WEBVTT

00:00:00.296 --> 00:00:05.280
JACK: Before we really had the term ‘social engineer’, people used to just say ‘con artist’

00:00:05.280 --> 00:00:11.040
because what a con game is, is where you gain someone’s trust and then defraud them. Social

00:00:11.040 --> 00:00:16.500
engineers gain people’s trust in order to trick them. Same thing. One of my favorite

00:00:16.500 --> 00:00:21.480
con artists was George C. Parker. He made a living off of selling things he didn’t own.

00:00:21.480 --> 00:00:25.980
He lived in New York City in the early 1900s. A lot of immigrants were moving into the city

00:00:25.980 --> 00:00:32.160
and he wanted to take advantage of their lack of knowledge about the city. Grant’s Tomb was

00:00:32.160 --> 00:00:37.920
built in 1897 which is the final resting place for Ulysses S. Grant. It’s right in Manhattan

00:00:37.920 --> 00:00:43.140
and it’s an extraordinary monument. You can even go inside and look at the casket. It’s

00:00:43.140 --> 00:00:48.180
a popular tourist attraction. George C. Parker saw so many people coming to see Grant’s Tomb,

00:00:48.180 --> 00:00:53.940
he wanted to somehow make money off this, and not by selling popcorn or hot dogs or flowers.

00:00:53.940 --> 00:01:01.860
No, George’s idea was to sell Grant’s Tomb itself even though he didn’t own it.

00:01:01.860 --> 00:01:08.100
He got to work drafting up fake documents which showed he was the grandson of Ulysses S. Grant and

00:01:08.100 --> 00:01:12.120
then he rented an office to look like a legal place where you can make such a transaction,

00:01:12.120 --> 00:01:17.040
and then he went around town looking for victims. There’s a lot of people walking around in New York

00:01:17.040 --> 00:01:22.020
City stopping for shoe shines, grabbing the paper. It’s easy to strike up conversations

00:01:22.020 --> 00:01:27.780
with anyone. George found someone interested in buying Grant’s Tomb. George forged some

00:01:27.780 --> 00:01:31.800
documents which looked like he was the owner and he told the victim that he could make

00:01:31.800 --> 00:01:37.020
a lot of money off this place if he would just charge people to come take a look at the casket.

00:01:37.020 --> 00:01:43.860
So, he made the deal. He sold Grant’s Tomb to someone even though he didn’t own it. In the

00:01:43.860 --> 00:01:49.440
following decades, George C. Parker went on to sell dozens of other landmarks in New York

00:01:49.440 --> 00:01:55.620
City. He sold the rights to plays and operas. He sold Madison Square Garden to someone once.

00:01:55.620 --> 00:02:01.020
He sold The Metropolitan Museum of Art once, and the Statue of Liberty. But my favorite

00:02:01.020 --> 00:02:05.760
thing that he sold was the Brooklyn Bridge itself. He would tell people that they could

00:02:05.760 --> 00:02:09.960
set up a toll booth on the Brooklyn Bridge and make a lot of money from all the cars passing

00:02:09.960 --> 00:02:17.640
by. This was such a great con game that George sometimes sold the Brooklyn Bridge twice a week.

00:02:17.640 --> 00:02:23.280
The city would often have to come out and stop victims from erecting toll booths on the bridge.

00:02:23.280 --> 00:02:27.600
That’s where we get the term ‘if you believe that, I’ve got a bridge to sell you.’

00:02:27.600 --> 00:02:39.120
JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet.

00:02:39.120 --> 00:02:54.360
I’m Jack Rhysider. This is Darknet Diaries.

00:02:54.360 --> 00:02:57.480
[INTRO MUSIC ENDS]

00:02:57.480 --> 00:03:00.840
JACK: Can we start out with who you are and what do you do?

00:03:00.840 --> 00:03:08.340
CHRIS: Sure. It’s kind of a loaded question; Chris Hadnagy, and primarily I’m the CEO or

00:03:08.340 --> 00:03:14.640
my fun title is Chief Human Hacker of Social Engineer LLC. But I also run

00:03:14.640 --> 00:03:21.000
social-engineer.org which is a free resource for social engineers or people interested in

00:03:21.000 --> 00:03:27.360
the topic where they can educate themselves and learn about things like stories and the science

00:03:27.360 --> 00:03:34.380
behind it. Then I also run a nonprofit called The Innocent Lives Foundation.

00:03:34.380 --> 00:03:36.380
JACK: How did you get into social engineering?

00:03:36.380 --> 00:03:43.380
CHRIS: Oh, that’s fun. I was working in the industry but doing vulnerability assessments,

00:03:43.380 --> 00:03:47.760
so I want to say maybe many of us started off that way but I’m not sure. But yeah,

00:03:47.760 --> 00:03:55.020
back in the day, just kind of doing what I would say very light security and understanding light

00:03:55.020 --> 00:03:59.940
security and then doing vuln assessments. Then I took a course called Pentesting

00:03:59.940 --> 00:04:07.560
with BackTrack at the time before it was Kali and got addicted to pen testing. Ended

00:04:07.560 --> 00:04:13.740
up spending way more time than was healthy inside their labs and cracked a server that hadn’t been

00:04:13.740 --> 00:04:19.380
cracked at the time and got a job offer from OffSec to work with them as their ops manager.

00:04:19.380 --> 00:04:24.360
Through that process of working with them and learning about real pen testing and how to do it,

00:04:24.360 --> 00:04:30.540
I found that my natural niche in the field was people, talking to people and learning

00:04:30.540 --> 00:04:36.480
how to influence them. I started to write a framework on social engineering. That’s what the

00:04:36.480 --> 00:04:42.660
social-engineer.org site is basically based on, is that framework. When that framework came out,

00:04:42.660 --> 00:04:46.080
I got a book offer to write my first book which no one should read,

00:04:46.080 --> 00:04:50.760
and from there my company was started and now we’re here eleven years later.

00:04:50.760 --> 00:04:57.840
JACK: Over a decade ago, Chris set up the website social-engineer.org. There,

00:04:57.840 --> 00:05:02.700
he started writing a framework to do social engineering which is a guide, if you will,

00:05:02.700 --> 00:05:07.080
on how to do it. He wrote a code of ethics, he defined a bunch of terms,

00:05:07.080 --> 00:05:09.960
and he outlines many of the different methods and attacks.

00:05:09.960 --> 00:05:14.280
CHRIS: It came about because I wanted to understand social engineering from a

00:05:14.280 --> 00:05:19.500
scientific and an artistic level. [MUSIC] The way I went about it was kind of looked at my bookshelf

00:05:19.500 --> 00:05:25.260
and said man, I read this book ‘cause I wanted to understand ‘x’, so let’s say ‘influence’. I wanted

00:05:25.260 --> 00:05:29.400
to understand influence so I bought Robert Cialdini’s book and I read it and I studied

00:05:29.400 --> 00:05:33.715
it. Then I took principles from that and tried them on a phishing e-mail or tried them where we

00:05:33.715 --> 00:05:38.700
were breaking into a building, so I would write that down. I went through my bookshelf and just

00:05:38.700 --> 00:05:44.520
outlined these are the skills I used, these are the places I learned them, and here’s how – what

00:05:44.520 --> 00:05:50.220
I took away from those lessons. Through that, it took about nine or ten months that formulated the

00:05:50.220 --> 00:05:54.840
social engineering framework that is still alive on the site today. It’s been updated,

00:05:54.840 --> 00:05:59.820
of course, since that time. But took about a year to do and it came out right around 2009.

00:05:59.820 --> 00:06:06.180
JACK: Yeah, so Chris here, the Chief Human Hacker, has literally written the book on social

00:06:06.180 --> 00:06:11.580
engineering; actually, three of them at this point but back in 2010 on top of the framework he was

00:06:11.580 --> 00:06:16.860
writing, he was also writing newsletters on social engineering and putting out a podcast about it.

00:06:16.860 --> 00:06:21.960
CHRIS: Then companies start calling ‘cause they’re reading this, they see it. Again, it’s the first

00:06:21.960 --> 00:06:28.500
time anyone’s ever defined it. They’re saying hey, would you come and test our company? Will you come

00:06:28.500 --> 00:06:33.960
and pen test us? Or will you come and phish us and tell us how we did? I was like yeah, sure,

00:06:33.960 --> 00:06:40.020
we would try that. Again, at this time in history, there were no companies doing this so it was – what

00:06:40.020 --> 00:06:44.280
do we charge them? How do we make a business out of this? We were trying to figure it out

00:06:44.280 --> 00:06:52.320
all as we went. That’s what started my company at that time which was about 2010, ’11 time

00:06:52.320 --> 00:06:59.280
is when I separated then formed my own company focused strictly on social engineering.

00:06:59.280 --> 00:07:01.380
JACK: You’re aware of what a phishing e-mail is,

00:07:01.380 --> 00:07:06.540
right? An e-mail designed to get you to click a link in there which will harm you somehow,

00:07:06.540 --> 00:07:12.120
whether it will get you to download malware or scam you or whatever. When Chris gets a

00:07:12.120 --> 00:07:15.120
call to do a phishing campaign against a company, he gives them two options.

00:07:15.120 --> 00:07:19.380
CHRIS: You have the security awareness phishing and then you have pen test phishing, right?

00:07:19.380 --> 00:07:25.440
Security awareness phishing, the goal is education at the end. Those are usually done company-wide,

00:07:25.440 --> 00:07:30.180
like, everybody, no matter if there’s 1,000 people or 100,000 people. They’re done every

00:07:30.180 --> 00:07:35.460
month and the goal is to get them to click a link that then brings them to an educational page,

00:07:35.460 --> 00:07:39.960
‘cause our end goal with that kind of phishing is to teach them how to catch it and how to

00:07:39.960 --> 00:07:45.480
report it properly. But in pen test phishing, the goal is much different. Pen test phishing,

00:07:45.480 --> 00:07:52.620
our goal is to steal credentials, to install an implant to get a trojan or malware on the machine;

00:07:52.620 --> 00:07:57.360
somehow to compromise the network or the people for the pen test that we’re doing.

00:07:57.360 --> 00:08:02.040
JACK: Now, I’ve worked with, I don’t know, hundreds of clients as a security engineer

00:08:02.040 --> 00:08:06.840
myself. Boy, let me tell you, none of them were interested in me doing phishing attacks

00:08:06.840 --> 00:08:10.980
on their employees. In fact, my own company that I was working for wouldn’t even let me

00:08:10.980 --> 00:08:17.460
do phishing tests on our own employees. It’s just rare for companies today to try to phish

00:08:17.460 --> 00:08:23.070
their employees but it was extra-rare to see companies doing this in 2010.

00:08:23.070 --> 00:08:28.140
CHRIS: I got called by a really large financial institution and they said

00:08:28.140 --> 00:08:33.000
we’ve been doing SE internally for a while and we use your framework now.

00:08:33.000 --> 00:08:37.740
Would you be willing to work with us in actually testing our people? For me, it was a shock ‘cause

00:08:37.740 --> 00:08:42.360
like you, I had the same experience. We would do a pen test for a client and I would say to them hey,

00:08:42.360 --> 00:08:46.680
can we send some phishing e-mails? They were like nah, we don’t really care about that. I

00:08:46.680 --> 00:08:50.760
would offer them for free. I would say, let me send five for free. If you like what you see,

00:08:50.760 --> 00:08:55.980
we could talk about more on pay. Then they would be like okay, yeah, you could send a

00:08:55.980 --> 00:08:58.740
few. They would always work and they would be like nah, I don’t want to pay for them;

00:08:58.740 --> 00:09:02.700
they just worked too good. It’s like, but that’s why we should do it, you know?

