Instructor: Michael Allen

This Anti-Cast was originally aired on January 29, 2025.
In this video, Michael Allen discusses innovative social engineering tactics used in penetration testing, specifically the use of physical mail (postcards sent to employees' home addresses, carrying a QR code that leads to an adversary-in-the-middle credential phishing site) to bypass conventional digital security controls such as email filtering, endpoint EDR, and corporate network monitoring. Throughout the discussion, Michael highlights the psychological elements that make these tactics effective and explores how organizations can bolster their defenses against such creative attacks. The video provides insights into both offensive security strategy and the importance of comprehensive security awareness training, including coverage of what employees receive at home, to mitigate these threats.
Highlights
- The emotional hijacking technique in social engineering is effective because, as the speaker puts it, the human brain can only operate logically or emotionally at any given time, and attackers exploit this by creating situations that trigger quick emotional responses.
- Security awareness training is crucial because creative attackers can always find ways around technical security controls, making trained individuals the first and sometimes only line of defense.
- The use of physical mail in phishing attacks is a novel approach that bypasses many traditional digital defenses, highlighting the need for comprehensive security strategies.
Transcript
Daniel Lowrie
This is going to be incredible. Tell us a little bit about yourself and tell us what we’re going to learn about today.
Michael Allen
Sure, yeah, yeah. Actually, let me start out by telling you a little bit about the title of today's talk. I really hate that Jason Blanchard couldn't join us today for the pre-show banter, because I've got to pick on him about this title.
I didn't write the title. Jason wrote the title, and he said our title has to be 75 characters long or less and it has to have my name in it.
And that's so everybody that comes and joins the webcast can submit their time here watching the webcast as a CPE credit for their continuing education for certifications and stuff.
I was so proud of the title that I originally came up with that I wanted to show it off. So this is the actual title that was intended for this webcast: Pushing the Envelope: Lessons Learned from Another Year of Phishing through the Mail. Which I think is really clever, because there's a double meaning to "pushing the envelope" there, since we're talking about phishing through the physical mail here.
And I put a good bit of time into thinking about this, and it really broke my heart when Jason made me change the title. But as I was thinking about it more and more, I realized that what he was doing in selecting this other title, with his expertise about what people would find in the algorithm and what people would be able to use to get their CPE credits, was creating something that was simpler but gets the job done much more effectively and accomplishes our intended goals, rather than something flashy like the double-meaning kind of title that I came up with that I thought was so creative.
So on one hand I wanted to give him a really hard time about that for making me change the title. But on the other hand I wanted to say thank you, and also mention that this kind of ties in.
We're going to do the exact same thing from a security perspective, rather than something needlessly complex.
Daniel Lowrie
Okay, we like that. We like things that work. We like things that we can easily... I always say it's news you can use, right? If I come in here and get real esoteric and deep into the weeds on something super, super technical, then only a handful of people are really going to get something out of it.
So I really enjoy that you can get technical with this, and you can kind of point us toward where that gets a little more niche or a little deeper with the technical specifications.
But start us off broad so that we can actually meet you there one day.
Michael Allen
Absolutely.
Daniel Lowrie
Because you never know who your audience is going to be.
Michael Allen
Yeah. So, like we've already said, my name is Michael Allen, for anybody out there that doesn't know who I am and what that's all about. And I've got one of those certifications that requires the annual CPEs too.
You see that CISSP up there next to my name? I work at Black Hills Information Security as a Red Team practice lead, and I'm currently acting as the initial access specialist on our ANTISOC continuous pen testing team.
And as we mentioned during the pre-show banter, I also teach. I've got a couple of classes. One is Red Team Initial Access, where I teach all the ways we currently break into high-security environments over the Internet.
I'm teaching it next week at Wild West Hackin' Fest: Mile High. And then I'm also teaching it at Cross KernelCon in April. And then I've got a brand new class called Real Social Engineering, which is about the fundamental skills necessary for somebody to get into social engineering penetration testing.
And that one I'm teaching in March, live at our Red Team Summit online through Antisyphon. And I'm not super active on social media, but I am on a couple of platforms. I'm on GitHub, X, and LinkedIn.
So I've got links to all those in the slides too, if you're interested in following me there. I'm @Wh1t3Rh1n0 on all those platforms. So that's it about me. Now I'll get into the content everybody came here to see.
So about a year ago, last March, I did another webcast. It was actually at our previous Red Team Summit, and it was called Greetings from the Red Team. I've got a link to it here in the slides, and I'm going to quickly go over some of the content from that, because I'm talking about the exact same attack that I was talking about during that little 20-minute webcast that I did back then.
So we'll go over this kind of stuff, give you guys an introduction to this attack that I'm talking about, and then we'll dig into some lessons learned, because at that time when I did this webcast back in March, I had only been doing this for about six months on Red Team exercises.
And since then I've got another year of experience doing this attack. We've launched it against so many more customers, and we've learned all kinds of cool stuff along the way. So here I am once more to talk about post...
Daniel Lowrie
You're saying that you're actually going to show us a technique to send email, or not email, but actual mail, like physical mail through the mail, the USPS, to get to people.
That's what this is about. This is that talk.
Michael Allen
That’s exactly what this is about.
Daniel Lowrie
Talk about thinking outside the box. Right? Well, if they don't pay attention to their digital inbox, maybe their real inbox still.
Michael Allen
Yeah, that thinking outside the box is exactly the whole premise of this whole thing. So when we're trying to break into any well-defended, modern environment, this slide right here is a list of all the defensive strongholds that we're usually up against whenever we're doing a social engineering attack.
This isn't necessarily everything we'll be up against, but these are really common ones that are often on my mind whenever I'm crafting a new attack. All the stuff you see in red: in every different realm where a security control could be in an environment, whether it's communication channels, security awareness, or the others, we're running into pretty strong defenses.
Especially in any customers that regularly get Red Team exercises. They're really on top of all of their security and doing best practices and stuff like that. So we start analyzing what we're going to run into, what we expect to run into on any given attack, like the communication channels.
Email is really well defended these days. It's very difficult for us most of the time to get an email to land in an inbox. Chat messages: after a company's been through one of our Red Team exercises, usually their chat messages are locked down pretty tight after that.
So if it's a continuous pen testing customer or any returning customer, that's going to be one that's difficult for us to get in on. When it comes to security awareness training these days, people are being trained to check and be suspicious of all kinds of different channels, like email, chat messages, SMS, phone calls, and people are being trained to scrutinize the attachments and URLs that they get via any of those channels.
Daniel Lowrie
So you're saying that security awareness training is finally starting to pay off in some dividends here?
Michael Allen
Yeah, for the most part it is. I'm going to be talking about some gaps in security awareness training for sure. But yeah, for the most part, the things that used to work don't work.
And then we get into the actual technical defenses on the endpoint or the network defenses, anything that they've got on the workstation, like EDR products. We've actually got a whole team of people at BHIS that are working on tools and techniques to get around EDR products,
'cause that's such a big hurdle for us. And then the network defenses, network egress, things like that, monitoring for any suspicious traffic, is also something we've got to contend with.
Really, the only things I've got on here that aren't in red are the external access controls of multi-factor authentication and geolocation, which we have some known reliable attacks for that work pretty much every time. Like, 80% of the time it works every time.
So those I'm not worried about too much, so I've got them in yellow. But the other stuff in red is really a pain in the butt.
Daniel Lowrie
I love it. Well, I wanted to ask you something real quick based off of your experience, and you're showing us that the old stuff isn't working as well as it used to, or at all, because security awareness is going up.
Defensive controls are also getting better every day. Are we working our way toward a singularity at some point where we just won't be able to have very many successful attacks?
I mean, ultimately that's the goal. But do you think we're actually going to get there?
Michael Allen
I don't know. That's a really good question. I mean, there's a lot of speculation around how good AI is going to be at different things. And we see all these impressive AI models, for example, that can tell you about some kind of information out there on the Internet that you didn't know about, but can't do a basic math problem and spit out the right result.
