Don’t Get “Vished” – Attacked via the Phone

Basically – the phone is used as an attack vector to get information.

Vishing – attacker calls you and extracts sensitive information you’d otherwise not share

This type of psychological attack takes advantage of trust, manners, and our social nature to want to be helpful.

The Attack

A stranger calls you at work. They will usually assume 1 of 2 personas – friendly or intimidating.

1 – the caller is friendly and fun, making you feel rude saying no to their request

2 – the caller poses as someone higher up the corporate ladder. They’ll create a sense of urgency and obligation for you to provide them the requested information. So not wanting to disappoint your “boss”, you give it to them.

While the above are just 2 of the many possible personas, they’re the most popular. See chart below for more angles.

The Defence

– your gut. If something feels off, don’t be shy to say “I can’t” or flat out “no”

– be the outgoing call. Say, “I can probably help you with that, let me finish this email and I’ll call you right back… what’s your number?”

– phone number spoofing is easy, as in, caller ID is not reliable

– vishing attacks often happen while you’re very busy and distracted, so your defences are already down

– remember no information is inconsequential. The attacker may be seeking a tiny piece of information that seems small and frivolous, but really, it’s a key piece to a bigger puzzle

– someone recently tried to vish me, read the anatomy of the attack here

This has been Part 1/3 in a series with Michele Fincher of Social Engineer, Inc., a premier consulting and training company which specializes in the art and science of social engineering (SE).

Meet Michele here.



Looking for a Lab

Seeking someone to click links for me, see where they go, and what action occurs, to help me solve some of these mysterious occurrences.

Like how I friended myself on Facebook, then accepted it. Didn’t.

Or the time I replied to the below account, then all my Followers / Following disappeared.

Help for when my blog is under a password attack.

To open and click emails that make no sense.

Or help me find clues to whomever tried to get into my domain account this week.

Ideally we can verify each other’s identity through a mutual contact. Happy to pay or barter.

See more examples for your lab here.



Beware of Bots in your Instagram Feed

A few weeks ago, I Instagrammed the below photo, along with the hashtag #MrRobot

Within 13 seconds of posting, the account florstyles12 replied with the below comment.

By the next day, the comment had been deleted.

The Attack

A popular hashtag is posted > bot is programmed to automatically reply > reply is full of links to other accounts > curious recipient visits other accounts > malware is waiting in one of them

The Defence

Time. Note how fast the reply came back.

There’s no way to type those 8 tags in 13 seconds… try it. Right?!

Therefore – it must be an automated reply, and therefore I’m not clicking or getting involved.

Think before you click.
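The timing argument above, turned into a small check. This is an added example and not code from the original post: it assumes a post timestamp, a list of replies, and two rough thresholds (a minimum plausible human reply latency and a maximum plausible phone typing rate), all constructed here for illustration.

```python
import re
from datetime import datetime, timedelta

HASHTAG_RE = re.compile(r"#\w+")

# Thresholds are assumptions for this example, not measured values.
MIN_HUMAN_LATENCY_SEC = 20.0    # see the post, open it, tap reply, type, send
MAX_HUMAN_CHARS_PER_SEC = 5.0   # generous typing rate on a phone keyboard


def assess_reply(post_time, reply_time, text):
    """Flag a reply as automated when a human could not plausibly have produced it in time."""
    elapsed = (reply_time - post_time).total_seconds()
    tags = HASHTAG_RE.findall(text)
    # Typing rate the commenter would have needed to write this text within `elapsed` seconds.
    chars_per_sec = len(text) / elapsed if elapsed > 0 else float("inf")

    reasons = []
    if elapsed < MIN_HUMAN_LATENCY_SEC:
        reasons.append(f"replied {elapsed:.0f}s after posting")
    if chars_per_sec > MAX_HUMAN_CHARS_PER_SEC:
        reasons.append(f"would need {chars_per_sec:.1f} chars/s of typing")

    return {
        "elapsed_sec": elapsed,
        "tag_count": len(tags),
        "automated": bool(reasons),
        "reasons": reasons,
    }


def scan(post_time, replies):
    """Assess every (account, reply_time, text) tuple against the post time."""
    return [dict(account=acct, **assess_reply(post_time, when, text))
            for acct, when, text in replies]


# Constructed sample: one reply 13 seconds after the post with 8 hashtags, one a few minutes later.
POST_TIME = datetime(2015, 8, 10, 12, 0, 0)
SAMPLE_REPLIES = [
    ("account_a", POST_TIME + timedelta(seconds=13),
     "#MrRobot #hacker #follow4follow #f4f #likeforlike #l4l #tech #cool"),
    ("account_b", POST_TIME + timedelta(seconds=250),
     "Loved this episode, can't wait for the finale!"),
]

if __name__ == "__main__":
    for r in scan(POST_TIME, SAMPLE_REPLIES):
        verdict = "BOT?" if r["automated"] else "ok"
        print(f"{r['account']:<10} {verdict:<5} tags={r['tag_count']} {'; '.join(r['reasons'])}")
```

The latency threshold does the real work; the typing-rate check is there so a long reply that arrives just past the latency cut-off still stands out. Neither threshold is exact, so treat a flag as “don’t click”, not as proof.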



52% of all Breaches are caused by Human Error

Over half… really!

Specifically, they’re usually caused by SE – the human side of security:

Social Engineering (SE) – to influence someone to do something that’s not in their best interest.

Basically: you can have all the anti-virus software in the world, but one click on one bad link, and your computer or network is compromised.

Michele Fincher is an expert at getting you to click on that link.

Michele is the Chief Influencing Agent at Social Engineer, Inc., a premier consulting and training company which specializes in the art and science of social engineering (SE).

Don’t be fooled by her prettiness, Michele is a world-class social engineer and will breach your organization, probably while you hold the door for her.

We met at the SC Congress Security Conference, talked about Social Engineering and here comes a little series about hacking the human:

1 – Don’t get Vished
2 – Onsite impersonation works amazing
3 – The multi-stage attack

Blog tag = social engineering



80% of Prox Card Readers are Now Vulnerable

A pair of security researchers introduced BLEKey at the 2015 Black Hat Security Conference.

It’s such a high percentage – 80% – because really, all proximity card readers are made by 1 of 2 companies. Actually, if you use one to get into work, I bet it’s a HID unit.

The BLEKey (Bluetooth low energy key) can be installed in 60 seconds by attaching it to the reader via 3 wires. Then, when paired with a mobile phone, this $10 device can open a proximity card protected door.

1 – Bluetooth

2 – processor

3 – where the 3 wires attach (2 data, 1 power)

4 – battery

Once in place, it can clone cards, remotely open the door, or disable the door entirely for 2 minutes after the attacker is through.

Business Owners:

At the conference, the pair threw 200 BLEKeys into the crowd, released the code, and put the unit up for sale; it’s now out there.

To protect your business, they suggest ensuring tamper detection is turned on, and make sure to monitor the logs for anomalies. Also monitor the camera by the door, to stop an attacker from installing one into your reader.
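What “monitor the logs for anomalies” can look like in practice. This is an added example, not code from the BLEKey researchers or any reader vendor: it assumes a hypothetical access-control log with one event per line (`door=`, `event=`, `card=` fields), constructed here, and flags the three behaviours described above (a door unlocking with no badge read, a tamper switch firing, and a reader going quiet for a couple of minutes) plus the same card turning up at two doors too close together.

```python
from datetime import datetime

# Constructed sample from a hypothetical access-control system. The line format is an
# assumption for this example, not any vendor's real log format.
SAMPLE_LOG = """\
2015-08-07T08:01:12 door=D1 event=BADGE_READ card=1001
2015-08-07T08:01:13 door=D1 event=UNLOCK
2015-08-07T08:02:40 door=D1 event=UNLOCK
2015-08-07T08:03:05 door=D1 event=TAMPER
2015-08-07T08:05:00 door=D1 event=BADGE_READ card=1001
2015-08-07T08:05:01 door=D1 event=UNLOCK
2015-08-07T08:05:20 door=D2 event=BADGE_READ card=1001
2015-08-07T08:05:21 door=D2 event=UNLOCK
2015-08-07T08:10:00 door=D1 event=READER_OFFLINE
2015-08-07T08:12:30 door=D1 event=READER_ONLINE
"""

UNLOCK_WINDOW_SEC = 5     # an unlock should follow a badge read on the same door within this window
CLONE_WINDOW_SEC = 60     # the same card at two different doors this close together is suspicious
OFFLINE_ALERT_SEC = 60    # a reader silent for this long may have been deliberately disabled


def parse_log(text):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.strip().splitlines():
        ts, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def find_anomalies(events):
    """Return (time, door, description) tuples for events worth a human look."""
    alerts = []
    last_read = {}       # door -> time of most recent badge read
    last_seen = {}       # card -> (door, time) of most recent read
    offline_since = {}   # door -> time the reader went offline
    for ev in sorted(events, key=lambda e: e["ts"]):
        door, kind, t = ev["door"], ev["event"], ev["ts"]
        if kind == "BADGE_READ":
            card = ev["card"]
            if card in last_seen:
                prev_door, prev_t = last_seen[card]
                if prev_door != door and (t - prev_t).total_seconds() <= CLONE_WINDOW_SEC:
                    alerts.append((t, door, f"card {card} read at {prev_door} and {door} "
                                            f"within {CLONE_WINDOW_SEC}s: possible clone"))
            last_seen[card] = (door, t)
            last_read[door] = t
        elif kind == "UNLOCK":
            read_t = last_read.get(door)
            if read_t is None or (t - read_t).total_seconds() > UNLOCK_WINDOW_SEC:
                alerts.append((t, door, "unlock with no matching badge read: possible remote open"))
        elif kind == "TAMPER":
            alerts.append((t, door, "reader tamper switch triggered"))
        elif kind == "READER_OFFLINE":
            offline_since[door] = t
        elif kind == "READER_ONLINE":
            start = offline_since.pop(door, None)
            if start is not None:
                gap = (t - start).total_seconds()
                if gap >= OFFLINE_ALERT_SEC:
                    alerts.append((t, door, f"reader offline for {gap:.0f}s: possible disabled door"))
    return alerts


if __name__ == "__main__":
    for when, door, why in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{when.isoformat()} {door}: {why}")
```

The “unlock without a read” rule will also fire on legitimate request-to-exit buttons and operator unlocks if your system logs those as plain unlocks, so feed it the event type that distinguishes them, or expect to tune it. The tamper rule only helps if tamper detection is actually enabled on the reader, which is the first thing the researchers recommend checking.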

Add this to your kit. It could make the physical portion of your pentest smoother, especially since sensitive areas are often protected by prox cards.

Or use it to mess with the company’s logs.

Get the code here – GitHub

Here are the guys behind BLEKey and the best part is… they’re Canadian! They also received the most cheers of all the presentations I attended.

Left is Eric Evenchick, and right is Mark Baseggio.

From Black Hat 2015

Blog tag = Black Hat