ServiceNow Security – Social Engineering

Authored by Scott Poling

Protecting your business practice, assets, and proprietary information will always be a never-ending battle. For every security patch that is released, there are operators reverse engineering different aspects of every platform, looking for exploits. Nothing, and I mean nothing, is ever 100% secure. Even in a perfect world where your instance was 100% secure, the unfortunate reality is that humans are not 100% secure. Social engineering is the most common and easiest method of breach. It is a term that encompasses a broad spectrum of malicious activities, the most common of these being phishing. In this series I will go full circle with malicious attacks: I will show you how attacks originate, as well as how you prevent them. If you have a full understanding of how attacks are pulled off, prevention and mitigation become easier. Please note that there are many ways that malicious activities can occur; I go through one as an example scenario. You must be vigilant for any suspicious activity to protect yourself.

Origination of Attack

Generally, it is hard to find out what sort of platforms a company is running. This was more difficult when platforms were self-hosted on-premise; the boom of cloud computing introduces another level of danger. The ServiceNow cloud hosts all instances, and ServiceNow does not let you host on premise. With the right System Administrators, I would argue that on-premise hosting is more secure than cloud; however, this is not without all the other negatives of self-hosting. So how would one figure out who is running ServiceNow? Easy: the answer is DNS enumeration. There are plenty of tools available to run DNS enumeration that will show you who has a domain publicly accessible. To protect the privacy of companies, I will not be going into any details regarding this process.

Now you have a target company that is running ServiceNow on a publicly accessible domain. One method of phishing is known as Email Spoofing. An email spoofing attack is extremely easy to pull off, and I will go over a quick social engineering test to show you how easy it is. It requires a domain, local hosting (running PHP) and some insider knowledge about the company you are attacking. Thanks to social media, finding information on companies, particularly employee names, is relatively easy. Most people will be happy to accept your connection request. The information you need to gain from this is an email address (which can be guessed) and the name of an employee. You can continue adding people within the target company until you find an ideal breach candidate. Generally, you will spoof a VP, President, or someone higher in the company, targeting a regular employee like an engineer. This is usually done because most people do not want to scrutinize their own leaders. For this example, I will be the mark.

Once you have your neat little PHP script finished, you can run it on any host. I am obfuscating some of the process here, as I would like to focus more on threat mitigation as opposed to how to compromise someone. Knowing how a threat originates is important in knowing how to protect against it.


Here is what the PHP script looks like in a browser.


This is how it was received. Outlook recognized this was spam and placed it in Junk Email, but it even attached the user profile correctly.
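
A recipient-side check for the kind of spoofed message described above, as an added example that is not part of the original post: it reads the receiving server's Authentication-Results header (SPF, DKIM, DMARC) and compares the From domain with Return-Path and Reply-To. The sample messages, all domains and the `mx.corp.example` authserv-id are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples, not taken from the original post. All names are hypothetical.
SPOOFED = """\
Return-Path: <www-data@cheap-host.example>
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=cheap-host.example; dkim=none; dmarc=fail header.from=corp.example
From: "Pat Vice-President" <pat.vp@corp.example>
Reply-To: pat.vp@corp-helpdesk.example
To: engineer@corp.example
Subject: ServiceNow password reset

Please log in today.
"""
LEGIT = """\
Return-Path: <pat.vp@corp.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example; dmarc=pass header.from=corp.example
From: "Pat Vice-President" <pat.vp@corp.example>
To: engineer@corp.example
Subject: Quarterly planning

See you Thursday.
"""

def domain(header_value):
    """Lower-cased domain of an address header, or '' when the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def spoofing_indicators(raw, trusted_authserv="mx.corp.example"):
    """Return a list of reasons the message looks spoofed (empty list = none found)."""
    msg = message_from_string(raw)
    findings = []
    # Trust only results stamped by our own receiving server (the authserv-id);
    # a sender can pre-insert a forged Authentication-Results header.
    auth = " ".join(h.lower() for h in msg.get_all("Authentication-Results", [])
                    if h.strip().lower().startswith(trusted_authserv + ";"))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1) if m else "missing"
        if result != "pass":
            findings.append(f"{mech}={result}")
    from_dom = domain(msg["From"])
    for name in ("Return-Path", "Reply-To"):
        other = domain(msg[name])
        if other and other != from_dom:
            findings.append(f"{name} domain {other} differs from From domain {from_dom}")
    return findings

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, spoofing_indicators(raw))
```

A Return-Path mismatch on its own is common for mail sent through third-party services, so weigh it together with the DMARC result rather than alone.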



Employee Education

If you are reading this and thinking “Wow, this is scary,” well, it is. You could get creative with these emails and even attach images to make it look like your own ServiceNow instance sent it to you automatically. Thankfully, there is a lot you can do to prevent even the possibility of social engineering. The easiest prevention technique is employee education. The System Administrator / Security team should regularly educate all employees on social engineering and security best practices. This is the best and easiest way to prevent compromise from social engineering attacks; however, as I said before, humans are not 100% secure.

URL Masking

As mentioned previously, if you leave the out-of-box settings in place, you will be provided an FQDN. You can see public ServiceNow instances with DNS enumeration. A good way to prevent selective attacks is by not allowing malicious operators to even know you are running ServiceNow. All information the attacker can gain will be used against you. A great mitigation tactic for this is setting a custom URL as the instance URL. If the attacker cannot find your login URL, they will have a much harder time pulling off the attack.

Multifactor Authentication

Multifactor Authentication, or Two Step Authentication, is a very good way to harden your instance against unauthorized intruders. If you use SSO (Single Sign-On), you can have Microsoft MFA take care of authentication. Alternatively, ServiceNow offers its own (Google based) authentication. With Multifactor Authentication, it is nearly impossible to compromise an instance, as an attacker would have to have a user’s device, or the like. Remember, anything is possible.


High Security Plugin

ServiceNow has released a High Security Plugin that is active by default on all instances (Geneva and newer) and is very helpful for instance hardening. The configurations are defaulted, so you do not have to set anything up. If you are on an instance that does not have this available, you should probably consider updating your version, but you can request the plugin if all else fails. Paired with the High Security Plugin, you should utilize the Instance Security Dashboard. This dashboard gives you insight into Failed Logins, Security Elevations, Compliancy, Metrics, and even includes a Security knowledge base. It was newly released within the past year; if you would like to read up on it, there’s a link below.

Closing Thoughts

The contents of this blog do not cover every aspect of protecting your instance. Hopefully this will allow you to start conversations within your company about security and best practices. The threat of a breach is a constant possibility, and I would like to stress that you should be doing everything you can to protect your company from malicious activity. In some rare cases, a breach can cause irreparable damage to a company’s assets and day-to-day business activities, not to mention lawsuits in some scenarios. Security is not to be taken lightly.


All information contained in this blog is for informational and educational purposes only. I believe that information security and cyber security should be familiar subjects to anyone using digital information and computers. I believe that it is impossible to defend yourself from hackers without knowing how hacking is done. Concurrency is against misuse of this information and we strongly suggest against it.