So I don't know, there could be a lot of hype there. There may not. One thing that is certainly true is around email phishing. AI has been implemented in a lot of email phishing detection controls and filters and things like that.
So as products like that are used that can actually have a better understanding of what content is in the message, we definitely have to contend with the intelligence of the system, like an AI, in addition to the intelligence of the recipient.
So ideally, in a perfect world, what I'd really like to see, and what I would build right now if I could, but I just don't have the capability to do this: I would create an AI agent that lives on your computer and lives on your phone and looks at everything that you do all the time, listens in on all of your phone calls.
I know it sounds terrible from a privacy perspective, but, like, if somebody visits a phishing website, the AI checks out that website and says, is this real or not?
And then it prevents the person from actually submitting credentials. Or if they get a phone call from some scam artist, it listens in on the phone call and it hangs up and tells them, hey, this was a scam call, and doesn't let them actually continue the conversation.
So hopefully we get there. Yeah, in a way, I think it would be a benefit to the world if I was out of a job, if we couldn't do this anymore.
But, yeah, it does...
Daniel Lowrie
...seem to be like that would be a good thing, right? Like, that's the hope. I mean, one day I just wish to go read books on the beach and maybe be a truck driver or a mailman or something.
Talk about that, because security, that problem has been solved. It does seem, though, that with what you're showing us today, or at least the topic and what we're about to see, there's always a way around it that we haven't thought about.
There's always some new... Is this a novel approach? Did you pick this up, or did you come up with this yourself? How did you get to this idea of "I'll send them postcards"?
Michael Allen
Yeah. So actually, that's exactly what I've got up right now. Me and another red teamer, Joseph Kingstone, on the BHIS team, we were on a red team. We were trying to come up with some creative attacks that would get around these defenses that we were facing.
And as we were thinking through this, these were kind of the things that were on my mind: to attack where our opponent is weakest, to be in the place that they can't see, and to do what they don't expect.
And these tenets, these kind of common-sense things, when you really stop and think about it, are what has guided my thinking since then.
They're what guided my thinking as we were coming up with this attack. So I applied these principles that we want to follow as attackers, to make our lives easier, to those exact same realms of security that we saw on the earlier slide where I was showing the defensive strongholds, to just ask the question: what can't they defend?
What can't they see? What don't they expect in every one of these areas? And then the answer sort of started becoming obvious. So when it comes to communication channels, it's impossible for any organization that I know of to monitor and block mail, physical mail, that's coming to an employee's home address.
Nobody can do that. And then when it comes... What's that?
Daniel Lowrie
I said, take that, AI.
Michael Allen
Yeah, yeah. I mean, unless, like, literally... I know that the USPS has a service for them to scan your mail, and they can alert you whenever you have new mail and that kind of thing.
But unless they're actually scanning your mail and opening it up, then it would be impossible even for AI to do that. Absolutely. And then, for security awareness training, another weakness is that usually mail that comes to your house is not covered in security awareness training that occurs on the job.
Also, when you're at home, you're usually in a home state of mind, not in a work state of mind. So at work, you get that quarterly phishing campaign that the security team does, and you're constantly being tested, but at home, you're not expecting an attack against your employer to land in your home mailbox.
Also, the things that people are taught to scrutinize during security awareness training, those URLs and attachments, can be scrutinized visually just by looking at, say, the file extension on the attachment or the domain in the URL.
But a QR code cannot be visually inspected by a human being. It has to be scanned with something in order for the data inside of it to be read. So we've got a bit of obfuscation there, and actually a little bit of trust, because people are so used to using QR codes all over the place.
And then the defenses on the endpoint, in addition to the network defenses, the defenses on the corporate network: for both of those, the solution is actually in the name.
Defenses on the endpoint are on the endpoint. So if we just get off that endpoint and move somewhere else that's outside the organization's control, like the web browser on a user's personal phone,
now we don't have to contend with EDR or anything like that. Same thing for the network. We get off the corporate network, onto the user's home Internet or their mobile Internet connection.
Now we don't have to deal with those network defenses anymore. And then of course the external access controls, I mentioned I don't really care, because I've got ways around those. So now, just by answering these questions, it presents an opportunity to us for an attack that we can do.
And that attack ends up looking like this. So this is the envelope that shows up in a user's inbox, or in their physical mailbox at their home.
And it's got the return address of their company on it. We put the real return address up there in the corner with the real company name and everything. We have these printed by a professional printing company, and they look real nice.
Professional, good. It's got the clean-looking font on there, so it looks like it's from the company. And then they open it up, because there's not any reason that they wouldn't open it up, since it looks like it's from the company.
Inside they find this postcard. The postcard's got this stock photo on it, some cheesy text that sounds like it was probably written by somebody in HR, and the company logo. In this case, I used the Contoso logo because I don't want to call out any companies out there that I've actually sent these to.
So just the fictitious company logo there; we'd put the real one, depending on who we're sending it to. And then on the back of the postcard we've got the company logo again, we've got the Amazon logo and a QR code over there on the left.
And then on the right we've got this letter that's written to the person who's receiving the postcard. So it says, "Dear Alice," or whatever the name of the person is, "It is my pleasure to inform you that a teammate recently nominated you for a peer recognition award on behalf of our Contoso family.
Please accept this $50 Amazon gift card as a small token of our appreciation for you and all the hard work you do. Sincerely, Carol Roberts, Chief Human Resources Officer." And then below that there's some instructions.
"Use your phone to scan the QR code on the left and sign in with your Contoso email to claim your electronic gift card." So hopefully what's happened at this point: they've opened up that envelope, they've taken out the postcard, they saw the postcard, they've read that they're getting an award.
They scan that QR code with their mobile phone that was probably right there in their pocket. They're at their home when this is happening, because we mailed it to their home address. So we know that they're off the company network, they're off of a company device.
We're controlling the execution environment, and we can just not engage with all of those defenses that the company spent all that money on, and start our attack in a very weak place for them.
Daniel Lowrie
What is so great about this is that you've taken the physical medium of mail, right? That we were like, yeah, that's old and that's busted. Right? We're the email, we're the instant SMS messaging generation.
We don't use mail. And you've taken all the things that we are used to seeing and looking for to defend ourselves against a phishing attack, and you just applied it to that.
You gave a legitimate-looking organization. You baited it really well with your social engineering technique of saying, hey, you have some money. People love to win stuff.
And then you have, there's still a link in a physical thing that you can click on. Oddly enough, it was funny. I saw the thing come up, I was like, oh, let me get my camera.
It's like, should I click this? There's $50 at the end of this rainbow. I want to have it in my Amazon.
Michael Allen
Yeah. If anybody out there is curious, feel free to visit the QR code and see where it goes.
Daniel Lowrie
Yeah. So I mean, is that legit? Can we actually go to that QR...
Michael Allen
...code? And that one won't hurt anybody. I forget off the top of my head where it goes. It either goes to my class website for the Red Team class, or it goes to my X account on X.
So it's one of the two. I can't remember which. I'd have to...
Daniel Lowrie
Gotcha. Gotcha. It’s not your phishing server at all.
Michael Allen
No, it’s not.
Daniel Lowrie
Our main culprit here.
Michael Allen
That QR code, this is the next thing that they see on their phone. You'll notice that this looks exactly like Microsoft 365. If their organization wasn't using Microsoft 365, it would be whatever else they use.
So Okta, Microsoft 365, Duo, whatever their single sign-on portal is, that's what they're going to see whenever they scan that QR code. The only clue that they're going to have on their phone when they scan that is the domain name that's up here,
if they check that. On some phones, depending on how we craft our URL, it won't actually display the full domain or the full URL when they actually scan the QR code.
And on some browsers on phones, you have to go to the top and actually swipe down to get it to show the URL. It doesn't just show it by default. So it's a little bit of a pain to go and see that on a mobile phone, which we use to our advantage as well.