00:09:02.700 --> 00:09:07.440
You were right; I was hitting this roadblock where companies didn’t want to do it but then

00:09:07.440 --> 00:09:12.660
this large financial institution says let’s do this and all of a sudden we are full-board

00:09:12.660 --> 00:09:18.960
doing SE testing and phishing and all this other work in a major company that’s global,

00:09:18.960 --> 00:09:24.600
and that word spread. Soon as that happened, we – other companies started saying well,

00:09:24.600 --> 00:09:29.280
if you’re working with them, maybe we should consider that. That is when we were sitting

00:09:29.280 --> 00:09:32.940
back saying okay, I don’t even know – how the heck do we charge for this stuff? Where do you

00:09:32.940 --> 00:09:37.440
come up with pricing? How do you figure out what a service should look like since

00:09:37.440 --> 00:09:42.540
there was no going to Glassdoor and figuring out what a typical social engineer makes,

00:09:42.540 --> 00:09:47.280
you know? It was just figuring it out as we went. Then, you’re right, it still was a struggle.

00:09:47.280 --> 00:09:51.804
First five years, I don’t – it was like pulling teeth. You would approach companies and they

00:09:51.804 --> 00:09:57.900
would be like, why do I need this? It was a lot of education. Then as media started picking up

00:09:57.900 --> 00:10:03.840
stories of phishing attacks and vishing attacks and social engineering impersonation attacks,

00:10:03.840 --> 00:10:09.000
as media covered those more and more, it got to the point where people, companies,

00:10:09.000 --> 00:10:12.720
C-levels were hearing these stories and going wow, this is a problem,

00:10:12.720 --> 00:10:18.780
and that’s when it became easier to now sell those services like it is today where most companies

00:10:18.780 --> 00:10:25.440
know they need social engineering services. But of course, as it wasn’t before, there’s a lot more

00:10:25.440 --> 00:10:30.600
competition. It’s like every other industry; now they have to pick and choose who they deal with.

00:10:30.600 --> 00:10:34.380
JACK: Chris sometimes gets calls to send everyone in the company phishing

00:10:34.380 --> 00:10:39.240
e-mails and the goal is to give the employees education and awareness of this kind of attack.

00:10:39.240 --> 00:10:45.240
CHRIS: For us, it’s – we levelized, what I call levelized the phish, so we have three different

00:10:45.240 --> 00:10:50.580
tiers. Let’s say it’s the same phish; like, right now one of the big things that’s going around in

00:10:50.580 --> 00:10:55.200
the real world is since everyone’s working from home, it’s new work-at-home policies,

00:10:55.200 --> 00:10:59.280
right? [MUSIC] So, if you’re working from home, here’s some policies you need to read.

00:10:59.280 --> 00:11:05.280
A phish like that, let’s say with a really basic levelized number one, it might only

00:11:05.280 --> 00:11:09.420
– it might look like it’s just coming randomly to you. It’s not personalized,

00:11:09.420 --> 00:11:13.200
it’s not branded, and it has even some spelling and grammar errors.

00:11:13.200 --> 00:11:19.980
A level two might come to you and it’s not personalized but there’s no errors in it. It looks

00:11:19.980 --> 00:11:25.620
a little more realistic. Then a level three looks like it’s coming from your HR department. All of

00:11:25.620 --> 00:11:32.280
these are geared to teach the employee two things; one is can they catch the phish? We’re recording

00:11:32.280 --> 00:11:38.580
a lot of data. Did they report it properly if they caught it? If not, when they clicked it,

00:11:38.580 --> 00:11:42.180
did they go to the landing page that was given to them and read the information

00:11:42.180 --> 00:11:48.660
which in security awareness, a lot of people love to push ten, fifteen, twenty-minute CBTs.

00:11:48.660 --> 00:11:50.940
JACK: CBTs are computer-based training,

00:11:50.940 --> 00:11:53.940
like your typical security awareness training you might get at a company.

00:11:53.940 --> 00:12:00.840
CHRIS: Those aren’t great. Those have a use and a purpose but they’re not great for what we’re

00:12:00.840 --> 00:12:03.900
talking about here. You want to give someone some information they can

00:12:03.900 --> 00:12:07.920
digest in sixty to ninety seconds. It should be a ‘hey, you just clicked on a

00:12:07.920 --> 00:12:12.300
phish. Here’s how you could have caught it. Please report it to this address.’

00:12:12.300 --> 00:12:17.340
We find that that kind of security awareness phishing program helps keep the idea of phishing

00:12:17.340 --> 00:12:21.300
in people’s minds and they’re much more aware about all phish throughout the month.

00:12:21.300 --> 00:12:27.180
JACK: This kind of training works amazingly well. It really sticks with the employees who did click

00:12:27.180 --> 00:12:32.640
the link and got phished. That sixty seconds where they learned that they clicked on a malicious link

00:12:32.640 --> 00:12:38.580
is a powerful moment. Their online awareness and digital hygiene are instantly leveled up.

00:12:38.580 --> 00:12:42.660
CHRIS: When we’ve had clients that use a levelized approach that do it consistently,

00:12:42.660 --> 00:12:48.360
so these are the things; you have to have a levelized approach, do it consistently,

00:12:48.360 --> 00:12:53.700
and have messaging that isn’t damaging. What do I mean by that? Everyone’s afraid of Covid-19 right

00:12:53.700 --> 00:12:59.820
now. If we start phishing people with like, let’s say a phish that says ‘Find out who in the office

00:12:59.820 --> 00:13:06.240
was diagnosed with Covid-19.’ Everyone’s gonna click that and when they find out it’s a test,

00:13:06.240 --> 00:13:11.580
they’re gonna feel hurt, especially if someone lost a family member.

00:13:11.580 --> 00:13:16.800
Let’s say someone had a family member die because of the virus and now they find out you used that

00:13:16.800 --> 00:13:20.460
virus as part of education, they’re gonna feel really hurt and you’ve taken away the ability

00:13:20.460 --> 00:13:27.240
to educate them. Your program has to be levelized, consistent, regular, and also, it has to not step

00:13:27.240 --> 00:13:35.820
over that moral line. When you do that, we’ve – probably the case I love to use the most, is we

00:13:35.820 --> 00:13:41.040
phished a client we had with – for five years and after three years of consistently phishing them,

00:13:41.040 --> 00:13:48.660
they had a 78% reduction in actual malware on their network. Actual malware-related cases

00:13:48.660 --> 00:13:52.980
on their network reduced by 78% ‘cause people were catching phish and reporting

00:13:52.980 --> 00:13:59.160
them properly without clicking them. That’s a huge win when you think about doing it right.

00:13:59.160 --> 00:14:03.180
JACK: Pretty impressive, huh? Conducting phishing campaigns on everyone

00:14:03.180 --> 00:14:07.440
in the company as part of your security awareness training seems like a no-brainer

00:14:07.440 --> 00:14:12.420
in terms of how it helps improve the security of a company because a ton of malware enters a

00:14:12.420 --> 00:14:17.820
company by people clicking phishing e-mails. It’s crazy these are still effective today

00:14:17.820 --> 00:14:21.720
even though most people know about phishing attacks and have been told over and over

00:14:21.720 --> 00:14:27.120
not to click on suspicious links. You know what I’ve seen some companies do? Where I used to work,

00:14:27.120 --> 00:14:30.840
they used to give a bonus to employees who could demonstrate healthy behaviors like

00:14:30.840 --> 00:14:34.440
if you didn’t smoke and you went to the doctor for preventative care and did regular exercise,

00:14:34.440 --> 00:14:39.960
they would incentivize you and give you an extra $500 a year as a health bonus.

00:14:39.960 --> 00:14:45.420
But some companies take this a step further and incentivize people demonstrating proper security

00:14:45.420 --> 00:14:50.940
hygiene. Like, if you’re tested with phishing e-mails every month and pass and then have

00:14:50.940 --> 00:14:55.800
implemented two-factor authentication properly, and then you use a password manager and you’re

00:14:55.800 --> 00:15:01.680
virus-free for a year, you might get a digital health bonus too, because some companies can

00:15:01.680 --> 00:15:07.380
really save money by incentivizing their employees to be more vigilant and secure which results

00:15:07.380 --> 00:15:13.620
in fewer infections company-wide, because the overall benefit to security outweighs the cost.

00:15:13.620 --> 00:15:16.200
But enough about security awareness training. I want

00:15:16.200 --> 00:15:20.100
to hear a story about when Chris had to do a penetration test on a client.

00:15:20.100 --> 00:15:24.540
CHRIS: I had just hired Ryan. He’s my COO now and he and I were just working together;

00:15:24.540 --> 00:15:28.980
this was literally our – one of our first jobs together, going back a couple years

00:15:28.980 --> 00:15:36.300
now. We were hired to go break into a couple banks in the country of Jamaica.

00:15:36.300 --> 00:15:42.600
This is an interesting one because it’s my first time breaking into banks in a foreign country.

00:15:42.600 --> 00:15:48.000
We didn’t know what to expect in doing the job, like what was – when we arrive,

00:15:48.000 --> 00:15:52.380
were they gonna be armed? Were they not gonna be armed? How hostile would they be?

00:15:52.380 --> 00:15:57.840
JACK: Their task was to get into the bank in the middle of the day. Really, this was to see if they

00:15:57.840 --> 00:16:02.880
could get past security and into the inner areas of the bank because this bank wasn’t really where

00:16:02.880 --> 00:16:09.600
customers come in, typically. Two foreigners just walking in off the street with no business

00:16:09.600 --> 00:16:14.460
being in there should not be able to get in this building. Security should stop them at the front

00:16:14.460 --> 00:16:19.560
door but if they get in, the doors to every secure area in the building should be locked.

00:16:19.560 --> 00:16:26.220
CHRIS: One of our jobs was that we had to put a USB key into random computers and

00:16:26.220 --> 00:16:31.260
hack the network. We had to have different pieces of software and malware on the USB

00:16:31.260 --> 00:16:36.300
keys that would allow us to show them that we could’ve – we weren’t allowed to steal anything

00:16:36.300 --> 00:16:40.560
or get into sensitive parts of the bank but if we were to gain access to the network,

00:16:40.560 --> 00:16:45.120
they wanted us to prove that we would have been able to destroy them if we

00:16:45.120 --> 00:16:50.160
gained access to that part. They wanted us to have software and tools with us that can

00:16:50.160 --> 00:16:54.900
prove those parts while recording also so we could show them what it is that we were doing.

00:16:54.900 --> 00:16:58.380
JACK: On top of that, they were told to report any security issues they found

00:16:58.380 --> 00:17:04.920
along the way. The objective is set; time to get to work.

00:17:04.920 --> 00:17:07.260
CHRIS: [MUSIC] We had done a lot of OSINT and we

00:17:07.260 --> 00:17:10.500
found that the bank was undergoing an audit from an American company.

