Steven Fox (@SecureLexicon) has been giving a series of talks on creating social illusions. Last Friday, I joined Steven at EMU where he was presenting as part of EMU’s IA summer workshop series. The topic was spearphishing. Steven demonstrated using Maltego to create an email, while Evan Malamis showed how the Social Engineer Toolkit could weaponize and distribute the email.
Let’s suppose Steven was deliberately targeting someone who attended BSidesDetroit. What should the email look like, and who should it be from?
The first thing Steven did was create a social network nodal graph from BSidesDetroit. By navigating the graph, it became obvious there was a tight network bond between Matt Johnson, Derek Thomas, and myself. There was an “ah ha!” moment as Steven explained how a message to a target could be sent from any one of us three.
Now what topic should the email use? Steven pivoted Maltego and pointed out an interesting relationship between BSidesDetroit and BSidesChicago. So he graphed BSidesChicago, and looked for intersections. From there, he probed to see how those intersections touched upon Matt, Derek, and me.
Out popped a tweet from Mr. Minion on the Chicago ISACA/ISSA boat cruise. Steven pulled the tweet and resulting social interactions into another graph. There, it became obvious that #misec was involved. Steven was able to pull out several key pieces of information, including URLs and the like.
The final step of the process was to write the email. Essentially, Steven combined Maltego results with some Google fu to determine how #misec would pitch an event. The look, the feel, and the tone of the message were carefully crafted. Steven even perfectly emulated my writing style. (Take a look for yourself here.)
How successful was this forgery? Consider the following three pieces of evidence.
First, one person immediately commented: “Does that count? We all know the #misec guys are doing this boat thing.” Except we are not. The interesting thing is that #misec is not actively planning a river cruise. Yet the email was so well done that the audience immediately assumed we were.
Once that was explained, another person went: “It is funny you mention the cruise. I would have clicked on it because I remember Elizabeth Martin talking about Detroit doing a boat cruise.” This turned out to be a case of a person’s memory adjusting to fit the facts they saw in front of them. Checking with Elizabeth, she did not talk about the cruise during BSidesDetroit at all.
Actually, the Twitter buzz preceded my checking with Elizabeth Martin. All the buzz led Elizabeth to the logical conclusion that there was a cruise, and she spent an hour researching boats for our event. She later tweeted out: “The best part is I thought I was supposed to plan a cruise so I started working on it!”
Think about that for a moment. Steven Fox effectively invented an event. He crafted a message so accurate that it caused people to remember it, had people believing it was actually happening, and effectively created its own reality. Talk about creating social illusions!