But everything else about the portal that they run into at this point is literally their company's single sign-on portal. And the reason for that is because we're using a tool, an adversary-in-the-middle phishing tool such as Evilginx 3, that I've got linked here on the slide, that is sitting between our victim's device and the real login portal.
And it's just passing all the information back and forth between those two. So when they visit our server, it shows them the real login portal for their company. They enter their username and password, it passes that on to the real login portal, and then the real login portal's response, which is usually asking for multi-factor authentication, it passes back to that end user as well.
And then when they complete that multi-factor authentication, in this case it's asking for a code. It would also work for a push notification. It would also work if they get a call on their phone, for just about all of the common, popular multi-factor authentication methods there are out there.
It works for most of them. Then it's actually going to complete that authentication process. It's actually going to work, and we will get their session token that keeps their browser logged into their single sign-on portal.
So now we've got full access to that account. We can just jump right in. We don't even have to log in. We don't have to have access to their multi-factor token.
Daniel Lowrie
And Michael, that's kind of the cool thing about something like Evilginx, right, is that it's doing this man-in-the-middle reverse proxy action, where traditional credential harvesting sites look like the actual login portal, but it's not; it's controlled by the attacker.
You put in your username and password or whatever the case is, it harvests that, and then it kind of forwards you along to the actual page, and then you're either logged in, you already have a session or whatever, and you're none the wiser.
And now the attacker has the creds. And you can do that with Evilginx. But the real brilliance of it, in my estimation, you tell me what you think about this, is that with Evilginx, yeah, you can get that information, the usernames and passwords, but with 2FA, MFA, what I really want is for you to create that session and grab the token, and now I can just do good old session hijacking.
That's what's going to give me the access, right?
Michael Allen
That's exactly right. Yeah. So that's what we get at this point. And the other very nice thing about tools like Evilginx is, after they log in, what the user sees is not their normal single sign-on portal.
Even though they just logged into Microsoft 365, in this case, they're not going to see Microsoft 365. What they're going to see is this landing page that we redirect them to, where we've got a real Amazon gift card waiting for them.
It looks just like the real Amazon website, and it's got $50 on that gift card waiting for them. And I love this part of the attack, because many people don't realize, people who are doing the quarterly phishing campaigns and things like that, or pen testers that are doing social engineering pen testing, that we keep making these empty promises to the recipients of our attacks, the end users.
We say complete this survey and you'll be entered in a drawing to win a $10 Amazon gift card or whatever, or an iPad. I've seen all kinds of things offered, and nobody ever gets the thing that's offered.
All these training phishing campaigns or pen testing phishing campaigns are full of a bunch of empty promises. And I'm sure that a bunch of the real phishing campaigns that real attackers are doing are as well.
But what this does is it gives the recipient the opposite belief: if I get the thing I was promised, that's proof that this was not a scam.
So if they get the $50 now, they say, oh, this was 100% real. There's nothing to be suspicious of. It solves any question they had in their mind of whether this was real or not. If we didn't...
Daniel Lowrie
And $50 for access. That’s cheap.
Michael Allen
Absolutely. Every attacker in the world would be glad to pay $50 and get access to a major US corporation or any other major company.
Daniel Lowrie
Yeah, because fun fact, they're paying a ton more than that for insider threats right now. So if they're like, 50 bucks, you say, tell me more.
Michael Allen
Absolutely. And if we didn't give them the $50, if we just put a fake code here, what are they going to do? They're going to go type that code into Amazon, but it's going to get rejected.
They're going to contact their HR person, whose name I put on the postcard. They're going to say, hey, I really appreciate the reward, but my gift card code didn't work. And then the HR person is going to say, what gift card code?
And they're going to go back and forth for a couple of messages, and then one of them is going to escalate it to security, because they're going to realize it's a scam. It's going to get investigated, and we're going to get kicked out of the environment. So we don't want that to happen.
So we give them the $50 to keep their mouth shut, basically, and give them a little something for their trouble.
Daniel Lowrie
I love it. It's hush money for your end users.
Michael Allen
Absolutely. So one of the things that, when we were coming up with this attack, I was personally a little hesitant about was, okay, well, it's really easy for us to get email addresses.
Right? We can get email addresses for any user in any company, usually. But how do we get home addresses for people? Can we do that? And can we do it reliably? It turns out it's really, really easy to do.
You just go on LinkedIn, you find all the employees that work for the company: click on the company and click on the People page, and then on each person's profile, just about everybody has their name and their location listed.
You go out to a free people search engine like fastpeoplesearch.com, that I've got over here on the right, and put in that name and location. And if you get just a single hit for that name, then there's a very, very strong chance that that's the person that you were trying to find the address of.
And that happens a lot more often than you would think. And even if it doesn't, even if the company is full of a bunch of John Smiths that live in big cities or something, if a company has thousands of employees, it's very easy for us to come up with a pool of targets whose addresses we can get out of that large pool of employees, that we can reliably send these to.
So finding the address is not really a hurdle at all to doing this type of attack. And going into this, that was really going to be the biggest hurdle in my mind. And it turned out we could do that so reliably.
Daniel Lowrie
Gotta love free information on the Internet, don’t you?
Michael Allen
Yeah.
Daniel Lowrie
And that just goes to show you, you should have good personal OPSEC about what it is that you put out there on the Internet. It might be the thing that gets you got, right? You want to be very careful.
Mishaal Khan talks about this a lot in his OSINT courses and things, where he is very protective about what he puts out on the Internet. Even when he submits things for job applications or something like that, he will not put his address in there. He goes, it goes into a database, and if they get breached, somebody gets my data.
So it's like trying to find the right balance of what you put in the world and what you don't, which can be tricky.
Michael Allen
Yeah, honestly, I mean, with this kind of stuff, there's so much information out there for someone that's actually interested in it. I totally get not putting information out there about yourself, or trying to obfuscate it, or putting out fake information or things like that, trying to frustrate that.
But for your average person that's not really all that interested in security, everybody's going to be listing their location. Just about everybody on LinkedIn probably would like to find an easier, higher-paying job.
And that's probably part of why they're on LinkedIn. So they want to connect with employers that are looking for somebody that's in that location, potentially. Or they want the people that search for their name to know it's actually them, and maybe know that by the location or whatever.
So yeah, I'm reluctant to put the blame or the responsibility primarily on the end users, when the world we live in is just, if I couldn't get it on LinkedIn, I could get it somewhere else.
It's just that that's the easiest way that I can tell everybody that's watching this how to do it in one slide.
Daniel Lowrie
Yeah, yeah. No, I think you’re absolutely right.
Michael Allen
We could do it some other way.
Daniel Lowrie
For sure. This is, I think you're pointing out, the world we live in, where a lot of our information is out there, and we would have to have a pretty big culture shift into more of a privacy culture to see a change in that, in real-life land.
And this is the kind of thing that brings that conversation up. So this is just the fact that you have things that are out there; that is the culture you live in. This is the exchange that we have made with everyone, saying, hey, for a lot of quote-unquote free services, I'm going to give you information.
And therefore that information becomes pervasive and ubiquitous. So it's just really interesting to see that you were able to go, hey, I can take advantage of the culture being that way and manipulate it for my advantage, as what I do for a living.
And it does point out a significant security risk, potentially, for an organization.
Michael Allen
Absolutely. Yeah. So as I said, kind of beginning this whole thing, everything up till now is just kind of an overview of what this attack is.
And we’ve been doing this with a lot of success. I mean every company that we have sent this to, we have gotten into as a result of it over the last year.
And also as a result, we’ve had a lot of lessons learned. We actually did a really massive campaign postcard phishing campaign against all of our anti soc customers, at least all of them that were willing to opt in.
There were a couple that were kind of, iffy about sending stuff to people’s home addresses. But the large majority of our anti stock customers all opted into this last summer and we got to do this at scale.