00:17:10.500 --> 00:17:14.640
JACK: Okay, OSINT is open-source intelligence-gathering which is

00:17:14.640 --> 00:17:20.940
where you look in public areas online for private information about a company. Chris

00:17:20.940 --> 00:17:25.620
didn’t say how he did it but here’s how I would start. First, go to the company’s

00:17:25.620 --> 00:17:30.360
LinkedIn profile. This typically lists a bunch of employees who work for that company. From there,

00:17:30.360 --> 00:17:35.460
you might see employees posting stuff right on LinkedIn like ‘Ugh, it’s audit time again. Can

00:17:35.460 --> 00:17:39.780
you believe it?’ But if no clues like that show up, you can take this a step further.

00:17:39.780 --> 00:17:44.580
You take the names of the employees that are on LinkedIn and then try to find their

00:17:44.580 --> 00:17:49.800
Facebook profiles to see what they’re posting there and look through all that.

00:17:49.800 --> 00:17:55.380
If nothing is there, then take it another step further; try to take that name and see if you can

00:17:55.380 --> 00:18:01.560
find their Reddit profile or their Stack Overflow name or some Twitter name or something else that

00:18:01.560 --> 00:18:07.620
you can go and scour those posts, then. You keep pivoting around and eventually you’ll find someone

00:18:07.620 --> 00:18:16.140
somewhere posting something that they shouldn’t be posting. In this case, Chris found people posting

00:18:16.140 --> 00:18:21.960
information about a network audit being conducted by an American company on this Jamaican bank.

00:18:21.960 --> 00:18:27.060
Specifically, it was a PCI audit which stands for Payment Card Industry. Basically,

00:18:27.060 --> 00:18:33.840
if any business wants to process credit cards, they need to pass a yearly PCI audit. Since Chris

00:18:33.840 --> 00:18:39.360
and Ryan are both from the US and understand the ins and outs of PCI, this would be a perfect cover

00:18:39.360 --> 00:18:45.420
or pretext. They were gonna pretend to be PCI auditors to try to get access to the building.

00:18:45.420 --> 00:18:50.340
CHRIS: We had printed business cards and button-up shirts with that company’s name on it, grabbed

00:18:50.340 --> 00:18:56.640
some clipboards, and we arrive in Jamaica. We drive to the location to scope it out first day.

00:18:56.640 --> 00:19:02.160
[MUSIC] It’s a pretty big building. It was maybe three or four stories high,

00:19:02.160 --> 00:19:07.080
huge square. The whole parking lot is surrounded by a fence that has

00:19:07.080 --> 00:19:13.200
barbed wire pointing in. There is a guard as you pull into the

00:19:13.200 --> 00:19:18.600
parking lot. There’s a guard booth with two guards sitting in it at the edge of the parking lot.

00:19:18.600 --> 00:19:22.860
JACK: They drive up to the guard gate, prepared to lie their way in somehow.

00:19:22.860 --> 00:19:27.780
CHRIS: Because it was daytime and it was – they were expecting customers in and out,

00:19:27.780 --> 00:19:33.180
we weren’t stopped at the gate. We were stopped but they were – we just said oh yeah,

00:19:33.180 --> 00:19:37.740
we’re here to do some banking, and they let us right in. There were no issues.

00:19:37.740 --> 00:19:42.180
JACK: As they entered the parking lot, they see some guys whiz by on

00:19:42.180 --> 00:19:46.260
dirt bikes. [BIKE ENGINES] Not only were they on dirt bikes but as they drove by,

00:19:46.260 --> 00:19:52.440
Chris and Ryan saw that mounted on the side of the dirt bikes were sawed-off shotguns.

00:19:52.440 --> 00:19:58.740
CHRIS: They were security. They were bank security where like, that – in America, bank security’s a

00:19:58.740 --> 00:20:04.200
security guard. Maybe he has a gun on his belt but he’s sitting at the desk or up front. These guys

00:20:04.200 --> 00:20:10.920
were on dirt bikes driving through the parking lot. It was just crazy. We were like, what?

00:20:10.920 --> 00:20:15.240
Ryan and I pulled up. The first thing, we both looked at each other and we both

00:20:15.240 --> 00:20:19.560
had this immediate thought like, are we still gonna do this job?

00:20:19.560 --> 00:20:25.680
You know, Ryan, he says it; he goes, I didn’t sign up for this. I’m like well, we just flew all the

00:20:25.680 --> 00:20:30.900
way here from America to Jamaica. It’d be a real shame to just come all this way and not even try.

00:20:30.900 --> 00:20:35.460
He’s like, they have shotguns on dirt bikes. I’m like yeah, it’s a little odd.

00:20:35.460 --> 00:20:41.580
But a gun’s a gun and we’re breaking into armed facilities in America and those facilities, we

00:20:41.580 --> 00:20:45.720
have a risk of getting shot, too. Yeah, maybe they’re not on dirt bikes running around the

00:20:45.720 --> 00:20:51.480
parking lot but still, getting shot with a shotgun or a rifle or an AR is no different;

00:20:51.480 --> 00:20:55.740
it’s all gonna suck and we’re gonna get shot, so – and we do those jobs. That

00:20:55.740 --> 00:21:01.680
was really poor reasoning but that was my reasoning. He went along with it and we

00:21:01.680 --> 00:21:07.380
did it. Looking back, I’m like phew, boy, that was a scary, scary moment.

00:21:07.380 --> 00:21:13.020
JACK: They took a deep breath, drove through the parking lot, and parked. The dirt bikes

00:21:13.020 --> 00:21:16.860
were whizzing by and they were just adding a whole new level of stress that they weren’t

00:21:16.860 --> 00:21:22.260
expecting. Got out of the van and suited up. They put on a shirt with the company’s name

00:21:22.260 --> 00:21:27.540
that was conducting the audit. They got their fake business cards ready and of course, my favorite…

00:21:27.540 --> 00:21:31.980
CHRIS: The clipboard. The clipboard’s hollow so inside the clipboard are USB

00:21:31.980 --> 00:21:35.460
keys and other tools that we may need; lockpicks,

00:21:35.460 --> 00:21:40.800
a camera that we can videotape things with. Inside the clipboard are a lot of different

00:21:40.800 --> 00:21:43.980
things that we can carry so we don’t have to have them all in our hands when we’re walking in.

00:21:43.980 --> 00:21:45.285
JACK: They take a look at this building.

00:21:45.285 --> 00:21:49.020
CHRIS: [MUSIC] The building is mirrored glass so as you’re approaching it,

00:21:49.020 --> 00:21:52.980
you can’t see through the windows ‘cause all the glass is mirrored.

00:21:52.980 --> 00:21:56.820
JACK: They got a little information about what’s inside this building before coming in,

00:21:56.820 --> 00:21:59.580
so they know what it looks like inside before they even get in.

00:21:59.580 --> 00:22:06.120
CHRIS: As you open the front doors, there’s a security guard desk right there with a

00:22:06.120 --> 00:22:11.640
metal detector. The security guards are sitting behind a desk but you have to walk

00:22:11.640 --> 00:22:16.440
through the front doors right past them to get to the staircase. That is the only access into

00:22:16.440 --> 00:22:21.960
the building, so there’s no other access into that particular building in that area. You can

00:22:21.960 --> 00:22:26.760
go around the back; there were some loading docks and other areas but the front door was

00:22:26.760 --> 00:22:31.860
the only access in through the security guards to get to the rest of the bank.

00:22:31.860 --> 00:22:33.540
JACK: They walk up to the building.

00:22:33.540 --> 00:22:37.500
CHRIS: As we’re getting closer to the door, I said to Ryan, look, I’m just gonna get on my phone,

00:22:37.500 --> 00:22:41.940
act like I’m having a conversation. When we get inside, I’m gonna say something like hey,

00:22:41.940 --> 00:22:45.780
we’re coming upstairs now; just wait. We’ll finish the audit in a minute, and we’ll just

00:22:45.780 --> 00:22:50.700
walk past security like we belong. He’s like, is that gonna work? I’m like well, let’s find

00:22:50.700 --> 00:22:55.920
out. I open the front door, walk in, I pick up my phone, put it to my ear. I’m like yeah, yeah,

00:22:55.920 --> 00:23:01.140
Jack, we’re in the front. We’re coming upstairs. We walk right past security and they don’t even

00:23:01.140 --> 00:23:08.280
stop us. I mean, not even flinch. You don’t have time to pause and be like, what the heck? But as

00:23:08.280 --> 00:23:13.800
we’re walking up the stairs, we’re both like what the heck? Like, that was way too easy.

00:23:13.800 --> 00:23:17.460
We get upstairs and we realize we don’t have time to stop and breathe and figure out where

00:23:17.460 --> 00:23:23.340
we go. I round the corner and there’s a room that says ATM testing center;

00:23:23.340 --> 00:23:27.480
big sign on it says ATM testing center. There’s a woman who’s walking right in front of us and

00:23:27.480 --> 00:23:31.560
she enters the room. I just make a quick right and I enter the room right behind

00:23:31.560 --> 00:23:36.060
her. Ryan follows right along. We get in the room and she kind of startled; she turns around

00:23:36.060 --> 00:23:40.560
and she looks at me like what are you doing? I’m like oh, we’re here doing the audit for

00:23:40.560 --> 00:23:45.840
PCI. We’re finishing it up. She’s like oh, okay. She just turns around and lets us in this room.

00:23:45.840 --> 00:23:52.500
JACK: They made it in. They look around this room. It seems to be where they repair ATMs,

00:23:52.500 --> 00:23:56.400
big machines which may or may not have cash in them,

00:23:56.400 --> 00:24:00.600
but they’re all opened up in pieces around the room.

00:24:00.600 --> 00:24:06.720
CHRIS: Now, Ryan is like, literally climbing up inside giant ATMs, taking pictures of all their

00:24:06.720 --> 00:24:12.120
circuit boards and parts. There’s a guy over with a computer testing out this ATM so I walk up to

00:24:12.120 --> 00:24:16.980
him and I say, explain to me what you’re doing. He walks me through how they code their ATMs,

00:24:16.980 --> 00:24:23.040
he shows me their software. He’s basically giving me a free education on ATMs and I’m

00:24:23.040 --> 00:24:27.420
videotaping the whole thing and he doesn’t know I’m covertly videotaping it. We were

00:24:27.420 --> 00:24:30.240
in that room for probably about thirty minutes to the point where we were like,

00:24:30.240 --> 00:24:33.660
we have to leave otherwise it’s gonna look really awkward that we just keep

00:24:33.660 --> 00:24:38.520
hanging out here talking to these people. We tell them okay, we’re done. We exit.

00:24:38.520 --> 00:24:40.140
JACK: [MUSIC] Now, remember,

00:24:40.140 --> 00:24:44.640
they are in Jamaica so they look out of place here. But they had a ruse.

00:24:44.640 --> 00:24:49.740
CHRIS: We’re the only two white guys in literally this whole building.

00:24:49.740 --> 00:24:56.220
It was definitely culturally interesting there because we definitely stood out.

00:24:56.220 --> 00:25:02.340
That’s why we chose that we were working for an American audit company.

00:25:02.340 --> 00:25:06.120
That made sense of why we were there, that we weren’t trying to be locals, we didn’t try to

00:25:06.120 --> 00:25:10.860
make-believe we lived there, we didn’t try to make-believe anything that would throw them off.

00:25:10.860 --> 00:25:14.640
We were like yep, we just came in, flew in from America last night and we’re finishing the audit.

