Social Engineering &
Social Networking
Sharon Conheady
sconheady@FirstDefenceIS.com
A Definition
efforts to influence popular attitudes and social
behaviour on a large scale, whether by
governments or priva...
What is Social Engineering?
techniques hackers use to deceive a trusted
computer user within a company into revealing
sens...
Why social engineering works
• Tendency to trust
• People want to help
– Customer service focussed society (e.g. call cent...
What is Social Engineering from a
Social Networking Perspective?
• An exploitation of TRUST
• A social engineer is an expl...
Social Engineering & Social Networking
1. Why social engineers use social networking
2. Why social engineering over social...
#1 Why social engineers use
social networking
Why social engineers use social
networking
• HUGE attack surface
• Quick and easy, even automated
• E.g. Set up a botnet t...
#2 Why social engineering over
social networks works
Why Social Engineering over
Social Networking works
• Trust model
• No real authentication
• Easy to impersonate someone e...
Impersonation in the Real World
http://www.silicon.com/technology/hardware/2007/12/10/criminals-posing-as-police-burgle-ve...
Impersonation in the Real World
• Takes money (to buy police costumes)
• May involve other criminal activities
(“procuring...
The Robin Sage Experiment
• 28 day experiment run by Provide Security
• Security researchers created a fake Facebook, Twit...
Some Clues
• 10 years of cyber security experience at
25 years of age
• Robin Sage is the name of a military
exercise
• AN...
#3 How social networking is
used by social engineers
3 ways in which social networking
is used by social engineers
1. To execute an attack
2. To propagate an attack (e.g. spre...
Using LinkedIn for SE
• Tactical research:
• Build an organisation chart for the target organisation
• Identify staff name...
Using other social networking
sites for social engineering
1. Find the name of someone who works at the
target organisatio...
#3.1 Executing attacks on social
networks
Old attacks reworked on Social
Networks
• Nigerian 419 scam
• Instead of coming from a stranger in
Nigeria attack comes fr...
The London Mugging
Oh my God i am sorry i didn't inform you about my traveling to London, UK.
It as been a very sad and ba...
Volcano Friend Scam?
I’m stranded in <random foreign location> because
of the volcanic activity in Iceland. Please could
y...
Hijack someone’s account to
launch attacks against other users
• Attackers take over someone’s account
and target their fr...
http://www.ft.com/cms/s/2/c18091ee-09ee-11df-8b23-00144feabdc0.html
Terremark: Company Picnic, 2009
• An employee, Bob, posted on his Facebook profile that he would be
attending a company pi...
#3.2 Propagating attacks via
social networks
Social Networks as Malware
Distribution Platforms
• Malware inserted via user-contributed content,
ads, compromised hostin...
Example 1: Set up a group people
want to join
From: "Your Facebook" <networks@facebook.com>
Date: 17 March 2010 07:45:06 GMT
Subject: Facebook Password Reset Confirmati...
Example 3: Koobface Virus
• Users receive a message in their Facebook inbox:
– You look funny in this new video
– Look, yo...
#3.3 Reconnaissance
Reconnaissance
• Personal information (phone numbers, dates of
birth, home addresses, work details, etc)
– often publicly ...
Bob’s Profile
<screenshot removed>
How to social engineer Bob
1. You know what company and city Bob works in. Establish which office
he is located in.
• More...
Jo’s profile
<screenshot removed>
Some more SE scenarios…
1. Jo has 45 friends on his MySpace page. Send Jo a birthday
card on behalf of one of his friends ...
Some interesting social
networking sites for
reconnaissance
www.blippy.com
Hi, I’m emailing/calling from Netflix to see how you enjoyed watching
Spartacus recently...
<screenshot rem...
Screenshot from Mashable.com Search Term: site:blippy.com +”from card”
www.foursquare.com
www.pleaserobme.com
Go to Corcoran’s on 23 Boulevard Poissonniere, Paris. You know what
your target looks like. Buy them a drink. Steal their ...
