Beware of the Wily Old Fox
Social engineering, … is understood to mean the art of manipulating people into performing actions…
Yet another example today of a stupidly simple, yet effective and easy to pull off trick that telemarketers use: pretending that you have “won” or are entitled to Something Good (which probably isn’t). Not as if someone else has not tried this before.
Got a call from 65345723, masquerading as someone from UOB this time.
Miss T: Hello, I’m calling from UOB. Would like to ask you if you’ve done your holiday resort redemption yet?
Me: Huh? What’s that about?
Miss T: Oh, I guess you have not done it yet. You see, we have this redemption thing for UOB members, you just need to come over to UOB tower…
Me: (smiling at this point) Oh…but I don’t have an UOB account, heh.
Miss T: Oh…ok then. *hangs up*
In this case, the tactic being used is called “pretexting”. Plenty of (email) spammers use this trick too, usually trying their luck at impersonating emails from a range of popular social networks and banking services in the hope of getting you to click on a bad link.
This number 65345723 has been flagged by others for calling on behalf of (or pretending to be, I don’t know which it is) other parties like a travel agency (hmmm, “holiday resort redemption”?) and another bank (OCBC) claiming a win of a tablet PC. These folks are really unscrupulous…
Oh well, yet another number to add to my Do Not Answer list.
Have almost forgotten how fun it is to mess around with a Linux server. Building another Linux server did indeed bring back some memories.
This is another scratchpad post: little to no explanation/breakdown on the script involved (unless there’s the “impetus” to elaborate in future). Feel free to ask/discuss in the comments section below though.
Any user who logs in should trigger the sending of the notification email from the server immediately, and if it wasn’t an expected login, well at least you’d know it’s time to trigger some incident response processes.
As an improved version of the old post on the same topic, this script similarly is to be appended to /etc/profile or the relevant ~/.bash_profile per user.
# Mails an alert (with whois and reverse DNS lookups for every logged-on source address) on each login.
echo -e "$(hostname) shell access\n$(date)\n$(who)\n\
$(for i in $(who|cut -d"(" -f2|cut -d")" -f1|cut -d":" -f1|sort -u);
do echo -e "==========\nwhois $i"; whois $i;
echo -e "\n=====\nreverse $i"; dig -x $i;
done;)" | \
mail -s "$(hostname) alert: shell access from \
$(who|cut -d"(" -f2|cut -d")" -f1|cut -d":" -f1|tr "\n" " ")" \
admin@example.com   # placeholder recipient; replace with your own alert address
Changes namely are the adding of whois and reverse IP (DNS PTR) lookups for all IP addresses currently logged on via SSH, and also the use of the more readable $() Bash command substitution expansion rather than the backtick (`) form.
You will need to have installed the mailutils package (apt-get install mailutils), and probably an MTA like postfix or exim too.
Edit 30 Apr 2012: small bug fix in the sequence to extract all IPs from the who command output.
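As an added example (not the script from this post), the following POSIX shell snippet isolates the part of the alert that the bug fix above concerns: extracting the unique source addresses from the output of who, and building the alert subject from them. It runs against a constructed sample of who output so it can be checked offline; the sample lines, the hostname label and the function names are assumptions, and the whois/dig lookups and the mail call are left out so nothing touches the network.

```shell
#!/bin/sh
# Added example, not the original post's script. Extracts the unique remote
# source addresses from who(1)-style output, the step the 30 Apr 2012 fix
# was about, and builds the alert subject from them.

# Constructed sample of `who` output (assumed, not captured from a real host):
# an SSH session, a console login with no source field, a local X display,
# a second session from an address already seen, and one more remote address.
SAMPLE_WHO='alice    pts/0        2012-04-30 09:12 (203.0.113.5)
root     tty1         2012-04-30 08:00
bob      pts/1        2012-04-30 09:20 (:0)
alice    pts/2        2012-04-30 09:30 (203.0.113.5)
carol    pts/3        2012-04-30 09:35 (198.51.100.7)'

# Print the unique source addresses from who output on stdin, one per line.
# cut -s drops lines that have no "(" at all, so a console login does not
# leak its whole line into the address list; cut -d":" strips an X display
# suffix such as ":0"; grep -v removes the empty result that a bare local
# display leaves behind; sort -u removes duplicates.
login_sources() {
    cut -s -d"(" -f2 | cut -d")" -f1 | cut -d":" -f1 | grep -v '^$' | sort -u
}

# Build the subject line: $1 is the hostname label, stdin is who output.
alert_subject() {
    sources=$(login_sources | tr '\n' ' ' | sed 's/ $//')
    printf '%s alert: shell access from %s\n' "$1" "$sources"
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_WHO" | alert_subject "example-host"
```

The colon-stripping step is inherited from the post's approach and is fine for IPv4 addresses and hostnames, but it would truncate an IPv6 source such as 2001:db8::1 to 2001; a host that accepts SSH over IPv6 should filter the display suffix some other way before using this list for whois or PTR lookups.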
Script kiddy. Tool hacker. Tool maker.
In the various infosecurity circles, it is not uncommon to see various people and organizations contributing to community: be it in the form of knowledge/HOWTOs, or discussions, or tools written and released.
While commercial offerings (courses, products, solutions) have their place, it is pretty much the case everywhere that most people get started with, and keep up, their training and equipping in the “open source”/free realm.
As a sysadmin turned webappsec ethical hacker turned DFIR geek, the situation is very much the same too. Much of what I know came thanks to those who shared selflessly with the community.
I’m very much a tools kind of person, which is also why I see the scale as running from those who only use (i.e. leeches), to those who know enough to modify/add on to existing tools, to those who get their hands dirty implementing the tools they envisioned themselves. This is also one of the scales along which I would want to progress professionally: from one who feeds/leeches off the feeders, to eventually feeding the community.
At what stage am I at now? Probably the “tool hacker” kind of stage, although I’ve been leeching too much of late! Time will tell if I move (up or down this scale), or if priorities change altogether. But whichever the case, it should always hold true that we need to give back to community with our work. And what better way than to start off by giving back the same way we learnt the ropes ourselves?