00:25:14.640 --> 00:25:19.380
JACK: They wander the halls with a clipboard in hand, looking for something else of interest.

00:25:19.380 --> 00:25:23.700
CHRIS: There’s a long hallway and at the end of the hallway, there’s these two glass doors that

00:25:23.700 --> 00:25:28.800
we could see through. There’s a call center; I can see all these men and women sitting on

00:25:28.800 --> 00:25:36.360
phones and headsets, these rows of computers. I’m like okay, that’s a call center. There’s a RFID

00:25:36.360 --> 00:25:43.140
pad right next to the door so we assume okay, the door’s locked. We can’t go just yanking on

00:25:43.140 --> 00:25:49.260
it. I’m walking really slow towards the door in the hopes that someone would either enter or exit

00:25:49.260 --> 00:25:52.800
and I would be able to hold the door for them or catch the door with my foot and get in without

00:25:52.800 --> 00:25:59.280
having to have a key. It’s like, you can’t even plan this as smoothly. As I approached the door,

00:25:59.280 --> 00:26:05.280
this woman’s exiting and I go oh, let me hold that for you. I pull the door, she unlocks it, and I

00:26:05.280 --> 00:26:09.180
hold it for her. She says a really nice thank you and Ryan and I walk into the test center.

00:26:09.180 --> 00:26:13.980
JACK: They get in this large office room. [BEEPING, DIALING] Rows and rows of desks and

00:26:13.980 --> 00:26:19.200
cubicles are here, lots of people all over with headsets on, talking to customers on the phone.

00:26:19.200 --> 00:26:25.920
CHRIS: We’re trying to find a quiet, open spot. We’re walking up and down these aisles kinda

00:26:25.920 --> 00:26:32.940
slowly and I go down this one aisle and there’s a computer that’s on but it’s at its lock screen.

00:26:32.940 --> 00:26:37.920
There’s a woman sitting right next to it on her computer so I just say to her, hey, I need you

00:26:37.920 --> 00:26:42.840
to put your password in this computer here. She looks; she stops and looks at me and she’s like,

00:26:42.840 --> 00:26:46.020
what? What do you mean? I said I need you to log in to this computer. She’s like,

00:26:46.020 --> 00:26:50.340
but I’m using this one. I’m like yes, I know, but I need you to log into this computer, too.

00:26:50.340 --> 00:26:55.620
She goes, okay. She just gets up and as she’s typing her password, I start recording on my

00:26:55.620 --> 00:26:59.880
phone and I hold my phone over the keyboard so I’m recording her password on my phone.

00:26:59.880 --> 00:27:01.080
JACK: Does she see you do this?

00:27:01.080 --> 00:27:05.880
CHRIS: She doesn’t, so I’m doing it where I’m holding my phone on the back of a clipboard.

00:27:05.880 --> 00:27:09.810
I make a big stink about looking away from her so she thinks I’m not watching her put

00:27:09.810 --> 00:27:15.240
her password in, but I’m recording it on my phone. I call Ryan over. He sits down,

00:27:15.240 --> 00:27:22.260
he pulls out one of the USB keys and he starts hacking the network from there. [MUSIC]

00:27:22.260 --> 00:27:26.580
While Ryan’s doing that, I just turn around and I notice that there’s this guy sitting at

00:27:26.580 --> 00:27:31.860
a desk right behind us about five or six feet and he gets up to use the bathroom, I assume.

00:27:31.860 --> 00:27:36.120
He just gets up from his desk and he walks away. When he walks away, he leaves his computer

00:27:36.120 --> 00:27:41.820
unlocked, he leaves his badge on the desk, he leaves everything there. So, I go over to his

00:27:41.820 --> 00:27:48.840
computer and sit down and just start scrolling through banking screens, applications, I take a

00:27:48.840 --> 00:27:55.440
picture of his badge for cloning later. Then Ryan comes over and he starts hacking that computer. We

00:27:55.440 --> 00:27:59.520
now are on these two machines and we’re like okay, we’ve been in the ATM testing center,

00:27:59.520 --> 00:28:04.260
we hacked the network, we’ve run two different machines, it’s time for us to start exiting.

00:28:04.260 --> 00:28:08.580
JACK: Ryan and Chris start packing up and planning their escape out of there.

00:28:08.580 --> 00:28:12.900
CHRIS: We start thinking of an exit strategy and a woman comes over and she says

00:28:12.900 --> 00:28:16.860
what are you doing here? We’re like oh, we’re finishing up the PCI audits so we’re

00:28:16.860 --> 00:28:21.840
just testing speeds on these computers. She’s like okay, and she walks away. I’m like man,

00:28:21.840 --> 00:28:27.180
that was way too easy. Well, two minutes later she comes back with a manager and the manager

00:28:27.180 --> 00:28:33.000
says who is your contact here? I said oh, you know, I don’t have a contact here. She goes,

00:28:33.000 --> 00:28:36.660
everyone who’s allowed in the bank has a contact. How did you get in here? I said well,

00:28:36.660 --> 00:28:40.140
we’re working with that American audit company. I said the name and she goes,

00:28:40.140 --> 00:28:43.080
yeah, I know them. They’ve been here for the last month. I’m like right, and we’re just

00:28:43.080 --> 00:28:47.760
finishing up the audit on speed and other things, so I just was told to come do the test. I said,

00:28:47.760 --> 00:28:51.840
I can give you my American contact. She’s like no, I need your local. She goes, come with me.

00:28:51.840 --> 00:28:57.360
JACK: She begins escorting Chris and Ryan to the security desk at the front door of the

00:28:57.360 --> 00:29:01.200
building. Now, Chris is already a step ahead. He thought about what he would do

00:29:01.200 --> 00:29:07.560
if he got caught because it’s never over when you get caught. This mission has just changed to see

00:29:07.560 --> 00:29:14.160
if you can escape from being caught. Chris’s plan was pretty brilliant. Back in their van,

00:29:14.160 --> 00:29:18.240
in the parking lot of this building, is a third guy they brought with them.

00:29:18.240 --> 00:29:23.040
CHRIS: He’s a local in Jamaica that works for a pen test company

00:29:23.040 --> 00:29:28.140
that was – the bank was his client, so they had hired us to come down and

00:29:28.140 --> 00:29:31.980
do the social engineering part. I said look, you sit in the van,

00:29:31.980 --> 00:29:37.800
you’re our local banker guy so you use this name and if they call, you answer as this, right?

00:29:37.800 --> 00:29:42.420
JACK: Pretty clever. Someone with a local accent who could pretend

00:29:42.420 --> 00:29:47.640
to vouch for them might just be a pretty convincing fake get out of jail free card.

00:29:47.640 --> 00:29:51.840
CHRIS: We get to security and she says check on these people,

00:29:51.840 --> 00:29:55.500
and then she leaves. I tell the security guy; I’m like look,

00:29:55.500 --> 00:30:00.000
you want to talk to my contact here at the bank? He’s like, yes. So, I call on the phone.

00:30:00.000 --> 00:30:04.320
JACK: Chris uses his own cell phone to call his buddy who’s just in the

00:30:04.320 --> 00:30:08.280
van in the parking lot to pose as someone who works at this company.

00:30:08.280 --> 00:30:15.900
CHRIS: I say hey, I need you to talk to the security guard. The security guard said so,

00:30:15.900 --> 00:30:19.440
you know, do you know these two people? We gave them the fake names ‘cause we have fake business

00:30:19.440 --> 00:30:24.720
cards. He said oh yeah, yeah. They work for this company, this auditing company. He’s like yep,

00:30:24.720 --> 00:30:29.820
that’s what their card says. He’s like yeah, they’re supposed to be there doing a speed and

00:30:29.820 --> 00:30:33.960
internet connectivity test. He’s like yeah, that’s what they were doing. He’s like okay, that sounds

00:30:33.960 --> 00:30:39.600
legitimate. He’s like, great, then please let them continue doing their job. That was it.

00:30:39.600 --> 00:30:42.540
Then at that point he said well, you’re verified.

00:30:42.540 --> 00:30:46.320
I’m like okay, well, [MUSIC] we’re gonna just take a break and then we’ll come back ‘cause we,

00:30:46.320 --> 00:30:52.020
at this point, we didn’t know if going back into the building was gonna get us arrested. I don’t

00:30:52.020 --> 00:30:55.440
know about you; I’ve been arrested a lot of times on jobs in the states. Getting out of

00:30:55.440 --> 00:31:00.720
that’s relatively easy. I did not know how getting arrested in Jamaica was gonna be so we decided to

00:31:00.720 --> 00:31:05.100
exit the building. Plus, we hacked the network, we hacked the ATM stuff, so we were like yeah,

00:31:05.100 --> 00:31:08.880
we’re pretty much done here. So, we exited the building and then went to our next location.

00:31:08.880 --> 00:31:12.180
JACK: All objectives on the first building have been accomplished;

00:31:12.180 --> 00:31:16.980
in and out, no problem, easy-peasy, at least to someone who’s as skilled

00:31:16.980 --> 00:31:22.080
as Chris and Ryan. Time to head over to the second bank building. The next one though,

00:31:22.080 --> 00:31:27.000
is where their NOC is. This is the Network Operations Center, the room where a bunch

00:31:27.000 --> 00:31:31.560
of network technicians and engineers are all actively looking for network security incidents

00:31:31.560 --> 00:31:37.800
within the bank’s network to resolve them. Well, Chris and Ryan are about to be two major network

00:31:37.800 --> 00:31:43.080
security incidents if they can get into the NOC. So, this should be an interesting match.

00:31:43.080 --> 00:31:46.620
CHRIS: Inside the banking property which looked just like the other property;

00:31:46.620 --> 00:31:49.980
you know, the barbed wire fence, the whole nine yards. There was a smaller

00:31:49.980 --> 00:31:57.000
building that was surrounded by another barbed wire fence and that was the NOC.

00:31:57.000 --> 00:32:03.300
We ring the bell and the security guard comes out and he says what’s your name? I told him what we

00:32:03.300 --> 00:32:08.160
were doing and he looks at his list and he’s like, you are not on the list. I’m gonna need to call

00:32:08.160 --> 00:32:14.700
and get approval. I said, oh man, if you can – I said, look, we’re two Americans and we’re not

00:32:14.700 --> 00:32:19.260
used to the heat here. Can we come in and wait in the air conditioning while you make the calls and

00:32:19.260 --> 00:32:24.900
verify us? He thought about it for like, a good five, ten seconds and he’s like yeah, okay. He

00:32:24.900 --> 00:32:28.260
presses the button, unlocks the gate, and we get in. I’m thinking this is it; we’re gonna – while

00:32:28.260 --> 00:32:33.600
he’s in his office making calls, we’re gonna hack the whole NOC, we’re gonna be out.

00:32:33.600 --> 00:32:37.740
He lets us into the front, we’re sitting by these two computers which I’m like Ryan, as soon as he

00:32:37.740 --> 00:32:42.240
leaves, this is it. He goes ‘kay, you guys wait here. I gotta go to my office. We’re like sure,

00:32:42.240 --> 00:32:48.120
no problem. We won’t move. We’ll just sit here in the nice AC. Thanks for being so cool. He gets

00:32:48.120 --> 00:32:52.380
up and he puts his head around the corner and he yells something to some guy. I couldn’t understand

00:32:52.380 --> 00:32:58.440
what it was. A second later this dude, I swear, [MUSIC] he was the biggest man I’ve ever seen in

00:32:58.440 --> 00:33:04.740
my life and I am by no means a small person. This guy made me look like a miniature human.