And we had so many lessons learned. there was another talk that I’ll reference here in a minute. It was about the post exploitation, some lessons we learned from that end. But I wanted to go over some of the things we learned from this that were really interesting about this attack, and talk about those things.
Some of the lessons learned, though, are things that I learned from my mistakes in addition to things that we learned from our success.
Daniel Lowrie
The best teacher.
Michael Allen
Yeah, and I want to be completely transparent about that. I mess up too, and I make dumb mistakes and like sometimes I'm just careless, which is what happened in this first one. Like I, I thought there might be a reason that I shouldn't be ordering all those Amazon gift cards from my personal account.
And it turns out that feeling was right. So, so lesson learned number one is if you’re going to do this attack, set up a separate Amazon account from your personal account to order those Amazon, gift cards.
Even if you order the physical gift cards or the print at home gift cards, what happens?
Daniel Lowrie
Lesson 0.1. Go with your gut, right?
Michael Allen
Yes, yes, always go with your gut. Whether you're an attacker or whether you are just a regular person who thinks something seems suspicious, going with your gut always seems to be the right answer.
But yeah, like you buy these gift cards and the person puts in the gift card number. I did not realize it probably shows that I haven’t received many Amazon gift cards from other people.
But I, did not realize that when they put in that number, it actually shows them the name of the person that sent or the person that purchased the gift card. So everyone that was putting in the gift cards was getting a message that says, would you like to thank Michael Allen at the bottom of the screen where they put in their gift card code.
Amazingly enough, nobody ever noticed that and like used that as a reason to report this to their security team or anything like that or something that they thought was fishy. And the thing that alerted me to it was this message right here in the screenshot.
a lady sent me a thank you for, for sending her the $50 gift card. And I thought that was hilarious.
Daniel Lowrie
So did you thank her back?
Michael Allen
No, I didn’t want to do it. Thank you account while this was happening. And it was just it was so funny. I see this notification pop up in my personal email actually because it was my personal Amazon account.
And it said so-and-so says thank you. I'm like, what? And it was just, it was a really hilarious moment that came as a result of one of my mistakes. So everyone can learn from that mistake.
Daniel Lowrie
That is, that’s very entertaining though. The fact that you’re getting thanked by the person that you are actively compromising.
Michael Allen
Absolutely. Then this second lesson that we learned, this actually also kind of came from a mistake as well. So when I started doing this attack back in 2023, I started out very first campaign that I did 10 postcards was how many we sent to that organization.
And I’d been doing 10 postcards ever since to every other organization and been very successful. When we did the massive campaign for our ANTISOC customers, I really wanted to go the extra mile. I wanted to make sure that none of those postcards like got sent to the wrong address and that caused us to fail or something else happened that, caused us to fail related to the postcards.
So I picked out 20 targets for every organization instead of 10. And the interesting thing about this campaign is that in every case the majority of the users that we targeted logged in.
And this is very unusual for a social engineering campaign that the majority of users actually fall victim to it. Usually it’s a minority of users that fall victim and you frequently rely on the fact that like, well, at least one person’s going to do it.
And that's all it takes, is one person. This screen capture here is actually from an after action review that we did for one of those ANTISOC customers. And they actually have fewer targets than the rest of them did because they had taken some people out of our targets list that were like executives and a couple of people who were retiring within about a month or so.
So they didn’t want them to be getting that postcard like right before they retired. So, they only had 14, users that were targeted in theirs. Nine of those 14 logged in.
The, other five, I have no way of knowing whether they were suspicious or whether, the postcards just didn’t get delivered, got delivered late. Maybe we’d send them to the wrong address, who knows?
But, the point being that this attack is so effective that you don’t have to send that many. like sending 20 actually caused more problems.
One of, one of those problems I’ll talk about here in a minute than if we had just stuck to 10 per organization. So another lesson I learned there.
Daniel Lowrie
Yeah. Can I ask you, were you very specific on who those users were? Did you cherry pick them or did you just kind of go, well, this is what we found. Let’s grab 10 randos and send that out.
Or what was the process like on that? Or do you have that data?
Michael Allen
It varied from one organization to the next. So, some companies have asked that we target specific departments. Like one organization asked that we target anyone who was in like their security team and their IT team, anyone that they thought would be a prime target and have administrative access, and others.
It was just, we’re going to pick a random sample and so that random sample ends up me going to LinkedIn. There’s, a tool that I use, it’s on my GitHub, I created, it’s called Ice Scraper.
That I just scrape all of the data from all of the employees for that organization. I randomize that list. I then find who the first 10 random people are that I can find their address, or in this case 20 random people and then those end up being our targets.
So it can go either way that it’s randomized or cherry picked.
Daniel Lowrie
Good to know.
Michael Allen
And then the third lesson we learned, and everybody on the team really learned this one, had a lot of fun repeating it over and over, was that people really want that Amazon gift card. And there were a few ways we could tell just how bad they wanted it.
The first was it was not just the technically unsophisticated users that fell victim to this. We actually had one case, I mean we had several people with administrative credentials of different kinds log in, but we had one case where the Azure Global Admin for an organization logged in to our phishing page and it was just game over for that organization as soon as we got access to the account.
Because we had access to servers, workstations, all their files, all kinds of development data, just everything you can imagine, we were able to get access to and really do whatever we wanted.
So it wasn’t just your kind of your usual suspects or like low hanging fruit type users. It was everybody seemed to be affected by this regardless of their status in the organization or their position or their technical sophistication.
Daniel Lowrie
Can you talk at all about what that debrief was like to tell that person, sit them down and go. So here’s the thing.
Michael Allen
Honestly I don’t remember if there was any specific concerns about that one, individually because there were so many people compromised in every organization that they were just another one of many.
So I don’t, I mean I do know that we made recommendations that like you should have separation of privileges and things like that and the person shouldn’t be logging into a website with their administrative credentials.
But I, I don’t think we really had any kind of stuff where we dialed in too specifically on that one person. And there’s, there’s reasons for that too.
Like we try and not make it about one individual but more about processes and the overall security awareness in the organization.
Daniel Lowrie
Yeah, makes sense.
Michael Allen
So the number two thing that let us know that people really wanted that Amazon gift card was we got logins from people who were out on vacation. So there was a webcast I did, I've referenced this earlier, back in October that was about the post exploitation stuff that we learned from doing all of this.
And, during that one, I told this story of this guy who, logged in. And, I got into his account because he logged in. And once I got into his account, I saw his autoresponder was turned on and said he was out of the office.
And I looked at his inbox. None of the messages were being read. They were all still unread in his inbox. I looked in his Teams account. He had a ton of messages that were just building up in his Teams account.
Those hadn’t been interacted with at all yet. So I knew he was out for a few days. And, he. It was really amusing to me that he was not logging in to check his email or anything like that.
But he did log in to get that gift card. So even, even somebody who’s got a good work life balance and they’re not checking their email while they’re on vacation, they’ll still, log in to get that gift card while they’re out.
Daniel Lowrie
Man, that just really does kind of open up the human psyche about how much we really enjoy getting things. Oh, yeah, actually kind of to your point before.
about how if it’s not in this specific lane, we become blind to the fact that it might be an attack of some kind.
Michael Allen
Absolutely. Yeah. And I’m going to dig into that human psyche part here in just a moment too. So we got multiple logins from the same person. This happened for all kinds of people. I don’t mean just one person.
I mean over and over we got multiple logins from the same individual. And one of the funniest ones was we had somebody who logged in. And when I buy those gift cards, I try and keep the expenses that we expense to our customers down like $100 or less for any given project.
And so I only buy two gift cards. So the first two people that log in, they get the gift cards. And anybody that logs in after them, I’ve already got access to two accounts. So they just see those same gift card numbers, and when they try and redeem them, it says they’ve already been claimed.