#4 Some ideas on how to avoid
social engineering attacks over
social networking
Tips on how not to be a victim
• User awareness
• Acceptable use policy
• Use privacy settings
• Be careful what you post ...
Final Thought
Most of the time people spend on
social networking is during work
hours and on work computers
How does this ...
Social Engineering &
Social Networks
Sharon Conheady
sconheady@FirstDefenceIS.com
Sharon Conheady - Social engineering & social networks (4 novmber Jaarbeurs Utrecht)
Sharon Conheady - Social engineering & social networks (4 novmber Jaarbeurs Utrecht)
Sharon Conheady - Social engineering & social networks (4 novmber Jaarbeurs Utrecht)
Upcoming SlideShare
Loading in...5
×

Sharon Conheady - Social engineering & social networks (4 novmber Jaarbeurs Utrecht)

1,803

Published on

Published in: Technology, News & Politics
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,803
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
81
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Sharon Conheady - Social engineering & social networks (4 novmber Jaarbeurs Utrecht)

  1. 1. Social Engineering & Social Networking Sharon Conheady sconheady@FirstDefenceIS.com
  2. 2. A Definition efforts to influence popular attitudes and social behaviour on a large scale, whether by governments or private groups - Wikipedia definition
  3. 3. What is Social Engineering? techniques hackers use to deceive a trusted computer user within a company into revealing sensitive information, or trick an unsuspecting mark into performing actions that create a security hole for them to slip through - Kevin Mitnick
  4. 4. Why social engineering works • Tendency to trust • People want to help – Customer service focussed society (e.g. call centres) • Respect for authority – Milgram experiment • Complacency – It’s easier to give people information to get rid of them • People don’t like confrontations – The Yes Rule • Social engineers are good at evoking emotion – Greed (passwords for chocolate) – Fear (of getting into trouble for not doing their job, of their credit card being cut off) – Sympathy
  5. 5. What is Social Engineering from a Social Networking Perspective? • An exploitation of TRUST • A social engineer is an exploiter of trust, who leverages the TRUST of their victim to gain access to sensitive information or resources or to elicit information about those resources What is social networking? • A TRUST platform
  6. 6. Social Engineering & Social Networking 1. Why social engineers use social networking 2. Why social engineering over social networking works 3. Examples of how social networking is used by social engineers 4. Tips on how to prevent social engineering attacks that make use of social networks
  7. 7. #1 Why social engineers use social networking
  8. 8. Why social engineers use social networking • HUGE attack surface • Quick and easy, even automated • E.g. Set up a botnet to gather email addresses for phishing • Low barrier entry point (skillz not necessarily required) • Often relies on publicly available information (no obvious wrongdoing) • No more dumpster diving☺
  9. 9. #2 Why social engineering over social networks works
  10. 10. Why Social Engineering over Social Networking works • Trust model • No real authentication • Easy to impersonate someone else or set up a fake profile • Influential (Cialdini’s principles of influence) • Social proof: people do things that other people are doing • Similarity: people are influenced by people they like • Hey, look at this. John says it’s cool.
  11. 11. Impersonation in the Real World http://www.silicon.com/technology/hardware/2007/12/10/criminals-posing-as-police-burgle-verizon-data-centre-39169416/
  12. 12. Impersonation in the Real World • Takes money (to buy police costumes) • May involve other criminal activities (“procuring” police costumes, impersonating a public official, physically harming victims) • Takes a lot of planning • Usually involves several people (5 people in this instance) • Much easier to get caught
  13. 13. The Robin Sage Experiment • 28 day experiment run by Provide Security • Security researchers created a fake Facebook, Twitter and LinkedIn profile under the alias Robin Sage • They used a photo of an attractive girl from an adult website • They gave her the job title “Cyber Threat Analyst” • Established connections with more than 300 people in the security industry, including National Security Agency, DoD and Global 500 companies • Revealed information that violated operational security and personal security restrictions, such as troop locations, what time helicopters were taking off
  14. 14. Some Clues • 10 years of cyber security experience at 25 years of age • Robin Sage is the name of a military exercise • AND • You DEFINITELY don’t know her – she doesn’t exist!