00:33:04.740 --> 00:33:14.880
This guy must’ve been 6’10”, 6’11”, and he was as wide as a doorway. He had a flak jacket on that

00:33:14.880 --> 00:33:20.700
had knives at different intervals in his flak jacket. He had a giant billy stick on his one

00:33:20.700 --> 00:33:26.580
hip. On his other hip, he had a sawed-off shotgun, and then he had a handgun on the belt on his other

00:33:26.580 --> 00:33:33.240
side. This guy comes and he stands with his arms folded in the doorway. I just leaned over to touch

00:33:33.240 --> 00:33:37.680
the computer and he went mm-mm. Just like that. I went no, no, I’m not doing anything, man. Not

00:33:37.680 --> 00:33:43.200
doing anything. Ryan leans over and he’s like, I’m not gonna try it. I’m like, don’t try. Don’t try.

00:33:43.200 --> 00:33:48.420
JACK: At this point Chris makes a decision; this is not gonna work. Time to figure out a way to

00:33:48.420 --> 00:33:55.020
escape. But you don’t want to just get up and run while this big guy with weapons is staring at you.

00:33:55.020 --> 00:34:02.100
But Chris has prepped really well for this and has a plan. [MUSIC] That morning,

00:34:02.100 --> 00:34:06.120
before coming into this building, he compiled a lot of data on this company.

00:34:06.120 --> 00:34:10.260
He scoured the internet and researched a bunch of employees here and even made

00:34:10.260 --> 00:34:14.580
some phone calls to talk with some of those people. All this was done that same morning.

00:34:14.580 --> 00:34:19.680
CHRIS: We went to LinkedIn and we pulled up the employees of this bank. Then we found ones

00:34:19.680 --> 00:34:24.420
who listed their phone numbers and we started calling people who were in positions that we

00:34:24.420 --> 00:34:30.660
thought would be able to say, like, that would be our contacts if we were legitimate auditors. So,

00:34:30.660 --> 00:34:36.900
calling the CISO or the CIO. What we wanted to do was call them, ask them a couple weird questions

00:34:36.900 --> 00:34:40.800
and nothing about audits. Just be like oh, hey, is this Joe? They’d be like, no, this is not Joe;

00:34:40.800 --> 00:34:49.140
to hear their voice and we were hoping that if one of them sounded a lot like our Jamaican contact,

00:34:49.140 --> 00:34:52.920
like, if they were older or if they had a rough voice or whatever, if they sounded similar,

00:34:52.920 --> 00:34:59.400
then we could have that guy play the part of the CISO and then give us that fake permission.

00:34:59.400 --> 00:35:02.280
JACK: You get it, right? They were trying to find somebody within the

00:35:02.280 --> 00:35:05.880
company that sounded like their third guy in the van so that he could pretend

00:35:05.880 --> 00:35:09.720
to be the person on the phone. One of the people they tried calling was the

00:35:09.720 --> 00:35:14.160
Chief Information Officer. But when they called the CIO, they never got through.

00:35:14.160 --> 00:35:17.880
CHRIS: The secretary said oh, he’s not in today. He’s on a business trip. He

00:35:17.880 --> 00:35:22.140
flew to another island. Then I just asked so, when will he be back? Well,

00:35:22.140 --> 00:35:26.520
not ‘til later this afternoon. Okay, great. We’ll call back then.

00:35:26.520 --> 00:35:30.480
JACK: Now, he took this little bit of information he learned earlier that day

00:35:30.480 --> 00:35:33.360
and he’s sitting in the building with the NOC and this huge armed

00:35:33.360 --> 00:35:37.440
guard is staring at him. He waits for the other guard to come back.

00:35:37.440 --> 00:35:41.340
CHRIS: When the guy came back, he’s like look, I can’t verify you. No one knows who you are.

00:35:41.340 --> 00:35:46.740
I’m a little worried. I said ah, you know, the guy who’s supposed to be in contact with us,

00:35:46.740 --> 00:35:50.760
I heard he’s off the island today. He’s on a business trip somewhere. He said yeah,

00:35:50.760 --> 00:35:56.640
that’s what they told me. That was the only thing that saved us because I knew a story

00:35:56.640 --> 00:36:01.860
that he had found out just now on the phone. I said yeah, well, that guy’s our contact. You

00:36:01.860 --> 00:36:06.180
know what? Why don’t we do this; he’s supposed to be back in a couple hours so why don’t we go?

00:36:06.180 --> 00:36:10.560
We have another site that we’re supposed to go to. We’ll go do that site and then we’ll come

00:36:10.560 --> 00:36:13.620
back in a couple hours when he’s landed from his business trip. He’s like okay,

00:36:13.620 --> 00:36:17.880
that’s cool. We got the heck out of there and left and never came back. We had no other sites;

00:36:17.880 --> 00:36:19.052
we were done but we were like, we just needed to get out of there before King Kong broke us into

00:36:19.052 --> 00:36:21.900
little pieces, you know? We did nothing there. We didn’t hack that. We completely failed on

00:36:21.900 --> 00:36:26.160
that job but it was like, this guy could break both of us in half without thinking about it.

00:36:26.160 --> 00:36:29.880
JACK: Failing is actually good. It means their security was better than Chris,

00:36:29.880 --> 00:36:32.460
and Chris is a professional. At this point,

00:36:32.460 --> 00:36:36.960
Chris and Ryan write up a full report and have a meeting with the client to go over everything.

00:36:36.960 --> 00:36:41.813
CHRIS: Yeah, you know, that’s what I love about working with clients like that, is they were very

00:36:41.813 --> 00:36:46.740
happy. They weren’t mad, they weren’t like oh, you guys are jerks. They really loved the story, they

00:36:46.740 --> 00:36:53.220
loved how far we went, they loved that we also didn’t try to hurt anybody or damage anybody. They

00:36:53.220 --> 00:36:56.460
loved that we followed all the rules but mostly they just loved that we proved where

00:36:56.460 --> 00:37:01.440
their vulnerabilities were. ‘Cause at the end they said well, what could have stopped you? I

00:37:01.440 --> 00:37:05.280
gave them three or five different points or where we could have been stopped at any point in time.

00:37:05.280 --> 00:37:07.920
JACK: I’m interested to hear those points.

00:37:07.920 --> 00:37:13.080
CHRIS: Sure. The first point was when we entered the building on the phone. The security guard

00:37:13.080 --> 00:37:18.120
didn’t stop us and he should have. He should have said whoa, whoa, hang on, before you get upstairs,

00:37:18.120 --> 00:37:22.560
who are you here to see? I would have come up with the same fake name and he would have gone, I don’t

00:37:22.560 --> 00:37:26.580
see you on the list. Let me call upstairs and see if Jack is there, and when he called upstairs and

00:37:26.580 --> 00:37:30.780
there’s no Jack, I would have been stopped. That was the first time I could have been stopped. The

00:37:30.780 --> 00:37:37.080
second time is when I entered the ATM center with Ryan and the lady turned around and went whoa,

00:37:37.080 --> 00:37:41.820
what are you doing in here? I said, PCI audit. She should have said well, I don’t have you authorized

00:37:41.820 --> 00:37:46.740
in this room. This is a private room. It had a whole separate security system. She could have

00:37:46.740 --> 00:37:49.860
called downstairs to security and say hey, are there supposed to be auditors doing the

00:37:49.860 --> 00:37:53.700
ATM center? That may have triggered them to check in and I could have been stopped there.

00:37:53.700 --> 00:37:56.040
JACK: Yeah, or just, she could have just shut the door and said…

00:37:56.040 --> 00:38:02.160
CHRIS: Yeah, you’re not allowed in. The third time was when we were in the call center and I said to

00:38:02.160 --> 00:38:05.340
that woman, put your password in here. She should have said, I don’t think I’m allowed to do that;

00:38:05.340 --> 00:38:11.220
let me go get my manager, or just rejected entering her password. She didn’t do that.

00:38:11.220 --> 00:38:15.720
The fourth time was when we went over to the computer that the guy didn’t lock. He could

00:38:15.720 --> 00:38:21.120
have stopped us by locking his computer before he left for the bathroom. Then the fifth time

00:38:21.120 --> 00:38:26.520
was back at the security guards when we called the fake Jack and said, hey, yeah, here, talk to

00:38:26.520 --> 00:38:33.360
our contact here. He accepted that we were telling the truth and let us – was gonna let us back in.

00:38:33.360 --> 00:38:37.800
That could have stopped us, if he was like, I’m not handling your phone. I want to call this guy

00:38:37.800 --> 00:38:43.620
directly on the extension I know. He took my phone which could have been any person and spoke to him

00:38:43.620 --> 00:38:50.700
as a bank contact. He could have just called the extension directly instead of trusting me. When

00:38:50.700 --> 00:38:55.620
I told him those five things, they were like yeah, those are all good points. I’m like you

00:38:55.620 --> 00:39:00.360
know, you set training and you set policies in place and then you train them on those policies

00:39:00.360 --> 00:39:05.300
and you give them avenues to do this smart, and next time we will not be able to break in.

00:39:05.300 --> 00:39:18.660
JACK: [MUSIC] A

00:39:18.660 --> 00:39:23.100
few years later, Chris and Ryan were back in the United States. They got a job to break

00:39:23.100 --> 00:39:27.780
into a building and gain remote access to the network inside. The guy who hired Chris and

00:39:27.780 --> 00:39:33.300
Ryan to try to break in was the head of physical security of the building. The head of security

00:39:33.300 --> 00:39:38.460
authorized this which is what made it legal and Chris had printed out this authorization

00:39:38.460 --> 00:39:43.260
letter and put it in his pocket because if all goes wrong, they’ve got this letter which says

00:39:43.260 --> 00:39:48.300
the head of security paid them to test this facility. They plan out their pretext or ruse.

00:39:48.300 --> 00:39:54.660
They were going to pose as pest control which could get them access into the building and then

00:39:54.660 --> 00:39:59.880
from there, they could try to sneak a USB drive into one of the computers. They had a uniform,

00:39:59.880 --> 00:40:06.720
spray bottles, boxes, and more to look like they were actually doing pest control. They

00:40:06.720 --> 00:40:11.520
decided to go the night before to scout out the place. [MUSIC] It’s a big office building;

00:40:11.520 --> 00:40:17.820
lots of glass windows and even a glass door in the front. They came by at night. There was no

00:40:17.820 --> 00:40:24.780
security around. They tugged on the doors but they were locked. So, they decided to try an old trick.

00:40:24.780 --> 00:40:27.900
CHRIS: Yeah, there was like, two glass doors that led into the place and they

00:40:27.900 --> 00:40:31.620
had a gap in-between them that was wide enough for us to shove a USB key through.

00:40:31.620 --> 00:40:35.880
JACK: Their theory is that if they slip one of their malicious USB sticks through the gap of

00:40:35.880 --> 00:40:41.820
the door and into the building, when someone finds it the next day, they might be just curious enough

00:40:41.820 --> 00:40:48.540
to see what’s on it and plug it into a computer, which by the way, you should never do. USB keys

00:40:48.540 --> 00:40:55.920
can contain a ton of icky malware that you want to avoid. But if a user opened any of the files

00:40:55.920 --> 00:41:00.300
that were on this USB drive, it would create a reverse connection back to Chris’s server

00:41:00.300 --> 00:41:06.720
which would allow him remote access to that computer the user plugged the USB key into.

