“Social engineering is an extremely effective technique used by hackers worldwide to compromise internal systems and proprietary information assets. In fact, it’s one of the top two hacking techniques used by criminals to compromise organizations like yours.
With the use of savviness and Open Source Intelligence (OSINT) from social media or other publicly-accessible websites, malicious “social engineers” weave a convincing pretext via phone, email or in person – all with the goal of fooling members of your team into trusting them.”
– Kevin Mitnick, infamous hacker turned security consultant
Intro
As agreed, to maintain anonymity a cover company was created for this project, outlined in Appendix 1.
On 31st August a breach occurred on the website of a customer of Neuvium. Fortunately, this was a white-hat attack (a real attack undertaken to probe a vulnerability with the goal of finding a solution to mitigate it).
This report will cover the vulnerability and the successful attack, look at the risks involved, recommend steps for mitigation and, finally, give guidance for implementing a solution without damaging company culture.
Ethical Considerations
- We will be conducting this project without the knowledge of product owners and business unit management at Neuvium. We need to be careful that this is not seen as a trap or a ‘gotcha’ attempt.
- I will be taking on the role of an attacker, wearing a black hat for part of this project. Given that I am exploring vulnerabilities in a real company, it will have real-world implications. I have sought appropriate permissions from management and the chief security engineer at Neuvium.
- We don’t want staff who lack the training, time or resources to defend against an attack of this nature to be framed as responsible. The chief security engineer at Neuvium has agreed and I will be withholding information from my report that could be used to personally identify staff members.
The Vulnerability
Once a product enters BAU (Business As Usual) operations, Neuvium has a support team which handles support enquiries for all products. They receive enquiries via a form on their public website. There is no requirement for the customer to provide any sort of authentication in this form. (See Appendix 2).
Hypothesis: an attacker can gain admin access to a Neuvium customer’s website by using the support form on Neuvium’s website.
The Attack
Preparation
I undertook OSINT (open source intelligence) recon and identified a customer of Neuvium. This was easier than I expected thanks to Google. I knew that Neuvium customers have a ‘built by Neuvium’ credit in the website footer, so I figured a Google search would be fruitful. It turns out Neuvium has a search on their website that can be used to find any of their customers. It isn’t accessible through the Neuvium website, but is indexed in Google. A search of “my suburb school Neuvium” revealed this search page in the top 5 Google results.
After choosing a Neuvium customer as a target, their ‘about us’ page identified their marketing manager. I also found a list of board members for the school. I created a Gmail and an Outlook account with these people’s names and a reference to the school, e.g. Alice.doe.thisschool@gmail.com. For the purpose of the report:
- Neuvium’s customer, the educational institution, is Victor of Ark Boys College
- Educational Institution staff members I impersonated: Eve (marketing manager) and Mal (board member)
- Neuvium support member: Sean
Exploitation
With the prep done, I planned to impersonate Eve to have Mal added as an admin to the website. I filled out the support form on the Neuvium website as Eve and a chain of communication followed (see Appendix 3).
Outcome
Within two days of undertaking the initial recon, I had admin access to the targeted website. The new user was added as an admin to the website as requested and I’d also established a foothold for gaining access to other systems in future. Upon logging into the Outlook account I had set up for Mal (the board member), I found an email requesting me to update my password (see Appendix 4). I followed the link in the email and confirmed that I had admin access to the website.
Following this I notified Neuvium’s chief security engineer, Alice.
Risk Assessment
A risk assessment was undertaken which defined the stakeholders, scope, assets and threat model, and enumerated and classified the risks (full assessment in Appendix 5). Highlights from the risk assessment are below.
Risk Matrix
Two medium-level and one high-level risk were identified, with a malicious attacker posing the highest harm severity and also being the most likely to occur.
Probability \ Harm severity | Insignificant | Minor | Moderate | Major | Critical
Rare | Low | Low | Low | Medium (present employee) | High
Unlikely | Low | Low | Medium | Medium (past employee) | High
Possible | Low | Medium | Medium | High | High (malicious attacker)
Likely | Medium | Medium | High | High | Extreme
Almost certain | Medium | High | High | Extreme | Extreme
Rating scale for risk consequence
Below is a sample for the Critical level, corresponding with a malicious attack. The impact at this level has the potential to be very damaging to all stakeholders.
Severity/Stakeholder Impact | Impact to community (parents and/or students) | Impact to Education Institution reputation | Impact to Neuvium reputation |
Harm Severity: Critical | Sufficient PII leaked for identity theft to be performed. | Widespread public awareness. Media news or social media coverage. Control will require the involvement of the community | Widespread public awareness. Media news or social media coverage. Control will require PR, the involvement of the customer and their community |
Recommendations
Malicious Attacker
These recommendations will aid in mitigating the attack vector used in this report.
Recommendation 1: Move the support form/contact inside product admin portals
Justification: Neuvium’s support team is at the core of its business: it has access to, and the right to grant access to, all of Neuvium’s products. Combined with a lack of training and procedures, the public support form is a vulnerability giving access to this core, which is open to exploitation. Moving the form (or access to it) will restrict access to those already authorised, reducing the risk of this type of attack.
Recommendation 2: Establish a primary contact and a list of authorised staff for each customer
Justification: A primary contact at the customer will:
- make support requests
- nominate and manage authorised staff members who can make support requests on their behalf (only the primary contact can authorise staff)
- act as a point of contact if support requests need to be authenticated
The list of authorised staff will comprise the primary contact and any staff they nominate.
Recommendation 3: Create and follow a procedure for authenticating all support requests
Justification: Requests for support should only be accepted from the people on the list of authorised staff. All requests for support need to be authenticated, even the most trivial, because an attacker will use each small interaction to build trust quickly. At the least this should involve:
- all support requests going through the support team
- verifying the name and email used for the request against the authorised staff list
- only replying to emails that are on the authorised staff list (the actual email address, not just the name)
- reporting any support requests from non-approved staff to the primary contact for authentication
- a mechanism for recording unauthorised support requests
Recommendation 4: Educate Neuvium staff on the importance of user authentication
Justification: Educate Neuvium Support and Product team staff on the importance of user authentication. People who request support must be authenticated. This will help maintain adherence to authentication procedures.
Recommendation 5: Neuvium review their public listing of customers
Justification: The search on their website made it easy to find their customers to use for impersonation. This needs to be considered in the context of the other recommendations.
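The authentication procedure in recommendations 2 and 3 can be made mechanical so that it does not depend on an individual support member’s judgement. The following is an added example, not code from this report or from Neuvium, of a request gate that compares the actual sender address (never the display name) against a per-customer authorised staff list, records refused requests for reporting to the primary contact, and lets only the primary contact nominate staff. The customer, staff names, addresses and domain names are constructed for the example.

```python
"""Added example (not from the report or Neuvium): a support-request gate that
applies recommendations 2 and 3. All customer and address values are constructed."""
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import Optional


@dataclass
class Customer:
    site: str                                      # website a request refers to (key of the register)
    primary_contact: str                           # exact address of the customer's primary contact
    authorised: set = field(default_factory=set)   # addresses the primary contact has nominated


@dataclass
class Decision:
    accepted: bool
    reason: str
    escalate_to: Optional[str] = None              # primary contact to consult when a request is refused


def normalise(header_value: str) -> str:
    """Reduce 'Eve Swiftson <eve@example.edu>' to the bare, lower-cased address.
    The display name is discarded on purpose: it is the part an impersonator controls."""
    return parseaddr(header_value)[1].strip().lower()


def authenticate_request(customers: dict, sender: str, site: str, audit: list) -> Decision:
    """Recommendation 3: accept a request only if the real sender address is on the
    customer's authorised list; otherwise record it and refer it to the primary contact."""
    addr = normalise(sender)
    customer = customers.get(site.strip().lower())
    if customer is None:
        audit.append(f"UNKNOWN SITE {site!r} requested by {sender!r}")
        return Decision(False, "site is not a known customer")
    if addr == customer.primary_contact or addr in customer.authorised:
        return Decision(True, "sender is on the authorised staff list")
    # Refused requests are logged so the primary contact can be asked to confirm them.
    audit.append(f"UNAUTHORISED request for {customer.site} from {sender!r}")
    return Decision(False, "sender is not on the authorised staff list", customer.primary_contact)


def nominate_staff(customers: dict, requester: str, site: str, new_staff: str) -> bool:
    """Recommendation 2: only the primary contact may add an authorised staff member.
    Returns True if the nomination was applied."""
    customer = customers.get(site.strip().lower())
    if customer is None or normalise(requester) != customer.primary_contact:
        return False
    customer.authorised.add(normalise(new_staff))
    return True


def build_customers() -> dict:
    """Constructed register for one hypothetical customer site."""
    school = Customer(
        site="example-college.edu.au",
        primary_contact="principal@example-college.edu.au",
        authorised={"eve.swiftson@example-college.edu.au"},
    )
    return {school.site: school}


if __name__ == "__main__":
    customers = build_customers()
    audit = []
    # The marketing manager's name from a free webmail address, as in the attack: refused.
    print(authenticate_request(customers, "Eve Swiftson <eve.swiftson.thisschool@gmail.com>",
                               "example-college.edu.au", audit))
    # The same name from the address that is actually on the list: accepted.
    print(authenticate_request(customers, "Eve Swiftson <Eve.Swiftson@Example-College.edu.au>",
                               "example-college.edu.au", audit))
    # Only the primary contact can add the new board member.
    print(nominate_staff(customers, "eve.swiftson@example-college.edu.au",
                         "example-college.edu.au", "mal@example-college.edu.au"))
    print(nominate_staff(customers, "principal@example-college.edu.au",
                         "example-college.edu.au", "Mal <mal@example-college.edu.au>"))
    print(audit)
```

The request in the marketing manager’s name from a webmail address is refused and referred to the primary contact even though the name matches, which is exactly the check that was missing in the attack; the second call shows that differences in letter case in a genuine address do not cause a false refusal.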
Staff (present and former)
These recommendations apply to both Neuvium and its customers. They will help mitigate the risk of disgruntled and former staff accessing websites.
Recommendation 1: Educate customers and Neuvium staff about the value of admin privileges and how to manage them.
Justification: This will help limit the number of people with admin access to websites. This should include role-based access:
- which roles need admin access,
- how long they have it for,
- revoking access when it is no longer required, or when staff change roles or move on.
Recommendation 2: Annual review of each customer’s admin users and approved staff list
Justification: In the real world we know that sometimes best intentions get left until later, or an admin can slip through the cracks due to time pressure. This review will be initiated by Neuvium and actioned by the customer; it will create an opportunity to pick up any loose ends each year and ensure appropriate staff have access.
Recommendation 3: Review of Neuvium’s admin access to its customers’ websites
Justification: It was noted during this investigation that Neuvium has various staff (past and present) added to its customers’ websites with admin privileges. Neuvium should review all sites immediately and then fall back to recommendation 2.
Recommendation 4: Recommend to customers that they do not list details of staff on their websites.
Justification: In most cases, generic contact details on a website are sufficient. Attackers are able to use staff details to impersonate them, as our attack demonstrated. Each customer will need to consider whether any regulatory requirements affect this recommendation.
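As an added example, not from the report or from Neuvium, of the annual review in recommendation 2 and the review of Neuvium’s own admin accounts in recommendation 3 of this section, the script below checks a site’s exported admin list against the customer’s approved staff list and against a list of current Neuvium staff, and also flags admins with no login for longer than the review period. The site names, addresses, the neuvium.example domain and all dates are hypothetical.

```python
"""Added example (not from the report or Neuvium): annual admin access review over
constructed exports. Sites, addresses, the Neuvium domain and dates are hypothetical."""
from datetime import date

NEUVIUM_DOMAIN = "neuvium.example"          # hypothetical domain of Neuvium staff accounts
NEUVIUM_STAFF = {"sean@neuvium.example"}    # constructed list of *current* Neuvium staff
REVIEW_DATE = date(2021, 9, 1)              # hypothetical date the review is run


def review_site_admins(site: str, admins: list, approved: set, neuvium_staff: set,
                       today: date, max_idle_days: int = 365,
                       neuvium_domain: str = NEUVIUM_DOMAIN) -> list:
    """Return (site, email, reason) findings for one customer site.
    admins: [{"email": ..., "last_login": date}, ...] as exported from the site.
    approved: the customer's approved staff list (primary contact plus nominees)."""
    findings = []
    for account in admins:
        email = account["email"].strip().lower()
        domain = email.rsplit("@", 1)[-1]
        if domain == neuvium_domain:
            # Neuvium's own accounts: leavers must go; current staff must justify the access.
            if email not in neuvium_staff:
                findings.append((site, email, "unrevoked access: former Neuvium staff"))
            else:
                findings.append((site, email, "Neuvium staff admin: confirm still required"))
        elif email not in approved:
            findings.append((site, email, "unrevoked access: not on approved staff list"))
        idle_days = (today - account["last_login"]).days
        if idle_days > max_idle_days:
            findings.append((site, email, f"dormant: no login for {idle_days} days"))
    return findings


def review_all(sites: dict, neuvium_staff: set, today: date) -> dict:
    """Run the review for every customer. Sites with nothing to act on are omitted so
    each customer is sent only the accounts that need a decision."""
    report = {}
    for site, data in sites.items():
        findings = review_site_admins(site, data["admins"], data["approved"], neuvium_staff, today)
        if findings:
            report[site] = findings
    return report


def sample_sites() -> dict:
    """Constructed export for two hypothetical customer sites."""
    return {
        "example-college.edu.au": {
            "approved": {"principal@example-college.edu.au", "eve.swiftson@example-college.edu.au"},
            "admins": [
                {"email": "principal@example-college.edu.au", "last_login": date(2021, 8, 20)},
                {"email": "eve.swiftson@example-college.edu.au", "last_login": date(2021, 8, 30)},
                {"email": "old.webmaster@example-college.edu.au", "last_login": date(2019, 6, 1)},
                {"email": "leaver@neuvium.example", "last_login": date(2020, 1, 15)},
                {"email": "sean@neuvium.example", "last_login": date(2021, 8, 31)},
            ],
        },
        "example-academy.edu.au": {
            "approved": {"office@example-academy.edu.au"},
            "admins": [{"email": "office@example-academy.edu.au", "last_login": date(2021, 7, 1)}],
        },
    }


if __name__ == "__main__":
    for site, findings in review_all(sample_sites(), NEUVIUM_STAFF, REVIEW_DATE).items():
        for _, email, reason in findings:
            print(f"{site}: {email}: {reason}")
```

On the constructed data only the first site appears in the report: the former webmaster and the Neuvium leaver are each flagged twice (not approved and dormant), the current Neuvium support account is flagged once for confirmation, and the approved, active accounts produce no findings.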
Out of Scope
Other insecure behaviours were noted during this investigation, leading to two out of scope recommendations.
Recommendation 1: Neuvium stop accepting/asking for customer credentials
Justification: During the course of this investigation, it was noted that on numerous occasions Neuvium staff accepted and internally shared customers’ login credentials. This presents risks to both the customer and Neuvium.
Implementation
Probing social engineering vulnerabilities and implementing solutions can be risky for workplace culture. By undertaking an attack there is a potential to damage trust between staff and management – staff can feel that they have been tricked or trapped, especially if they are singled out as the victim of the attack. On the other hand, if staff are forewarned, hyper-vigilance can mask any systemic vulnerabilities that can later resurface once behaviours settle back into BAU.
To avoid damaging staff trust, it is recommended that the actual attack and the following sections of this report are kept on a need-to-know basis:
- Report sections: Intro, The Attack, Implementation, Conclusion
- Appendices 1-4
By doing this, any security changes can be implemented as a response to identification and assessment of the vulnerability itself, thus preserving trust with staff while mitigating the vulnerability.
Conclusion
During the course of this investigation a potential vulnerability was identified in the Neuvium customer support process which could give an attacker admin privileges to their customers’ websites. A white-hat attack was undertaken and admin access was gained. Following this, a risk assessment was undertaken and recommendations to mitigate the risks were developed and presented along with implementation guidance.
Given that an attacker using this method could access PII about Neuvium’s customers’ staff, students and parents and that Neuvium has responsibilities under the Notifiable Data Breach Scheme, mitigation of at least the malicious threats is critical.
More broadly, security is an aspect that needs to be considered at all stages of the product lifecycle and business processes, not just when a product enters BAU. Implementing Security-by-Design practices could benefit Neuvium, including:
- Consider security for each part of the organisation, its services and/or products
- Consider security in their C2C process
- Role Based Access (system/resource access, customer websites/systems access, right to delegate)
- Encouraging reporting of issues
- Implementing a system or process for assessing raised issues and adding new risks
Security is a dynamic and continuous process. By implementing Security-by-Design principles, security becomes an inherent property of the business and its products. This will place Neuvium in a proactive position, prepared for attacks when they come, rather than responding reactively to attacks when they occur. The likelihood of vulnerabilities will be reduced, and so will their exploitation.
Appendix
Appendix 1: Neuvium background
Neuvium is an Australian tech company. They develop, sell and service a range of products focused on education, with products across a range of abilities and functions in the educational sector. These include:
Target markets:
- Figetium: K–12 primary and secondary level
- Digitium: Tertiary level
- Wigetium: Academic level
Products:
- Websites: a website service for educational institutions. Owned and managed by Neuvium, but content is managed and owned by the institution.
- Teacher rostering: cloud-based software. Includes a teacher’s personal contact details, current and historical roster and location of classes.
- Student management: cloud-based software. Allows for reporting of students at a particular school; includes their personal contact details, school results, current enrolments, timetable and class locations.
Following familiarisation with Neuvium’s support process, I identified a possible social engineering vulnerability. I approached the chief security engineer at Neuvium, Alice, and notified her of the potential vulnerability and offered to test it. Alice agreed to let me test it. I undertook my attack and within two days had gained admin privileges to a customer’s website. Alice was shocked and agreed that I could use this case as the basis for this project.
Appendix 2: Neuvium support request form
Appendix 3: Communication with Neuvium
Message 1, from me (public support form):
Hi there, We have a new board member who is familiar with WordPress and has offered to help us manage our website as I move into a new role. How do I have him added to the site? Thanks
Comment: This was the original form submission. I made a simple and relatively vague request for help through the public form on Neuvium’s website.
Message 2, Neuvium support response:
Hi there, Thanks for your email to Neuvium. So that we can add in the new admin for you can you please confirm their email and full name and also the site URL? Kind Regards, Sean
Message 3, from me:
Hi there Sean, Thanks for your speedy reply, I appreciate it. I should have done this last week, but have been snowed under with other tasks before I officially go part time. Her name is <redacted> and email is <redacted> and our website address is <redacted>. Thanks again for your help! Hope you are well during these trying times. Best wishes, Eve
Eve Swiftson, Marketing Coordinator (part time), Victor of Ark Boys College
Comment: I created some urgency by expressing gratitude and admitting that I should have done this earlier and am feeling under pressure. People don’t expect attackers to be personable, so I added the personal touch at the end. This also gives the impression that I am a chatterbox and over-sharer, so that when/if I stretch the ‘friendship’ in future they will just think it is my personality. People also tend to think of people with these traits as being a little daft and want to help them.
Message 4, Neuvium support response (user has been added):
Hi Eve, This user has now been added, Mal should receive a password reset link to help her complete her access requirements. Please let me know if you need any additional assistance. Kind Regards, Sean, Support team, Neuvium
Message 5, from me:
Thank you Sean! Mal has just emailed me saying she has logged in, she’s very hands on. I just had a thought, she may be helping with managing our other systems, it’s out of my depth and I think we’ll be ok, but if she needs help can she contact Neuvium on this email address? Thanks so much again for your help. Best wishes, Eve
Eve Swiftson, Marketing Coordinator (part time), Victor of Ark Boys College
Comment: I learnt from The Art of Deception not to close comms after achieving a goal. So I continued the daft over-sharer persona and closed off by asking a generic question about future assistance, the reply confirming that the newly created account should be able to seek assistance with gaining access to other systems. And we can also drop Sean’s name with the next support person we encounter.
Message 6, Neuvium support response:
Hi Eve, Yes please feel free to email <redacted> and our team will be able to help out.
Comment: I think Sean has had enough of me, but he should remember me as the nice but slightly daft and annoying customer if anyone asks about Eve in future.
Appendix 4: Confirmation of admin access
Appendix 5: Risk Assessment
Stakeholders
- Neuvium – tech company that builds and runs a number of digital platforms for educational Institutions
- Neuvium’s customers – educational institutions
- Community
- Students – of educational institutions; these range in age from 4 to adult
- Parents – of students where they are minors
Scope
Being a tech company, Neuvium has a broad range of security risks. They already have a security risk assessment and plan in place, and Neuvium engages a third party to help with technical testing such as pen testing. However, for social engineering risk, their assessment and preparation is limited to phishing, preceded by a phishing awareness campaign.
The scope of this report is social engineering attacks, specifically an attacker impersonating a Neuvium customer and gaining access to the customer’s website admin portal.
Assets
- Educational Institutions’ websites
- Website administrator details
- Neuvium customer details – this includes personal information about staff, teachers, students and their parents.
- Reputation (educational institution) – could be damaged with community partners (sponsors) and their communities (parents and students)
- Reputation (Neuvium) – could be damaged with customers (educational institutions and engaged members of their communities) and the broader EdTech space.
Threat Model
We are investigating access to the admin portal of Neuvium’s customers’ websites, which is open to a range of threats:
- Malicious attacker
  - Hacker
    - Fun, vandalism
    - Ransomware-type attack
    - Mining for identity theft data
    - Mining for credential stuffing attack data (getting passwords and usernames from a weak target to reuse on other platforms)
  - Criminal wanting physical acquisition of educational institution staff or community members (students, parents)
    - Paedophiles wanting to access children’s details
    - Estranged parents wanting to locate children or an ex-partner
    - Criminals engaged in kidnap/ransom demands
  - Competitor (educational institution)
    - Seeking to damage the educational institution’s reputation
    - Wanting to poach students
  - Competitor (Neuvium)
    - Seeking to damage Neuvium’s reputation in the market
    - Wanting to poach educational institutions
- Past employee
  - Past employee of an educational institution, unrevoked access
  - Past employee of Neuvium, unrevoked access
- Present employee
  - Present employee of an educational institution, illegitimate use of access
  - Present employee of Neuvium, illegitimate use of access
Enumerate and Classify Risks
Looking at the threat matrix in the context of our specific attack, we have three risk types.
Risk types
- Impersonation to gain access
- Misused legitimate access
- Unrevoked legitimate access
Risk Matrix
Probability \ Harm severity | Insignificant | Minor | Moderate | Major | Critical
Rare | Low | Low | Low | Medium (misused legitimate access) | High
Unlikely | Low | Low | Medium | Medium (unrevoked legitimate access) | High
Possible | Low | Medium | Medium | High | High (impersonation to gain access)
Likely | Medium | Medium | High | High | Extreme
Almost certain | Medium | High | High | Extreme | Extreme
Rating scale for risk consequence
Type of impact \ Harm severity | Insignificant | Minor | Moderate | Major | Critical
Impact to community (parents and/or students) | No personal data accessed or stolen. Not involved. | Anonymised data leaked. Could be used in an inference attack. | Data leaked that can associate them with the educational institution. | Data leaked that can be used for further targeting, e.g. name and email or telephone number. | Sufficient PII leaked for identity theft to be performed, or for physical acquisition to be undertaken. |
Impact to educational institution reputation | No external awareness. Control of impact can be managed internally. | Some community awareness. Control of impact can be managed internally. | Broad community awareness. Control of impact can be managed internally, but the community will need to be notified. | Some public awareness. Control will require the involvement of the community. | Widespread public awareness. Media news or social media coverage. Control will require the involvement of the community. |
Impact to Neuvium reputation | Little to no impact; control of impact can be managed internally. | Customer awareness; control of impact can be managed internally. | Customer awareness; the customer will need to be involved in control of the situation. | Some public awareness. Control will require the involvement of the customer and their community. | Widespread public awareness. Media news or social media coverage. Control will require PR and the involvement of the customer and their community. |
Prioritise Risks
Risk Source | Risk Type | Rank |
Malicious, attacker | Impersonation | 1 |
Malicious, Neuvium competitor | Impersonation, Unrevoked legitimate access | 1 |
Malicious, Educational Institution competitor | Impersonation, Unrevoked legitimate access | 1 |
Past Employee | Unrevoked legitimate access | 2 |
Present Employee | Misused legitimate access | 3 |