How Attackers Use Social Engineering to Bypass Your Defenses.

Why bother breaking down the door if you can simply ask the person inside to let you in? Social engineering works, both during penetration testing and as part of real-world attacks. This briefing explores how attackers are using social engineering to compromise defenses. It presents specific and concrete examples of how social engineering techniques succeeded at bypassing information security defenses.


These materials are designed to help you improve the relevance of your security awareness training and to adjust your data defenses by revisiting your perspective of the threat landscape.

To download the PDF version of these slides, please visit http://zeltser.com/presentations

  1. How attackers use social engineering to bypass your defenses. Lenny Zeltser, Senior Faculty Member, SANS Institute; Product Management Director, NCR Corporation
  2. Social engineers influence victims to perform actions desired by the attacker.
  3. As the result: Outsider == Insider
  4. What social engineering tactics are being used? Let’s look at examples, so we can learn from them.
  5. Alternative Channels
  6. Notices in the “physical” world invited victims to visit a fraudulent website.
  7. http://j.mp/oRn3
  8. Source: Jerome Segura http://j.mp/IQjPhM
  9. Phishing scam directed the target to a phone number.
  10. “Your card has been suspended because we believe it was accessed by a third party. Please press 1 now to be transferred to our security department.” Customers of Liberty Bank of Boulder Creek, CA. Source: BankInfoSecurity http://j.mp/3Gj0AA
  11. USB keys were used as an infection vector.
  12. (Conficker) Source: Internet Storm Center http://j.mp/HGTgRX
      Action=Open folder to view files
      Icon=%systemroot%\system32\shell32.dll,4
      Shellexecute=.\RECYCLER\S-5-3-42-28199…
  13. “Real world” procedures were used to place malicious ads on Gawker sites. A similar scam targeted the New York Times and other media sites. See http://j.mp/IjqYWJ
  14. The ads served PDF exploits to visitors. Image Source: Business Insider http://j.mp/IwnntL
  15. “We want to run a performance campaign for Suzuki across your network. Our budget to start is $25k+. Campaign should be live by the end of the month.” Source: Mediaite http://j.mp/HJO77c
  16. Scammers called home users to help disinfect their PCs. They pretended to find malware and clean it up; requested payment and other details.
  17. “i got a call off a onlinepcdoctors.com and they said my pc was running slower because of malcious [sic] files. i let them take remote access of my computer…” Source: http://j.mp/HEWIeY
  18. Source: Symantec http://j.mp/jSjWBD
  19. ZeuS on a Windows PC asked victims to install a security program on their Android phones.
  20. Source: Kaspersky http://j.mp/pN6p60
  21. Personally-Relevant Messaging
  22. Malware spread by localizing its message (Waledac). See http://j.mp/IG10kH
  23. Geolocation was similarly used in a work-from-home scam. See http://j.mp/HGVHU9
  24. Malware spoofed email from trusted senders.
  25. “Unfortunately we were not able to deliver the postal package … Please print out the invoice copy attached and collect the package at our department. United Parcel Service of America.” Source: Webroot http://j.mp/HHuYVB
  26. Malicious messages matched the content the victim was used to receiving. The attachments targeted client-side vulnerabilities.
  27. Source: Contagio
  28. Source: Brian Krebs http://j.mp/Iagn3r
  29. Attackers provided customer service to appear legitimate. Image Source: Symantec http://j.mp/HJOwGU
  30. Fraudsters used Facebook chat for the “stuck in London” scam. Source: Jason Cupp http://j.mp/k9JFf9
  31. Profile Spy claimed to track who viewed victims’ Facebook profiles.
  32. Social Compliance
  33. Malware spoofed product review sites to legitimize a fake anti-virus tool.
  34. Source: Bleeping Computer
  35. Social networks have been used to spread malware (Koobface).
  36. Source: Nick FitzGerald http://j.mp/HEsg4l
  37. Malware dared victims to click the link to get them hooked. Then asked to copy and paste JavaScript to spread on Facebook.
  38. Source: AVG http://j.mp/pQDv9G
  39. Malware manipulated download counters to appear popular (Nugache). Source: Dave Dittrich http://j.mp/ITKJs7
  40. This is a sample screenshot. It’s not representative of the sites actually manipulated by Nugache.
  41. Money-mule recruiting sites looked like sites of many other legitimate companies.
  42. A scam emphasized the popularity of the “work from home” kit. See http://j.mp/HGVHU9
  43. Reliance on Security Mechanisms
  44. Similar to the fake counterfeit money-testing pen con.
  45. “Security update” messages in several forms convinced users to download and install software.
  46. Fake anti-virus tools confused the user about the need for security.
  47. Victims sometimes even got to choose their preferred rogue anti-virus product.
  48. Source: Sunbelt Software http://j.mp/IG29Jh
  49. Malicious files were hosted behind a CAPTCHA screen. See http://j.mp/HGWfJF
  50. Scammers associated their “products” with trusted brands.
  51. Attackers signed malware with certificates. Some certs were stolen with malware. Some were obtained through identity theft. See http://j.mp/9HbPLC
  52. Source: Websense http://j.mp/ICjrsS
  53. Malicious websites presented a security warning to the users, asking to download an update.
  54. See http://j.mp/ITLj9g
  55. So What?
  56. Social engineering works. It seems to tap into psychological factors that are part of the human nature.
  57. Discuss recent social engineering approaches with employees, partners and customers.
  58. Alternative Channels; Personally-Relevant Messaging; Social Compliance; Reliance on Security Mechanisms
  59. Assume some social engineering will work anyway.
  60. Focus on… internal segmentation, least privilege, need-to-know and monitoring.
  61. Lenny Zeltser, blog.zeltser.com, twitter.com/lennyzeltser
  62. About The Author: Lenny Zeltser is a seasoned IT professional with a strong background in information security and business management. As a director at NCR Corporation, he focuses on safeguarding IT environments of small and midsize businesses worldwide. Before NCR, he led an enterprise security consulting team at a major IT hosting provider. Lenny’s most recent work has focused on malware defenses and cloud-based services. He teaches how to analyze and combat malware at the SANS Institute, where he is a senior faculty member. He also participates as a member of the board of directors at the SANS Technology Institute and volunteers as an incident handler at the Internet Storm Center. Lenny frequently speaks on security and related business topics at conferences and industry events, writes articles, and has co-authored books on forensics, network security, and malicious software. He is one of the few individuals in the world who have earned the highly-regarded GIAC Security Expert (GSE) designation. Lenny has an MBA degree from MIT Sloan and a computer science degree from the University of Pennsylvania.
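Slide 12 quotes the autorun.inf that Conficker dropped on USB keys: its Action label copies the text Windows itself shows for a removable drive, its icon is borrowed from shell32.dll, and the launched file sits in a RECYCLER folder, so the user believes the highlighted AutoPlay entry is the stock "open folder" choice. The following added example, which is not part of the original deck and not Lenny Zeltser's code, is a small tolerant parser plus heuristic screen that flags exactly those impersonation cues so an analyst can triage autorun.inf files collected from removable media. The two sample files inside it are constructed; the SID-like folder name and the file name are placeholders, not the real Conficker values.

```python
"""Heuristic screen for autorun.inf files that impersonate Windows' own
"Open folder to view files" AutoPlay entry, the trick quoted on the Conficker
slide. Added example, not part of the original deck; the sample files below
are constructed, with a placeholder SID-like folder name and a placeholder
file name in place of the real ones."""
import os
import re

# Labels that Windows itself shows in the AutoPlay dialog. An autorun.inf
# that reuses one wants its own entry mistaken for the stock one.
SPOOFED_ACTIONS = {
    "open folder to view files",
    "open folder to view files using windows explorer",
}

# Hidden or system-looking folders on removable media where a launched file
# is unlikely to be noticed by the user.
HIDDEN_DIRS = re.compile(
    r"[\\/](recycler|recycled|\$recycle\.bin|system volume information)[\\/]",
    re.IGNORECASE,
)
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr"}

# Constructed sample modeled on the slide's snippet (SID and file name are placeholders).
SAMPLE_MALICIOUS = r"""
[autorun]
Action=Open folder to view files
Icon=%systemroot%\system32\shell32.dll,4
Shellexecute=.\RECYCLER\S-5-3-42-0000000000-0000000000-000000000-0000\payload.vmx,RunMe
UseAutoPlay=1
"""

# Constructed sample of an ordinary vendor driver disc.
SAMPLE_BENIGN = r"""
[autorun]
open=setup.exe
icon=setup.exe,0
label=Vendor Driver Disc
"""


def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys.

    Deliberately tolerant: malware often pads autorun.inf with junk lines
    that a strict INI parser rejects, so unparseable lines are skipped.
    """
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def assess_autorun(text):
    """Return a list of findings; an empty list means nothing looked spoofed."""
    entries = parse_autorun(text)
    findings = []

    if entries.get("action", "").lower() in SPOOFED_ACTIONS:
        findings.append("Action label copies Windows' own 'Open folder' AutoPlay text")

    if "shell32.dll" in entries.get("icon", "").lower():
        findings.append("Icon borrowed from shell32.dll so the entry shows a stock system icon")

    # Either key launches something when the user picks the entry; the value
    # is "path[,argument]", so keep only the path part.
    launch = entries.get("shellexecute") or entries.get("open") or ""
    if launch:
        path = launch.split(",", 1)[0].strip().strip('"')
        if HIDDEN_DIRS.search(path):
            findings.append(f"Launch target sits in a hidden/system-looking folder: {path}")
        name = re.split(r"[\\/]", path)[-1]
        if os.path.splitext(name)[1].lower() not in EXECUTABLE_EXTS:
            findings.append(f"Launch target has a non-executable-looking extension: {name}")

    return findings


if __name__ == "__main__":
    for label, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(f"{label}: {assess_autorun(sample) or ['no findings']}")
```

The checks are cues, not proof: a legitimate disc can use shell32.dll icons, and the constructed malicious sample trips all four only because it combines them. The point the slide makes is that no single field is malicious on its own; it is the combination that turns the AutoPlay dialog into a social engineering prompt, which is why the function reports every matching cue rather than stopping at the first.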