00:41:06.720 --> 00:41:10.500
They shoved this USB stick through the gap of the door.

00:41:10.500 --> 00:41:14.940
CHRIS: There was two sets of these doors and what – sadly, the first door, perfect;

00:41:14.940 --> 00:41:22.320
we did great. The second door, nobody ever uses it and we didn’t know that. When we slid the USB key

00:41:22.320 --> 00:41:27.600
through, when someone found it the next morning, they went hey, you know that door that is like,

00:41:27.600 --> 00:41:32.820
totally never used? There’s a USB key on the floor there. That made security go look at the

00:41:32.820 --> 00:41:39.600
video tapes from the night before. They saw Ryan and I at the building outside sliding these keys

00:41:39.600 --> 00:41:44.460
through the door. We didn’t know that. None of this we knew. The next day we come and I’m

00:41:44.460 --> 00:41:51.360
reversing into my parking spot. I’m in this big, huge SUV and I’m reversing into the parking spot.

00:41:51.360 --> 00:41:55.380
I had just turned around to make sure I wasn’t hitting anything and I heard the door open.

00:41:55.380 --> 00:42:01.200
I thought Ryan was getting out and when I turned back, there’s a cop that ripped Ryan out – a

00:42:01.200 --> 00:42:06.900
security guard, but an armed security guard who ripped Ryan out of the front door [MUSIC] and had

00:42:06.900 --> 00:42:12.480
him slammed on the hood and was cuffing him. Now, Ryan knows this, everyone knows this;

00:42:12.480 --> 00:42:15.780
look, if we gotta get away, I may run so I can come back and break in later. Like,

00:42:15.780 --> 00:42:21.240
you’re gonna have to deal with it. I put the car in drive like I’m gonna flee. He’s looking at me

00:42:21.240 --> 00:42:26.820
shaking his head like don’t leave me, man. I’m like, see ya, sucker. I’m just about to take my

00:42:26.820 --> 00:42:31.500
foot off the brake and a woman jumps out in front of the car with her gun drawn and she’s like,

00:42:31.500 --> 00:42:36.720
get out of the car. I’m like hey, hey, put the gun away. We’re all good. I put it in park and

00:42:36.720 --> 00:42:40.200
she’s like, get out of the car. I’m like, I’m not getting out of the car until you put the gun away.

00:42:40.200 --> 00:42:43.560
I need you to put the gun away. She’s like, I’m not putting the gun away. We’re yelling

00:42:43.560 --> 00:42:48.660
back and forth and eventually I get out of the car. She was short. She must’ve been like, 5’2”,

00:42:48.660 --> 00:42:55.020
5’3”, and I’m 6’3”. She slammed me on the hood so hard that it knocked my hat and my

00:42:55.020 --> 00:42:59.700
sunglasses off and they flew across the hood. Before my face bounced off the hood, she had

00:42:59.700 --> 00:43:07.020
both my arms in cuffs. It was so impressive, I said, whoa, that was maybe the quickest cuffing

00:43:07.020 --> 00:43:11.640
I’ve ever had. It just came out of my mouth, right? She goes, you get cuffed all the time,

00:43:11.640 --> 00:43:17.880
don’t you, scumbag? I’m like, okay, I can see you’re very angry. I don’t know why you’re so

00:43:17.880 --> 00:43:22.500
angry. We’re just driving, pulling in here. We’re doing some pest control. She’s like,

00:43:22.500 --> 00:43:27.480
you’re not doing pest control, scum. Then she like, takes me up and she stands me up.

00:43:27.480 --> 00:43:33.720
I’m like hey, it’s really hot here. It was the summertime in a really hot area. I’m like,

00:43:33.720 --> 00:43:38.220
can we go over to the shade? She takes us over to the shade. Ryan and I are now kneeling on

00:43:38.220 --> 00:43:45.180
the ground like in execution-style. We’re on our knees, both of us cuffed behind our back.

00:43:45.180 --> 00:43:49.680
They’re like, what are you doing here? Ryan whispers to me, give her the letter.

00:43:49.680 --> 00:43:55.260
I’m like, no, no, we can get out of this. I’m like, we’re here doing pest control. She’s like,

00:43:55.260 --> 00:44:00.000
you’re not doing pest control. I’m like, we are. I said look, go open the back of our SUV; you’ll

00:44:00.000 --> 00:44:05.520
see the – we had pest control sprayers and we had fake chemical cartons and everything. We had all

00:44:05.520 --> 00:44:10.860
the stuff that looked the deal. She’s like, you’re not here doing pest control. I’m like, just open

00:44:10.860 --> 00:44:16.680
it up and look. So, they see the pest control equipment and she’s like, I don’t believe you.

00:44:16.680 --> 00:44:20.340
I’m like, I don’t know why you don’t believe me. Look, I got a work order. My clipboard’s

00:44:20.340 --> 00:44:24.180
in the car if you want to get it. She’s like, I’m not going anywhere, scum. What

00:44:24.180 --> 00:44:28.860
are you doing here? I’m like, I’m telling you, I don’t know how many ways to answer it.

00:44:28.860 --> 00:44:35.580
Then Ryan’s like dude, the letter. They’re getting mad. I’m like no, we don’t need the letter.

00:44:35.580 --> 00:44:41.580
Then the guy guard comes over and he’s like, why were you here at 11:00 last night?

00:44:41.580 --> 00:44:48.720
I’m like, crap. I’m quickly thinking and I’m like well, one of the things we were hired to spray for

00:44:48.720 --> 00:44:54.240
were scorpions and they don’t come out in the daytime. This breed of scorpion only comes out

00:44:54.240 --> 00:44:59.700
at nighttime so we came at night to just check the area to make sure that we were gonna spray

00:44:59.700 --> 00:45:04.980
at night. He said, we saw you on video. We didn’t see any sprayers. You were just walking

00:45:04.980 --> 00:45:09.900
around the building looking at our doors. I’m like well, we were just scoping it out.

00:45:09.900 --> 00:45:15.540
We’re gonna do the spraying now and tonight. He’s like, what are you really doing here? I’m like no,

00:45:15.540 --> 00:45:20.340
I’m telling you, that’s the truth. Ryan’s like, give him the letter, dangit. I’m like no, man,

00:45:20.340 --> 00:45:25.800
we can do this. I’m feeling like we’re gonna win this, right? Then he goes, what about

00:45:25.800 --> 00:45:31.140
the USB keys you dropped? Then I’m like, crap. Yeah, now it’s over. I’m like okay, look man,

00:45:31.140 --> 00:45:36.000
there’s a letter in that clipboard. He’s like, I’m not grabbing your clipboard. For all I know,

00:45:36.000 --> 00:45:40.920
it’s some kind of device. I’m like no, no, just grab the letter please. You can grab

00:45:40.920 --> 00:45:44.820
the letter. The lady goes over, she grabs the letter, they open it and they see the

00:45:44.820 --> 00:45:49.920
contact name and they know him personally and they’re like that mother. I can’t believe it.

00:45:49.920 --> 00:45:57.180
I’m like, yeah. Yeah, he’s a real jerk. That guy’s a jerk; you should uncuff us. We’re buddies. She’s

00:45:57.180 --> 00:46:01.200
like, we’re not uncuffing you, scum. I’m like, no, come on, we’re not scum anymore. Now you

00:46:01.200 --> 00:46:07.860
know we’re good guys, right? She’s like, no. We stayed kneeling there on the ground for like,

00:46:07.860 --> 00:46:13.020
ten more minutes while we waited for our contact to come out who we found out was in the bushes

00:46:13.020 --> 00:46:20.400
filming us getting arrested. We’re like, really, man? He’s like, this was great. These guys did so

00:46:20.400 --> 00:46:24.660
good. I’m like yeah, they did great, but you could have saved us. He’s like no, this was awesome.

00:46:24.660 --> 00:46:31.320
JACK: The name on the letter was actually the security guard’s boss. Once they called

00:46:31.320 --> 00:46:37.320
him and he said yep, this is all a test, the situation calmed down and the security guards

00:46:37.320 --> 00:46:41.640
eventually started laughing about this whole situation and started asking Chris and Ryan

00:46:41.640 --> 00:46:46.200
what are their jobs as pen testers? Everyone started being more friendly.

00:46:46.200 --> 00:46:52.380
CHRIS: The whole time, I’m grilling them for info. I’m like, so yeah, you guys did really good. We

00:46:52.380 --> 00:46:55.620
should have come later but you’re probably here twenty-four hours, right? They’re like no, no, no.

00:46:55.620 --> 00:47:01.320
No security here is after 7:00 p.m. I’m like oh, yeah, we should have chosen then. That’s too bad. I

00:47:01.320 --> 00:47:06.480
got their schedules, you know, like from them just by talking. Then we come back that night at like,

00:47:06.480 --> 00:47:13.200
9:00 p.m. after they’re gone and we break into the place and we break into their office.

00:47:13.200 --> 00:47:20.100
We stole their badges and some of their stuff for getting into other buildings. Then I left all of

00:47:20.100 --> 00:47:28.800
my pest control equipment on their desks with a big thank you note and a couple smiley hearts. The

00:47:28.800 --> 00:47:33.480
next day when they came in, they knew that we had broken into all the cameras and us stealing their

00:47:33.480 --> 00:47:38.700
stuff, but then our pest control equipment was on their desk. A little fun humor back and forth.

00:47:38.700 --> 00:47:46.800
JACK: [MUSIC] Okay, for this next story – actually, can I just take

00:47:46.800 --> 00:47:52.020
a moment and say thank you for being here as a listener? I mean, look at this; we’re what,

00:47:52.020 --> 00:47:56.880
forty minutes into this episode and you’re still with me? It’s unbelievable. Just,

00:47:56.880 --> 00:48:03.540
thanks so much for being here with me, right here, right now.

00:48:03.540 --> 00:48:07.860
For you, the listener who’s made it this far, I have something I’m really excited to be able

00:48:07.860 --> 00:48:11.760
to share with you. This is a rare find and I’ve been looking for something like this for quite a

00:48:11.760 --> 00:48:17.040
while so I was really excited when Chris said he could do it. The story starts with Chris doing a

00:48:17.040 --> 00:48:21.840
phishing campaign against a company with the goal of raising security awareness for the company.

00:48:21.840 --> 00:48:28.920
CHRIS: In this particular test, we started off with a phishing e-mail and it was out to 1,000

00:48:28.920 --> 00:48:34.860
people. It was about a brand-new iPhone. To register to win one of the brand-new iPhones,

00:48:34.860 --> 00:48:40.800
all you had to do was go to this website and put in your credentials for your computer.

00:48:40.800 --> 00:48:47.940
It was a corporate-sponsored raffle so you went to a site that looked like your corporate site,

00:48:47.940 --> 00:48:51.600
entered the info, and then you were entered to win one of these iPhones.

