The presentation I gave in Help AG's spotlight event on June 1,2 and 4. This talk is about social engineering and illustrates the things we find with customers in the region.

1. Social Engineering Tricks
Spotlight Forum June 2015
Michael Hendrickx
Senior Security Analyst

2. SOCIAL ENGINEERING
• You bought a firewall, great.
• Humans are helpful, by nature.
• Manipulate people to get things done
• A fancier way of “lying”
• We’ve all done it.
Find people Find info
Fake
Emails

3. SOCIAL ENGINEERING
• 2 ways of finding people:
• Casting a net (phishing)
• Quantity > Quality
• Whoever sticks is a victim
• Very noisy
• Targeting (spear phishing)
• Quality > Quantity
• Takes more time, more research, more effort.

4. PHISHING
• Humans haven’t change in the past few decades:
Recent “Rombertik” malware:
- State of the art malware (quite nasty though)
- Quite “lame” distribution

5. SPEAR PHISHING
• Email from somebody who
“knows you”
• You probably know them as well, else it’s
just embarrassing.
• Somebody who took time to
research about you
• Interested in you
• Rather, what you know
• Who you know
• What you have access to.

6. 1. FINDING PEOPLE
• Target a domain, find its users:
• Maltego: visualizing OSINT
• Metasploit: finding email addresses
Emails are probably:
firstname.lastname@helpag.com

7. 1. FIND PEOPLE (2)
• Emails are firstname.lastname@helpag.com
• Let’s look for more names
stephan.berner@helpag.com?
angelika.plate@helpag.com?
alexandra.pisetskaya@helpag.com?
nadia.zamouri@helpag.com?
ahmad.khaled.hawasli@helpag.com?
aashish.sharma@helpag.com?
prashant.jani@helpag.com?
…
Let’s dig just a bit further….
https://ae.linkedin.com/in/nsolling

8. STUDY TARGET
• Examine digital footprint
• Style of writing, topics, interests

9. STUDY TARGET
• Examine digital footprint further
• Interests:
• Porsche
• PADI diver
• Line6 (guitar) pod
• Merc GL550
• Trivial Pursuit ;)

10. TARGET SELECTION
• What can we do so far?
• Target Nicolai Solling
• Hey, we met at (Porsche club / ManAge
spa / PADI course / Rugkobbelskolen … )
• “Your Gargash Enterprises service…”
• Exploit Nicolai’s trust
• Target Nicolai’s contacts
• We know who he knows (social network)
• We know their email addresses (firstname.lastname@helpag.com)
• We know Nicolai’s writing style
• Exploit their trust

11. EXTRA, TECHNICAL TRICKS
• Need to trick a user to “believe us”
• Let technology help us
• Abuse 33 year old protocol: SMTP
• Fake email thread
• Fake CC

12. FAKE EMAIL THREAD
• SMTP just sends text to a
program.
• “Email threads” have no connection.
• Unless we have the entire thread,
digitally signed, we can’t trust it at all
• Modern equivalent of saying:
“Can I go dad? Mom said I could go”

13. FAKE CC
• CC doesn’t really exist
• It’s a MIME header we said we did
HELO blah
MAIL FROM: admin@flurk.org
RCPT TO: michael.hendrickx@helpag.com
DATA
From: Michael Hendrickx <michael@flurk.org>
Content-Type: text/plain;
Subject: Very important email
Cc: khaled hawasli <khaled.hawasli@helpag.com>,
barack.obama@whitehouse.gov
To: michael.hendrickx@helpag.com
Hey guys,
As per our conversation, please install the security update
located at http://evil.com/patch.exe
Well, in fact, this is an email that Khaled and Obama will
never get - but you can never find that out!
Thank you,
Security Admin

14. PUTTING IT ALL TOGETHER
• A person who knows a lot about you can do a lot of
damage
• It’s from Nicolai
• Sounds like him
• To people that he knows
• The “right” people are in CC
• Shared responsibility
• Based on previous email
thread
• Which we can’t check.

15. PUTTING IT ALL TOGETHER
• Creative spear phishing
To: Khaled Hawasli, Khalilov
cc: Michael Hendrickx
Hi Everyone,
I am very thrilled with the new VPN
software! It’s much faster. Have you
tried it?
Nicolai
To: Nicolai, Khaled Hawasli
cc: Michael Hendrickx
Hey man,
That’s awesome
> Hi Everyone,
> I am very thrilled with the new VPN
> …
To: Michael,
cc: Nicolai, Khalilov
Michael, you should try it!
> Hey man,
> That’s awesome
>> Hi Everyone,
>> I am very thrilled with the new VPN
>> …
In fact, all this is actually:
To: Khaled Hawasli, Khalilov
cc: Michael Hendrickx
Hi Everyone,
I am very thrilled with the new
VPN software! It’s much
faster. Have you tried it?
Nicolai
To: Nicolai, Khaled Hawasli
cc: Michael Hendrickx
Hey man,
That’s awesome
> Hi Everyone,
> I am very thrilled with the
new VPN
> …
To: Michael,
cc: Nicolai, Khalilov
Michael, you should try it!
> Hey man,
> That’s awesome
>> Hi Everyone,
>> I am very thrilled with the
new VPN
>> …
Nobody was ever CC’d

16. CONCLUSION
• The more people know about you, the more they
can target you.
• Minimize digital footprint
• Verify email contents
• Be cautious
• Use digital signatures
• Don’t trust anything sent to you
• Mommy said I could go.

17. CONTACT US | WWW.HELPAG.COM | INFO@HELPAG.COM
DUBAI, UAE
ARJAAN OFFICE TOWER,
OFFICE 1201 / 1208, PO BOX 500741
T +971 4 440 5666
F +971 4 363 6742
ABU DHABI, UAE
SALAM HQ BLDG,
BLOCK 6, EAST 1-16, OFFICE 503, PO BOX 37195
T +971 2 644 3398
F +971 2 639 1155
DOHA, QATAR
AL DAFNA – PALM TOWER
OFFICE 4803, WEST BAY, P.O. BOX 31316
T +974 4432 8067
F +974 4432 8069