Lenny Zeltser: Social Engineering Attacks (transcript)
Why bother breaking down the door if you can simply ask the person inside to let you in? Social engineering works, both during penetration testing and as part of real-world attacks. This briefing explores how attackers are using social engineering to compromise defenses. It presents specific and concrete examples of how social engineering techniques succeeded at bypassing information security defenses. These materials are designed to help you improve the relevance of your security awareness training and to adjust your data defenses by revisiting your perspective of the threat landscape.
Copyright 2010-2011 Lenny Zeltser
Just like “con artists” have done for centuries.
As a result, outsider == insider: someone is bound to let an outsider in.
This may help with educating users, customers and security staff. This may also help in adjusting the security architecture.
http://isc.sans.org/diary.html?storyid=5797
http://blogs.paretologic.com/malwarediaries/index.php/2011/09/30/trademark-rogue-business/
http://evilcodecave.blogspot.com/2009/08/malware-26xpl-ssh-propagating-exploit.html
http://isc.sans.org/diary.html?storyid=4507
Hosted on compromised servers.
http://www.bankinfosecurity.com/articles.php?art_id=1858
… with an element of social engineering.
Conficker set up the autorun.inf file on infected USB keys so that the worm would run when the victim inserted the USB key into a computer, thereby infecting the PC. The autorun.inf file that Conficker created on the USB key was carefully crafted to confuse the user once the key was inserted into the computer. When the victim inserted the USB key, Windows typically brought up the AutoPlay dialog box, asking the person what to do next. Normally, the AutoPlay dialog box presents the user with options to run the program on the USB key or to browse the USB key’s files. The autorun.inf file that Conficker created manipulated the options presented to the user, so that the option to run the program looked like the option to browse the drive’s contents. The user was likely to click on the first option to browse the files, not realizing that he or she was actually launching a program. As a result, the user inadvertently launched the Conficker worm from the USB key and infected the PC.
http://isc.sans.org/diary.html?storyid=5695
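As an added illustration (not part of the briefing), the following Python inspects an autorun.inf for the label spoofing described above: a run-program entry whose action text and icon imitate Windows' own "Open folder to view files" option. The sample file is constructed for the example and is not Conficker's actual autorun.inf.

```python
"""Inspect an autorun.inf for AutoPlay label spoofing. Added example; the sample
file is constructed for illustration and is not Conficker's actual autorun.inf."""
import re

# Text of Windows' own AutoPlay entry for browsing a removable drive.
BUILTIN_BROWSE_LABEL = "open folder to view files"
# [autorun] keys that make AutoPlay execute a program.
EXEC_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return key/value pairs of the [autorun] section with lower-cased keys.

    Deliberately tolerant: lines that are not key=value are skipped, since
    Windows also ignores junk placed between sections.
    """
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^\[(.+?)\]$", line)
        if m:
            in_section = m.group(1).lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def spoofing_findings(text):
    """Reasons this autorun.inf looks like it impersonates the browse option."""
    entries = parse_autorun(text)
    if not any(k in entries for k in EXEC_KEYS):
        return []  # nothing executes, so there is no run-vs-browse confusion
    findings = []
    if BUILTIN_BROWSE_LABEL in entries.get("action", "").lower():
        findings.append("action label copies Windows' 'Open folder to view files' entry")
    if "shell32.dll" in entries.get("icon", "").lower():
        findings.append("run-program entry borrows a shell32.dll system icon (heuristic)")
    return findings


# Constructed sample: a run-program entry dressed up as the browse option.
SAMPLE_AUTORUN = """[autorun]
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
open=setup.exe
"""

if __name__ == "__main__":
    for finding in spoofing_findings(SAMPLE_AUTORUN):
        print("!", finding)
```

Running it against a legitimate installer's autorun.inf, whose action text names the product and whose icon is its own, returns no findings.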
Gawker sites include Gizmodo, Lifehacker and TechCrunch.
http://www.wired.com/threatlevel/2009/09/nyt-revamps-online-ad-sales-after-malware-scam/
“The culprit masqueraded as a national advertiser and provided seemingly legitimate product advertising for a week.” ... “Over the weekend, the ad being served up was switched so that an intrusive message, claiming to be a virus warning from the reader’s computer, appeared.”
http://www.businessinsider.com/henry-blodget-gawker-scammed-by-malware-pretending-to-be-suzuki-2009-10
http://www.mediaite.com/online/gawker-duped-into-running-fake-ads-with-virus/
Impersonated a legitimate advertising company
http://uk.answers.yahoo.com/question/index?qid=20100614105319AAznWTW
http://www.symantec.com/connect/blogs/technical-support-phone-scams
http://www.securelist.com/en/blog/208193029/ZeuS_in_the_Mobile_for_Android
Consider a variant of the Waledac worm. The worm directed its potential victims to a website that showed a news excerpt about a supposed explosion. The message was localized based on where the user was connecting from. For instance, visitors from New York would see a message “Powerful explosion burst in New York this morning.” The person was asked to download a video player for the full story. Personalization of the message increased the likelihood of the person downloading the trojan player in an attempt to see the video. http://securitylabs.websense.com/content/Alerts/3321.aspx
http://blog.zeltser.com/post/2685898823/social-engineering-in-online-scams
http://blog.webroot.com/2010/04/08/this-pc-will-self-destruct-in-ten-seconds/
http://krebsonsecurity.com/2010/11/spear-phishing-attacks-snag-e-mail-marketers
http://www.symantec.com/connect/blogs/fake-av-talking-enemy
Attackers have been conducting the “stuck in London” scam for several years. Early campaigns relied on compromised webmail accounts to reach potential victims through email. In an example recently documented by Rakesh Agrawal, this classic scam was conducted via Facebook chat. The scammer used a compromised Facebook account in an attempt to solicit emergency funds from the victim’s friend. The screenshot on this slide shows an excerpt from the chat transcript. With low-cost labor available throughout the world, scammers can employ humans for chatting with victims while keeping their costs relatively low. The scammer was using Matt’s Facebook account and, as far as I can tell, was a human being. However, such interactions could easily have been automated using a chat bot. For details regarding this Facebook chat scam see:
http://rake.sh/blog/2009/01/20/facebook-fraud-a-transcript
Consider a scam that promises Facebook users to find out who has been viewing their Facebook profile. The implication is that the user can get access to these details (that feed the narcissist in all of us) by installing the Profile Spy application. The scam attempts to trick the victim into revealing personal details, including a mobile phone number. The malicious site shows a fake Facebook page in the background, to make victims think they are within the “walled garden” of Facebook…
After infecting the computer, one malware specimen edited the victim’s “hosts” file to redirect attempts to connect to technology product review sites, including CNet, PCMag, and ZDNet. The goal seemed to be to provide the victim with a spoofed review of a fake anti-virus tool, “Anti-Virus-1”, to trick the person into purchasing this software. Fake anti-virus is not unlike the fake pen for detecting counterfeit money. For additional details about this incident, see:
http://www.bleepingcomputer.com/forums/topic204619.html
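To make the hosts-file tampering above concrete from the defender's side, here is an added Python check (not part of the briefing) that parses a hosts file and reports entries steering public domain names to a remote address. The sample file is constructed and uses a TEST-NET documentation address rather than a real server.

```python
"""Flag hosts-file entries that redirect a public domain, as the malware above did.
Added example; HOSTS_SAMPLE is constructed and 198.51.100.7 is a TEST-NET-2 address."""
import ipaddress

# Names that legitimately live in a hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Suffixes a hosts file may map anywhere on an internal network (simplified).
INTERNAL_SUFFIXES = (".local", ".lan", ".internal")


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line: first field is not an address
        for name in parts[1:]:
            yield ip, name.lower()


def redirected_entries(text):
    """Return (ip, name) pairs that send a public-looking name to a remote host.

    Loopback, unspecified (0.0.0.0, used by ad blockers) and link-local targets
    are treated as benign, as are localhost-style and internal-looking names.
    """
    hits = []
    for ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified or ip.is_link_local:
            continue
        if name in LOCAL_NAMES or name.endswith(INTERNAL_SUFFIXES) or "." not in name:
            continue
        hits.append((str(ip), name))
    return hits


# Constructed sample mixing normal entries with review-site redirections.
HOSTS_SAMPLE = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # ad-blocking style entry
192.168.1.10    printer.lan
198.51.100.7    www.cnet.com reviews.cnet.com
198.51.100.7    www.pcmag.com
"""

if __name__ == "__main__":
    for ip, name in redirected_entries(HOSTS_SAMPLE):
        print(f"{name} -> {ip}")
```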
Koobface spread by including links to malicious websites in Twitter and Facebook profiles. Once the potential victim clicked on the link, he or she was typically directed to a website that attempted to trick the person into installing malware. A common tactic involved presenting the user with a message stating that a Flash Player upgrade was required to view the video. Of course, the executable the person was presented with was not Flash Player, but malware.
The malicious website embedded, through a series of steps, a Facebook page in an invisible iframe that floated above the button that the user clicked on. The victims didn’t realize that they were actually clicking on the Facebook “Share” button, which shared the malicious website with the victim’s Facebook friends.
http://fitzgerald.blog.avg.com/2009/11/new-facebook-worm-dont-click-da-button-baby.html
<html><head></head><body>
<div style="overflow: hidden; width: 56px; height: 24px; position: relative;" id="div">
  <iframe name="iframe" src="http://EVILURI/index.php?n=632" style="border: 0pt none ; left: -985px; top: -393px; position: absolute; width: 1618px; height: 978px;" scrolling="no"></iframe>
</div>
</body></html>
HTML Source: theinvisibleguy
http://thompson.blog.avg.com/2010/07/remote-control-facebook.html
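The defensive counterpart to the invisible-iframe trick above is to refuse cross-origin framing. The following added Python (not from the briefing; the origins and header sets are constructed) evaluates a response's X-Frame-Options and CSP frame-ancestors headers with the precedence browsers apply, to tell whether a given origin could frame the page.

```python
"""Tell whether a response's headers let another origin frame the page, as the
clickjacking page above did. Added example; origins and headers are constructed."""
import fnmatch
from urllib.parse import urlsplit


def _header(headers, name):
    """Case-insensitive header lookup."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def _default_port(origin):
    return origin.port or (443 if origin.scheme == "https" else 80)


def _source_matches(source, page, framer):
    """Match one frame-ancestors source expression (simplified CSP3 rules)."""
    source = source.lower()
    if source == "'none'":
        return False
    if source == "'self'":
        return framer == page
    if source == "*":
        return True
    if source.endswith(":") and "/" not in source:  # scheme-source such as https:
        return framer.scheme == source[:-1]
    host = urlsplit(source if "://" in source else "//" + source)
    if host.scheme and host.scheme != framer.scheme:
        return False
    port = host.port or _default_port(framer)  # no explicit port: scheme default
    return (fnmatch.fnmatchcase(framer.hostname or "", host.hostname or "")
            and port == _default_port(framer))


def framing_allowed(headers, page_origin, framer_origin):
    """True if framer_origin may embed page_origin. A CSP frame-ancestors
    directive, when present, overrides X-Frame-Options, as in browsers."""
    page, framer = urlsplit(page_origin.lower()), urlsplit(framer_origin.lower())
    for directive in (_header(headers, "Content-Security-Policy") or "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return any(_source_matches(s, page, framer) for s in tokens[1:])
    xfo = (_header(headers, "X-Frame-Options") or "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == page
    return True  # no framing protection: an invisible iframe like the one above works


if __name__ == "__main__":
    page = "https://social.example"
    print(framing_allowed({"Content-Type": "text/html"}, page, "http://EVILURI"))  # True
    print(framing_allowed({"Content-Security-Policy": "frame-ancestors 'self'"}, page, "http://EVILURI"))  # False
```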
http://staff.washington.edu/dittrich/papers/dittrich-login0809.pdf
This is a sample screenshot—not representative of the sites manipulated by Nugache.
http://blog.zeltser.com/post/2685898823/social-engineering-in-online-scams
http://sunbeltblog.blogspot.com/2010/08/new-trojan-offers-choice-of-rogue.html
http://blogs.paretologic.com/malwarediaries/index.php/2010/04/15/are-spammers-getting-lazy/
There is no “Google Approved Pharmacy Directory”
http://www.f-secure.com/weblog/archives/00002017.html
“I contacted the company and asked them whether they were aware that their code signing certificate had been stolen. The case became more interesting to me when they responded that they do not have any code signing certificates. In fact, they don't produce software — so they don't have anything to sign. Clearly someone else had obtained the certificate in their name; they had been victim of identity theft.”
Left side: cert obtained through identity theft: http://www.f-secure.com/weblog/archives/00002017.html
Right side: stolen cert used to sign Stuxnet: http://www.f-secure.com/weblog/archives/00001993.html
http://www.f-secure.com/weblog/archives/00002051.html
Need solid research: Will training users or customers in social engineering tactics improve their resistance to scams?
If you have any questions for me, please let me know. I’ll do my best to answer them as accurately as I can. I’d also love to hear from you if you have any comments regarding this briefing, either what you liked about it, or your suggestions for improving it. If you want to keep an eye on my research and related activities, take a look at blog.zeltser.com. You can also find me on Twitter at twitter.com/lennyzeltser.