Social Engineering Trickx - Owasp Doha 2015
The talk I gave on social engineering at the OWASP chapter in Doha, Qatar. It covers a few of the same points I talked about at the HelpAG Spotlight event.
1. Social Engineering Trickx
   Michael Hendrickx, Doha, Qatar, 23 Nov 2015

2. $ whoami
   • Michael Hendrickx
     – Security Analyst at HelpAG
     – Working in infosec for the past decade
     – mhendrickx@owasp.org
     – Belgian

3. Social Engineering
   • You have a firewall, good for you.
     – Let's target the users, not the systems
   • Human beings are helpful by nature
   • Defined as: "Any act that influences a person to take an action that may or may not be in their best interest"
   Find people → Find info → Get access

4. Finding people
   • Two ways of finding people:
     – Phishing (casting a net)
       • Quantity over quality
       • Very noisy
     – Spear phishing (targeted)
       • Quality over quantity
       • Takes more time, more effort
5-10. Finding people: phishing
   • People haven't changed much

11. Finding people: phishing
   • People haven't changed much
   • Recent "Rombertik" malware:
     – State-of-the-art malware (evil, though)
     – 97% of the code is never called
     – Sandbox confusion
     – Browser snooping
     – MBR destruction upon debugger detection
     – Lame, ineffective distribution
12. Finding people: phishing
   • Phishing is not always the best option
     – Very noisy
     – ISP / hosting company may block you
     – Too many recipients: somebody is bound to report it
   • Spear phishing is a better option

13. Finding people: spear phishing
   • Email from somebody who "knows you"
     – You probably know them too
   • Somebody who took the time to research you
   • Interested in you, or rather:
     – What you know
     – Who you know
     – What you have access to
14. Finding people
   • Target a domain, find its users:
     – Maltego, theHarvester, Metasploit, recon-ng
   • Emails are probably: firstname.lastname@helpag.com

15-16. Finding people
   • Emails are firstname.lastname@helpag.com. Let's look for more names:
     stephan.berner@helpag.com?
     angelika.plate@helpag.com?
     alexandra.pisetskaya@helpag.com?
     nadia.zamouri@helpag.com?
     aashish.sharma@helpag.com?
     prashant.jani@helpag.com?
     …
   • Let's dig just a bit further…
     https://ae.linkedin.com/in/nsolling
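The address-guessing step above, as an added example (my code, not the speaker's or any of the listed tools'): infer the company's naming convention from one or two addresses you already know, then apply it to names harvested from LinkedIn or similar. The PATTERNS table and its labels are my assumptions; the names and the helpag.com domain are the ones that appear on the slides.

```python
"""Infer an e-mail naming convention from known addresses and apply it to
harvested names. Added example for the 'Finding people' slides."""
import re

# Assumed conventions seen in practice; extend as needed.
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "last.first": lambda f, l: f"{l}.{f}",
    "first": lambda f, l: f,
}


def normalize(name):
    """Lower-case 'First Last', drop non-letters, return (first, last)."""
    parts = re.sub(r"[^a-z ]", "", name.lower()).split()
    return parts[0], parts[-1]


def infer_pattern(known):
    """known: iterable of (full_name, email) pairs you are sure about.
    Returns (pattern_label, domain) for the convention that explains the
    most samples, or None if no pattern fits or domains are mixed."""
    scores, domains = {}, set()
    for name, email in known:
        local, _, domain = email.lower().partition("@")
        domains.add(domain)
        f, l = normalize(name)
        for label, fmt in PATTERNS.items():
            if fmt(f, l) == local:
                scores[label] = scores.get(label, 0) + 1
    if not scores or len(domains) != 1:
        return None
    return max(scores, key=scores.get), domains.pop()


def generate(names, pattern, domain):
    """Apply the inferred convention to a list of harvested full names."""
    fmt = PATTERNS[pattern]
    return [f"{fmt(*normalize(n))}@{domain}" for n in names]


if __name__ == "__main__":
    # Address from slide 28; names from slides 15-17.
    label, domain = infer_pattern([("Michael Hendrickx", "michael.hendrickx@helpag.com")])
    for addr in generate(["Nicolai Solling", "Stephan Berner"], label, domain):
        print(addr)
```

Candidates are guesses until confirmed (a bounce, an out-of-office reply, an SMTP RCPT probe), which is exactly the noise the next slide warns about.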
17. Study the target: Nicolai Solling

18. Study the target: Nicolai Solling
   • We know Nicolai's writing style

19. More target studying
   • Examine digital footprint

20-21. More target studying
   • Examine digital footprint. Nicolai's digital footprint:
     – Full name
     – Address
     – Interests: Porsche 911, PADI diver, Line6 guitar POD, Mercedes GL550, Trivial Pursuit
22. So far, what do we know?
   • Nicolai's contact details
     – Email address
   • Who he knows / might know
     – His social network
     – School, hobby groups, …
   • What he likes
     – His interests
   • How he writes

23. And what can we do?
   • Target Nicolai:
     – "Hi, we met at the Porsche club, ManAge spa…"
     – "Your 2013 Mercedes GL550 service is due, …"
   • Or, pretend to be Nicolai
     – Target his contacts / colleagues (firstname.lastname@helpag.com)
     – We know his writing style
     – Exploit their trust

24. How can we do it?
   • Need to trick the target into "believing us"
   • Let technology help us
   • Abuse a 33-year-old protocol (SMTP, RFC 821, 1982):
     – Domain squatting
     – Fake email threads
     – Fake CC
25. Domain Squatting
   • Using a "similar" domain for bad purposes
     – Homoglyphs, repetition, transposition, …
     – Use dnstwist
   • Examples for helpag.com:
     Original        helpag.com
     …
     Homoglyph       heipag.com
     Homoglyph       he1pag.com
     Homoglyph       helpaq.com
     …
     Transposition   heplag.com
     …
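An added example (my code, not dnstwist's) of the permutation engine behind the table above, plus the check a mail gateway or SOC rule would run with it: if the sender domain of an inbound message is one of our own domain's look-alikes, flag it. The HOMOGLYPHS table is a small assumed subset of the confusables dnstwist knows about; the domain is the one from the slide.

```python
"""Look-alike domain generation (homoglyph, repetition, transposition,
omission) and a defensive membership check. Added example."""

# Assumed subset of visually confusable ASCII substitutions.
# Domains are case-insensitive, so only lower-case forms are listed.
HOMOGLYPHS = {
    "l": ["i", "1"],
    "i": ["l", "1"],
    "o": ["0"],
    "g": ["q", "9"],
    "q": ["g"],
    "a": ["e"],
    "e": ["a"],
    "m": ["rn", "nn"],
    "rn": ["m"],
    "w": ["vv"],
    "vv": ["w"],
}


def permutations(domain):
    """Return {candidate_domain: technique} for a name like 'helpag.com'."""
    domain = domain.lower()
    name, _, tld = domain.partition(".")
    out = {}

    def add(candidate, technique):
        full = f"{candidate}.{tld}"
        if full != domain and full not in out:   # first technique wins
            out[full] = technique

    # Homoglyph: replace one character (or digraph) with a look-alike.
    for i in range(len(name)):
        for src, replacements in HOMOGLYPHS.items():
            if name.startswith(src, i):
                for rep in replacements:
                    add(name[:i] + rep + name[i + len(src):], "homoglyph")
    # Repetition: double one character (helpag -> hellpag).
    for i in range(len(name)):
        add(name[:i] + name[i] + name[i:], "repetition")
    # Transposition: swap two adjacent characters (helpag -> heplag).
    for i in range(len(name) - 1):
        if name[i] != name[i + 1]:
            add(name[:i] + name[i + 1] + name[i] + name[i + 2:], "transposition")
    # Omission: drop one character (helpag -> hepag).
    for i in range(len(name)):
        add(name[:i] + name[i + 1:], "omission")
    return out


def lookalike_of(sender_domain, protected_domain):
    """Defensive check: the technique name if sender_domain is a generated
    look-alike of protected_domain, else None."""
    return permutations(protected_domain).get(sender_domain.lower())


if __name__ == "__main__":
    for cand, how in sorted(permutations("helpag.com").items()):
        print(f"{how:14} {cand}")
```

On the offensive side the same list is what you register and MX-enable; on the defensive side it is what you register first yourself, and what you match inbound From and Reply-To domains against (dnstwist can also resolve each candidate to see which ones somebody else already owns).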
26. Increase credibility
   • Make your email look as legit as possible
   • Email footer?
     – Annoy somebody until they email you back, and copy theirs

27. Fake Email Threads
   • SMTP just sends text to a program.
     – "Email threads" have no real connection: the quoted earlier messages are plain text typed by the sender, and the In-Reply-To / References headers a client uses to group a thread are set by the sender as well.
     – Unless we have the entire thread, digitally signed, we can't trust it at all.
     – Modern equivalent of saying: "Can I go, Dad? Mom said I could go."
28-29. Fake CC
   • CC doesn't really exist as far as SMTP is concerned
   • It's just a message header (RFC 5322), passed through by the server as text like everything else after DATA

   This part is for the SMTP server (the envelope):
     HELO blah
     MAIL FROM:<admin@flurk.org>
     RCPT TO:<michael.hendrickx@helpag.com>
     DATA

   This part is for the email client (headers and body, sent inside DATA, terminated by a line containing a single "."):
     From: Michael Hendrickx <michael@flurk.org>
     Content-Type: text/plain
     Subject: Very important email
     Cc: khaled hawasli <khaled.hawasli@helpag.com>, barack.obama@whitehouse.gov
     To: michael.hendrickx@helpag.com

     Hey guys,
     As per our conversation, please install the security update located at http://evil.com/patch.exe
     Well, in fact, this is an email that Khaled and Obama will never get - but you can never find that out!
     Thank you,
     Security Admin
     .
30. Fake CC
   • To, Cc and Bcc are all the same thing to SMTP: the server never reads them
   • The server delivers one copy to each RCPT TO address and nothing else, whatever the headers claim (a well-behaved client strips Bcc from the headers before sending, which is the only reason Bcc "works")
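The envelope/header split from slides 27 to 30 in code, as an added example that is not part of the talk: build the client side of the SMTP session for the message on the Fake CC slide, then parse the DATA section back the way the victim's mail client does. The envelope recipients (RCPT TO) and the displayed To/Cc headers come from two unrelated inputs, and the In-Reply-To value, which makes a client file the mail into an existing thread, is an arbitrary string I chose. Nothing is sent over the network; the addresses are the slide's own.

```python
"""SMTP envelope versus message headers. Added example; nothing is sent."""
from email import message_from_string
from email.utils import getaddresses

CRLF = "\r\n"


def build_session(mail_from, rcpt_to, headers, body):
    """Return the client side of an SMTP session as a list of lines.
    rcpt_to (envelope) and headers['To'] / headers['Cc'] (content) are
    independent: the server only acts on the former."""
    lines = ["EHLO client.example", f"MAIL FROM:<{mail_from}>"]
    lines += [f"RCPT TO:<{addr}>" for addr in rcpt_to]     # decides delivery
    lines.append("DATA")
    lines += [f"{k}: {v}" for k, v in headers.items()]    # opaque text to the server
    lines.append("")                                      # blank line ends the header section
    for ln in body.splitlines():
        # Dot-stuffing (RFC 5321 4.5.2): a body line starting with "." gets
        # an extra "." so it is not mistaken for the end-of-data marker.
        lines.append("." + ln if ln.startswith(".") else ln)
    lines += [".", "QUIT"]
    return lines


def data_section(lines):
    """Extract the raw message (headers + body) between DATA and the lone '.'."""
    start = lines.index("DATA") + 1
    end = lines.index(".", start)
    return CRLF.join(lines[start:end]) + CRLF


def displayed_recipients(raw):
    """What the recipient's mail client shows as To/Cc: purely header content."""
    msg = message_from_string(raw)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr for _, addr in pairs]


def actual_recipients(lines):
    """Who the server actually delivers to: the RCPT TO commands only."""
    return [ln[len("RCPT TO:<"):-1] for ln in lines if ln.startswith("RCPT TO:<")]


# Headers from the slide; the In-Reply-To value is an assumed, made-up id.
HEADERS = {
    "From": "Michael Hendrickx <michael@flurk.org>",
    "To": "michael.hendrickx@helpag.com",
    "Cc": "khaled hawasli <khaled.hawasli@helpag.com>, barack.obama@whitehouse.gov",
    "In-Reply-To": "<fabricated-thread-id@helpag.com>",   # fake thread: any value works
    "Subject": "Very important email",
    "Content-Type": "text/plain",
}
SESSION = build_session(
    "admin@flurk.org",
    ["michael.hendrickx@helpag.com"],          # the only real recipient
    HEADERS,
    "Hey guys,\nAs per our conversation, please install the security update.",
)

if __name__ == "__main__":
    print("envelope :", actual_recipients(SESSION))
    print("displayed:", displayed_recipients(data_section(SESSION)))
```

The receiving server records only the envelope (in Received/Delivered-To headers it adds itself), so the victim's client has nothing to compare the Cc line against; a signed message (S/MIME or PGP over the full thread) is the check the closing slide recommends.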
31. Putting it all together
   • Fake email thread
   • Fake CC
   • Domain spoofing
   • Same writing style

32. Get access
   • Invite the user to visit a URL
     – New intranet portal, survey, …
     – Capture domain credentials
       • Through a basic auth popup (many think it's the proxy)
       • Through a web page
         – Make the site seem as real as possible (logo, …)
         – Show the domain name already filled in

33. Get access: phishing site

34. Or, deliver malware
   • Choose a distribution method:
     – Exe, pif, cmd, scr: probably blocked
     – PDF, Office macro, …: probably allowed

35. Lessons learned
   • Awareness is key
   • Minimize your digital footprint
     – The more people know about you, the more they can trick you.
   • Use digital signatures
   • Don't trust anything sent to you.

36. Questions?
   Thank you!
   @ndrix
   mhendrickx@owasp.org