Accuvant’s Martin Bos and Eric Milam now demonstrate a demo on building a list of company employees based on Jigsaw data and some social engineering tricks.
Martin Bos: Basically, what we’re doing here is we’re going to look for a company. The first thing you want to do is do an ‘-s’ and search for the company. We’re going to pick on Humana – sorry if anybody works there. Just a disclaimer: we didn’t send Humana any emails; we didn’t do anything to their organization, this is all passive.And so, basically what it will do is it will search for Humana. Jigsaw operates by ID, so this is everything that it found for Humana (see image), but you can see at the top: it gives us the ID for Humana Inc., which is the real health care place, and it’s given us 1871 employees. And that’s quite a bit more than any of these other old school email harvesting scripts usually ever find.
So, you just give it an ID number, and then you just give it an ‘-r’, and you give it a report name, and it writes it out to a CSV file. The only other thing that it asks you is that if it finds multiple domains that are linked to Humana, you just have to choose the domain, so we’re just going to do ‘Humana’.
Eric Milam: When a company buys another company and still got the domain, what this will do is that when it builds the actual emails for you in a CSV, this is the domain that will be used for the email examples.
Martin Bos: And this takes a while, so we’ve actually got it already listed out here: so, basically, you just open it up.
Martin Bos: And what we like to do is go over here to department, for example, and we can grab all the IT and IS people, and we can go ahead and filter them out of there (bottom left-hand image). Of course, we would leave in the director though, because we know he can click our link and that will be the most embarrassing thing. So, that’s just one of the tools we use for email harvesting, but you can see that gave us 1800 targets just to begin with, by just a couple of commands.Eric Milam: Here’s the cool thing about that list. So, you’ve got a list of 1800 emails; we know that probably not all of them are right. Here’s something that we like to do that not a lot of other people do – normally, they’ll just send out an email to those 1800 contacts. What I like to do is I like to use my fake Gmail account Jim Smith, and I just create a fake email that says: “Sylvia’s 60th Birthday Party,” Sylvia’s my Mom’s name, and I just basically say: “Howdy friends & family,” make something else up. I send it out to those 1800 (see screenshot).
I like to do this about a week ahead of time, because what happens is, first of all, most of the time it will filter out what email addresses are invalid. We’ve been told plenty of times by plenty of companies that if you send it to an invalid email address, it will just drop it. That’s 99.9% of the time not the case. It doesn’t matter if they’ve configured it or work with Microsoft, whatever – we’re still getting bounce back, so we’re able to filter that out.
Another cool thing that we get out of this is, especially during summer holidays, we get kickback saying: “Hey, I’m out of the office, but you can talk to so and so.” And then we can look up and say: “Oh, so and so is not on our list,” so we add them to our list. So, we start getting more people: we get the title of the people, we get phone numbers for the people, we get all kinds of information.
And one of the cool things we got recently is that there was a legal disclaimer in the footer for their emails. So, all these things help us build our email that we’re going to send out. It builds that trust level: if the language looks the same, if it’s laid out the same; we see how their emails are laid out, we see how their signatures are laid out; whether or not the email includes an image, etc. So, we can mimic that as closely as we can, because we want to exploit the trust that exists there.