Lenny Zeltser: Social Engineering Attacks

Page 1

Why bother breaking down the door if you can simply ask the person inside to let you in? Social engineering works, both during penetration testing and as part of real-world attacks. This briefing explores how attackers are using social engineering to compromise defenses. It presents specific and concrete examples of how social engineering techniques succeeded at bypassing information security defenses. These materials are designed to help you improve the relevance of your security awareness training and to adjust your data defenses by revisiting your perspective of the threat landscape.

Copyright 2010-2011 Lenny Zeltser

Page 2

Just like “con artists” have done for centuries.

Page 3

As a result, outsider == insider: someone is bound to let an outsider in.

Page 4

This may help with educating users, customers and security staff. This may also help in adjusting the security architecture.

Page 7

http://isc.sans.org/diary.html?storyid=5797

Page 8

http://blogs.paretologic.com/malwarediaries/index.php/2011/09/30/trademark-rogue-business/

Page 10

http://www.bankinfosecurity.com/articles.php?art_id=1858

Page 11

… with an element of social engineering.

Page 12

Conficker set up the autorun.inf file on infected USB keys so that the worm would run when the victim inserted the key into a computer, thereby infecting the PC. The autorun.inf file that Conficker created on the USB key was carefully crafted to confuse the user once the key was inserted. When the victim inserted the USB key, Windows typically brought up the AutoPlay dialog box, asking the person what to do next. Normally, the AutoPlay dialog presents the user with options to run the program on the USB key or to browse the USB key’s files. The autorun.inf file that Conficker created manipulated the options presented to the user, so that the option to run the program looked like the option to browse the drive’s contents. The user was likely to click on the first option to browse the files, not realizing that he or she was actually launching a program. As a result, the user inadvertently launched the Conficker worm from the USB key and infected the PC. http://isc.sans.org/diary.html?storyid=5695
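
The AutoPlay trick described above leaves a recognizable fingerprint in the autorun.inf file itself: a program is launched, yet the entry is labelled and iconed to look like the harmless "browse the folder" choice. The script below is an added example (not code from the briefing or from the SANS diary it cites) that parses an autorun.inf tolerantly and reports those signs. The two autorun.inf samples are constructed for illustration; the file name and DLL entry point in the suspicious sample are placeholders, not real indicators.

```python
"""Flag autorun.inf files whose AutoPlay entry disguises program execution as
the "browse this drive" option.  Added example; all sample content is constructed."""
import re

# Wording Windows uses for the harmless "browse" AutoPlay choice.
BROWSE_WORDING = re.compile(r"open\s+folder|view\s+files|browse", re.I)
# shell32.dll icon index 4 is the stock folder icon; a program entry that borrows
# it is trying to pass for the folder-browse option.
FOLDER_ICON = re.compile(r"shell32\.dll\s*,\s*4\b", re.I)
# Keys that cause something to be executed.
EXEC_KEYS = ("open", "shellexecute")
LOADER_HOSTS = re.compile(r"rundll32|cmd\.exe|wscript|cscript|powershell", re.I)


def parse_autorun(text: str) -> dict:
    """Tolerant key=value parser for the [autorun] section.  Lines with junk keys
    are skipped, since malicious files often pad the real entries with garbage."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line.lower() == "[autorun]"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if key.isidentifier():          # drops lines such as '\x8e\xa1\x03=\xff'
                entries[key] = value.strip()
    return entries


def analyze_autorun(text: str) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    e = parse_autorun(text)
    if not any(k in e for k in EXEC_KEYS):
        return []                            # nothing is executed at all
    findings = []
    action = e.get("action", "")
    if BROWSE_WORDING.search(action):
        findings.append(f"action label mimics the browse option: {action!r}")
    if FOLDER_ICON.search(e.get("icon", "")):
        findings.append("program entry uses the stock folder icon (shell32.dll,4)")
    cmd = e.get("shellexecute") or e.get("open", "")
    if LOADER_HOSTS.search(cmd):
        findings.append(f"launches a script/loader host: {cmd!r}")
    if e.get("useautoplay") == "1":
        findings.append("forces the AutoPlay dialog (UseAutoPlay=1)")
    return findings


# Constructed sample: the "run program" entry is dressed up as the "browse" entry
# and the real lines are surrounded by binary junk.
SUSPICIOUS = (
    "[autorun]\n"
    "\x8e\xa1\x03=\xff\x00garbage\n"
    "Action=Open folder to view files\n"
    "Icon=%systemroot%\\system32\\shell32.dll,4\n"
    "shellexecute=RuNdLl32.eXe .\\RECYCLER\\loader.dll,entry\n"   # placeholder names
    "UseAutoPlay=1\n"
)

# Constructed sample of an ordinary vendor install disc.
BENIGN = "[autorun]\nopen=setup.exe\nicon=setup.exe\nlabel=Vendor Install\n"

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, analyze_autorun(sample) or "no findings")
```

The check is a triage aid, not a verdict: it only fires when the file actually executes something, so plain label/icon customisation is left alone. The durable fix is the one Microsoft eventually shipped, namely not honouring autorun.inf from removable media at all; the same effect can be enforced on older systems through the NoDriveTypeAutoRun policy.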

Page 13

Gawker sites include Gizmodo, Lifehacker and TechCrunch. http://www.wired.com/threatlevel/2009/09/nyt-revamps-online-ad-sales-after-malware-scam/ “The culprit masqueraded as a national advertiser and provided seemingly legitimate product advertising for a week.” ... “Over the weekend, the ad being served up was switched so that an intrusive message, claiming to be a virus warning from the reader’s computer, appeared.”

Page 14

http://www.businessinsider.com/henry-blodget-gawker-scammed-by-malware-pretending-to-be-suzuki-2009-10

Page 16

Impersonated a legitimate advertising company

Page 18

http://uk.answers.yahoo.com/question/index?qid=20100614105319AAznWTW

Page 21

http://www.securelist.com/en/blog/208193029/ZeuS_in_the_Mobile_for_Android

Page 23

Consider a variant of the Waledac worm. The worm directed its potential victims to a website that showed a news excerpt about a supposed explosion. The message was localized based on where the user was connecting from. For instance, visitors from New York would see a message “Powerful explosion burst in New York this morning.” The person was asked to download a video player for the full story. Personalization of the message increased the likelihood of the person downloading the trojan player in an attempt to see the video. http://securitylabs.websense.com/content/Alerts/3321.aspx

Page 31

Attackers have been conducting the “stuck in London” scam for several years. Early campaigns relied on compromised webmail accounts to reach potential victims through email. In an example recently documented by Rakesh Agrawal, this classic scam was conducted via Facebook chat. The scammer used a compromised Facebook account in an attempt to solicit emergency funds from the victim’s friend. The screenshot on this slide shows an excerpt from the chat transcript. With low-cost labor available throughout the world, scammers can employ humans to chat with victims while keeping their costs relatively low. The scammer was using Matt’s Facebook account and, as far as I can tell, was a human being. However, such interactions could easily have been automated using a chat bot. For details regarding this Facebook chat scam see: http://rake.sh/blog/2009/01/20/facebook-fraud-a-transcript

Page 32

Consider a scam that promises Facebook users that they can find out who has been viewing their Facebook profile. The implication is that the user can get access to these details (which feed the narcissist in all of us) by installing the Profile Spy application. The scam attempts to trick the victim into revealing personal details, including a mobile phone number. The malicious site shows a fake Facebook page in the background, to make victims think they are within the “walled garden” of Facebook…

Page 34

After infecting the computer, one malware specimen edited the victim’s “hosts” file to redirect attempts to connect to technology product review sites, including CNet, PCMag, and ZDNet. The goal seemed to be to provide the victim with a spoofed review of a fake anti-virus tool, “Anti-Virus-1”, to trick the person into purchasing this software. Fake anti-virus is not unlike the fake pen for detecting counterfeit money. For additional details about this incident, see: http://www.bleepingcomputer.com/forums/topic204619.html
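
A hosts-file rewrite of the kind described above is easy to audit for, because a legitimate hosts file almost never maps a well-known third-party domain to a routable address. The script below is an added example, not code from the briefing or from the BleepingComputer thread: it parses hosts-file syntax, ignores the common benign pattern of blackholing ad or tracker domains to 0.0.0.0 or 127.0.0.1, and reports any watched domain (or subdomain of it) pointed elsewhere. The sample hosts content and the 192.0.2.x addresses are constructed; the list of watched domains is the example's own choice.

```python
"""Audit a hosts file for entries that hijack well-known domains.
Added example; the sample content below is constructed."""
import ipaddress
import os
import platform
from pathlib import Path

# Names a machine may legitimately map to itself.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def hosts_path() -> Path:
    """Location of the live hosts file on this platform."""
    if platform.system() == "Windows":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return Path(root) / "System32" / "drivers" / "etc" / "hosts"
    return Path("/etc/hosts")


def parse_hosts(text: str):
    """Yield (ip, hostname, line_no) for every mapping, skipping comments and
    malformed lines.  One line may map several names to the same address."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            yield ip, name.lower().rstrip("."), n


def is_local(ip) -> bool:
    """127.0.0.0/8, ::1 and 0.0.0.0 (the usual ad-blocking blackhole targets)."""
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text: str, watched_domains) -> list:
    """Return one finding per watched name that is mapped to a non-local address."""
    watched = tuple(d.lower() for d in watched_domains)
    suffixes = tuple("." + d for d in watched)
    findings = []
    for ip, name, n in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if (name in watched or name.endswith(suffixes)) and not is_local(ip):
            findings.append({"line": n, "host": name, "ip": str(ip)})
    return findings


# Constructed sample: two review-site names sent to a made-up (TEST-NET) address,
# plus a benign blackholed tracker entry that must not be reported.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1   localhost
::1         localhost
0.0.0.0     ads.example.net           # blackholed tracker, benign
192.0.2.45  www.cnet.com cnet.com      # review sites redirected
192.0.2.45  reviews.pcmag.com
"""

# Domains worth watching on this machine (example's own choice).
WATCHED = ["cnet.com", "pcmag.com", "zdnet.com"]

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS, WATCHED):
        print(f"line {f['line']}: {f['host']} -> {f['ip']}")
    live = hosts_path()
    if live.exists():
        print(f"{live}: {len(audit_hosts(live.read_text(errors='replace'), WATCHED))} finding(s)")
```

Run periodically, or as a check inside an endpoint baseline, this catches the redirection regardless of what page the attacker serves at the other end; it does not need to know what "Anti-Virus-1" looks like.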

Page 37

Koobface spread by including links to malicious websites in Twitter and Facebook profiles. Once the potential victim clicked on the link, he or she was typically directed to a website that attempted to trick the person into installing malware. A common tactic involved telling the user that a Flash Player upgrade was required to view the video. Of course, the executable the person was presented with was not Flash Player, but malware.

Page 38

The malicious website embedded, through a series of steps, a Facebook page in an invisible iframe that floated above the button the user clicked on. The victims didn’t realize that they were actually clicking on the Facebook “Share” button, which shared the malicious website with the victim’s Facebook friends. http://fitzgerald.blog.avg.com/2009/11/new-facebook-worm-dont-click-da-button-baby.html

<html><head></head><body>
<div style="overflow: hidden; width: 56px; height: 24px; position: relative;" id="div">
  <iframe name="iframe" src="http://EVILURI/index.php?n=632" style="border: 0pt none; left: -985px; top: -393px; position: absolute; width: 1618px; height: 978px;" scrolling="no"></iframe>
</div>
</body></html>

HTML Source: theinvisibleguy
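
The snippet above shows the whole clickjacking layout: a 56x24 pixel container with overflow hidden, and inside it a full-size iframe shifted up and left by hundreds of pixels so that exactly one button of the framed page shows through the cut-out. The scanner below is an added example (not code from the briefing or from the AVG post) that walks an HTML document with Python's standard html.parser and reports iframes arranged that way, or made fully transparent. The sample markup mirrors the layout above but uses a constructed placeholder URL.

```python
"""Heuristic scanner for clickjacking layouts: a negatively offset iframe inside a
small overflow:hidden container, or an iframe with opacity 0.
Added example; the sample markup is constructed."""
import re
from html.parser import HTMLParser

# Anything at or below this visible area is treated as a "cut-out" sized for one button.
MAX_CUTOUT_AREA = 200 * 100


def parse_style(style):
    """'a: b; c: d' -> {'a': 'b', 'c': 'd'} with lower-cased keys and values."""
    out = {}
    for decl in (style or "").split(";"):
        if ":" in decl:
            k, _, v = decl.partition(":")
            out[k.strip().lower()] = v.strip().lower()
    return out


def px(value):
    """Leading number of a CSS length such as '-985px' or '56px'; None if absent."""
    m = re.match(r"\s*(-?\d+(?:\.\d+)?)", value or "")
    return float(m.group(1)) if m else None


class ClickjackScanner(HTMLParser):
    """Tracks the inline style of every open ancestor while parsing."""

    VOID = {"br", "img", "input", "meta", "link", "hr"}

    def __init__(self):
        super().__init__()
        self.stack = []       # (tag, style dict) for each open element
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = parse_style(a.get("style"))
        if tag == "iframe":
            self._check_iframe(a.get("src") or "", style)
        if tag not in self.VOID:
            self.stack.append((tag, style))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def _check_iframe(self, src, style):
        reasons = []
        if px(style.get("opacity")) == 0:
            reasons.append("transparent iframe (opacity 0)")
        left, top = px(style.get("left")), px(style.get("top"))
        offset = (left is not None and left < 0) or (top is not None and top < 0)
        # Nearest ancestor that clips its content.
        clip = next((s for _, s in reversed(self.stack) if s.get("overflow") == "hidden"), None)
        if offset and clip is not None:
            w, h = px(clip.get("width")), px(clip.get("height"))
            if w is not None and h is not None and w * h <= MAX_CUTOUT_AREA:
                reasons.append(f"negatively offset iframe inside a {w:g}x{h:g}px "
                               f"overflow:hidden cut-out")
        if reasons:
            self.findings.append({"src": src, "reasons": reasons})


def scan_clickjacking(html: str) -> list:
    """Return one finding per suspicious iframe in the document."""
    scanner = ClickjackScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample with the same geometry as the page's snippet, placeholder URL.
SAMPLE = ('<div style="overflow: hidden; width: 56px; height: 24px; position: relative;">'
          '<iframe src="http://framed.example/index.php?n=1" scrolling="no" '
          'style="border: 0; left: -985px; top: -393px; position: absolute; '
          'width: 1618px; height: 978px;"></iframe></div>')

# Constructed ordinary video embed: large, unclipped, not offset.
BENIGN = ('<div><iframe src="http://video.example/embed/1" '
          'width="640" height="360"></iframe></div>')

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE), ("benign", BENIGN)):
        print(name, scan_clickjacking(doc) or "no findings")
```

The heuristic is useful for reviewing pages on a proxy or in a crawler, but the framed site's own defence is simpler and stronger: refuse to be framed by third parties by sending an X-Frame-Options header or a Content-Security-Policy frame-ancestors directive, so the hidden "Share" button never renders inside the attacker's page at all.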

Page 42

This is a sample screenshot—not representative of the sites manipulated by Nugache.

Page 57

There is no “Google Approved Pharmacy Directory”

Page 58

http://www.f-secure.com/weblog/archives/00002017.html “I contacted the company and asked them whether they were aware that their code signing certificate had been stolen. The case became more interesting to me when they responded that they do not have any code signing certificates. In fact, they don't produce software — so they don't have anything to sign. Clearly someone else had obtained the certificate in their name; they had been victim of identity theft.”

Page 59

Left side: cert obtained through identity theft: http://www.f-secure.com/weblog/archives/00002017.html Right side: stolen cert used to sign Stuxnet: http://www.f-secure.com/weblog/archives/00001993.html

Page 64

Need solid research: Will training users or customers in social engineering tactics improve their resistance to scams?

Page 68

If you have any questions for me, please let me know. I’ll do my best to answer them as accurately as I can. I’d also love to hear from you if you have any comments regarding this briefing, either what you liked about it, or your suggestions for improving it. If you want to keep an eye on my research and related activities, take a look at blog.zeltser.com. You can also find me on Twitter at twitter.com/lennyzeltser.