So we had some people who we could see, they logged in, they tried to claim the gift card number. It was one that had already been claimed. So then they went to their real company login portal, changed their password, and then tried to log in with the QR code again.
And I mean that they were trying to do anything they could to troubleshoot and get that gift, card number to change to a valid one. On their own without, trying to, like before they actually interacted with HR or anything like that.
So that was.
Daniel Lowrie
They’re going to. They’re going to hack your fake gift card system.
Michael Allen
Yes, it was. That was very amusing to see.
Daniel Lowrie
that must have been no end of fun to watch happen in real time.
Michael Allen
It was actually, at first it was no end of fun, and then the fun actually started to turn into pain. So this fourth one, the logins actually continued two months after the campaign had ended.
And I don’t mean after we started, I mean after we thought it was going to end. It went on for two more months. We kept getting logins. And this, happened even after the organizations had told everyone in the company that this was an attack.
They sent us screenshots, our point of contacts. They had put images of the postcard on their internal intranet website. They had emailed it out to every person in the company, and we still had people logging in.
So this actually got really painful. Whenever we got so much success from sending out so many postcards, we had everyone all hands on deck on the ANTISOC team trying to respond to all these.
And then, this dragged on and dragged on. I wanted to work on other things, and I was still dealing with people logging in and still having to do.
Daniel Lowrie
You’re in postcard hell.
Michael Allen
Yeah, it was like a victim of your own success. It was really, it actually got old. So, yeah, that was, that was a real lesson to learn too, that, man, they really wanted that gift card, that much to keep coming back and logging in.
Daniel Lowrie
Are you, are you going to, play around with the amount at all and see, well, maybe will 25 get me the same kind of attraction, that $50 gave me? Or maybe that’s. That $50 is the sweet spot.
Is that something you’re going to work on in the future?
Michael Allen
Well, it’s funny that you asked that, because one thing I wanted to point out is I selected the $50 for, the specific purpose of being enticing and being a value that most people in most positions, regardless it was a high position or low position, would probably be interested to receive.
If you think about it, you're getting a reward in the mail from your employer. If it's a $5 or a $10 gift card, for example, you're probably going to see that as more of an insult than a reward. Like, like, they give me $5 for putting in all those extra hours last week or whatever.
So I definitely wanted it to be something that was enticing. And I think that was a big part of why people kept coming back. I also think the fact that we played on authority, signing it with the head of HR, giving the company logo and just making it look legit, I think that those definitely played a role too.
Those are all common social engineering tactics that we use. But the number one thing that I think makes this attack so devastating and that I really wanted to dig into, because this has been a big takeaway for me from these campaigns, is that it triggered an emotional reaction in the person receiving it.
So I want to talk about something called emotional hijacking, which is a technique that we use as social engineers and what I think made this so, very successful.
So the way emotional hijacking works, and the reason that it works is, a human brain can only operate logically or emotionally at any given time. It can’t do both, only one or the other.
And this is, I’m, explaining this as a layman in psychology. So this is how this was taught to me. but it makes sense to me. So this, that’s what I’m going with.
and the reason that we believe that that is the case, or the reason that we believe that this exists the way that it does, that, our emotional brain reacts, faster than the logical brain, is that we think more people survived throughout human history who had a very quick emotional response to potential danger than people who reacted logically and maybe said, hm, is that a snake?
Or. Or is that a stick on the ground? If somebody just had immediate fear, surprise response to something that looks like a snake and they jumped away from it, if it was a snake, they probably survived more of the time.
If it wasn’t a snake, they were embarrassed maybe, but that’s survivable. As opposed to the other situation where if you don’t get back up, you’re, potentially going to get bit and die and then your genes will not go on and everyone will have these faster emotional responses than logical responses.
Daniel Lowrie
I’m envisioning the scene from Kung Fu Hustle where the snake is biting him in the face. I’m like the first person to be like, well, let me analyze this first before I jump away.
It could be a stick. No, it’s biting me. I’m pretty sure it’s a snake at this point.
Michael Allen
Exactly. So we as, social engineers can use that to our advantage with the technique of emotional hijacking, where we create one of these situations, that has an event that causes a sudden emotional response.
So when our target victim, they have that emotional response, their emotional brain, their amygdala is going to override their logical brain, and they’re going to make a decision out of emotion that may not be in their best interest, that they might not have made if they were thinking things through clearly and weren’t having that moment emotional response.
So, I think about, like, what’s going to happen whenever this person gets the postcard on the other end. And I picture maybe it’s Saturday, let’s say, or it could be, in the evening after work.
But whatever it is, the person’s at home, they’ve finally got some time to relax and recover from the work week. they are not in a work state of mind, which I mentioned earlier whenever we talked about security awareness and the difference between security awareness at home and, at work.
So it’s really important, they’re not in a work state of mind. They’re not even thinking about, a phishing attack, that quarterly phishing attack that the security team keeps doing. And then they get up to go check the mail, not knowing what they’re going to have in their mailbox that day, and they see something unexpected from work.
Now their, their, experience at this point, it may be one of curiosity, it may be one of sort of annoyance. They might be kind of like, what do they want? it’s Saturday. Why are they bothering me?
Who, knows what their reaction is at this point, but hopefully because the envelope looks pretty legit and doesn’t have anything obviously fishy on it, they open it up. And when they open it up, ideally they’re going to see those words peer recognition award on there.
And now they’re going to have a response of surprise. Now they’re going to say, oh, this was not something I was expecting, and this is something good. And then they’re going to see the phrase appreciation for all the hard work you do.
And now they’re feeling validated, they’re feeling appreciated. They’re feeling like all that hard work they’ve been putting in is, actually worth something. They, feel like they’re getting recognition, all the kinds of good things that people want to get from their job.
Daniel Lowrie
And then you get them with a double whammy, right? Because you got them emotionally, like, I want things, right? The psychology of, I like receiving gifts, I like getting. And this is something that I perceive has a high value for me.
So I like that. And not only that, but I’m awesome as well.
Michael Allen
Exactly.
Daniel Lowrie
Okay. Now, man, they could not, not do this right.
Michael Allen
Exactly. Yeah. They see that $50 that they’re getting some kind of, actual real world value, plus all of the emotional value. And what happens next?
The, the, way I picture this, I don’t have any evidence for this. Nobody’s told me what happened after somebody opened one of those. But if I picture myself doing it, if I went to my mailbox and I got a surprise reward from work and somebody else in my family’s home, then the next thing I’m going to do is I’m going to tell somebody about this reward that I just got.
I’m going to tell somebody about the recognition that I got, what a good job I’m doing at work. And if they do that, they just doubled down on believing that this ruse is real.
Now they just told somebody else. Now they’ve just vouched for this. So now if this turns out not to be real, their, their reputation, their emotions, their status that they get from getting that reward, that’s all on the line.
Even if they don’t tell somebody else about it, we think about how they’re feeling. They’re feeling proud, validated, appreciated. They want to believe this story.
So they’re, they’re actually probably thinking as they read through it, they’re like, who would have nominated me for this peer recognition award? Was it my boss? Was it that person who I helped with their project last week?
they’re actually looking for evidence to support the story that we gave them. so now they are doing our job for us. They are convincing themselves of the story that we told them.
And if they were to question it and they were to think about the opposite, then now they’ve got to start considering maybe I didn’t really deserve that reward that I just got.
Maybe I’m not doing as good at work as I think I am. And, they’re going to have to deal with some negative feelings.
Daniel Lowrie
So I would, I would love to be a fly on the wall to someone that got this and went, I mean, I know I suck at this, because, there’s those employees out there that are just phoning it in, and it is possible that one of them received one of these.
They’re just like, this is obviously fake.
Michael Allen
I get the feeling that, like, most people that are, like, really not doing a good job at work don't, like, have the perception that others think they're not doing a very good job at work.
Daniel Lowrie
Well, what, even if they did, even if they knew, they’re still going to go, but I’m cashing this $50, that’s for sure. Right. Like you see, you had multiple points, of failure. So if, if they were like, yeah, I’m not good at my job, but I do like getting stuff.
