don’t plug any USB sticks into your devices. Especially not ones you don’t know where they came from!



November 27, 2014

Companies these days realise the need for Firewall and IPS so hackers more and more turn their attention elsewhere – the human. In all social engineering attacks we have performed this year alone, we have a staggering success rate of 98%. In other words, in 98% of the cases users entered their credentials into a portal which they believed was the portal they were trying to login to.

Almost every user happily associates to an Access Point which broadcasts their company name out and happily becomes a man-in-the-middle victim including SSL stripping. 8 out of 10 users plug any USB stick into their private laptops or company laptops if it’s labeled “confidential”. 9 out of 10 users open PDFs and Excels with malicious payloads if they think a friend or the boss sent them. If company security kicks in, still 4 out of 10 email the PDF to their private Yahoo or Gmail account.

If users are being asked, Java needs to run on the browser – do you accept? They click yes and thereby create a tunnel back to the attacker. Spoofed phone numbers, SMS and Emails are usually only the first step to complete data exposure. Almost all employees accept the CEO or Board member on Linkedin (Wow the CEO just added me). No one even thinks that the “CEO” could be a fake profile from a hacker. Building trust with employees, asking for confidential information and getting this information within 5 days is common place.

We have been conducting Security Audits for customers for years, but even our team gets surprised again and again on how easy it is to obtain information from employees and the best Firewall can’t do anything against it. Have a think about where you click, who you answer to! It may not always be the person you think!

We have created a Cyber Security Awareness Training for ordinary non-technical IT Users.