How a Friend of Mine Phished GCHQ*
An exploration of social engineering
Aaron Kelly
*technically
Some Background
Whoami?
Who are GCHQ?
How was my friend able to do this?
CyberFirst Advanced
Some of you may or may not be familiar with CyberFirst.
If you are feel free to switch off for the next minute.
Act 1: The Set Up
Our CyberFirst Week went quite well.
Made some good friends, including but not limited to Lanky Max, Millom Max and Posh Max.
We went through a lot including but not limited to:
- Kali
- Metasploit
- Wireshark
- Social Engineering
Act 2.1: The CTF
Friday 30 August in the Two Thousand and Nineteenth Year of our Lord.
We get given a task.
Someone was being naughty on their Windows 7 PC and now they’re trying to cover it up.
But lucky for us 16 year olds, someone managed to get an image of their hard drive.
Act 2.2: Assemble your team
I form a team of only the most elite guys on this course.
I knew one from school and met the other three on the Tuesday.
Me, Matthew, Mark, Luke and John.
The five least skilled people there.
We hatch a foolproof plan.
- Mark is looking at hex dumps of files.
- Matthew is doing a binary analysis.
- Luke is looking for signs of steganography.
- John is trying to enumerate users.
- I’m going to look through some Windows logs.
Act 2.3: We have a breakthrough
At some point one of us had an idea.
Why are we doing all this techy stuff when we could just try and ask nicely?
Act 3.1: Gone Phishing
Doing some OSINT gathering (we looked at the back of the workbook) we found that this had been created by another company.
This led to a few Google searches and finding a customer service number.
So then my friend called them.
Act 3.2: The Phone Call Begins
We’ll call him Steve
Steve: “Hello, [Company Name], this is Steve speaking”
Friend: “Hi Steve, my name’s Friend and I’m calling from [Place], how are you doing today?”
Steve: “I’m doing well”
Little did Steve know, this was about to be a very bad day for him.
Act 3.3: The fun bit
My friend and Steve have a bit of a back and forth.
Act 3.4: Send me an email
After extensive conversation and some mild convincing, the line we wanted to hear.
Steve: “Right, if you send me all that as an email, I’ll get it to right person.”
As a group we set up a very creative email address (john.smith.[place]@gmail.com).
We phrase the email very similarly to our side of the conversation and send it off.
Act 4: Lunch
All the teams break up for lunch.
We go back to sitting with other groups and talk about how things are progressing.
Over lunch we get an email back.
Epilogue
As a team, we won, as the only team to finish the challenge.
We got the file, in a method that had not been seen before by the course leaders.
After explaining how we did it, the leader was concerned.
Aftermath
The leadership informed the company what happened.
The company created some new phishing materials after this incident and retrained a lot of staff.
Through the grapevine I heard that Steve started looking for alternate employment.
And we realised something
This Realisation
We were quite transparent about what we were doing
We didn’t claim to be part of the organisation
Does this mean that phishing training is useless?
No, not in the slightest.
We still did things that should have been caught.
Our email (john.smith.[place]@gmail.com) should have been a massive red flag.
We employed a common tactic of emphasising urgency to Steve.
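The two tells listed above (a free webmail sender claiming to act for an organisation, and pressure to act quickly) are exactly the kind of thing a helpdesk mail filter or triage script can surface before a human acts on a request. The following is an added example written for this page, not code from the talk or from any organisation involved: a small red-flag scorer over an inbound RFC 5322 message. The webmail domain list, urgency phrases, request phrases, and both sample messages are constructed for illustration; the expected sender domains are an assumed per-organisation allow-list.

```python
"""Red-flag triage for an inbound request email (added example, constructed data)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumed short list of free webmail providers; a real deployment would use a fuller list.
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}

# Assumed urgency phrases commonly used to pressure staff into skipping checks.
URGENCY_PHRASES = (
    r"\bas soon as possible\b", r"\basap\b", r"\burgent(ly)?\b", r"\bright away\b",
    r"\btoday\b", r"\bimmediately\b", r"\bbefore (the )?end of (the )?day\b",
)

# Assumed phrases that ask the recipient to send something back.
REQUEST_PHRASES = ("send me", "send it over", "send over", "attach")

# Assumed pattern for an organisation or place name embedded in the local part of a
# webmail address, e.g. first.last.<place>@gmail.com (the shape used in the story).
ORG_IN_LOCAL_PART = re.compile(r"^[a-z]+\.[a-z]+\.[a-z][a-z0-9-]+$")


def body_text(msg: Message) -> str:
    """Return the plain-text body of a message, joining text/plain parts if multipart."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def red_flags(raw: str, expected_domains: set) -> list:
    """Return the red flags found in a raw message.

    expected_domains: sending domains the claimed organisation actually uses
    (assumed allow-list). A sender outside it, or on a free webmail provider,
    does not match the claim made on the phone or in the email.
    """
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().partition("@")
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    flags = []

    if domain in FREE_MAIL_DOMAINS:
        flags.append(f"free webmail sender ({domain}) while claiming to act for an organisation")
        if ORG_IN_LOCAL_PART.match(local):
            flags.append("organisation/place name embedded in the local part of a webmail address")
    elif domain not in expected_domains:
        flags.append(f"sender domain {domain} is not one the claimed organisation uses")

    hits = [p for p in URGENCY_PHRASES if re.search(p, text)]
    if hits:
        flags.append(f"urgency pressure ({len(hits)} phrase(s))")
    if any(p in text for p in REQUEST_PHRASES):
        flags.append("asks for a file or data to be sent in reply")
    return flags


# Constructed sample mirroring the shape of the request in the story (not the real email).
SAMPLE_REQUEST = """\
From: John Smith <john.smith.northtown@gmail.com>
To: support@example-vendor.invalid
Subject: Urgent: need the exercise disk image today

Hi Steve,

As discussed on the phone, I'm calling from Northtown and we need the
image for the exercise as soon as possible so we can finish before end of day.
Could you send it over to this address?

Thanks,
John
"""

# Constructed benign sample from the organisation's own domain, no pressure, no data request.
SAMPLE_BENIGN = """\
From: Jane Doe <jane.doe@northtown.gov.example>
To: support@example-vendor.invalid
Subject: Question about the workbook

Hi Steve,

Could you confirm which edition of the workbook our course used?

Thanks,
Jane
"""

if __name__ == "__main__":
    expected = {"northtown.gov.example"}  # assumed allow-list for the claimed organisation
    for name, raw in (("request", SAMPLE_REQUEST), ("benign", SAMPLE_BENIGN)):
        print(name, "->", red_flags(raw, expected) or "no red flags")
```

The point of the allow-list argument is that the check is relative to the claim: a gmail.com address is not suspicious on its own, it is suspicious when the caller has just said they are phoning from an organisation that has its own mail domain. Flags feed a human decision (call the organisation back on a known number) rather than an automatic block.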
More of me
For more of me if I’m interesting enough to you:
GitHub: github.com/aaronkellyuk
LinkedIn: linkedin.com/in/aaronkellyuk