
How Attackers Use Social Engineering to Bypass Your Defenses.



Why bother breaking down the door if you can simply ask the person inside to let you in? Social engineering works, both during penetration testing and as part of real-world attacks. This briefing explores how attackers are using social engineering to compromise defenses. It presents specific and concrete examples of how social engineering techniques succeeded at bypassing information security defenses.


These materials are designed to help you improve the relevance of your security awareness training and to adjust your data defenses by revisiting your perspective on the threat landscape.

To download the PDF version of these slides, please visit http://zeltser.com/presentations

Published in: Education, Technology

Transcript

  • 1. How attackers use social engineering to bypass your defenses. Lenny Zeltser, Senior Faculty Member, SANS Institute; Product Management Director, NCR Corporation
  • 2. Social engineers influence victims to perform actions desired by the attacker.
  • 3. As a result: Outsider == Insider
  • 4. What social engineering tactics are being used? Let’s look at examples, so we can learn from them.
  • 5. Alternative Channels
  • 6. Notices in the “physical” world invited victims to visit a fraudulent website.
  • 7. http://j.mp/oRn3
  • 8. Source: Jerome Segura http://j.mp/IQjPhM
  • 9. Phishing scam directed the target to a phone number.
  • 10. “Your card has been suspended because we believe it was accessed by a third party. Please press 1 now to be transferred to our security department.” Customers of Liberty Bank of Boulder Creek, CA. Source: BankInfoSecurity http://j.mp/3Gj0AA
  • 11. USB keys were used as an infection vector.
  • 12. The autorun.inf that Conficker dropped on removable media:
        Action=Open folder to view files
        Icon=%systemroot%\system32\shell32.dll,4
        Shellexecute=.\RECYCLER\S-5-3-42-28199…
    Source: Internet Storm Center http://j.mp/HGTgRX
  • 13. “Real world” procedures were used to place malicious ads on Gawker sites. A similar scam targeted the New York Times and other media sites. See http://j.mp/IjqYWJ
  • 14. The ads served PDF exploits to visitors. Image Source: Business Insider http://j.mp/IwnntL
  • 15. “We want to run a performance campaign for Suzuki across your network. Our budget to start is $25k+. Campaign should be live by the end of the month.” Source: Mediaite http://j.mp/HJO77c
  • 16. Scammers called home users to help disinfect their PCs. They pretended to find malware and clean it up; requested payment and other details.
  • 17. “i got a call off a onlinepcdoctors.com and they said my pc was running slower because of malcious [sic] files. i let them take remote access of my computer…” Source: http://j.mp/HEWIeY
  • 18. Source: Symantec http://j.mp/jSjWBD
  • 19. ZeuS on a Windows PC asked victims to install a security program on their Android phones.
  • 20. Source: Kaspersky http://j.mp/pN6p60
  • 21. Personally-Relevant Messaging
  • 22. Malware spread by localizing its message (Waledac). See http://j.mp/IG10kH
  • 23. Geolocation was similarly used in a work-from-home scam. See http://j.mp/HGVHU9
  • 24. Malware spoofed email from trusted senders.
  • 25. “Unfortunately we were not able to deliver the postal package … Please print out the invoice copy attached and collect the package at our department. United Parcel Service of America.” Source: Webroot http://j.mp/HHuYVB
  • 26. Malicious messages matched the content the victim was used to receiving. The attachments targeted client-side vulnerabilities.
  • 27. Source: Contagio
  • 28. Source: Brian Krebs http://j.mp/Iagn3r
  • 29. Attackers provided customer service to appear legitimate. Image Source: Symantec http://j.mp/HJOwGU
  • 30. Fraudsters used Facebook chat for the “stuck in London” scam. Source: Jason Cupp http://j.mp/k9JFf9
  • 31. Profile Spy claimed to track who viewed victims’ Facebook profiles.
  • 32. Social Compliance
  • 33. Malware spoofed product review sites to legitimize a fake anti-virus tool.
  • 34. Source: Bleeping Computer
  • 35. Social networks have been used to spread malware (Koobface).
  • 36. Source: Nick FitzGerald http://j.mp/HEsg4l
  • 37. Malware dared victims to click the link to get them hooked. Then it asked them to copy and paste JavaScript to spread on Facebook.
  • 38. Source: AVG http://j.mp/pQDv9G
  • 39. Malware manipulated download counters to appear popular (Nugache). Source: Dave Dittrich http://j.mp/ITKJs7
  • 40. This is a sample screenshot. It’s not representative of the sites actually manipulated by Nugache.
  • 41. Money-mule recruiting sites looked like sites of many other legitimate companies.
  • 42. A scam emphasized the popularity of the “work from home” kit. See http://j.mp/HGVHU9
  • 43. Reliance on Security Mechanisms
  • 44. Similar to the fake counterfeit-money-testing pen con.
  • 45. “Security update” messages in several forms convinced users to download and install software.
  • 46. Fake anti-virus tools confused the user about the need for security.
  • 47. Victims sometimes even got to choose their preferred rogue anti-virus product.
  • 48. Source: Sunbelt Software http://j.mp/IG29Jh
  • 49. Malicious files were hosted behind a CAPTCHA screen. See http://j.mp/HGWfJF
  • 50. Scammers associated their “products” with trusted brands.
  • 51. Attackers signed malware with certificates. Some certs were stolen with malware. Some were obtained through identity theft. See http://j.mp/9HbPLC
  • 52. Source: Websense http://j.mp/ICjrsS
  • 53. Malicious websites presented a security warning to users, asking them to download an update.
  • 54. See http://j.mp/ITLj9g
  • 55. So What?
  • 56. Social engineering works. It seems to tap into psychological factors that are part of human nature.
  • 57. Discuss recent social engineering approaches with employees, partners and customers.
  • 58. Alternative Channels; Personally-Relevant Messaging; Social Compliance; Reliance on Security Mechanisms.
  • 59. Assume some social engineering will work anyway.
  • 60. Focus on… internal segmentation, least privilege, need-to-know and monitoring.
  • 61. Lenny Zeltser, blog.zeltser.com, twitter.com/lennyzeltser
  • 62. About The Author: Lenny Zeltser is a seasoned IT professional with a strong background in information security and business management. As a director at NCR Corporation, he focuses on safeguarding IT environments of small and midsize businesses worldwide. Before NCR, he led an enterprise security consulting team at a major IT hosting provider. Lenny’s most recent work has focused on malware defenses and cloud-based services. He teaches how to analyze and combat malware at the SANS Institute, where he is a senior faculty member. He also participates as a member of the board of directors at the SANS Technology Institute and volunteers as an incident handler at the Internet Storm Center. Lenny frequently speaks on security and related business topics at conferences and industry events, writes articles, and has co-authored books on forensics, network security, and malicious software. He is one of the few individuals in the world who have earned the highly regarded GIAC Security Expert (GSE) designation. Lenny has an MBA degree from MIT Sloan and a computer science degree from the University of Pennsylvania.
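The USB lure on slide 12 works because the autorun.inf borrows the wording and the folder icon of the harmless "Open folder to view files" entry that Windows itself shows in AutoPlay, while its Shellexecute line launches a payload hidden under RECYCLER. The following triage script is an added example, not code from the presentation: it parses an autorun.inf copied off removable media and flags that pattern. Both autorun.inf samples are constructed for the example; the SID-like directory name and the payload file name are made up.

```python
"""
Added example (not code from the presentation): triage an autorun.inf copied
off a USB key for the Conficker-style lure shown on slide 12.
The two samples are constructed; the SID-like path and payload name are made up.
"""
import re

SAMPLE_CONFICKER_STYLE = r"""
[autorun]
Action=Open folder to view files
Icon=%systemroot%\system32\shell32.dll,4
Shellexecute=.\RECYCLER\S-5-3-42-0000000000-0000000000-000000000-0000\payload.vmx,entrypoint
UseAutoPlay=1
"""

SAMPLE_VENDOR_CD = r"""
[autorun]
open=setup.exe
icon=setup.exe
label=Vendor Driver CD
"""

# Wording of the harmless "browse this drive" option Windows shows in AutoPlay.
WINDOWS_BROWSE_TEXT = re.compile(r"^open\s+folder\s+to\s+view\s+files$", re.I)
# Directories Explorer hides by default; a launch target there is not meant to be seen.
HIDDEN_DIRS = ("recycler", "recycled", "$recycle.bin", "system volume information")
# Extensions a legitimate launcher would normally use.
EXEC_EXTENSIONS = {"exe", "com", "bat", "cmd", "msi"}


def parse_autorun(text):
    """Tolerant key=value parser for the [autorun] section.

    Conficker padded its file with junk lines to defeat naive signatures, so
    anything that is not key=value is ignored and keys are lowercased.
    """
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def triage_autorun(text):
    """Return a list of findings; an empty list means nothing looked like the lure."""
    entries = parse_autorun(text)
    findings = []
    action = entries.get("action", "")
    icon = entries.get("icon", "").lower()
    # shellexecute and open are the two keys that launch something on insertion.
    launch = entries.get("shellexecute") or entries.get("open") or ""
    target = launch.split(",")[0].strip().strip('"').lower()  # drop ",arguments"
    filename = target.rsplit("\\", 1)[-1]
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""

    if launch and WINDOWS_BROWSE_TEXT.match(action):
        findings.append("Action mimics Windows' own 'Open folder to view files' entry but launches %r" % launch)
    if launch and "shell32.dll" in icon:
        findings.append("Icon is borrowed from shell32.dll so the entry looks like a plain folder")
    if any(d in target for d in HIDDEN_DIRS):
        findings.append("launch target sits in a directory Explorer hides by default: %s" % target)
    if launch and ext not in EXEC_EXTENSIONS:
        findings.append("launch target %r does not carry a normal executable extension" % target)
    return findings


if __name__ == "__main__":
    for label, sample in (("conficker-style", SAMPLE_CONFICKER_STYLE), ("vendor CD", SAMPLE_VENDOR_CD)):
        print(label, "->", triage_autorun(sample) or "clean")
```

The parser deliberately ignores anything that is not a key=value line inside [autorun], because the real file was padded with garbage to break simple string matches; the findings are about the lure (mimicked wording, borrowed icon, hidden path, disguised extension) rather than about any one sample.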
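Slides 24 to 28 describe spoofed mail from a trusted sender carrying an attachment that exploits the client. The script below is an added example, not code from the presentation: it parses a raw message with Python's standard email library and flags the visible tells of the UPS lure quoted on slide 25 (a brand name in the display name that does not match the address domain, an envelope sender that differs from the From header, and an attachment whose name or content betrays an executable). Both messages are constructed for the example; the sender domains and attachment name are made up, and the brand-to-domain table is an assumed allow list you would build from your own mail records.

```python
"""
Added example (not code from the presentation): flag the tells of the spoofed
UPS lure quoted on slide 25. The messages are constructed; the sender domains,
attachment name and the BRAND_DOMAINS allow list are assumptions.
"""
import email
from email import policy
from email.utils import parseaddr

SAMPLE_LURE = """\
Return-Path: <bounce@example-mailer.net>
From: "United Parcel Service of America" <notice@ups-delivery-notice.example>
To: jane@victim.example
Subject: UPS Delivery Problem NR 2938
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

Unfortunately we were not able to deliver the postal package.
Please print out the invoice copy attached and collect the package at our department.

--B1
Content-Type: application/octet-stream; name="UPS_invoice.pdf.exe"
Content-Disposition: attachment; filename="UPS_invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--B1--
"""

SAMPLE_INTERNAL = """\
Return-Path: <jane@victim.example>
From: Jane Doe <jane@victim.example>
To: bob@victim.example
Subject: lunch?
Content-Type: text/plain

Noon at the usual place?
"""

# Assumed allow list: wording a brand uses in display names -> domains it actually
# sends from. Build yours from your own mail logs; the entry below is illustrative.
BRAND_DOMAINS = {
    "united parcel service": {"ups.com"},
}
EXEC_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "jar", "hta"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_sender(msg):
    """Display-name brand claims and envelope/header sender mismatches."""
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and from_domain not in domains:
            findings.append(f"display name claims '{brand}' but the address domain is {from_domain}")
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    rp_domain = _domain(return_path)
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")
    return findings


def check_attachments(msg):
    """Executable or double-extension names, and PE content behind any name."""
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        exts = filename.lower().split(".")[1:]
        if exts and exts[-1] in EXEC_EXTENSIONS:
            findings.append(f"attachment {filename} has an executable extension")
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
            findings.append(f"attachment {filename} uses a double extension to pass as a document")
        content = part.get_payload(decode=True) or b""
        if content.startswith(b"MZ"):
            findings.append(f"attachment {filename} starts with the MZ header of a Windows executable")
    return findings


def triage_message(raw):
    """Return all findings for one RFC 5322 message; an empty list means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    return check_sender(msg) + check_attachments(msg)


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("internal", SAMPLE_INTERNAL)):
        print(label, "->", triage_message(raw) or "clean")
```

The content check matters more than the name check: a renamed attachment or one wrapped in a zip still starts with the MZ bytes of a PE file, whereas the double-extension trick only works while the mail client hides the last extension.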