  15. 15. #3 How social networking is used by social engineers
  16. 16. 3 ways in which social networking is used by social engineers 1. To execute an attack 2. To propagate an attack (e.g. spread malware) 3. Reconnaissance phase for a larger attack
  17. 17. Using LinkedIn for SE • Tactical research: • Build an organisation chart for the target organisation • Identify staff names and roles • Target these individuals • Pretend to be these individuals • Name drop: <insert CEO’s name here> said... Or <insert CEO’s name here> needs this document... • Check who is on holidays (Trippit). • Set up fake profiles and link in to your target • E.g. It’s highly likely John from Company A knows Jane from Company B. If they are not already linked in, set up a profile that looks like Jane and send a LinkedIn invitation. • Lots of people will connect with people they don’t even know, so you don’t necessarily need Jane’s profile. • You don’t even need to use LinkedIn. You know what a LinkedIn invitation looks like. Make one yourself with malicious links or malware... Your target doesn’t even need to use LinkedIn – we ALL get invitations.
  18. 18. Using other social networking sites for social engineering 1. Find the name of someone who works at the target organisation (maybe via LinkedIn, company website, etc). 2. MORE tactical research on that person.
  19. 19. #3.1 Executing attacks on social networks
  20. 20. Old attacks reworked on Social Networks • Nigerian 419 scam • Instead of coming from a stranger in Nigeria attack comes from your friend • Instead of getting an email you are contacted via a social networking site • Naturally, you want to help your friend
  21. 21. The London Mugging Oh my God i am sorry i didn't inform you about my traveling to London, UK. It as been a very sad and bad moment for me, the present condition that I found myself is very hard for me to explain. I am really stranded i am in some kind of deep mess right now,I came down here to London,UK for a short resort got mugged at gun point last night at the park of the hotel where i lodged.All cash,credit cards and cell were stolen,I've been to the U.S embassy and the Police here but they're not helping issues at all,Our flight leaves today and I'm having problems settling the hotel bills, passport,documents and other valuable things were kept on my way to the Hotel am staying, I am facing a hard time here because I have no money on me. I am now owning a hotel bill and they wanted me to pay the bill soon or else they will have to seize my bag and hand me over to the Hotel Management.,I need this help from you urgently to help me back home,I need you to help me with the hotel bill and i will also need to feed and help myself back home so please can you help me with a sum of 1720Pounds to sort out my problems here? I need this help so much and on time because i am in a terrible and tight situation here,I don't even have money to feed myself anymore
  22. 22. Volcano Friend Scam? I’m stranded in <random foreign location> because of the volcanic activity in Iceland. Please could you lend me some money...?
  23. 23. Hijack someone’s account to launch attacks against other users • Attackers take over someone’s account and target their friends • Contact comes from your friend, so you are more likely to trust it • Google.cn • Terremark
  24. 24. http://www.ft.com/cms/s/2/c18091ee-09ee-11df-8b23-00144feabdc0.html
  25. 25. Terremark: Company Picnic, 2009 • An employee, Bob, posted on his Facebook profile that he would be attending a company picnic. • Attackers hijacked Bob’s Facebook account and sent out a message after the picnic that read: • Hey Alice, look at the pics I took of us last weekend at the picnic. Bob” • Alice clicked on the accompanying link on her company laptop which installed a keystroke logger. • The attackers used Alice’s company logon to access the company network for two weeks, gaining control over 2 servers. • One of Bob’s friends mentioned to him that the photos he sent failed to render. • A closer look at network traffic uncovered the attacker’s probing.