00:48:51.600 --> 00:48:55.680
JACK: So many of the people in this company wanted a free iPhone and the e-mail looked like

00:48:55.680 --> 00:48:59.580
it was sponsored by the company itself, so the employees were like heck yeah,

00:48:59.580 --> 00:49:06.180
let me register to win this thing. From this e-mail alone, Chris got 750 people to click

00:49:06.180 --> 00:49:14.460
the link and then go to his website and enter in their work username and password. It’s insane.

00:49:14.460 --> 00:49:17.880
At this point, you could send each of these people an e-mail explaining how

00:49:17.880 --> 00:49:21.240
the raffle was just a test and they failed. That could be the end of the

00:49:21.240 --> 00:49:25.680
security awareness training. But besides raising awareness, Chris had a secondary

00:49:25.680 --> 00:49:32.460
objective which was to also gain remote access to the network inside. He comes up with a plan.

00:49:32.460 --> 00:49:38.220
CHRIS: We had their username and password but our job was to gain access to their

00:49:38.220 --> 00:49:45.060
network remotely. The goal was to call each one of these people and tell them

00:49:45.060 --> 00:49:54.540
that the link they just clicked on was a phish and that they had the – hopefully they went

00:49:54.540 --> 00:49:59.400
when they were notified of that, that it was a phish, that they had to go change their password

00:49:59.400 --> 00:50:06.420
and that once they changed their password, we had to just make sure that there was no residual

00:50:06.420 --> 00:50:14.400
malware on the computer from clicking that phish. To clean their system, we created a PC cleaner

00:50:14.400 --> 00:50:20.400
program for them that would clean their machine from any malware. Of course, it was not a PC

00:50:20.400 --> 00:50:25.500
cleaner; it was a meterpreter reverse-shell that gave us access into their machine.

00:50:25.500 --> 00:50:28.080
JACK: The goal was to call like,

00:50:28.080 --> 00:50:33.900
twenty-five people who clicked the link and somehow convince them to run some malware.

00:50:33.900 --> 00:50:40.260
This is vishing which is voice-phishing, but like I was saying earlier, it’s the same thing that con

00:50:40.260 --> 00:50:46.440
artists have been doing for a hundred years. Chris changed into Paul and acted like he’s

00:50:46.440 --> 00:50:51.480
from tech support. He e-mails one of the people who clicked the phish and told them hey, look,

00:50:51.480 --> 00:50:56.100
this was a phishing e-mail. You clicked it. You shouldn’t have; change your password immediately.

00:50:56.100 --> 00:51:04.800
Then Chris, or Paul now, calls up the employee. Here’s the actual vishing call that took place.

00:51:04.800 --> 00:51:07.200
CHRIS: This is Paul from tech support. How you doing?

00:51:07.200 --> 00:51:08.940
MSPKR: Good.

00:51:08.940 --> 00:51:13.117
CHRIS: We got that you filled out for that iPhone, the iPhone…

00:51:13.117 --> 00:51:13.133
MSPKR: Yep, yep.

00:51:13.133 --> 00:51:16.020
CHRIS: You went in and did your password change?

00:51:16.020 --> 00:51:17.040
MSPKR: Yes, I did.

00:51:17.040 --> 00:51:18.780
CHRIS: Okay, excellent. Just wanted to tell you

00:51:18.780 --> 00:51:20.640
that was really good. That’s the way it should have been handled.

00:51:20.640 --> 00:51:24.840
MSPKR: Okay, yeah. As soon as we realized it, two of us jumped right on it.

00:51:24.840 --> 00:51:27.600
CHRIS: Okay, so there was another guy on your team that – also?

00:51:27.600 --> 00:51:29.333
MSPKR: Yeah, I think it was JR [CENSORED].

00:51:29.333 --> 00:51:34.380
CHRIS: JR? Okay. Just gonna write down that I’ll be talking to him later on. Just to

00:51:34.380 --> 00:51:38.100
follow-up what we’re doing, are you on the VPN right now? You’re on your work machine?

00:51:38.100 --> 00:51:39.060
MSPKR: Yes.

00:51:39.060 --> 00:51:43.500
CHRIS: Okay, I’m gonna give you an internal address. It’s an FTP site

00:51:43.500 --> 00:51:47.580
that we set up for the [CENSORED] employees. You can go there;

00:51:47.580 --> 00:51:51.660
you can see there’s one file there you’ll be able to download and it will just clean

00:51:51.660 --> 00:51:55.620
up any residual mess from that website that we did – that we used for the audit.

00:51:55.620 --> 00:51:56.580
MSPKR: Okay.

00:51:56.580 --> 00:52:02.820
CHRIS: So, if you’re at your machine, just open up a browser and I’ll give you the address.

00:52:02.820 --> 00:52:05.880
MSPKR: You mean like go on like I’m gonna send an e-mail? I’m not real…

00:52:05.880 --> 00:52:08.513
CHRIS: Well, Internet Explorer? You can open up that.

00:52:08.513 --> 00:52:09.960
MSPKR: Okay, yep, I got the – okay.

00:52:09.960 --> 00:52:14.333
CHRIS: Then up at the top line, the address, type in ftp…

00:52:14.333 --> 00:52:15.000
MSPKR: Ftp?

00:52:15.000 --> 00:52:23.520
CHRIS: Yep, F as in Frank, T as in Tom, and then P as in Paul, and then a colon. Then two slashes and

00:52:23.520 --> 00:52:26.940
these are the slashes that are by your question mark, the same button as your question mark.

00:52:26.940 --> 00:52:28.800
MSPKR: Gotcha; ftp. Okay.

00:52:28.800 --> 00:52:33.420
CHRIS: Then the word is update- and the dash is like the minus sign.

00:52:33.420 --> 00:52:34.140
MSPKR: Gotcha.

00:52:34.140 --> 00:52:35.760
CHRIS: [CENSORED].com.

00:52:35.760 --> 00:52:36.900
MSPKR: Okay.

00:52:36.900 --> 00:52:40.800
CHRIS: When you close that, you should open up – it should say index sub and

00:52:40.800 --> 00:52:44.700
it should have one file. There’s a file called [CENSORED] PC Checker.

00:52:44.700 --> 00:52:47.640
MSPKR: Okay, yeah, no, it’s here. Okay, double-click on that?

00:52:47.640 --> 00:52:48.960
CHRIS: Yeah, click on that.

00:52:48.960 --> 00:52:50.580
MSPKR: Okay.

00:52:50.580 --> 00:52:57.720
CHRIS: It should download or it should ask you if you want to Run or Save. Click Run.

00:52:57.720 --> 00:52:59.700
MSPKR: Okay.

00:52:59.700 --> 00:53:04.200
CHRIS: If everything goes good, you should get no alerts. If you

00:53:04.200 --> 00:53:09.120
have a residual problem from that site then you’ll get a message but if nothing happens,

00:53:09.120 --> 00:53:12.120
then everything’s clean and good and we’re done.

00:53:12.120 --> 00:53:14.700
MSPKR: Okay, I just got a second thing. It said,

00:53:14.700 --> 00:53:18.300
‘The publisher could not be verified. Are you sure you want to run this software?’

00:53:18.300 --> 00:53:19.860
CHRIS: Yeah, click OK.

00:53:19.860 --> 00:53:23.220
MSPKR: Run again? Okay, now it took me back to the original screen.

00:53:23.220 --> 00:53:29.460
CHRIS: Okay, that’s good. If you got no error message, then you’re good to go. You’re clean.

00:53:29.460 --> 00:53:31.320
MSPKR: Okay, well, thanks for the help.

00:53:31.320 --> 00:53:32.940
CHRIS: Not a problem. We’ll talk to you later.

00:53:32.940 --> 00:53:34.560
MSPKR: Yeah, sorry about clicking on that.

00:53:34.560 --> 00:53:37.800
CHRIS: It’s okay, thanks for thinking about it afterward though.

00:53:37.800 --> 00:53:39.240
MSPKR: Okay, man. Alright, thanks.

00:53:39.240 --> 00:53:41.040
CHRIS: Bye.

00:53:41.040 --> 00:53:47.580
JACK: Just like that, Chris has gained remote access to this guy’s computer. He can now do

00:53:47.580 --> 00:53:52.980
anything he wants on it; open a webcam, turn on the microphone, record keystrokes, transfer files,

00:53:52.980 --> 00:53:59.040
screenshot the desktop, or move to another computer deeper inside. This is fascinating

00:53:59.040 --> 00:54:03.900
so let me break it down for you. [MUSIC] The company had state-of-the-art network equipment,

00:54:03.900 --> 00:54:09.000
a firewall to block all the bad connections coming into the building or going out of the building,

00:54:09.000 --> 00:54:14.220
an intrusion detection system to inspect traffic coming and going and blocking anything that looks

00:54:14.220 --> 00:54:19.560
malicious. The employees all have antivirus on their PCs too, to stop any bad software

00:54:19.560 --> 00:54:24.780
from running. But of course, none of their security listens for phishing phone calls.

00:54:24.780 --> 00:54:30.600
It bypasses all that. That’s one problem. Then Chris got the employee to download this

00:54:30.600 --> 00:54:36.300
executable software. They downloaded it and ran it. There was a warning; are you sure you want to

00:54:36.300 --> 00:54:42.060
run this kind of thing? But the computer didn’t lock it from running. Once the program was run,

00:54:42.060 --> 00:54:47.940
it started a reverse connection back to Chris’s computer. To all of the security devices in the

00:54:47.940 --> 00:54:52.860
network this simply looked like a regular web request to Chris’s server, and from there,

00:54:52.860 --> 00:54:58.680
Chris was able to ride that connection back into the employee’s PC and get in.

00:54:58.680 --> 00:55:02.700
This is easily set up, too, with a tool called Metasploit. This is

00:55:02.700 --> 00:55:07.380
just a reverse-shell put on the victim’s PC. Antivirus doesn’t stop it, either.

00:55:07.380 --> 00:55:11.040
CHRIS: No, because it wasn’t seen as a virus.

00:55:11.040 --> 00:55:15.540
JACK: It’s taking advantage of the built-in remote-control capabilities within Windows

00:55:15.540 --> 00:55:22.020
itself. Even a fully-updated computer has the ability to run remote-access commands on it and

00:55:22.020 --> 00:55:25.860
that’s all this did. When you get someone inside the company to run this program,

00:55:25.860 --> 00:55:31.560
it’s all it takes to bypass everything that’s supposed to stop it. Scary stuff.

00:55:31.560 --> 00:55:36.060
CHRIS: I think a lot of times when we talk about this topic, people go ‘I would never

00:55:36.060 --> 00:55:41.460
fall for that.’ When you hear this guy, he sounds like a normal, everyday guy, a guy you probably

00:55:41.460 --> 00:55:48.240
work with. He sounds like just an average dude. He’s not dumb, he’s not just throwing security

00:55:48.240 --> 00:55:52.920
to the wind. He sounds like your average, everyday guy and he’s just like oh my gosh,

00:55:52.920 --> 00:55:59.460
I can’t believe I clicked on that phish. Thanks for helping me. I don’t like that phrase ‘there’s

00:55:59.460 --> 00:56:02.640
no patch for human stupidity.’ We don’t use that because that means that everyone that

00:56:02.640 --> 00:56:06.840
falls for these things is stupid and I don’t think that’s true. This guy wasn’t stupid. I

00:56:06.840 --> 00:56:11.280
think when people hear the call, they get to put themselves in it and go yeah, I get that.

