How Attackers Use Social Engineering to Bypass Your Defenses.
Why bother breaking down the door if you can simply ask the person inside to let you in? Social engineering works, both during penetration testing and as part of real-world attacks. This briefing explores how attackers are using social engineering to compromise defenses. It presents specific and concrete examples of how social engineering techniques succeeded at bypassing information security defenses.

These materials are designed to help you improve the relevance of your security awareness training and to adjust your data defenses by revisiting your perspective on the threat landscape.


  1. How attackers use social engineering to bypass your defenses. Lenny Zeltser, Senior Faculty Member, SANS Institute; Product Management Director, NCR Corporation
  2. Social engineers influence victims to perform actions desired by the attacker.
  3. As the result: Outsider == Insider
  4. What social engineering tactics are being used? Let’s look at examples, so we can learn from them.
  5. Alternative Channels
  6. Notices in the “physical” world invited victims to visit a fraudulent website.
  7. (image)
  8. Source: Jerome Segura
  9. Phishing scam directed the target to a phone number.
  10. “Your card has been suspended because we believe it was accessed by a third party. Please press 1 now to be transferred to our security department.” Customers of Liberty Bank of Boulder Creek, CA. Source: BankInfoSecurity
  11. USB keys were used as an infection vector.
  12. Action=Open folder to view files
      Icon=%systemroot%\system32\shell32.dll,4
      Shellexecute=.\RECYCLER\S-5-3-42-28199…
      (Conficker) Source: Internet Storm Center
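The Conficker fragment on slide 12 is an autorun.inf that borrows the wording and folder icon of Windows' own "Open folder to view files" option while launching a file hidden under RECYCLER. The following checker, an added example rather than anything from the slides or from the Internet Storm Center, parses an autorun.inf and flags that deception pattern; the two sample files are constructed, with the SID-like directory name shortened as it is on the slide.

```python
# Constructed sample modeled on the Conficker autorun.inf shown on the slide (the
# SID-like directory name is shortened as on the slide; not a real infected file).
SUSPICIOUS_AUTORUN = """[autorun]
Action=Open folder to view files
Icon=%systemroot%\\system32\\shell32.dll,4
Shellexecute=.\\RECYCLER\\S-5-3-42-28199\\jwgkvsq.vmx,ahaezedrn
"""
# Constructed benign sample: a vendor installer that launches openly.
BENIGN_AUTORUN = """[autorun]
open=setup.exe
icon=setup.exe,0
"""
# Text Windows itself shows for the AutoPlay browse option; an autorun.inf that
# repeats it wants its program launch to look like "just open the folder".
BUILTIN_ACTION_TEXT = "open folder to view files"
LAUNCHABLE = {".exe", ".bat", ".cmd", ".com", ".msi"}  # what an honest launcher points at

def parse_autorun(text):
    """Return the [autorun] section as a dict with lowercase keys (INI-like, loosely written)."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def suspicious_findings(entries):
    """Flag the deception pattern: folder-looking action/icon plus a hidden, odd launch target."""
    findings = []
    if BUILTIN_ACTION_TEXT in entries.get("action", "").lower():
        findings.append("Action copies the built-in 'Open folder to view files' text")
    if "shell32.dll" in entries.get("icon", "").lower():
        findings.append("Icon borrowed from shell32.dll to look like a plain folder")
    target = (entries.get("shellexecute") or entries.get("open") or "").lower()
    tokens = target.split(",")[0].split()  # drop ',entrypoint' and any launcher prefix
    path = tokens[-1] if tokens else ""
    name = path.replace("/", "\\").split("\\")[-1]  # last path component
    if "recycler" in path or "$recycle.bin" in path:
        findings.append("Launch target hidden under a Recycle Bin directory")
    ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
    if path and ext not in LAUNCHABLE:
        findings.append("Launch target has unexpected extension " + (ext or "(none)"))
    return findings
```

Run `suspicious_findings(parse_autorun(open("autorun.inf").read()))` against a removable drive's root; an empty list means none of the four tells were present, not that the file is safe.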
  13. “Real world” procedures were used to place malicious ads on Gawker sites. A similar scam targeted the New York Times and other media sites. See
  14. The ads served PDF exploits to visitors. Image Source: Business Insider
  15. “We want to run a performance campaign for Suzuki across your network. Our budget to start is $25k+. Campaign should be live by the end of the month.” Source: Mediaite
  16. Scammers called home users to help disinfect their PCs. They pretended to find malware and clean it up; requested payment and other details.
  17. “i got a call off a onlinepcdoctors.com and they said my pc was running slower because of malcious [sic] files. i let them take remote access of my computer…” Source:
  18. Source: Symantec
  19. ZeuS on a Windows PC asked victims to install a security program on their Android phones.
  20. Source: Kaspersky
  21. Personally-Relevant Messaging
  22. Malware spread by localizing its message (Waledac). See
  23. Geolocation was similarly used in a work-from-home scam. See
  24. Malware spoofed email from trusted senders.
  25. “Unfortunately we were not able to deliver the postal package … Please print out the invoice copy attached and collect the package at our department. United Parcel Service of America.” Source: Webroot
  26. Malicious messages matched the content the victim was used to receiving. The attachments targeted client-side vulnerabilities.
  27. Source: Contagio
  28. Source: Brian Krebs
  29. Attackers provided customer service to appear legitimate. Image Source: Symantec
  30. Fraudsters used Facebook chat for the “stuck in London” scam. Source: Jason Cupp
  31. Profile Spy claimed to track who viewed victims’ Facebook profiles.
  32. Social Compliance
  33. Malware spoofed product review sites to legitimize a fake anti-virus tool.
  34. Source: Bleeping Computer
  35. Social networks have been used to spread malware (Koobface).
  36. Source: Nick FitzGerald
  37. Malware dared victims to click the link to get them hooked. Then asked to copy and paste JavaScript to spread on Facebook.
  38. Source: AVG
  39. Malware manipulated download counters to appear popular (Nugache). Source: Dave Dittrich
  40. This is a sample screenshot. It’s not representative of the sites actually manipulated by Nugache.
  41. Money-mule recruiting sites looked like sites of many other legitimate companies.
  42. A scam emphasized the popularity of the “work from home” kit. See
  43. Reliance on Security Mechanisms
  44. Similar to the fake counterfeit-money-testing pen con.
  45. “Security update” messages in several forms convinced users to download and install software.
  46. Fake anti-virus tools confused the user about the need for security.
  47. Victims sometimes even got to choose their preferred rogue anti-virus product.
  48. Source: Sunbelt Software
  49. Malicious files were hosted behind a CAPTCHA screen. See
  50. Scammers associated their “products” with trusted brands.
  51. Attackers signed malware with certificates. Some certs were stolen with malware. Some were obtained through identity theft. See
  52. Source: Websense
  53. Malicious websites presented a security warning to the users, asking to download an update.
  54. See
  55. So What?
  56. Social engineering works. It seems to tap into psychological factors that are part of human nature.
  57. Discuss recent social engineering approaches with employees, partners and customers.
  58. Alternative Channels; Personally-Relevant Messaging; Social Compliance; Reliance on Security Mechanisms
  59. Assume some social engineering will work anyway.
  60. Focus on… internal segmentation, least privilege, need-to-know and monitoring.
  61. Lenny
  62. About The Author: Lenny Zeltser is a seasoned IT professional with a strong background in information security and business management. As a director at NCR Corporation, he focuses on safeguarding IT environments of small and midsize businesses worldwide. Before NCR, he led an enterprise security consulting team at a major IT hosting provider. Lenny's most recent work has focused on malware defenses and cloud-based services. He teaches how to analyze and combat malware at the SANS Institute, where he is a senior faculty member. He also participates as a member of the board of directors at the SANS Technology Institute and volunteers as an incident handler at the Internet Storm Center. Lenny frequently speaks on security and related business topics at conferences and industry events, writes articles, and has co-authored books on forensics, network security, and malicious software. He is one of the few individuals in the world who have earned the highly-regarded GIAC Security Expert (GSE) designation. Lenny has an MBA degree from MIT Sloan and a computer science degree from the University of Pennsylvania.