So two was one and one is done. Right. That’s how we get, that’s how we do it.
Michael Allen
Absolutely. And those people that are not very good at their job, what are the odds if they don’t, they already don’t care that much about their job. What are the odds that they’re going to care that much about whether they’re typing in their credentials to a phishing landing page when they’re getting dollars out of it?
So, yeah, so, so that is the, that is the real thing that I think that makes this so devastating and that I think we can apply to other attacks as well.
So I think the next question that comes up is then, well, how did we defend against this type of attack? And so, some advice I have on the defense. There are obviously two different areas where we need to defend.
We need to secure the humans, and we do that through the security awareness training, and we need to secure the machines, and we do that through our technical defenses. When, it comes to the security awareness training, in, my opinion, security awareness is really the first line of defense.
And I see people online that, post about security, awareness training actually being a waste of time, a waste of money and energy, that, people are always going to get tricked.
And so it doesn’t make any sense to put all this effort into training people to not get tricked when some creative attacker is always going to be able to trick them. I think that’s not actually true. I think that it is a good investment of time and energy and money, because creative attackers will always be able to avoid technical security controls if they can imagine a situation that the defenders have not yet considered.
And that’s exactly what happens in this case is we intentionally identified, areas that could not be defended, like the person’s mail at home, the person’s mobile phone, those kind of things that, where the defense is not possible by the organization.
And in those situations, security awareness is not just the first line of defense, it is the only line of defense, if there are absolutely no technical security controls, being engaged.
In this case, there are a couple, and I’ll talk about them, but many of the security controls were completely out of the picture.
Daniel Lowrie
The other thing, and you can also kind of say that it’s a, it’s part of layered defense. While yes, maybe we cannot get a hundred percent, of people to adhere to all of our security best practices, but last time I checked, 70 is better than 100, like or better than zero.
We want to have less people falling for these tricks and not all of them. So it is always a good idea.
Michael Allen
Yeah. And I mean, you think about too, those people go home and they’ve got accounts, email accounts, financial accounts, whatever that are their personal accounts and the security awareness training that they receive at work that carries over into their home life.
So we’re actually doing, good, we’re doing right by employees to provide them with effective training, not just so that they can keep the company secure, but so that they can be secure at home.
Because in the case of home accounts, personal accounts, security awareness usually is the only line of defense. There’s not really all that technical, sophisticated, defenses, preventing people from getting into people’s personal accounts.
And that’s, why we have such a high rate of scams and things like that targeting people’s personal accounts. So I think it’s important for that reason too. And then the things that I would call out as, causing that security awareness training to be effective, I think number one, it definitely needs to be concept or principle focused.
that way it will be resilient to attacks that no one has seen yet. new, new attack that comes out in the future. If you teach people, this is what a phishing email looks like, check the sender address and mouse over the link, and see where it really goes.
Well, that’s fine for phishing emails, but if that’s all you teach them, then when something comes in the mail with some, something comes through LinkedIn, whatever, they’re not going to know that’s potentially an attack vector as well.
And then that ties right into the second point which is people, need regular practice and they need that practice across multiple channels. I talked about, whenever we do use the same channels over and over and over in our training and in our simulated phishing attacks, such as email, people will get used to seeing email over and over and over.
And it has the opposite effect also of not just making them hyper aware of email, but makes them less aware that attacks can come from other channels. So we want to be doing that regular practice over every channel that we possibly can.
And then number three is really important. And this is why I mentioned, like, we don’t really like to call out individuals for failures whenever it comes to, they submitted their password or whatever.
and we like to focus from our end as testers on the company’s procedures internally. Ideally, the company wants to focus on rewarding the desired behavior of reporting the suspicious messages, reporting if you did click on a link or submit your credentials or whatever and not negative, reinforcement, not punishing people.
And there are some big reasons for this. there’s a couple of situations that you can imagine where someone gets a phishing email. They click the link, they do the thing, they open the payload or submit their credentials or whatever.
They either don’t report that at all, which we see all the time, because they’re afraid of getting punished and they think, I’ll take my chances. If I don’t report it, maybe nobody will know that I did that and maybe I’ll be okay.
Or they report it, but they only report like the first half. They report that they received the email, but they don’t report that they clicked the link and submitted credentials, or they don’t report that they click the link and downloaded an executable payload and opened it.
And if the security team doesn’t have the ability to tell that those other actions happened, then they’re not going to be able to make a sufficient investigation to actually kick the attacker out of the environment.
Daniel Lowrie
Yeah, it’s always a shame when you see that people get negatively reinforced when they do the right thing after they’ve done the wrong thing. And that is just a really bad practice.
It really needs to go the way of the dodo. I, I worked with an organization, we, we kind of fostered a culture of, when, especially when it came to phishing, where we wanted to kind of make a game of it.
We wanted to make a culture of, hey, if you, if you think you got a phishing email or a text message, put it in this Teams channel. That way everybody else could see what it looks like and if they get the same kind of thing, they'll know.
And then it became like, who can put all their phishing emails in there? Who can put all their SMS? And, and then we made fun of it. It was a lot of fun. It made it more fun to participate. And then you didn't get, you didn't get your hand slapped.
You were like, oh, my goodness, I got this. And yeah, I totally fell for that. Some of us would be like, yeah, I totally get that. I would have fallen for that if I'd have gotten it.
So you, you, you want to let them know that hey, now we can go and do the right thing and clear this up, get this fixed, do the right investigative techniques, we need to do to make sure that this, the fallout is as small as possible.
And thank you so much for stepping forward.
Michael Allen
Yeah.
Daniel Lowrie
And let everybody see that happen.
Michael Allen
Yeah, exactly. So I’ve got a couple of tips. This is a two step process here on this slide for how to combat the emotional hijacking that I talked about that hopefully companies can work into their security awareness training a bit.
the first step is just to start practicing noticing whenever you’re having an emotional response. It can be somebody cuts you off in traffic, it can be whatever situation where you start gaining that awareness of oh, I’m reacting emotionally right now.
And then the second step is just to stop when you notice that and to slow down and think about what’s happening and start asking yourself questions to enable yourself to get out of the emotional response and make a logical response.
Ask yourself, is it likely, like statistically likely, that the situation is actually what it appears to be? If somebody calls and says they're from Publishers Clearing House and starts asking you for personal information, is it likely that they really are, that kind of thing.
then ask yourself if you’re about to take an action that could possibly be dangerous, maybe not even one that you realize is dangerous or that you’re sure is dangerous, but it could it possibly be. And then number three, to get a third party involved that’s outside the situation that you trust to verify what’s going on.
So it's always better to over report to security and things like that than to under report. So in that case reach out to HR, reach out to security, whoever, and verify that the message you got is real before you do the thing.
the one last thing here that I’ll touch on, and we’re running right up against time, is the technical defenses against this attack. So the top two things I’ve got listed on this slide, these will stop the adversary in the middle attack that I just talked about.
The first is switch to a phishing resistant multi factor, any of those standards there that I’ve got listed, those are phishing resistant. I’ve got a document listed that has more information about that.
And the second is to allow logins only from the internal network or the VPN. So either of those will work equally well to flat out stop adversary in the middle.
And if one of them is too costly to introduce across your whole team, you can apply them to your high privileged users first and kind of test it out and let them do it. And, that way you’re at least protecting those highly privileged accounts before you go through the trouble and the expense of rolling out to the rest of your team.
There, are other things out there that are recommended and suggested sometimes to prevent adversary in the middle. But honestly, a lot of the other stuff, like some of the ones I’ve got listed down at the bottom, we’ve got workarounds, really simple workarounds for a lot of the other detections, around adversary in the middle.
So these are the top two right there at the top. Either one of them will work great and stop adversary in the middle, dead in its tracks. So that’s the, the last thing that I’ll, I’ll leave everybody with here right as we’re like, right up against the last minute.
