How Attackers Use Social Engineering to Bypass Your Defenses.


Why bother breaking down the door if you can simply ask the person inside to let you in? Social engineering works, both during penetration testing and as part of real-world attacks. This briefing explores how attackers are using social engineering to compromise defenses. It presents specific and concrete examples of how social engineering techniques succeeded at bypassing information security defenses.

These materials are designed to help you improve the relevance of your security awareness training and to adjust your data defenses by revisiting your perspective of the threat landscape.

Published in: Education, Technology

  • 1. How attackers use social engineering to bypass your defenses. Lenny Zeltser, Senior Faculty Member, SANS Institute; Product Management Director, NCR Corporation
  • 2. Social engineers influence victims to perform actions desired by the attacker.
  • 3. As a result: Outsider == Insider
  • 4. What social engineering tactics are being used? Let’s look at examples, so we can learn from them.
  • 5. Alternative Channels
  • 6. Notices in the “physical” world invited victims to visit a fraudulent website.
  • 8. Source: Jerome Segura
  • 9. Phishing scam directed the target to a phone number.
  • 10. “Your card has been suspended because we believe it was accessed by a third party. Please press 1 now to be transferred to our security department.” Customers of Liberty Bank of Boulder Creek, CA. Source: BankInfoSecurity
  • 11. USB keys were used as an infection vector.
  • 12. The worm’s autorun.inf: Action=Open folder to view files; Icon=%systemroot%\system32\shell32.dll,4; Shellexecute=.\RECYCLER\S-5-3-42-28199… (Conficker) Source: Internet Storm Center
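Slide 12 shows why the Conficker autorun.inf worked: its Action text and folder icon made the malicious AutoPlay entry look exactly like Windows’ own “Open folder to view files” choice, while Shellexecute quietly pointed into RECYCLER. The following checker is an added example, not code from the slides or from the Internet Storm Center diary. It parses an autorun.inf and flags that disguise. Both sample files are constructed, and the RECYCLER target path is a made-up placeholder rather than the real Conficker path.

```python
"""Heuristic scan of an autorun.inf for the disguise shown on slide 12.

Added example, not from the slides or the Internet Storm Center. The sample
files at the bottom are constructed, and the RECYCLER target path is a
made-up placeholder rather than the real Conficker path.
"""
import re

# The text Windows' own AutoPlay dialog used for a plain folder. An
# autorun.inf that copies it makes the malicious entry indistinguishable.
DEFAULT_ACTION = "open folder to view files"
# shell32.dll icon index 4 is the stock folder icon.
STOCK_FOLDER_ICON = re.compile(r"shell32\.dll\s*,\s*4$", re.IGNORECASE)
# Folders users never browse and Explorer hides by default.
HIDDEN_TARGET = re.compile(
    r"(recycler|recycled|\$recycle\.bin|system volume information)",
    re.IGNORECASE,
)


def parse_autorun(raw: bytes) -> dict:
    """Return the key=value pairs of the [autorun] section, keys lowercased.

    Hand-parsed rather than via configparser so that binary padding or junk
    lines around the real directives do not abort the scan.
    """
    text = raw.decode("latin-1")  # never raises; junk bytes stay junk
    section = None
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip()
    return keys


def assess(raw: bytes) -> list:
    """Return a list of human-readable findings; empty means nothing odd."""
    keys = parse_autorun(raw)
    findings = []
    # Either key makes Windows run something when the drive is inserted.
    launch = keys.get("shellexecute") or keys.get("open")
    if launch:
        findings.append("runs a program on insertion: " + launch)
        if HIDDEN_TARGET.search(launch):
            findings.append("launch target sits in a hidden system folder: " + launch)
    if keys.get("action", "").lower() == DEFAULT_ACTION:
        findings.append("action text copies Windows' own 'Open folder to view files'")
    if STOCK_FOLDER_ICON.search(keys.get("icon", "")):
        findings.append("icon is the stock folder icon (shell32.dll,4)")
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in raw)
    if raw and printable / len(raw) < 0.9:
        findings.append("file is padded with non-printable bytes")
    return findings


# Constructed samples. BENIGN is what a driver CD might ship; DISGUISED
# mirrors the slide-12 layout with a placeholder path under RECYCLER.
BENIGN = b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe\r\nlabel=Driver CD\r\n"
DISGUISED = (
    b"[autorun]\r\n"
    b"Action=Open folder to view files\r\n"
    b"Icon=%systemroot%\\system32\\shell32.dll,4\r\n"
    b"Shellexecute=.\\RECYCLER\\S-1-5-21-111-222-333-1000\\update.dll,run\r\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("disguised", DISGUISED)):
        print(name)
        for finding in assess(sample):
            print("  -", finding)
```

The benign driver CD is still reported as auto-launching a program, which is accurate; what separates the worm is the combination of a launch directive, the copied default action text, the stock folder icon and a target hidden in RECYCLER. The scan is a triage aid only: disabling AutoRun for removable media removes the whole vector.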
  • 13. “Real world” procedures were used to place malicious ads on Gawker sites. A similar scam targeted the New York Times and other media sites. See
  • 14. The ads served PDF exploits to visitors. Image source: Business Insider
  • 15. “We want to run a performance campaign for Suzuki across your network. Our budget to start is $25k+. Campaign should be live by the end of the month.” Source: Mediaite
  • 16. Scammers called home users to help disinfect their PCs. They pretended to find malware and clean it up; requested payment and other details.
  • 17. “i got a call off a onlinepcdoctors.com and they said my pc was running slower because of malcious [sic] files. i let them take remote access of my computer…” Source:
  • 18. Source: Symantec
  • 19. ZeuS on a Windows PC asked victims to install a security program on their Android phones.
  • 20. Source: Kaspersky
  • 21. Personally-Relevant Messaging
  • 22. Malware spread by localizing its message (Waledac). See
  • 23. Geolocation was similarly used in a work-from-home scam. See
  • 24. Malware spoofed email from trusted senders.
  • 25. “Unfortunately we were not able to deliver the postal package … Please print out the invoice copy attached and collect the package at our department. United Parcel Service of America.” Source: Webroot
  • 26. Malicious messages matched the content the victim was used to receiving. The attachments targeted client-side vulnerabilities.
  • 27. Source: Contagio
  • 28. Source: Brian Krebs
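Slides 24 to 26 describe mail that spoofs a trusted sender and carries an attachment aimed at a client-side vulnerability. As an added example that is not part of the slides, the Python below parses a constructed message in the style of the UPS lure on slide 25 and applies two simple checks: does the visible From address agree with the envelope Return-Path and with the brand it claims, and does the attachment name look like a disguised executable. The brand-to-domain table, the addresses, the domains and the attachment name are assumptions made up for the example.

```python
"""Header and attachment checks for the spoofed-sender mail on slides 24-26.

Added example, not from the slides. The messages below are constructed; the
brand table, addresses, domains and attachment names are placeholders.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Brands the lures impersonate, mapped to the domains those brands really
# send from. Assumption for the example: maintain your own table.
BRAND_DOMAINS = {
    "ups": {"ups.com"},
    "paypal": {"paypal.com"},
}
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
DOC_SUFFIXES = ("pdf", "doc", "xls", "jpg", "txt")


def parse_mail(raw: str):
    return message_from_string(raw, policy=policy.default)


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def header_findings(msg) -> list:
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    _, rp = parseaddr(msg.get("Return-Path", ""))
    rp_dom = domain_of(rp)
    # The display name and From domain are what the victim sees; Return-Path
    # is where bounces go and is harder to dress up.
    if rp_dom and rp_dom != from_dom:
        findings.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")
    claim = f"{name} {from_dom}".lower()
    for brand, real_domains in BRAND_DOMAINS.items():
        if re.search(rf"\b{brand}\b", claim) and from_dom not in real_domains:
            findings.append(f"claims to be {brand} but sends from {from_dom}")
    return findings


def attachment_findings(msg) -> list:
    findings = []
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(EXEC_SUFFIXES):
            findings.append(f"executable attachment: {fname}")
        stem, _, _ = fname.rpartition(".")
        # invoice.pdf.exe: a document extension placed before the real one.
        if "." in stem and stem.rpartition(".")[2] in DOC_SUFFIXES:
            findings.append(f"double extension: {fname}")
    return findings


def assess(raw: str) -> list:
    msg = parse_mail(raw)
    return header_findings(msg) + attachment_findings(msg)


# Constructed message in the style of the slide-25 lure. The boundary, the
# addresses and the attachment are invented; the base64 is a fake MZ stub.
LURE = """\
Return-Path: <bounce@mail-relay.example>
From: "United Parcel Service" <notice@ups-tracking.example>
To: victim@corp.example
Subject: Delivery problem
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Unfortunately we were not able to deliver the postal package.
Please print out the invoice copy attached and collect the package
at our department.

--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Constructed benign counterpart: same brand, genuine domain, no attachment.
GENUINE = """\
Return-Path: <noreply@ups.com>
From: "UPS" <noreply@ups.com>
To: victim@corp.example
Subject: Your shipment
Content-Type: text/plain

Your package is on its way.
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("genuine", GENUINE)):
        print(label, assess(raw))
```

Two caveats. A Return-Path that differs from the From domain is only a hint, since legitimate mailing services often use their own bounce domains; the authoritative sender checks are SPF, DKIM and DMARC results recorded by the receiving gateway. And the attachment check catches disguised executables, not the booby-trapped PDF or Office document the slides mention, which needs content inspection or sandboxing rather than a name test.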
  • 29. Attackers provided customer service to appear legitimate. Image source: Symantec
  • 30. Fraudsters used Facebook chat for the “stuck in London” scam. Source: Jason Cupp
  • 31. Profile Spy claimed to track who viewed victims’ Facebook profiles.
  • 32. Social Compliance
  • 33. Malware spoofed product review sites to legitimize a fake anti-virus tool.
  • 34. Source: Bleeping Computer
  • 35. Social networks have been used to spread malware (Koobface).
  • 36. Source: Nick FitzGerald
  • 37. Malware dared victims to click the link to get them hooked. Then it asked them to copy and paste JavaScript to spread on Facebook.
  • 38. Source: AVG
  • 39. Malware manipulated download counters to appear popular (Nugache). Source: Dave Dittrich
  • 40. This is a sample screenshot. It’s not representative of the sites actually manipulated by Nugache.
  • 41. Money-mule recruiting sites looked like sites of many other legitimate companies.
  • 42. A scam emphasized the popularity of the “work from home” kit. See
  • 43. Reliance on Security Mechanisms
  • 44. Similar to the fake counterfeit-money-testing pen con.
  • 45. “Security update” messages in several forms convinced users to download and install software.
  • 46. Fake anti-virus tools confused the user about the need for security.
  • 47. Victims sometimes even got to choose their preferred rogue anti-virus product.
  • 48. Source: Sunbelt Software
  • 49. Malicious files were hosted behind a CAPTCHA screen. See
  • 50. Scammers associated their “products” with trusted brands.
  • 51. Attackers signed malware with certificates. Some certs were stolen with malware. Some were obtained through identity theft. See
  • 52. Source: Websense
  • 53. Malicious websites presented a security warning to the users, asking them to download an update.
  • 54. See
  • 55. So What?
  • 56. Social engineering works. It seems to tap into psychological factors that are part of human nature.
  • 57. Discuss recent social engineering approaches with employees, partners and customers.
  • 58. Alternative Channels; Personally-Relevant Messaging; Social Compliance; Reliance on Security Mechanisms
  • 59. Assume some social engineering will work anyway.
  • 60. Focus on… internal segmentation, least privilege, need-to-know and monitoring.
  • 61. Lenny
  • 62. About the author: Lenny Zeltser is a seasoned IT professional with a strong background in information security and business management. As a director at NCR Corporation, he focuses on safeguarding IT environments of small and midsize businesses worldwide. Before NCR, he led an enterprise security consulting team at a major IT hosting provider. Lenny’s most recent work has focused on malware defenses and cloud-based services. He teaches how to analyze and combat malware at the SANS Institute, where he is a senior faculty member. He also participates as a member of the board of directors at the SANS Technology Institute and volunteers as an incident handler at the Internet Storm Center. Lenny frequently speaks on security and related business topics at conferences and industry events, writes articles, and has co-authored books on forensics, network security, and malicious software. He is one of the few individuals in the world who have earned the highly regarded GIAC Security Expert (GSE) designation. Lenny has an MBA degree from MIT Sloan and a computer science degree from the University of Pennsylvania.