Roberto Salgado Wolf Sheeps Clothing · Brief History of S.E - Examples! Adam & Eve - 4000-6000 BC!...

Post on 22-Jul-2020

Social Engineering

A Wolf in Sheep’s Clothing

Roberto Salgado

- Programmer / Security Researcher / Pentester
- Co-founder of Websec
- Websec = Information Security Solutions
- Pen-testing, training, monitoring, etc.

Contact Info

- @LightOS
- rsalgado@websec.ca
- http://www.websec.ca

Overview

- What is Social Engineering?
  - Definition
  - Brief History
  - Trending Topic
  - The Evolution of S.E.
  - Different Forms of S.E.
- How is Social Engineering Performed?
  - Performing OSINT (Open-source Intelligence)
  - Selecting a Delivery Method for Payload
  - Creating a Command & Control Center
  - Making Payload FUD (Fully UnDetectable)
  - Live Demo
- How to Defend Against Social Engineering?

Social Engineering: What is it?

Definition

- S.E. is an attack vector that involves tricking the human element into breaking security procedures.
- Generally requires very little to NO technological or security knowledge. The very strongest security can be overcome by a clever social engineer.
- Comes in many shapes, forms & colors.
- ALL of us have been victims of it at some point in our lives. It affects both end-users and businesses.

Brief History of S.E.

- Doesn’t have a defined starting moment.
- Has probably been around since the beginning of humanity.
- Countless examples of S.E. throughout history.

Brief History of S.E. - Examples

- Adam & Eve - 4000-6000 BC
- The Trojan Horse - 1188 BC
- George Parker - early 1900s
- Charles Ponzi - 1920s
- Victor Lustig (“The man who sold the Eiffel Tower”) - 1925
- Frank Abagnale (Catch Me If You Can) - 1960s
- Kevin Mitnick - around 1980-1995
- Thomas Katona (treasurer of Alcona County, Michigan) - 2007
- Bernie Madoff - 2008
- RSA SecurID Breach - 2011
- AP Twitter Hacked - 2013
- Target (HVAC contractor) - 2013

Brief History of S.E. - Personal Examples

- Myself (Gypsies) - 2003?
- Close Friend - 2013
- My Roommate - 2015
- ?

#SocialEngineering is Trending…

The Evolution of S.E.

- S.E. is no longer confined to the physical realm.
- Technology has made some fraud more difficult to commit; however, it has created all sorts of new opportunities for adaptable fraudsters.
- Nigerian phishing scams still work, however not as well as before.
- Attackers have gotten more clever with their techniques.

The Evolution of S.E.

- Receiving an EXE file via e-mail is a thing of the past.
- Ever suspect that an Office document (Word, PowerPoint, Excel) could hack you?
- Heard of HTA? Supported by Windows since 1999.
- Like an EXE, but currently undetectable by AV and can run PowerShell.
- Unicode magic!

Unicode Magic!

- Left-To-Right Override: U+202D
- Right-To-Left Override: U+202E
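As an added defender-side example (not code from the talk), the following Python flags filenames that carry these override characters and shows the extension a file manager would display beside the real one. The rendering is a deliberate approximation of the Unicode bidi algorithm, and the embedding/isolate controls are included beyond the two the slide lists.

```python
# Bidi control characters that can reorder displayed text. The slide names
# U+202D and U+202E; the embedding/isolate controls are added for completeness.
BIDI_CONTROLS = {
    "\u202A": "LEFT-TO-RIGHT EMBEDDING",
    "\u202B": "RIGHT-TO-LEFT EMBEDDING",
    "\u202C": "POP DIRECTIONAL FORMATTING",
    "\u202D": "LEFT-TO-RIGHT OVERRIDE",
    "\u202E": "RIGHT-TO-LEFT OVERRIDE",
    "\u2066": "LEFT-TO-RIGHT ISOLATE",
    "\u2067": "RIGHT-TO-LEFT ISOLATE",
    "\u2068": "FIRST STRONG ISOLATE",
    "\u2069": "POP DIRECTIONAL ISOLATE",
}

def rendered_name(name: str) -> str:
    """Approximate how a file manager draws the name: text after a
    RIGHT-TO-LEFT OVERRIDE is shown reversed until a POP DIRECTIONAL
    FORMATTING or the end of the string; other controls are invisible."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202E":
            end = name.find("\u202C", i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        else:
            if ch not in BIDI_CONTROLS:
                out.append(ch)
            i += 1
    return "".join(out)

def extension(name: str) -> str:
    """Extension as the OS sees it (last dot wins), lower-cased."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def inspect_filename(name: str) -> dict:
    """Flag hidden bidi controls and compare displayed vs real extension."""
    controls = [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name)
                if c in BIDI_CONTROLS]
    shown = rendered_name(name)
    return {
        "suspicious": bool(controls),
        "controls": controls,
        "displayed_as": shown,
        "displayed_extension": extension(shown),
        "real_extension": extension(name),
    }
```

For the constructed name `Salary_Summary<U+202E>fdp.exe` the report shows `Salary_Summaryexe.pdf` as the displayed name with a real extension of `exe`, which is the mismatch a mail gateway or EDR rule should alert on.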

Live Demo!

Different forms of S.E.

- Baiting
- Phishing
- Pretexting
- Tailgating
- Quid Pro Quo
- Shoulder Surfing
- Dumpster Diving

Baiting

- Refers to leaving “bait” for the target to pick up, relying on the curiosity or greed of the person being targeted.
- The Trojan Horse is one of the greatest mythological examples of baiting.
- A modern-day example is dropping USB drives labelled “Executive Salary Summary Q1 2016”.
- Free music/movies in exchange for downloading a “game” or providing personal info on a form.

Baiting

- Send the secretary a bouquet of USB flowers.
- Pretend to be from a romantic lover/admirer.
- Curiosity will inevitably lead to the USB flower being plugged in.
- This scenario makes the target less suspicious of an attack.

Baiting

- According to research, 76% of people plug an unknown USB into their office computer.

Baiting

- USB devices exist that can FRY your computer just by being plugged in.

Phishing

- Involves fake emails, websites and ads designed to impersonate real systems in order to trick the user.
- One of the more prevalent forms of Social Engineering seen today.
- Fake Anti-Virus infection warnings (scareware), PayPal phishing sites, offers for free music, etc.

Phishing

- Fake SMS message from “Rogers”
- The sender number 7000 can be spoofed
- Website: http://rogers-clients.com/login/

Pretexting

- An invented scenario used to trick the victim into performing actions that would normally be unlikely (the human equivalent of phishing).
- Impersonate a trustworthy figure: fake IT support needing to do maintenance, a false investigator performing a company audit, co-workers, police, tax authorities, etc.

Quid Pro Quo

- Means “something for something”.
- A malicious actor calls several IT companies claiming to provide an IT service.
- Eventually the attacker will encounter a company that actually requires the service offered.

Shoulder Surfing

- Looking over someone's shoulder to obtain personal access information.
- Someone's ATM/smartphone PIN, computer passwords.
- Can also be done from a distance with cameras.

Dumpster Diving

- Involves going through a person's or company's garbage to obtain confidential information.
- Can turn up bank statements, credit card numbers, contracts, corporate policies, etc.

Social Engineering: How is it done?

Open-Source Intelligence

- Intel gathered from publicly available sources.
- Many platforms available: Google, Facebook, LinkedIn, etc.
- Software available to help: Maltego, theHarvester, creepy, etc.

Delivery Method for Payload

- Several forms: in person, phone, email, website, USB drops.
- E.g.: pretend to work for the target's ISP and claim you've detected malware installed on their computer.
- Consider what we know about the target.
- Which method would seem the least suspicious?
- Identify your strengths and weaknesses. Practice.

Picking a Domain

- Character omission, repetition, swapping, replacement, insertion
- Missing dot
- Singularize or pluralize
- Bit flipping
- Homoglyphs
- Wrong TLD
- URLCrazy tool
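As an added example from the defender's side (not the speaker's code and not URLCrazy), this Python classifies domains seen in mail logs or certificate transparency feeds against a protected domain using the same lookalike classes listed above. The protected domain websec.ca is taken from the contact slide; the confusables table is a constructed subset.

```python
import unicodedata

PROTECTED = "websec.ca"  # the domain being defended (the speaker's, from the slides)

# Tiny confusables table: Cyrillic/Greek letters and digits that resemble Latin
# letters. Constructed for this example; production lists are far larger.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0455": "s", "\u0501": "d", "\u03bf": "o", "0": "o", "1": "l", "3": "e",
})

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, replacement
    and adjacent transposition each cost 1 (covers the slide's edit classes)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(candidate: str, protected: str = PROTECTED) -> str:
    """Return 'legitimate', 'unrelated', or the lookalike class matched."""
    plain = unicodedata.normalize("NFKC", candidate.strip().lower().rstrip("."))
    if plain.startswith("www."):
        plain = plain[4:]
    if plain == protected:
        return "legitimate"
    if plain.translate(CONFUSABLES) == protected:
        return "homoglyph"
    label, _, tld = plain.translate(CONFUSABLES).partition(".")
    p_label, _, p_tld = protected.partition(".")
    if label == p_label and tld != p_tld:
        return "wrong TLD"
    if label in (p_label + "s", p_label.rstrip("s")):
        return "pluralized/singularized"
    if osa_distance(label, p_label) == 1:
        return "single edit (omission/repetition/swap/replacement/insertion/bit flip)"
    if p_label in label:
        return "missing dot / glued prefix"
    return "unrelated"
```

A one-character bit flip of an ASCII letter is just a replacement at distance 1, which is why it falls into the same bucket as the other single edits.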

Command & Control Center

- Server to host: load an AWS instance
- Amazon = affordable + trusted IP address
- Different open-source and commercial tools available:
  - Metasploit Framework
  - PowerShell Empire Framework
  - Wide variety of RATs

MSF C&C

- Free (community edition) & reliable.
- Constantly being improved and added to; has a community contributing to it.
- Multiplatform.
- Resource scripts (a neat feature for automation).
- Developed and maintained by Rapid7.

Making Payload FUD

- There are many publicly available crypters, packers and code obfuscators.
- Crypters & RATs are shared in online communities, e.g. indetectables.net
- Mini-challenges to obtain crypters so they remain FUD for longer.
- A few attack vectors still aren’t well detected (macros, HTA files, PowerShell).

Making Payload FUD

LIVE DEMO

Social Engineering: How to defend against it?

Am I a target?

- Most definitely!

Heard of Ransomware?

Tips For Staying Safe!

First we have to ask ourselves, why are these techniques so effective?

Carelessness or lack of awareness? Maybe a bit of both…

Tips For Staying Safe!

From Kevin Mitnick’s book “The Art of Deception”:

- People inherently want to be helpful and therefore are easily duped.
- They assume a level of trust to avoid conflict.
- It’s all about gaining access to information that people think is innocuous when it isn’t.
- Hear a nice voice over the phone and we want to be helpful.

Tips For Staying Safe!

- Training & Awareness
- Reminders (Posters)
- Security Hygiene in the Office
- Have Policies In Place
- Testing, Testing & More Testing!
- Follow Best Security Practices
- AV?

Tips For Staying Safe!

- Don’t trust what a link displays as its URL; it can be spoofed. The same goes for file extensions.

<a href="https://www.google.com/" onmousedown="this.href='http://websec.ca'">https://www.google.com/</a>
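The tag above shows the trick. As an added detection example (not from the talk), this Python audits the anchors in a page for a visible URL whose host differs from the href host, or an on* handler that can rewrite the destination, and runs over a constructed sample containing that tag, a lookalike using the rogers-clients.com host from the SMS slide, and one honest link.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect each <a>: its href, any on* event handlers, and visible text."""
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = {k: (v or "") for k, v in attrs}
            self._cur = {"href": a.get("href", ""), "text": "",
                         "handlers": {k: v for k, v in a.items() if k.startswith("on")}}

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(self._cur)
            self._cur = None

def host(url: str) -> str:
    return (urlparse(url.strip()).hostname or "").lower()

def audit_links(html: str) -> list:
    """Return (href, visible text, reasons) for links whose shown URL or handler is deceptive."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for link in parser.links:
        reasons, text = [], link["text"].strip()
        if text.startswith(("http://", "https://")) and host(text) != host(link["href"]):
            reasons.append(f"visible host {host(text)!r} differs from href host {host(link['href'])!r}")
        for name, code in link["handlers"].items():
            if "href" in code or "location" in code:
                reasons.append(f"{name} handler can change the destination: {code}")
        if reasons:
            findings.append((link["href"], text, reasons))
    return findings

# Constructed sample page: the slide's onmousedown trick, a lookalike-host link, one honest link.
SAMPLE_HTML = """
<a href="https://www.google.com/" onmousedown="this.href='http://websec.ca'">https://www.google.com/</a>
<a href="http://rogers-clients.com/login/">https://www.rogers.com/</a>
<a href="https://www.google.com/">https://www.google.com/</a>
"""
```

The first two anchors are reported and the third is not; the same check works on the HTML part of a suspicious email before anyone clicks.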

Don’t Re-use Passwords

- If an attacker obtains your credentials, they may be able to access multiple systems.
- I wrote a tool called “credmap” to test for credential re-use.
- Available at: https://github.com/lightos/credmap

Continuity

- Remember, it takes patience, time and continuity.
- But keep on fighting off those pesky attackers and you’ll eventually get there!

Questions?

Contact Info

- @LightOS
- rsalgado@websec.ca
- http://www.websec.ca

Don’t be shy!