00:56:11.280 --> 00:56:16.440
That could have been me. There probably are some current steps that companies can take to

00:56:16.440 --> 00:56:23.040
stop these things. This was a couple years ago; now we’d probably have to do a little

00:56:23.040 --> 00:56:29.880
fancier footwork with meterpreter. I do think a lot of antiviruses do detect

00:56:29.880 --> 00:56:37.560
reverse-shells now. Maybe a packet inspection system

00:56:37.560 --> 00:56:43.980
could have stopped this but we embedded this just in a normal exe over an encrypted tunnel

00:56:43.980 --> 00:56:48.720
and had no malware in it, no trojans, and no viruses. We wanted to get on the machine and

00:56:48.720 --> 00:56:54.780
then exploit it once we were on. It literally was, for any lack – intents and purposes, it was

00:56:54.780 --> 00:56:59.700
like opening up an SSH server on the box. That’s it. It was just opening up a reverse connection.

00:56:59.700 --> 00:57:02.880
JACK: Now, a lot of my listeners ask me all the time, how can you

00:57:02.880 --> 00:57:05.265
practice social engineering? So, I asked Chris.

00:57:05.265 --> 00:57:08.820
CHRIS: [MUSIC] This is a question I get all the time in my classes ‘cause you really can’t just

00:57:08.820 --> 00:57:16.260
go out and break into places or phish people for fun. I say look, when you look at SE as a science,

00:57:16.260 --> 00:57:21.900
it is literally just learning how to communicate with people on a level that they like to be

00:57:21.900 --> 00:57:27.420
communicated with, learning how to get that person to open up to you. You could do that

00:57:27.420 --> 00:57:33.780
without having to be a pen tester. Maybe not now ‘cause of Covid-19 but you could do this

00:57:33.780 --> 00:57:37.320
with delivery people, you could do this when you go to Starbucks the next time.

00:57:37.320 --> 00:57:43.080
You can have a conversation with a complete stranger and get information from that stranger

00:57:43.080 --> 00:57:46.980
that’s non-malicious. What is their full name? Where do they live? What job do they have? How

00:57:46.980 --> 00:57:51.720
many kids do they have? Are they married? What did they do in their career? Where’d they go to

00:57:51.720 --> 00:57:57.900
school? All these questions which are vital to understand about a person that you’re –

00:57:57.900 --> 00:58:04.260
if you’re a pen tester, you can get in a normal conversation. The more comfortable you are just

00:58:04.260 --> 00:58:06.300
having a conversation with a random human,

00:58:06.300 --> 00:58:10.680
the easier being a social engineer will be when it’s time to do it for a living.

00:58:10.680 --> 00:58:14.880
JACK: If you want to know more about social engineering, check out Chris’s book Social

00:58:14.880 --> 00:58:19.800
Engineering: The Science of Human Hacking. Make sure you get the updated second edition.

00:58:19.800 --> 00:58:25.020
This is a great book which breaks down all the concepts of how to be a great social engineer.

00:58:25.020 --> 00:58:29.640
CHRIS: That’s probably my favorite book that I’ve written. I’ve written four and that one

00:58:29.640 --> 00:58:33.960
is – I feel like it’s eleven years of my experience and science behind it,

00:58:33.960 --> 00:58:39.780
so unlike the first edition of that which was very new and it was not very well-written, this one I

00:58:39.780 --> 00:58:47.400
feel was like, really done well. Like Cialdini’s book called Influence, that’s an amazing book.

00:58:47.400 --> 00:58:51.840
Joe Navarro’s book on What Every Body is Saying is just a phenomenal book.

00:58:51.840 --> 00:58:58.380
Ekman’s book on Emotions Revealed, all about nonverbals, is truly a great book.

00:58:58.380 --> 00:59:03.780
Amy Cuddy’s book called Presence on getting yourself into character;

00:59:03.780 --> 00:59:08.640
I could just kind of list books after books about books that I’ve read that are integral to my life

00:59:08.640 --> 00:59:14.460
that may be not about social engineering but they’re about an aspect of communications and

00:59:14.460 --> 00:59:19.740
social engineering. Robin Dreeke’s book on The Top 10 Ways to Build Rapport with Anyone Fast.

00:59:19.740 --> 00:59:24.900
These books are integral to understand them if you are going to be a social engineer.

00:59:24.900 --> 00:59:28.860
JACK: Of course, I’ll have links to all these books and more in the show notes so make sure

00:59:28.860 --> 00:59:34.320
to visit darknetdiaries.com/episode/69. Besides being the Chief Human Hacker for his company and

00:59:34.320 --> 00:59:39.240
writing books on it, Chris has accomplished so much more. He’s the one who started the social

00:59:39.240 --> 00:59:44.400
engineering village at Defcon which is the most popular village at Defcon. It has some

00:59:44.400 --> 00:59:50.160
great talks but it also has a competition where contestants have to social engineer someone live

00:59:50.160 --> 00:59:55.680
on stage over the phone in front of a crowd. It’s awesome to watch and to learn new tricks.

00:59:55.680 --> 00:59:59.940
I might have to do an episode just on that village alone one day. On top of that,

00:59:59.940 --> 01:00:05.760
he started a non-profit called The Innocent Lives Foundation where people use OSINT and

01:00:05.760 --> 01:00:11.460
hacking skills to try to help authorities find and capture child predators or human traffickers. I

01:00:11.460 --> 01:00:15.300
think we’re gonna have to have Chris come back on to tell his stories about that and more,

01:00:15.300 --> 01:00:19.560
but we’ll have to save that for another time. Wow, thank you so much for sharing this.

01:00:19.560 --> 01:00:22.620
I’m gonna leave it with this last question; have you ever been phished?

01:00:22.620 --> 01:00:29.160
CHRIS: Yes. You know, I love that question because I think sometimes people that are in

01:00:29.160 --> 01:00:35.520
the industry don’t want to talk about the times they were hacked. Yeah, I got phished hardcore. I

01:00:35.520 --> 01:00:39.180
probably have been phished a couple times but the most notable to me, ‘cause I fell for this hook,

01:00:39.180 --> 01:00:47.820
line, and sinker, is – I am an Amazon junkie. I love – I buy everything on Amazon that I can. I

01:00:47.820 --> 01:00:53.100
was preparing for Defcon and I must have ordered like, ten, twenty things for the kid’s competition

01:00:53.100 --> 01:00:59.340
out of Vegas. I’m packing up my office for Defcon and I get an e-mail that looks just like an Amazon

01:00:59.340 --> 01:01:04.380
order e-mail and it says one of your recent orders will not be shipped due to a declined

01:01:04.380 --> 01:01:09.420
credit card. Everything I always tell my customers is don’t ever click those links in the e-mail.

01:01:09.420 --> 01:01:14.160
You open up your browser, you go to amazon.com, you log into your account, and it will tell you

01:01:14.160 --> 01:01:20.280
exactly what the problem is. But not critically thinking, being stressed about Defcon, packing

01:01:20.280 --> 01:01:24.960
my office, seeing that e-mail, going oh my gosh, how can it be declined? My credit card never gets

01:01:24.960 --> 01:01:32.880
declined. I clicked the link. The browser opens, I go to a page that says – it looks like Amazon

01:01:32.880 --> 01:01:38.760
login page. It looks identical to it but I’m one of those guys that has my username saved but not

01:01:38.760 --> 01:01:43.320
my password. I start typing my password and when I go to click the Submit button,

01:01:43.320 --> 01:01:47.760
before I click it, I realize my username’s not there. I’m like, what the heck? My username’s

01:01:47.760 --> 01:01:53.700
always there. I look up at the URL bar and it was like, somethingsomething.ru. I’m like,

01:01:53.700 --> 01:01:58.680
oh my gosh, I just got – I just clicked a phish and literally fell for it from a Russian site.

01:01:58.680 --> 01:02:03.420
Of course, you know, cleaned the computer, changed my passwords, burned the house down, sell

01:02:03.420 --> 01:02:08.760
the family, move to another country, do all the normal things you do when you click on a phish.

01:02:08.760 --> 01:02:14.520
Then I tell my team; I’m like, I just got phished. I’m never telling anyone. That’s so embarrassing.

01:02:14.520 --> 01:02:18.360
Then one of the people on my team, she’s like, you need to tell the whole world this story. This

01:02:18.360 --> 01:02:22.440
can help so many people ‘cause you’re the guy who wrote the book on phishing. You need to

01:02:22.440 --> 01:02:25.500
tell the story how you got phished. I thought about it and I’m like yeah, that’s a pretty

01:02:25.500 --> 01:02:36.060
good point. I do tell the story now but I fell for that 100% because that e-mail, if I did not

01:02:36.060 --> 01:02:42.540
look at that URL bar, I would have clicked Submit and given them my credentials.

01:02:42.540 --> 01:02:46.380
The only thing that caught me was the one flaw that my username was not in that box.

01:02:46.380 --> 01:02:50.520
Otherwise I fell for that thing 100%. Later on, when I went back and inspected

01:02:50.520 --> 01:02:55.740
the e-mail, it was like, for a George Foreman Grill and some Lee press-on

01:02:55.740 --> 01:03:01.260
nails. It was like, not even real items that I would ever order. I’m like oh my gosh,

01:03:01.260 --> 01:03:04.440
if I had just read the dang e-mail, I could have caught it. If I had looked

01:03:04.440 --> 01:03:08.040
at the URL bar, I could have – if I opened my browser and typed the address. There’s like,

01:03:08.040 --> 01:03:13.320
five ways I could have caught that phish and I ignored them all because of stress and lack

01:03:13.320 --> 01:03:18.500
of critical thinking. I’m like yeah, yep, I’ve been phished, man. I’ve fallen for it.

01:03:18.500 --> 01:03:30.780
JACK (OUTRO): [OUTRO MUSIC]

01:03:30.780 --> 01:03:33.780
A big thank you to Christopher Hadnagy, the Human Hacker,

01:03:33.780 --> 01:03:39.540
for being here. You can learn more about him by visiting social-engineer.org or check out

01:03:39.540 --> 01:03:45.360
his podcast which is just called The Social Engineer Podcast. As always, for every episode,

01:03:45.360 --> 01:03:50.040
there’ll be links of all this stuff out on darknetdiaries.com so head over there.

01:03:50.040 --> 01:03:54.900
While there, check out the bonus Darknet Diaries episodes. These are exclusive to Patreon members.

01:03:54.900 --> 01:03:59.700
If this show brings value to you, if you’ve binged through all 69 episodes now and can’t

01:03:59.700 --> 01:04:04.740
wait for the next one, keep in mind, you got all that entertainment for free and it’s because of

01:04:04.740 --> 01:04:09.420
the help of Patreon members that this show keeps running, so please consider joining

01:04:09.420 --> 01:04:14.340
Patreon to help support the show and unlock some bonus episodes. This show is made by me,

01:04:14.340 --> 01:04:18.960
the ghost in the shell code, Jack Rhysider. Sound design and original music was created

01:04:18.960 --> 01:04:24.120
by the sometimes-bored Andrew Meriwether. Editing help this episode was by the devilish Damienne,

01:04:24.120 --> 01:04:29.580
and our theme music is by the maraca-wielding Breakmaster Cylinder. Even though when management

01:04:29.580 --> 01:04:36.300
sends me an e-mail, sometimes I write back with just ‘Unsubscribe’, this is Darknet Diaries.
