When performing a penetration test your first task is to survey the access points to the client that give access to restricted areas and information. Using social media, you can create a trust relationship with employees at the target organisation, and then use that trust to spread malicious files and links. These materials can weaken or breach the security boundary of the target. The strategy works because employees instinctively trust each other (they’re on the same team), must cooperate to be effective (teamwork) and seek positive self regard (peer recognition).

Sample attack

Linkedin is a good resource for pen testing. It’s a social media site that combines the work resume with a list of endorsements from coworkers and clients. It relies on “guilt by association”. The user is supposed to limit contacts to those that they personally vouch for. Because many businesses see Linkedin as a combination of advertising and recruitment opportunity, employees are encouraged to create Linkedin social groups. People are added to contact lists simply because they work at the same company.

I’d like to add you to my professional network on LinkedIn.

We construct a fake linkedin account using the name of an existing worker at the target company, combined with a randomly selected user image. This image will be “clean” and not have previously been posted somewhere online. We fill this fake identity with a selection of appropriate skills and work experience, then round it out with real world colour — sports, hobbies and charities. It is surprising how little effort is needed to construct a fake account with the same level of granularity as a real account.

Once the account is created, we make a private user group on Linkedin with a title to imply that it is related to the target company. It may be a work community group (ie Company fantasy football club, Company global network etc) or related to a work topic (Company sales network). Ownership over the group adds authority to your fake account. If you are the administrator of a work group, you must be someone in a position of authority.

After adding colour to the group (links to motivational articles, photos of cats, relinked authentic company posts), invitations can be sent to employees at the target site. Each employee that accepts the invitation will increase the authenticity of the group and make it more real. Ideally “co-workers” will be so comfortable that they begin talking to each other. When you have successfully added a few members, your fake account can send contact (friend) requests to the co-workers. Each target that accepts adds to the camouflage of your account and makes it appear more real. Once group membership rises to an acceptable number of participants, you can start to insert links to malicious sites and disseminate malicious files (sharing a work related document). If you are challenged you do not need to give lengthy excuses. You can respond vaguely or not at all and most interrogators will leave you alone. In our experience, most people will accept an invitation and are unlikely to cause problems, even if they are suspicious.

With a properly managed fake account, you can build a powerful tool to penetration test a company. It is difficult to detect or stop, and even if one or two target employees are suspicious, they are unlikely to organise to oust you from your page. You can collect clear evidence for your client about the importance of vetting potential contact requests on social media.

Gathering the evidence for your client

One method to gather evidence is to post a link to a website constructed by you that records visitors. You might tell employees there is a questionnaire connected to this link. In our experience, even if the link is connected to a broken site, you may get victims that recommend the link and even share it. The goal is to log the number of employees who click on this malicious link.

A second method may be to post a malicious file to the group. You tell the group your file is a document about upcoming social events or an important notice or some other bland but intriguing subject. If a victim downloads the file and attempts to open it, they are more likely to think it is broken then that it is a attack. Once again, even if the file does nothing, it is proof that your client’s employees are lacking in security awareness.

Is it worth the effort?

Creating a fake social media account may seem like unnecessary work, but we have found that it is a reliable way to deliver malicious content to a target. Cold calling an employee (pretexting) and asking them to download a file or perform a dangerous request (i.e creating a new account or sharing information) is often refused, even if they do not immediately challenge the caller or make a report. When a pen tester appears to be a co-worker with a visible trust relationship to the company they can ask employees to perform dangerous tasks with far less scrutiny. Targets are more tolerant of suspicious behaviour, and far less likely to make a challenge when uncertain. Peer pressure and social conformity are powerful forces.