Thank you all for listening, really appreciate it, and also your help. Daniel.
Daniel Lowrie
I, I thoroughly enjoyed it. Michael, this was a, very interesting, thought provoking and fun topic to, to broach. I’m so glad you had a chance to, to bring this information to not just me, but everybody that’s watching today.
And, we got to start thinking outside the box, right? And then, and looking, at everything and not, it’s the old, what is it? The zero trust model of never trust, always verify.
It never hurts you to verify. If someone calls and says, I’m with your bank. If you get a, a postcard that says, you won 50 bucks, pick up the phone, send an email, send a text and say, hey, real quick, I got this in the mail.
Take a picture, send it to them. Did you guys send these out? Because if so, thank you and I’m gonna go cash it, but I’m a. Wait till you, you let me know kind of what you were talking about. Like, slow down, take a beat and say, let me think through this logically real quick before I get all hot and bothered about, scanning a QR code and logging in for stuff.
So. Thank you so much, Michael.
Michael Allen
Yeah, no problem.
Zach Hill
Yeah, Zach.
Daniel Lowrie
Welcome back, sir.
Zach Hill
Thank you. I always love hearing Michael talk about this. it’s so exciting to hear about how, like all, testers are just thinking outside of the box and in these types of ways.
so it’s just fantastic to see you share it and yeah, it’s totally exciting.
Michael Allen
Yeah, I like talking about it from.
Zach Hill
The, the security awareness perspective. I, encourage you all to be champions of security awareness. Encourage, it. Be excited about it. I think, Daniel and Michael both kind of touched on that, but I just really have to emphasize that, like, be the champion in your environment that’s excited about it.
because if you’re excited about it, you can make other people excited about it as well. It is something that I think everybody needs to think about from you, the, your very entry level folks, all the way up to your C levels, security, especially security awareness.
It literally starts with everybody. it’s cheesy as that probably sounds like it is everybody’s responsibility nowadays. So I think the best thing that you could do is make it exciting, make it something that’s enjoyable in some way and just encourage, the positivity around it.
Daniel Lowrie
Yeah, have some fun with it.
Zach Hill
For sure. Definitely have fun with it. That I, cannot. Yeah, I loved what you guys did of, talking about it and then, just making it more engaging that way. Like that is. That’s fun. That is. I like that.
So anyway, thank you, Michael. Sorry.
Michael Allen
Yeah.
Zach Hill
Off topic, there is one question that, that I do have here from somebody, directly to this. So for these engagements, something like this, where does this stand on a legal level, like for vishing and calling personal numbers of employees is sort of a no-no area.
How does sending mail to personal home addresses differ? Is this something that you guys go over in the ROE or is your scoping. Do you have to get approval?
Michael Allen
Well, I don’t know if my take on this is, necessarily the safest take. But so first off, if anything is not explicitly forbidden in the ROE, I consider it in scope.
So, I like this kind of attack to be a surprise because, some organizations are kind of skittish around this, but it’s such a devastating attack. I feel like it’s very, very useful to do.
So if they don’t say anything that gives me a hint that, they don’t want us to do this, I don’t actually mention it in the ROE and I just do it and see what happens.
because usually it works out so well. and if it’s not explicitly out of scope, it’s in scope. The other thing is, we have had a couple of organizations where people in the organization other than our point of contact so like heads of IT or whatever, learned about the attack and then reported the attack like to the USPS or to the FBI.
And I haven’t heard anything from the FBI or from the USPS yet about any kind of mail fraud or anything like that. And I expect I wouldn’t because this is all done as a part of an authorized Red Team exercise or penetration testing exercise.
So we’ve got permission to do this kind of thing. But yeah, in my experience there hasn’t been any trouble from doing it or anything like that.
it’s, and it’s generally really received really well after the attack is all over. I’ve gotten so much positive feedback from our customers, both the ones that knew about it in advance and the ones that we did it to as a surprise.
They loved seeing something outside the box that their users would not be expecting. So that it’s a training opportunity, it’s a teachable moment for those users that, like, you expect these things that you’re not really thinking about or might not know exist.
And also because it highlights the need for as in regard to their technical defenses for them to do things like use stronger multi factor authentication or lock down their controls around logging into resources from outside their network or things like that.
So yeah, I don’t have any concerns my, myself and I haven’t run into any legal issues. But I’m also not a lawyer and I haven’t looked into it. So take that with a grain of salt.
Daniel Lowrie
Always consult a legal professional before applying any legal right.
Michael Allen
Yeah, like putting disclaimers on all of my slide decks because I tended to do that kind of thing,
Daniel Lowrie
Probably a good idea, just try it.
Michael Allen
And see what happens.
Daniel Lowrie
Yeah, yeah, just yolo, right? Who. Yeah, what are you gonna do? Hey, that’s it. I gotta, I gotta go guys. This has been so much fun. I really thank you for allowing me to be a part of your, talk here.
I had a great time. I gotta go. Going to be on the Red Siege Wednesday offensive today, which is in like for me about 10, 15, 10 minutes. I got to go get logged in there, so.
But thank you everybody and everybody in Discord. We’ll see you next time. Keep talking though. I’ll see you guys later.
Zach Hill
Yeah, but wait, that’s not all. we’re still here for a few more minutes and we will be doing our breakout AMA. So stay tuned. Just, have a few more questions, that we have for Michael.
One from Mark. Can you show the countermeasure screen again please?
Michael Allen
Yeah, absolutely.
Zach Hill
And just so, everybody is aware, in the Discord server, under the Slide Resources channel, I have put the slides that, that Michael, was showing today.
So you can access those slides right there in Discord and then, anonymous attendee, while you’re pulling up that, that slide right there to the last point that was made, have you considered, this was a couple minutes ago, but have you considered including.
That person only has a certain amount of time to claim a gift card. They’re saying, I feel psychologically, when, we are on a time crunch, we don’t verify things as much as we should.
Michael Allen
Yeah. So this is something that I actually cover in the Red Team class and in the real social engineering class, which is, the use of time constraints in social engineering ruses and campaigns.
And this, that is something that is very frequently, like, recommended by social engineering material that’s out there.
And there’s a good reason for that. Just like you were saying, people don’t really make the best decisions under time constraints as they would if they had, an unlimited amount of time. We also do that because a lot of times, like if we’re doing a pen test or Red Team, we’ve got a week or maybe three days sometimes or whatever it might be, in the case of a pen test, not a red team, but, very short amount of time to actually execute the attack and get all of our results and generate the report and all those kind of things.
So we need people to respond quickly. So there’s that kind of technical reason for that urgency as well. But, I think, at least in my experience, what we’ve kind of trained users to key on is that if they are, if they’re receiving a message that says, please do this today or please do this this week or whatever, that’s actually a clue that this might be a phishing email or a phishing message of some kind.
so I like to leave that out. And I like the sense of urgency to be very subtle, for it to be unstated, for the urgency to come from inside the person, ideally.
So in this case, one of the things I love about this attack attack is that the $50 gift card, it sort of creates that sense of urgency like the person wants it right now and that I don’t really have to worry too much about putting any kind of expiration date on it for that reason.
Usually, the same day the person receives it is the day they log in and try and get it.
Zach Hill
Awesome. Thank you, friend. Thank you. all right, I just put a link there in the chat too for your class. So if anybody’s interested in Red, team initial access, you, can check out Michael’s class.
just check out the link in the Discord server. you will be at Wild West Denver next week giving, this class in person. So y’all can join us in person at Wild West Hackin’ Fest next, week.
I’ll put a link for that in the chat as well.
Michael Allen
Or.
Zach Hill
Oh, go ahead.
Michael Allen
Sorry, not to be too salesy about that or anything, but just FYI, the, the material that I’ll be teaching at Wild West Hackin’ Fest, I’ve just updated it with new content.
