Crazy Walls – The Devil is in the Detail – Confessions of a Social Engineer
When a social engineer has a target in their sights, one of the main tasks is to compile as much information as possible about them in order to inform the eventual attack. In this research stage any and all information is of potential use, as the SE builds a profile of the individuals and the company to be attacked. The slightest detail can be of importance in finding a hook to encourage people to talk and reveal actionable intelligence on the organization.
From operational points regarding subcontractors or site maintenance, to personal habits and staff relationships, tiny details are crucial in order to build rapport and gain trust with individuals, often as a conduit to broader company information. This can be a problem for security teams trying to create “awareness” within the workforce, as staff may not understand how such minor pieces of information could be of use to an attacker. Staff may perceive themselves as unimportant or insignificant within a company, and as such don’t think that what they know is valuable, or don’t work to protect information from those they have not verified as genuine on a call or in an email.
The “crazy wall,” or “detective wall,” is a tool for linking these pieces of information together to build a profile of the target and construct the narrative behind the attack. Whilst there are numerous tools to compile this data electronically, the term itself comes from the image, often seen in police dramas, where photographs, post-its, and notes are pinned up on a wall and linked “crazily” together with connecting lines and arrows.
It is often the physical ordering of the information that gives the social engineer the means to orchestrate the breach. The wall provides a visual map of a company, its people, relationships and culture, informing the nature and language of a tailored and bespoke attack. The information makes for a sophisticated “spear-phish” rather than a typical “phishing” or “vishing” campaign using a standard script and relying on the fact that if you target enough people, some of them will click on a link or give out information.
Some time ago, I was working for a client who was concerned that their senior team was a target for a serious “whaling” attack. They had found out that they were vulnerable as a named target, but had no idea what form the attack might take or how the attackers might attempt to gain access to the privileged information that the directors held. They were concerned about a false sense of security amongst their executives, who felt that because they did not use social media on a regular basis they were somehow “safe” from this type of information-led attack.
We looked at their social media profiles and most of them were well maintained with good privacy settings; however, the profiles of their assistants, teenage children and business associates were less secure. From just a few pieces of information, including details of a charity several staff supported and information around hobbies and interests, a sufficiently populated “crazy wall” was constructed.
The attack itself was simple, using the events diary of the charity to orchestrate a meeting and fake “interview” with two of the directors. To set up the meeting inside their head office it was crucial that we had a legitimate appointment, and that meant persuading at least one of the board’s PAs. This can be difficult, as personal assistants are generally excellent gatekeepers as a standard part of their role. The trust of the PA was gained through a process of rapport building based on a “shared interest” in a specific hobby, uncovered via her Pinterest page.
Introduced as a topic on an otherwise “cold call”, the bogus interviewer chatted at length to the individual about a similar hobby. This built rapport through common ground, and trust was established. This small detail was ultimately enough leverage for the SE team to jump the queue and gain access to the directors and subsequently their offices, laptops and company premises.
From a few names and these scant details gained from social media, a detailed enough map was constructed to fabricate a specific and effective attack. Whilst all staff were thoroughly debriefed and assisted by ourselves as consultants, we must remember this would not be the case in the event of a real, malicious attack.
Crazy walls might seem old fashioned in this digital age, at least those done manually, but they remain an effective and useful visual profiling tool for attackers. It is vital that security professionals understand the importance of the details people share and convey the potential risk of sharing even small amounts of information publicly. People need to be made aware of how they might be profiled and subsequently exploited, and of how the devil really is in the detail.
Want to know more? Jenny Radcliffe will be mapping a “crazy wall” live and demonstrating the profiling process, on Wednesday 26th April at IP EXPO Manchester.