
Social Engineering Trickx - Owasp Doha 2015

The talk I gave on social engineering at the OWASP chapter in Doha, Qatar. It covers a few of the same points that I talked about at the HelpAG spotlight event.


1. Social Engineering Trickx
  Michael Hendrickx, Doha, Qatar, 23 Nov 2015

2. $ whoami
  • Michael Hendrickx
    – Security Analyst at HelpAG
    – Working in infosec for the past decade
    – mhendrickx@owasp.org
    – Belgian
3. Social Engineering
  • You have a firewall, good for you.
    – Let's target the users, not the systems
  • Human beings are helpful by nature
  • Defined as: "Any act that influences a person to take an action that may or may not be in their best interest"
  • Find people → Find info → Get access
4. Finding people
  • 2 ways of finding people:
    – Phishing (casting a net)
      • Quantity over quality
      • Very noisy
    – Spear phishing (targeted)
      • Quality over quantity
      • Takes more time, more effort
5-10. Finding people: phishing
  • People haven't changed much

11. Finding people: phishing
  • People haven't changed much
  • Recent "Rombertik" malware:
    – State-of-the-art malware (evil, though)
    – 97% of its code is never called
    – Sandbox confusion
    – Browser snooping
    – MBR destruction upon debugger detection
    – Lame, ineffective distribution
12. Finding people: phishing
  • Phishing is not always the best option
    – Very noisy
    – Your ISP / hosting company may block you
    – Too many recipients
      • Somebody is bound to report it
  • Spear phishing is a better option
13. Finding people: spear phishing
  • Email from somebody who "knows you"
    – You probably know them too
  • Somebody who took the time to research you
  • Interested in you
    – Rather: what you know
    – Who you know
    – What you have access to
14. Finding people
  • Target a domain, find its users:
    – Maltego, theHarvester, Metasploit, recon-ng
  • Emails are probably: firstname.lastname@helpag.com

15-16. Finding people
  • Emails are firstname.lastname@helpag.com
  • Let's look for more names:
    stephan.berner@helpag.com?
    angelika.plate@helpag.com?
    alexandra.pisetskaya@helpag.com?
    nadia.zamouri@helpag.com?
    aashish.sharma@helpag.com?
    prashant.jani@helpag.com?
    …
  • Let's dig just a bit further…
    https://ae.linkedin.com/in/nsolling
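The step above (one known address tells you the naming scheme, harvested names give you the rest) can be automated. The following is an added example, not code from the talk or from any of the tools it names: it infers the address pattern from one confirmed (name, address) pair and applies it to other names. The pattern table and helper names are this example's own choices; the confirmed pair michael.hendrickx@helpag.com appears on the SMTP slide later in the deck.

```python
"""Infer a company's e-mail address pattern from one known address and
apply it to other harvested names (added example, not from the slides)."""
import re

# Candidate local-part patterns, roughly from most to least common.
# {f} = first name, {l} = last name, {fi} / {li} = first / last initial.
# The table and its names are this example's own assumption.
PATTERNS = {
    "first.last": "{f}.{l}",
    "firstlast": "{f}{l}",
    "flast": "{fi}{l}",
    "first_last": "{f}_{l}",
    "first": "{f}",
    "lastf": "{l}{fi}",
    "first.l": "{f}.{li}",
}


def _split_name(full_name):
    """Return (first, last) lowercased, with punctuation stripped."""
    parts = re.sub(r"[^a-z\s]", "", full_name.lower()).split()
    if len(parts) < 2:
        raise ValueError("need a first and a last name: %r" % full_name)
    return parts[0], parts[-1]


def render(pattern_name, full_name, domain):
    """Build the address for full_name under a named pattern."""
    first, last = _split_name(full_name)
    local = PATTERNS[pattern_name].format(f=first, l=last, fi=first[0], li=last[0])
    return "%s@%s" % (local, domain)


def infer_pattern(full_name, known_email):
    """Return the pattern that maps full_name onto known_email, or None."""
    known_email = known_email.lower()
    domain = known_email.split("@", 1)[1]
    for name in PATTERNS:
        if render(name, full_name, domain) == known_email:
            return name
    return None


def candidate_addresses(known_name, known_email, other_names):
    """Infer the scheme from one pair found in the open, then return the
    most likely address for every other harvested name."""
    pattern = infer_pattern(known_name, known_email)
    if pattern is None:
        return {}
    domain = known_email.split("@", 1)[1].lower()
    return {n: render(pattern, n, domain) for n in other_names}


if __name__ == "__main__":
    # Known pair from the deck's SMTP slide; target name from slide 17.
    print(candidate_addresses("Michael Hendrickx", "michael.hendrickx@helpag.com",
                              ["Nicolai Solling"]))
```

A single known address can match more than one pattern (a one-word surname makes "first.last" and "first.l" collide for some names), so confirm the inferred scheme against a second known address before spending effort on the candidates.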
17-18. Study the target: Nicolai Solling
  • We know Nicolai's writing style

19-21. More target studying
  • Examine digital footprint
  • Nicolai's digital footprint:
    – Full name
    – Address
    – Interests: Porsche 911, PADI diver, Line6 guitar pod, Merc GL550, Trivial Pursuit
22. So far, what do we know?
  • Nicolai's contact details
    – Email address
  • Who he knows / might know
    – His social network
    – School, hobby groups, …
  • What he likes
    – His interests
  • How he writes
23. And what can we do?
  • Target Nicolai:
    – "Hi, we met at the Porsche club, ManAge spa…"
    – "Your 2013 Mercedes GL550 service is due, …"
  • Or, pretend to be Nicolai
    – Target his contacts / colleagues (firstname.lastname@helpag.com)
    – We know his writing style
    – Exploit their trust
24. How can we do it?
  • Need to trick the target into "believing us"
  • Let technology help us
  • Abuse a 33-year-old protocol (SMTP, RFC 821, 1982)
    – Domain squatting
    – Fake email threads
    – Fake CC
25. Domain Squatting
  • Using a "similar" domain for bad purposes
    – Homoglyphs, repetition, transposition, …
    – Use DNSTwist
  • Example permutations of helpag.com:
    Original        helpag.com
    …
    Homoglyph       heipag.com
    Homoglyph       he1pag.com
    Homoglyph       helpaq.com
    …
    Transposition   heplag.com
    …
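To make the permutation techniques on this slide concrete, here is an added example (not DNSTwist's code and not from the talk) that generates look-alike domains with four of the techniques and classifies a given sender domain against them, which is the defensive use of the same list: run inbound sender domains through it and alert on a hit. The homoglyph table is a small ASCII-only subset chosen for this example; real tools also use Unicode confusables and more techniques. Helper names are this example's own.

```python
"""Generate typosquat candidates for a domain and classify a suspect
domain against them (added example; not DNSTwist, not the slides' code)."""

# Visually confusable ASCII substitutions (subset, this example's own table).
HOMOGLYPHS = {
    "l": ["i", "1"], "i": ["l", "1"], "1": ["l", "i"],
    "o": ["0"], "0": ["o"], "g": ["q"], "q": ["g"],
    "m": ["rn"], "rn": ["m"], "w": ["vv"], "vv": ["w"], "d": ["cl"], "cl": ["d"],
}


def _split(domain):
    """'helpag.com' -> ('helpag', 'com'); only the first label is mutated."""
    name, _, tld = domain.lower().partition(".")
    return name, tld


def homoglyph(name):
    """Replace each occurrence of a confusable sequence, one at a time."""
    out = set()
    for src, repls in HOMOGLYPHS.items():
        start = name.find(src)
        while start != -1:
            for r in repls:
                out.add(name[:start] + r + name[start + len(src):])
            start = name.find(src, start + 1)
    return out


def transposition(name):
    """Swap each pair of adjacent, different characters (helpag -> heplag)."""
    return {name[:i] + name[i + 1] + name[i] + name[i + 2:]
            for i in range(len(name) - 1) if name[i] != name[i + 1]}


def repetition(name):
    """Double each character (helpag -> hellpag)."""
    return {name[:i] + name[i] + name[i:] for i in range(len(name))}


def omission(name):
    """Drop each character (helpag -> helpg)."""
    return {name[:i] + name[i + 1:] for i in range(len(name))}


TECHNIQUES = {"homoglyph": homoglyph, "transposition": transposition,
              "repetition": repetition, "omission": omission}


def lookalikes(domain):
    """Map technique name -> set of candidate domains derived from `domain`."""
    name, tld = _split(domain)
    return {tech: {"%s.%s" % (c, tld) for c in fn(name) if c != name}
            for tech, fn in TECHNIQUES.items()}


def classify(candidate, legit_domain):
    """Return the technique that produces `candidate` from `legit_domain`,
    or None (also None when the two are identical, i.e. not a look-alike)."""
    candidate = candidate.lower()
    if candidate == legit_domain.lower():
        return None
    for tech, cands in lookalikes(legit_domain).items():
        if candidate in cands:
            return tech
    return None


if __name__ == "__main__":
    for d in ("heipag.com", "he1pag.com", "helpaq.com", "heplag.com", "helpag.com"):
        print(d, "->", classify(d, "helpag.com"))
```

Generation is the cheap half; DNSTwist's value is then resolving each candidate (and checking MX records and WHOIS age) to see which ones somebody has actually registered. For the defensive side, treat a match from this list as a strong signal only when the candidate domain is not already a known partner or subsidiary.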
26. Increase credibility
  • Make your email look as legitimate as possible
  • Email footer?
    – Annoy somebody until they email you back, then copy the real signature/footer from their reply
27. Fake Email Threads
  • SMTP just sends text to a program.
    – "Email threads" have no connection to each other: the quoted history in a reply is just more text the sender typed.
    – Unless we have the entire thread, digitally signed, we can't trust it at all
    – Modern equivalent of saying: "Can I go, Dad? Mom said I could go"
28-29. Fake CC
  • CC doesn't really exist at the transport level
  • It's just a message header (RFC 5322), not part of the SMTP envelope

  This part is for the SMTP server (the envelope):
    HELO blah
    MAIL FROM: admin@flurk.org
    RCPT TO: michael.hendrickx@helpag.com
    DATA

  This part is for the email client (the message):
    From: Michael Hendrickx <michael@flurk.org>
    Content-Type: text/plain
    Subject: Very important email
    Cc: khaled hawasli <khaled.hawasli@helpag.com>, barack.obama@whitehouse.gov
    To: michael.hendrickx@helpag.com

    Hey guys,

    As per our conversation, please install the security update located at
    http://evil.com/patch.exe

    Well, in fact, this is an email that Khaled and Obama will never get -
    but you can never find that out!

    Thank you,
    Security Admin
    .

30. Fake CC
  • To, CC and BCC all do the same thing (SMTP-wise): nothing. Delivery is decided only by the RCPT TO commands in the envelope.
  • SMTP sends the message to every envelope recipient; a well-behaved mail client issues one RCPT TO per To/Cc/Bcc address, but nothing forces the header list and the envelope list to agree.
  • Note that MAIL FROM and From above are both in the attacker's own domain (flurk.org), so SPF and DKIM would pass; the deception is in the display name and the Cc header, not in a forged sender domain.
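The receiving MTA is the one place where both lists are visible at once, so it can check them against each other. The following is an added example (not from the talk) of that check: it parses the message from the slide, constructed here with the blank header/body separator RFC 5322 requires, and reports local-domain addresses that appear in To/Cc but were never in RCPT TO. It also reports a From display name that matches one of our own users while the address is external, which is the other half of the trick on the slide. The envelope list, the local-user directory and all helper names are this example's own assumptions.

```python
"""Detect the 'fake CC' trick: header recipients the envelope never
delivered to, and an external From address wearing an internal name.
Added example, not part of the original slides."""
from email import message_from_string
from email.utils import getaddresses

LOCAL_DOMAIN = "helpag.com"

# Envelope recipients the MTA saw (RCPT TO), as on slide 28.
ENVELOPE_RCPTS = ["michael.hendrickx@helpag.com"]

# Constructed user directory for this example (both addresses are on slide 28).
KNOWN_LOCAL_USERS = {"michael.hendrickx@helpag.com", "khaled.hawasli@helpag.com"}

# The message from slide 28, reconstructed; blank line separates headers from body.
RAW_MESSAGE = """\
From: Michael Hendrickx <michael@flurk.org>
Content-Type: text/plain
Subject: Very important email
Cc: khaled hawasli <khaled.hawasli@helpag.com>, barack.obama@whitehouse.gov
To: michael.hendrickx@helpag.com

Hey guys,

As per our conversation, please install the security update located at
http://evil.com/patch.exe

Thank you,
Security Admin
"""


def header_recipients(raw):
    """Every address named in To and Cc (a Bcc header normally never arrives)."""
    msg = message_from_string(raw)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}


def phantom_local_recipients(raw, envelope_rcpts, local_domain=LOCAL_DOMAIN):
    """Local-domain addresses shown in To/Cc but absent from the envelope.

    Only our own domain can be judged: a remote Cc such as
    barack.obama@whitehouse.gov is legitimately delivered over a separate
    SMTP connection to that domain's MX, so its absence here proves nothing.
    A local colleague who is Cc'd but never sent to is the real signal.
    """
    envelope = {r.lower() for r in envelope_rcpts}
    return {a for a in header_recipients(raw)
            if a.endswith("@" + local_domain) and a not in envelope}


def impersonated_local_user(raw, directory=KNOWN_LOCAL_USERS,
                            local_domain=LOCAL_DOMAIN):
    """If From carries an external address but its display name, rendered as
    firstname.lastname@local_domain, is one of our users, return that user."""
    msg = message_from_string(raw)
    pairs = getaddresses(msg.get_all("From", []))
    if len(pairs) != 1:
        return None
    name, addr = pairs[0]
    if addr.lower().endswith("@" + local_domain) or not name:
        return None
    guess = "%s@%s" % (".".join(name.lower().split()), local_domain)
    return guess if guess in directory else None


if __name__ == "__main__":
    print(phantom_local_recipients(RAW_MESSAGE, ENVELOPE_RCPTS))
    print(impersonated_local_user(RAW_MESSAGE))
```

Both checks are heuristics rather than proof: a sending MTA is allowed to split one message into several SMTP transactions even for recipients in the same domain, so a phantom local recipient should raise a score or a banner, not drop the mail outright. The impersonation check depends on the same firstname.lastname convention the deck exploits; a directory keyed on display names would be more robust.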
31. Putting it all together
  • Fake email thread
  • Fake CC
  • Domain spoofing
  • Same writing style
32. Get access
  • Invite the user to visit a URL
    – New intranet portal, survey, …
    – Capture domain credentials
      • Through a basic auth popup (many think it's the proxy asking)
      • Through a webpage
        – Make the site look as real as possible (logo, …)
        – Show the domain name already filled in

33. Get access: phishing site
34. Or, deliver malware
  • Choose a distribution method:
    – .exe, .pif, .cmd, .scr: probably blocked by the mail gateway
    – PDF, Office document with macros, …: probably allowed
35. Lessons learned
  • Awareness is key
  • Minimize your digital footprint
    – The more people know about you, the more they can trick you.
  • Use digital signatures (S/MIME or PGP), so a sender and a thread can actually be verified
  • Don't trust anything sent to you.
36. Questions? Thank you!
  @ndrix
  mhendrickx@owasp.org
