Password Problems Part 2: Phishing & Social Engineering
Welcome back to IT Audit Lab’s Series on Password Security. In part one, we covered issues with modern password architecture, from password reuse to complexity, creation, and storage. As a brief recap: the number of passwords each individual must manage continues to rise, complexity requirements are rising to keep pace with password crackers’ hardware, and to cope with the growing complexity and quantity of passwords, most individuals turn to easily guessable passwords or reuse passwords across websites and services. In this part, we will explain common attack strategies employed by threat actors to bypass authentication and collect passwords.
Common Techniques for Collection
There are many methods by which threat actors attempt to gain access to passwords; the most common in the modern threat landscape is phishing and other social engineering attacks.
Method 1: Phishing and Social Engineering
Phishing, as defined by Merriam-Webster, is “the practice of tricking internet users (as through the use of deceptive email messages or websites) into revealing personal or confidential information which can then be used illicitly.” The malicious phishing emails that threat actors send to organizations worldwide are social engineering stunts aimed at harvesting valid credentials and other authentication data from users within the organization. Examine the following example from phishing.org:
Image 1: Example Phishing email courtesy of phishing.org.
The example phishing email contains multiple red flags in the body text that appear in almost every phishing campaign. Setting aside the suspicious sender address and subject line, the first item to identify is the hook.
The hook explains why the user is receiving the email and instills a sense of urgency in the target. In this example, the attacker hooks the user by stating they have been trying to reach them about suspicious activity and that the user has not yet responded. Whether prior messages were ever sent is unclear; it is most likely the first email the end user has received about the matter. The hook presents a scenario in which an active attacker has been inside their PayPal account for an unknown amount of time, instilling a sense of dread and urgency to get it taken care of.
Second, the attacker offers a solution to the urgency: “log in to your account and go to the Resolution Center”. While the user could do this via the PayPal website, the attacker conveniently includes hyperlinks within the email to take the user there. Once those links are clicked, the user is brought to an official-looking PayPal sign-in page where they can “sign in” to the service. However, this page is simply a copy of the PayPal sign-in page hosted on a domain the attacker controls, and upon submitting credentials the user has sent their plaintext username and password to the attacker.
These phishing attacks are extremely common in the information security world and are called credential harvesting attacks. They take many forms: attackers impersonate banks, Microsoft services, or social media support teams, or offer prizes as part of a sweepstakes or drawing. They all share the same purpose, however: to harvest valid credentials from the target user. These attacks are so common because they require no prior access to the protected systems, and once a user freely submits their username and password, the attacker does not have to crack a password hash or otherwise recover a stored password. Rather, they are handed valid authentication details and can sign directly into services as that user.
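The red flags walked through above (a sender address that does not match the brand it claims, an urgency hook, and hyperlinks whose visible text or destination does not match the brand's real domain) can be checked mechanically. The following is an added example, not code from the original post or from phishing.org: a small standard-library Python analyzer run over a constructed email modelled on the PayPal lure. The sender addresses, domains, IP address and wording in both sample messages are made up for this example, and the "registrable domain" helper is a deliberately crude last-two-labels approximation rather than a public-suffix-list lookup.

```python
"""Added example: flag common credential-harvesting red flags in an email."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure (all addresses, domains and wording are made up).
SAMPLE_EMAIL = """\
From: "PayPal Service" <service@paypa1-secure-mail.example>
To: victim@example.org
Subject: Action required: unusual activity on your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We have tried to contact you several times about suspicious activity.</p>
<p>Please <a href="http://paypal.example-login.net/signin">log in to your account</a>
and go to the Resolution Center within 24 hours or your account will be limited.</p>
<p>Visit <a href="http://203.0.113.10/pp/">https://www.paypal.com/</a></p>
</body></html>
"""

# Constructed benign message for contrast (also made up).
BENIGN_EMAIL = """\
From: "PayPal" <service@paypal.com>
To: victim@example.org
Subject: Your monthly statement is available
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your statement is ready. See it at
<a href="https://www.paypal.com/myaccount/statements">https://www.paypal.com/</a>.</p>
</body></html>
"""

# Phrases typical of the "hook": an assumed, illustrative list, not exhaustive.
URGENCY_PHRASES = ("action required", "suspicious activity", "within 24 hours",
                   "account will be limited", "unusual activity", "tried to contact you")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'registered domain': last two labels (no public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze_email(raw, claimed_brand_domains=("paypal.com",)):
    """Return a list of human-readable red flags found in the raw RFC 822 message."""
    msg = message_from_string(raw)
    flags = []

    # Red flag 1: display name invokes the brand, but the address domain is not the brand's.
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    brand_named = any(b.split(".")[0] in name.lower() for b in claimed_brand_domains)
    if brand_named and registrable_domain(sender_domain) not in claimed_brand_domains:
        flags.append(f"sender claims '{name}' but address domain is {sender_domain}")

    # Red flag 2: the urgency hook in subject or body.
    subject = msg.get("Subject", "")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    text = (subject + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        flags.append("urgency hook: " + ", ".join(hits))

    # Red flag 3: links that leave the brand's domain, go to a bare IP,
    # or whose visible URL text differs from where the href actually points.
    collector = LinkCollector()
    collector.feed(body)
    for href, visible in collector.links:
        host = urlparse(href).hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            flags.append(f"link to bare IP address: {href}")
        if registrable_domain(host) not in claimed_brand_domains:
            flags.append(f"link text '{visible}' goes to {host}")
        shown = urlparse(visible).hostname if "://" in visible else None
        if shown and registrable_domain(shown) != registrable_domain(host):
            flags.append(f"displayed URL {visible} but href points to {host}")
    return flags


if __name__ == "__main__":
    for flag in analyze_email(SAMPLE_EMAIL):
        print("RED FLAG:", flag)
    print("benign message flags:", analyze_email(BENIGN_EMAIL))
```

Run as a script, it lists every flag raised by the lure and an empty list for the benign statement notice. The check that matters most in practice is the last one: a visible `https://www.paypal.com/` whose `href` goes somewhere else is exactly the trick that delivers the user to the cloned sign-in page described above, and it is invisible in most mail clients until the link is hovered over or the raw HTML is inspected.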
While email is the most common channel for credential harvesting, other social engineering attacks aim to extract cleartext credentials from users directly. A common practice is for the threat actor to impersonate the Service Desk or IT Department at the business and call users on the phone (vishing). While speaking with the end user, the threat actor attempts to hook them just as a phishing email does: they devise a plausible reason for calling and craft a story about odd account activity, possible misuse of IT resources, or some other fabrication, so the user believes the IT Department or Service Desk is calling to keep them out of trouble. During the conversation, the threat actor will need to “verify” information such as username, email address, account details, and the current password to “confirm” they are speaking with the correct user. Once they have what they need, they end the call and use the victim's confidential information to access the systems remotely. A legitimate service desk never needs a user's password to assist them, and that single fact is the simplest check a user can apply to such a call.
In fact, social engineering and impersonating the IT Department was the main method used by the hacker who recently breached Uber, according to Bleeping Computer. The 18-year-old social engineered credentials from an Uber employee and hit them with an MFA Fatigue attack (repeated push prompts until one is approved) to bypass the multi-factor requirement. In short, no complex exploit code was needed to breach a very large organization; social engineering and persistence were all it took.
When possible, threat actors prefer social engineering via phishing, smishing, or vishing over other methods of password collection: it requires no prior access to systems and yields cleartext authentication details, with no hash to crack. Stay tuned for part three, where we will delve further into other common methods threat actors use to gain unauthorized access to account credentials.
By: Kyle Rozendaal
Phishing is just one way that people will try to compromise your identity. Attackers do this in various ways, including impersonating companies, sending malicious emails, and more. Knowing the common tactics and being able to spot these schemes is vital. If you have experienced suspicious activity such as phishing, call IT Audit Labs at (612) 567-8626 for more information, or visit www.itauditlabs.com/contact.