  26. 26. #3.2 Propagating attacks via social networks
  27. 27. Social Networks as Malware Distribution Platforms • Malware inserted via user-contributed content, ads, compromised hosting networks and other third parties • How do you get someone to visit a website hosting malware? • Social engineering is the magic ingredient that makes these attacks work • 3 examples
  28. 28. Example 1: Set up a group people want to join
  29. 29. From: "Your Facebook" <networks@facebook.com> Date: 17 March 2010 07:45:06 GMT Subject: Facebook Password Reset Confirmation! Customer Message. Dear user of facebook, Because of the measures taken to provide safety to our clients, your password has been changed. You can find your new password in attached document. Thanks, Your Facebook. <Facebook_password_982.zip> Example 2: Send a malicious attachment that looks like it’s from Facebook
  30. 30. Example 3: Koobface Virus • Users receive a message in their Facebook inbox: – You look funny in this new video – Look, you were filmed all naked! – You look just awesome in this movie • User clicks on (malicious) URL to view video to a website that looks suspiciously like YouTube • A pop-up message says a Flash update is required to view the video; the viewer is prompted to open a file called flash_player.exe...
  31. 31. #3.3 Reconnaissance
  32. 32. Reconnaissance • Personal information (phone numbers, dates of birth, home addresses, work details, etc) – often publicly available (directly or indirectly) – your friends post a message wishing you a happy 40th birthday • Answers to secret questions • Company profiles, org charts • Understand your target’s trust network – Who do they work with? Name of boss? – Who’s in their family? – Who are their friends? • Find information to hone phishing attacks (spear phishing)
  33. 33. Bob’s Profile <screenshot removed>
  34. 34. How to social engineer Bob 1. You know what company and city Bob works in. Establish which office he is located in. • More online research • Call up each office and ask to speak to him until you get the right one 2. Get a Domino’s delivery shirt ($10 for 4 on eBay, share them with your friends) 3. Order a Domino’s Meat Feast Pizza for collection. 4. Collect the pizza. 5. Put the Domino’s t-shirt on. 6. Deliver the pizza to Bob’s desk. 7. If Bob says he didn’t order it, tell him Paul (who we know is his friend on myspace) ordered it for him. 8. For an extra special touch, deliver it on his birthday as a birthday surprise. 9. Don’t forget to leave a key logger or access point in the office, or at least grab some important looking documents while you are in there!
  35. 35. Jo’s profile <screenshot removed>
  36. 36. Some more SE scenarios… 1. Jo has 45 friends on his MySpace page. Send Jo a birthday card on behalf of one of his friends with a USB key as a present. Put malicious software on the USB key. 2. Send Jo a “stop smoking” CD with malware on it. 3. Threaten him with creepy crawlies until he gives you the information you want!
  37. 37. Some interesting social networking sites for reconnaissance
  38. 38. www.blippy.com Hi, I’m emailing/calling from Netflix to see how you enjoyed watching Spartacus recently... <screenshot removed>
  39. 39. Screenshot from Mashable.com Search Term: site:blippy.com +”from card”
  40. 40. www.foursquare.com
  41. 41. www.pleaserobme.com
  42. 42. Go to Corcoran’s on 23 Boulevard Poissonniere, Paris. You know what your target looks like. Buy them a drink. Steal their bag. <screenshot removed>
  43. 43. #4 Some ideas on how to avoid social engineering attacks over social networking
  44. 44. Tips on how not to be a victim • User awareness • Acceptable use policy • Use privacy settings • Be careful what you post online • Avoid “promiscuous friending” • Don’t click on links in emails received unexpectedly, even if they appear to be from a friend • Don’t send money without speaking directly to your friends☺ • But most of all… • Think about the information that is available about you online and consider how it could be used against you by a malicious social engineer
  45. 45. Final Thought Most of the time people spend on social networking is during work hours and on work computers How does this affect you?
  46. 46. Social Engineering & Social Networks Sharon Conheady sconheady@FirstDefenceIS.com
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×