Lenny Zeltser: Social Engineering Attacks (slide notes)
  1. Why bother breaking down the door if you can simply ask the person inside to let you in? Social engineering works, both during penetration testing and as part of real-world attacks. This briefing explores how attackers are using social engineering to compromise defenses. It presents specific and concrete examples of how social engineering techniques succeeded at bypassing information security defenses. These materials are designed to help you improve the relevance of your security awareness training and to adjust your data defenses by revisiting your perspective of the threat landscape.
     Copyright 2010-2011 Lenny Zeltser
  2. Just like “con artists” have done for centuries.
  3. As a result, outsider == insider, since someone is bound to let an outsider in.
  4. This may help with educating users, customers and security staff. This may also help in adjusting the security architecture.
  7. http://isc.sans.org/diary.html?storyid=5797
  8. http://blogs.paretologic.com/malwarediaries/index.php/2011/09/30/trademark-rogue-business/
  9. http://evilcodecave.blogspot.com/2009/08/malware-26xpl-ssh-propagating-exploit.html http://isc.sans.org/diary.html?storyid=4507 Hosted on compromised servers.
  10. http://www.bankinfosecurity.com/articles.php?art_id=1858
  11. … with an element of social engineering.
  12. Conficker set up the autorun.inf file on infected USB keys so that the worm would run when the victim inserted the USB key into a computer, thereby infecting the PC. The autorun.inf file that Conficker created on the USB key was carefully crafted to confuse the user once the key was inserted into the computer. When the victim inserted the USB key, Windows typically brought up the AutoPlay dialog box, asking the person what to do next. Normally, the AutoPlay dialog presents the user with options to run the program on the USB key or to browse the USB key’s files. The autorun.inf file that Conficker created manipulated the options presented to the user, so that the option to run the program looked like the option to browse the drive’s contents. The user was likely to click on the first option to browse the files, not realizing that he or she was actually launching a program. As a result, the user inadvertently launched the Conficker worm from the USB key and infected the PC. http://isc.sans.org/diary.html?storyid=5695
  13. Gawker sites include Gizmodo, Lifehacker and TechCrunch. http://www.wired.com/threatlevel/2009/09/nyt-revamps-online-ad-sales-after-malware-scam/ “The culprit masqueraded as a national advertiser and provided seemingly legitimate product advertising for a week.” ... “Over the weekend, the ad being served up was switched so that an intrusive message, claiming to be a virus warning from the reader’s computer, appeared.”
  14. http://www.businessinsider.com/henry-blodget-gawker-scammed-by-malware-pretending-to-be-suzuki-2009-10
  15. http://www.mediaite.com/online/gawker-duped-into-running-fake-ads-with-virus/
  16. Impersonated a legitimate advertising company.
  18. http://uk.answers.yahoo.com/question/index?qid=20100614105319AAznWTW
  19. http://www.symantec.com/connect/blogs/technical-support-phone-scams
  21. http://www.securelist.com/en/blog/208193029/ZeuS_in_the_Mobile_for_Android
  23. Consider a variant of the Waledac worm. The worm directed its potential victims to a website that showed a news excerpt about a supposed explosion. The message was localized based on where the user was connecting from. For instance, visitors from New York would see the message “Powerful explosion burst in New York this morning.” The person was asked to download a video player for the full story. Personalization of the message increased the likelihood of the person downloading the trojan player in an attempt to see the video. http://securitylabs.websense.com/content/Alerts/3321.aspx
  24. http://blog.zeltser.com/post/2685898823/social-engineering-in-online-scams
  26. http://blog.webroot.com/2010/04/08/this-pc-will-self-destruct-in-ten-seconds/
  29. http://krebsonsecurity.com/2010/11/spear-phishing-attacks-snag-e-mail-marketers
  30. http://www.symantec.com/connect/blogs/fake-av-talking-enemy
  31. Attackers have been conducting the “stuck in London” scam for several years. Early campaigns relied on compromised webmail accounts to reach potential victims through email. In an example recently documented by Rakesh Agrawal, this classic scam was conducted via Facebook chat. The scammer used a compromised Facebook account in an attempt to solicit emergency funds from the victim’s friend. The screenshot on this slide shows an excerpt from the chat transcript. With low-cost labor available throughout the world, scammers can employ humans for chatting with victims while keeping their costs relatively low. The scammer was using Matt’s Facebook account and, as far as I can tell, was a human being. However, such interactions could have easily been automated using a chat bot. For details regarding this Facebook chat scam see: http://rake.sh/blog/2009/01/20/facebook-fraud-a-transcript
  32. Consider a scam that promises Facebook users to find out who has been viewing their Facebook profile. The implication is that the user can get access to these details (that feed the narcissist in all of us) by installing the Profile Spy application. The scam attempts to trick the victim into revealing personal details, including a mobile phone number. The malicious site shows a fake Facebook page in the background, to make victims think they are within the “walled garden” of Facebook…
  34. After infecting the computer, one malware specimen edited the victim’s “hosts” file to redirect attempts to connect to technology product review sites, including CNet, PCMag, and ZDNet. The goal seemed to be to provide the victim with a spoofed review of a fake anti-virus tool, “Anti-Virus-1”, to trick the person into purchasing this software. Fake anti-virus is not unlike the fake pen for detecting counterfeit money. For additional details about this incident, see: http://www.bleepingcomputer.com/forums/topic204619.html
  37. Koobface spread by including links to malicious websites in Twitter and Facebook profiles. Once the potential victim clicked on the link, he or she was typically directed to a website that attempted to trick the person into installing malware. A common tactic involved presenting the user with a message stating that, to view the video, a Flash Player upgrade was required. Of course, the executable the person was presented with was not Flash Player, but malware.
  38. The malicious website embedded, through a series of steps, a Facebook page in an invisible iframe that floated above the button that the user clicked on. The victims didn’t realize that they were actually clicking on the Facebook “Share” button, which shared the malicious website with the victim’s Facebook friends. http://fitzgerald.blog.avg.com/2009/11/new-facebook-worm-dont-click-da-button-baby.html HTML source (from theinvisibleguy; the container is clipped to 56x24 pixels while the Facebook page inside it is shifted by negative offsets so that only the Share button shows through):

      ```html
      <html><head></head><body>
      <div style="overflow: hidden; width: 56px; height: 24px; position: relative;" id="div">
        <iframe name="iframe" src="http://EVILURI/index.php?n=632"
                style="border: 0pt none; left: -985px; top: -393px; position: absolute; width: 1618px; height: 978px;"
                scrolling="no"></iframe>
      </div></body></html>
      ```
  39. http://thompson.blog.avg.com/2010/07/remote-control-facebook.html
  41. http://staff.washington.edu/dittrich/papers/dittrich-login0809.pdf
  42. This is a sample screenshot—not representative of the sites manipulated by Nugache.
  45. http://blog.zeltser.com/post/2685898823/social-engineering-in-online-scams
  53. http://sunbeltblog.blogspot.com/2010/08/new-trojan-offers-choice-of-rogue.html
  54. http://blogs.paretologic.com/malwarediaries/index.php/2010/04/15/are-spammers-getting-lazy/
  57. There is no “Google Approved Pharmacy Directory”.
  58. http://www.f-secure.com/weblog/archives/00002017.html “I contacted the company and asked them whether they were aware that their code signing certificate had been stolen. The case became more interesting to me when they responded that they do not have any code signing certificates. In fact, they don’t produce software — so they don’t have anything to sign. Clearly someone else had obtained the certificate in their name; they had been victim of identity theft.”
  59. Left side: cert obtained through identity theft: http://www.f-secure.com/weblog/archives/00002017.html Right side: stolen cert used to sign Stuxnet: http://www.f-secure.com/weblog/archives/00001993.html
  61. http://www.f-secure.com/weblog/archives/00002051.html
  64. Need solid research: Will training users or customers in social engineering tactics improve their resistance to scams?
  68. If you have any questions for me, please let me know. I’ll do my best to answer them as accurately as I can. I’d also love to hear from you if you have any comments regarding this briefing, either what you liked about it, or your suggestions for improving it. If you want to keep an eye on my research and related activities, take a look at blog.zeltser.com. You can also find me on Twitter at twitter.com/lennyzeltser.
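The AutoPlay disguise described in the notes for slide 12 leaves a recognisable signature in the autorun.inf itself: an `action=` label (which the file's author controls) that echoes Windows' own "Open folder to view files" wording, an `icon=` borrowed from a system DLL, and a `shellexecute=`/`open=` entry that actually runs code. The following checker is an added example, not code from the briefing or the SANS diary; the two autorun.inf samples are constructed, with placeholder paths, and do not reproduce Conficker's real file.

```python
"""Flag autorun.inf files that dress a program launch up as the AutoPlay
'browse the drive' option. Added example; the samples are constructed."""
import configparser
import re

# Wording Windows uses for the browse choice; an action= label that echoes it
# while the entry runs a program is the deception described on slide 12.
BROWSE_PHRASES = ("open folder", "view files", "browse")
# File types that mean "this entry runs code", whatever the label says.
EXECUTABLE_EXT = re.compile(r"\.(exe|dll|scr|com|bat|cmd|vbs|js)\b", re.I)


def parse_autorun(text):
    """Return the [autorun] section as a dict with lowercase keys; {} when the
    section is absent or the text is not parseable as an INI file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for name in cp.sections():
        if name.strip().lower() == "autorun":
            return {k.lower(): (v or "").strip() for k, v in cp.items(name)}
    return {}


def assess_autorun(text):
    """Return human-readable findings; an empty list means nothing stood out."""
    ar = parse_autorun(text)
    if not ar:
        return []
    findings = []
    # Either key makes AutoPlay run something; shellexecute is the one that
    # can hand a DLL to a system host such as rundll32.
    launch = ar.get("shellexecute") or ar.get("open") or ""
    if EXECUTABLE_EXT.search(launch):
        findings.append(f"launches a program: {launch}")
    action = ar.get("action", "")
    if any(p in action.lower() for p in BROWSE_PHRASES):
        findings.append(f"action label imitates the browse option: {action!r}")
    icon = ar.get("icon", "")
    if "shell32.dll" in icon.lower():
        findings.append(f"borrows a Windows system icon: {icon}")
    return findings


def is_deceptive(text):
    """True when the file both runs code and dresses the entry up as browsing."""
    findings = assess_autorun(text)
    runs_code = any(f.startswith("launches") for f in findings)
    disguised = any(f.startswith(("action label", "borrows")) for f in findings)
    return runs_code and disguised


# Constructed samples: labels and paths are placeholders, not real malware.
SAMPLE_DECEPTIVE = r"""[autorun]
action=Open folder to view files
icon=%systemroot%\system32\shell32.dll,4
shellexecute=rundll32.exe .\RECYCLER\payload.dll,Install
useautoplay=1
"""

SAMPLE_INSTALLER = r"""[autorun]
open=setup.exe
action=Install Acme Backup Tool
icon=setup.exe
"""

if __name__ == "__main__":
    for label, sample in (("deceptive", SAMPLE_DECEPTIVE),
                          ("installer", SAMPLE_INSTALLER)):
        print(label, is_deceptive(sample), assess_autorun(sample))
```

The honest installer still produces one finding (it launches a program), which is the right level of attention for any removable-media autorun; only the combination of a launch with a browse-style label or a borrowed folder icon is treated as deceptive. The structural fix that removed this attack surface was disabling AutoRun for removable media, so the check is most useful when triaging historical images or hosts where that setting cannot be relied on.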
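The hosts-file redirection in the notes for slide 34 is easy to audit once you distinguish entries that merely block or self-map a name (loopback and 0.0.0.0) from entries that hand a well-known name's traffic to another machine. The script below is an added example, not part of the briefing; the hosts content is constructed (203.0.113.0/24 is a documentation range standing in for an attacker's server) and the watch list simply uses the review sites the slide names.

```python
"""Audit a hosts file for names redirected away from the local machine.
Added example; the hosts content and the watch list are constructed."""
import ipaddress

# Domains whose hijacking would matter here: the review sites named on the
# slide. An organisation would add its own, its vendors' and its banks'.
WATCHED_DOMAINS = ("cnet.com", "pcmag.com", "zdnet.com")


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blanks and short lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        entries.extend((ip, n.lower()) for n in names)
    return entries


def points_at_self(ip):
    """Loopback or unspecified (0.0.0.0 / ::) entries block or self-map a name;
    they do not hand traffic to a third party. Unparseable text is suspect."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def watched(hostname):
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacks(text):
    """Watched names mapped to a real destination: the slide-34 redirection."""
    return [(name, ip) for ip, name in parse_hosts(text)
            if watched(name) and not points_at_self(ip)]


def find_external_mappings(text):
    """Broader sweep: every name whose traffic leaves the host via this file.
    Noisier than find_hijacks, but it catches domains not on the watch list."""
    return [(name, ip) for ip, name in parse_hosts(text)
            if name != "localhost" and not points_at_self(ip)]


# Constructed sample hosts file.
SAMPLE_HOSTS = """\
# constructed sample, not taken from a real infection
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net          # blocklist-style entry, not a hijack
203.0.113.7     www.cnet.com cnet.com
203.0.113.7     www.pcmag.com
203.0.113.7     reviews.zdnet.com
203.0.113.9     www.example.org
"""

if __name__ == "__main__":
    for name, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"HIJACKED  {name:<22} -> {ip}")
    print("names sent off-host:", len(find_external_mappings(SAMPLE_HOSTS)))
```

Run against a live machine, point `SAMPLE_HOSTS` at the contents of `C:\Windows\System32\drivers\etc\hosts` (or `/etc/hosts`); the same file is also worth baselining so that any change, not only to watched names, raises an alert.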
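The likejacking layout in the notes for slide 38 has a mechanical signature: an oversized iframe given negative offsets inside a tiny `overflow: hidden` container, so only one remote button shows through under the bait. The audit below, an added example rather than code from the briefing or the AVG write-up, walks a page with the standard library's HTML parser and flags iframes matching that layout; it also covers the closely related fully transparent overlay (`opacity: 0` / `visibility: hidden`), which goes beyond the slide's example. The heuristics are my own, the first sample is the slide's own snippet (EVILURI is its placeholder) and the second is a constructed benign page.

```python
"""Flag iframes laid out as clickjacking overlays: clipped by a small
overflow:hidden box, shifted by negative offsets, or made transparent.
Added example; heuristics are the author's own, second sample is constructed."""
import re
from html.parser import HTMLParser


def parse_style(style):
    """'a: b; c: d' -> {'a': 'b', 'c': 'd'}, lowercase, tolerant of junk."""
    out = {}
    for decl in (style or "").split(";"):
        if ":" in decl:
            key, value = decl.split(":", 1)
            out[key.strip().lower()] = value.strip().lower()
    return out


def px(value):
    """First number in a CSS value ('-985px' -> -985.0), or None."""
    m = re.search(r"-?\d+(?:\.\d+)?", value or "")
    return float(m.group()) if m else None


class FrameAudit(HTMLParser):
    """Remembers the style of every open ancestor so that an iframe can be
    judged against the box that clips it."""

    def __init__(self):
        super().__init__()
        self.open_styles = []
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = parse_style(attrs.get("style"))
        if tag == "iframe":
            self.inspect_iframe(attrs, style)   # ancestors only are on the stack
        self.open_styles.append(style)

    def handle_endtag(self, tag):
        if self.open_styles:
            self.open_styles.pop()

    def inspect_iframe(self, attrs, style):
        reasons = []
        left, top = px(style.get("left")), px(style.get("top"))
        if style.get("position") == "absolute" and any(
                v is not None and v < 0 for v in (left, top)):
            reasons.append("positioned with negative offsets")
        clippers = [s for s in self.open_styles if s.get("overflow") == "hidden"]
        if clippers:
            box_w, box_h = px(clippers[-1].get("width")), px(clippers[-1].get("height"))
            w, h = px(style.get("width")), px(style.get("height"))
            if None not in (box_w, box_h, w, h) and (w > box_w or h > box_h):
                reasons.append(f"{w:.0f}x{h:.0f} frame clipped to a "
                               f"{box_w:.0f}x{box_h:.0f} window")
        opacity = px(style.get("opacity"))
        if (opacity is not None and opacity < 0.1) or style.get("visibility") == "hidden":
            reasons.append("rendered invisible")
        if reasons:
            self.findings.append({"src": attrs.get("src", ""), "reasons": reasons})


def audit_html(html):
    """Return one finding per iframe that looks like a clickjacking overlay."""
    audit = FrameAudit()
    audit.feed(html)
    audit.close()
    return audit.findings


# The slide's own snippet, with straight quotes.
SAMPLE_CLICKJACK = (
    '<html><head></head><body>'
    '<div style="overflow: hidden;width: 56px; height: 24px; position: relative;" id="div">'
    '<iframe name="iframe" src="http://EVILURI/index.php?n=632" '
    'style="border: 0pt none ; left: -985px; top: -393px; position: absolute;'
    'width: 1618px; height: 978px;" scrolling="no"></iframe>'
    '</div></body></html>'
)

# Constructed benign page: an ordinary embedded frame, nothing hidden.
SAMPLE_PLAIN = (
    '<html><body><p>Our demo video</p>'
    '<iframe src="https://video.example.net/embed/123" width="560" height="315"></iframe>'
    '</body></html>'
)

if __name__ == "__main__":
    for f in audit_html(SAMPLE_CLICKJACK):
        print(f["src"], "->", "; ".join(f["reasons"]))
```

This is a content-side check for pages you host or capture (ad creatives, user-submitted HTML). The durable defence sits on the framed site: sending an `X-Frame-Options: DENY` (or `SAMEORIGIN`) header and a Content-Security-Policy `frame-ancestors` directive stops the Share button from being loaded inside a third party's invisible iframe in the first place.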