That Red Team class, I update that every time. Learn something new on, on Red teams, on our ANTISOC team, whatever. so, I got some cool new stuff that I’m looking forward to sharing with everybody and I’m sure that between, whenever we teach it next week and then I teach it again after that, it’ll probably get updated again as well.
Zach Hill
I love that, that that’s, I think one of the, the most exciting things. And not to get piece salesy because, but yeah, you guys do spend so much time updating your classes as you guys are learning new, tools, techniques and methodologies.
and I just love the fact that you are bringing everything that you’re doing, within your job, on a day to day basis. you’re bringing that material to, the masses and you’re sharing that with everybody and saying, hey, this is what we’re seeing, this is what we’re doing.
Here’s how you can do it, here’s how you can benefit and learn from that and take that back to your organization and apply that. And I think that is just huge that you don’t see that very often with a lot of, classes and material that’s out there.
Michael Allen
Absolutely. I’ll tell you something that I think, I personally think is kind of funny about it myself. I find it a little humorous every time I look at my own slides for my class as notes.
So I know what to do, like what commands to run and stuff like that whenever I’m operating. and I do that intentionally. I make my slide deck, my notes, and that’s the standard operating procedure that I work from whenever I’m doing my work.
That’s why it stays updated so much. And that Red Team class is actually, it’s not like required training, but it’s something that everybody on our ANTISOC team gets access to and goes through as they’re coming on.
and I did that intentionally because it’s just the kind of things that we do all the time on the ANTISOC team in particular, we do that on red teams as well.
And and it’s sort of like now it’s BHIS internal training basically. in addition to being the class.
Zach Hill
It’s like your playbook too,
Michael Allen
100% is so cool. Yeah, it’s absolutely my playbook.
Zach Hill
I love that, the fact that you just keep that continuously updated too is just phenomenal to see. And you’re just constantly using that as a resource. And I love the fact that you’re, you’re basically saying like, hey, I don’t remember all of these things, the top of my head.
Michael Allen
like. Right. The general idea. But I don’t know, I got a best practice for doing each thing. Like this is the most OPSEC safe version of this command to run or whatever.
And I go in there and I get it out of the slides and I run it because that’s, that’s the one that is working the best. And if I find out that there’s a problem with that one and something else works best, then I change it.
So yeah, it’s just constantly. It’s my best. It’s like the best stuff that I know for that particular topic.
Zach Hill
So you’re telling me as a professional, penetration, tester, you don’t remember all of these commands off the top of your head?
Michael Allen
Nah. I have so many notes that I’ve kept over all the years. Even before I was a pen tester that I’ve still got.
I, was keeping them in a VeraCrypt, encrypted volume for a long time, I think before that I was keeping it on a TrueCrypt encrypted volume, which came before VeraCrypt.
But anyway, I got all these text files and crap that I just search through with grep and I’ve got them all dated, and named so that I can search them easily.
And yeah, I have to go look back at my notes all the time. But I’m a very strong believer in notes. I feel like taking good personal notes like that. It’s basically Like a force multiplier.
It just makes you that much better. And, it is, Oh, gosh, now I’ve lost my train of thought. Oh, the other thing about it is I hate solving the same problem twice.
I wish that no one ever had to solve the same problem twice. One human being has already put in the effort and time and everything it takes to solve this problem. Let’s let, get everybody to benefit from that solution.
Maybe somebody else comes up with a better solution later. But, there’s no need for us all to spend our lives like, solving the same problem over and over and over. So my notes are my, my way for me to do that is like, I solved this once I recorded it.
Now I can go back, I can search, I know how to run that command, I know how to do whatever thing it was.
Zach Hill
Ryan, can I please get access to this recording so I can get that? Like the, everything that you just said there was just so on point and phenomenal.
I, I, I always recommend people learn, how to take notes. And they always just continue to take notes as often and as much as they can throughout their career. And I’ve, I’ve stated many times like, I try to take as many notes as I can, but I also like, make a lot of videos of walkthroughs on things that I’m doing.
And I can’t tell you the amount of times where I’ve gone through like an old video of mine, especially like setting up Active Directory and things like that. Like, I just have to, I have to go back to the video and watch it. So I just remember how to do the steps because I don’t remember all the things.
And then I, I asked you that question very poignantly because I think a lot of people as they’re trying to go through their career journey, especially within cyber security, sometimes they, they think and, or focus on, I need to know all of the things and I need to remember all of the things.
And I just think that, basically what you said was a perfect example and, and really hearing from you as a professional who’s worked in this field for many years, it’s impossible to remember everything.
So you, like, you do the best thing ever is like, you take notes. And somebody said, like, what was it? where was it?
Michael Allen
YOLO.
Zach Hill
sec grepping your notes hardcore. Like, totally. Like, that is so legit. I love that, like, I use Notion so that way I could search through my notes. I know, Somebody was just asking any specific note app that you use.
Michael Allen
And then I’ve tried a lot of note apps over the years. And the reason I settled on grep, which by the way, I wrote a script so I don’t have to use like grep itself every time I just wrote a script.
I actually have a Windows version of it and a Linux version of it. So the Windows one uses like findstr but it searches through all the notes for me.
And the reason I did it that way was because, well, over the years I’ve switched from one operating system to the next depending on what my job was like or what I was doing personally.
And some of the notes I take when I’m doing personal projects and some of the notes I take whenever I’m doing work projects. And a lot of time I use a different operating system personally than I use at work. And note applications will come and go.
I’ve seen a lot of them come and go over the years and I just want to have my notes in a format where I can have them like last a long time so they’re just ASCII text and also where the formatting does not break the commands that I want to run.
So if I throw my notes into something I’m not, I don’t know, I don’t think notion does this. But other things might, where like you paste in a command and you’ve got like a single tick in that command and then it changes it to the smart quotes or whatever it happens.
If you paste commands into Word, for example, that’s a real pain in the butt, especially if you really needed that one character to do something important in that command.
And maybe it’s something you’re not really familiar with all that much. Whenever I was first starting out with SQL Injection, I was not very well versed in the use of each individual character and the importance of those characters in the commands.
And that’s something that would always break my SQL commands. In fact still I refer to the PentestMonkey cheat sheet on SQL Injection anytime I run into another SQL Injection opportunity or just a SQL Server I can get into.
And the worst thing about that website is they’ve got the smart quotes in their example commands. And so I always have to remember to go back and change them to just like the regular single quotes.
so all those reasons are why I just stick to text files and like kind of universal tools for searching, grep and findstr and things, and I just make a little script for it.
But there’s other stuff you can use to search. I love the tool, Agent Ransack, if nobody’s ever used that, I use it for searching my reports, my old pen test reports, because sometimes I use those as notes too.
And, they’ve got commands and stuff in them. I’m like, how did I do this last time? I needed to exploit whatever it was. Agent Ransack is absolutely fantastic for searching Word documents and PDF documents and stuff like that.
there’s, there’s other tools out there for searching stuff like you can find whatever you want to search. Stuff.
Zach Hill
Awesome. Thank you, man. I appreciate you taking the time too, afterwards and answering, some questions from everybody. And it was great, to banter with you afterwards.
You, just had, you had a lot of great stuff to share, so really appreciate that. it’s always good to see you, man. I’m excited to see you next week at, Wild West Denver. we won’t be back or we won’t be.
We’ll be back. We won’t be here next, week because we will all be in Denver, or most of our team will be in Denver for Wild West Hackin’ Fest. So if you guys are interested, come out and join us, or join us virtually.
We’d love to see you, but otherwise we’ll see you back here for another Anti-Cast in two weeks. And if you are interested in the Breakout Room, I’m going to start that up here in just a minute.
So if you have the Zoom, application installed on your device at the bottom, you should see Breakout Room somewhat, somewhere down there and you can join the AMA session there. But until.
Yeah, two weeks. Yeah, see y’all in two weeks, I guess. Thank you again, Michael, and, see y’all later.