How attackers use social engineering to bypass your defenses
Page 1
How attackers use social engineering to bypass your defenses.
Lenny Zeltser
Senior Faculty Member, SANS Institute
Product Management Director, NCR Corporation
Page 2
Social engineers influence victims to perform actions desired by the attacker.
Page 3
As a result:
Outsider == Insider
Page 4
What social engineering tactics are being used? Let’s look at examples, so we can learn from them.
Page 5
Alternative Channels
Page 6
Notices in the “physical” world invited victims to visit a fraudulent website.
Page 7
http://j.mp/oRn3
Page 8
Source: Jerome Segura http://j.mp/IQjPhM
Page 9
Phishing scam directed the target to a phone number.
Page 10
“Your card has been suspended because we believe it was accessed by a third party. Please press 1 now to be transferred to our security department.”
Customers of Liberty Bank of Boulder Creek, CA
Source: BankInfoSecurity http://j.mp/3Gj0AA
Page 11
USB keys were used as an infection vector.
Page 12
```ini
Action=Open folder to view files
Icon=%systemroot%\system32\shell32.dll,4
Shellexecute=.\RECYCLER\S-5-3-42-28199…
```
(Conficker)
Source: Internet Storm Center http://j.mp/HGTgRX
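The autorun.inf fragment above is what made a USB key look like an ordinary folder to the user. As an added example (not part of the slides or of the Internet Storm Center write-up), here is a small Python checker a defender could run over autorun.inf files to flag the three indicators visible on the slide: an Action string that copies Windows' own "Open folder to view files" wording, an Icon taken from shell32.dll, and a launch target under a RECYCLER directory. Both sample files, the placeholder launch path and the two-indicator threshold are constructed for illustration.

```python
"""Flag autorun.inf files that impersonate the Windows AutoPlay folder prompt.

Added example, not from the slides. It checks for the three indicators visible
in the Conficker fragment on the slide. Sample files, the placeholder launch
path and the threshold are constructed for illustration.
"""
import re
from typing import Dict, List

# Constructed sample modelled on the slide's fragment; the launch path is a
# placeholder, not a real Conficker file name.
MALICIOUS_AUTORUN = r"""
[autorun]
Action=Open folder to view files
Icon=%systemroot%\system32\shell32.dll,4
Shellexecute=.\RECYCLER\S-5-3-42-28199-PLACEHOLDER\payload.exe
UseAutoPlay=1
"""

# Constructed benign sample: a vendor disc that launches its own installer.
BENIGN_AUTORUN = r"""
[autorun]
open=setup.exe
icon=setup.exe,0
label=Vendor Driver Disc
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as a lower-cased key -> value map.

    Keys are case-insensitive in autorun.inf, and malicious files often mix
    case or pad the file with junk outside the section, so everything outside
    [autorun] is ignored and keys are normalised.
    """
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def assess_autorun(entries: Dict[str, str]) -> List[str]:
    """Return human-readable findings for the indicators seen on the slide."""
    findings: List[str] = []
    action = entries.get("action", "")
    icon = entries.get("icon", "")
    # Shellexecute takes precedence over Open when both are present.
    target = entries.get("shellexecute") or entries.get("open", "")

    if re.search(r"open folder to view files", action, re.I):
        findings.append("Action text impersonates the built-in AutoPlay folder prompt")
    if re.search(r"shell32\.dll\s*,\s*-?\d+\s*$", icon, re.I):
        findings.append("Icon points into shell32.dll, the system icon library used to mimic a folder")
    if re.search(r"(^|[\\/])recycler([\\/]|$)", target, re.I):
        findings.append("Launch target hidden under a RECYCLER directory")
    return findings


def is_suspicious(text: str, threshold: int = 2) -> bool:
    """Treat the file as suspicious when at least `threshold` indicators fire.

    The threshold is a constructed choice: a single match (for example a
    legitimate disc reusing a shell32.dll icon) should not block a user.
    """
    return len(assess_autorun(parse_autorun(text))) >= threshold


if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(f"{name}: suspicious={is_suspicious(sample)}")
        for finding in assess_autorun(parse_autorun(sample)):
            print(f"  - {finding}")
```

The parser deliberately normalises key case and ignores everything outside the `[autorun]` section, because the social-engineering value of the file lies only in the handful of keys that shape what the user sees; the checker scores those keys rather than the file as a whole so that a legitimate disc using one of the same conventions is not blocked outright.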
Page 13
“Real world” procedures were used to place malicious ads on Gawker sites. A similar scam targeted the New York Times and other media sites.
See http://j.mp/IjqYWJ
Page 14
The ads served PDF exploits to visitors.
Image Source: Business Insider http://j.mp/IwnntL
Page 15
“We want to run a performance campaign for Suzuki across your network. Our budget to start is $25k+. Campaign should be live by the end of the month.”
Source: Mediaite http://j.mp/HJO77c
Page 16
Scammers called home users offering to disinfect their PCs. They pretended to find malware and clean it up, then requested payment and other details.
Page 17
“i got a call off a onlinepcdoctors.com and they said my pc was running slower because of malcious [sic] files. i let them take remote access of my computer…”
Source: http://j.mp/HEWIeY
Page 18
Source: Symantec http://j.mp/jSjWBD
Page 19
ZeuS on a Windows PC asked victims to install a security program on their Android phones.
Page 20
Source: Kaspersky http://j.mp/pN6p60
Page 21
Personally-Relevant Messaging
Page 22
Malware spread by localizing its message (Waledac).
See http://j.mp/IG10kH
Page 23
Geolocation was similarly used in a work-from-home scam.
See http://j.mp/HGVHU9
Page 24
Malware spoofed email from trusted senders.
Page 25
“Unfortunately we were not able to deliver the postal package … Please print out the invoice copy attached and collect the package at our department. United Parcel Service of America.”
Source: Webroot http://j.mp/HHuYVB
Page 26
Malicious messages matched the content the victim was used to receiving. The attachments targeted client-side vulnerabilities.
Page 27
Source: Contagio
Page 28
Source: Brian Krebs http://j.mp/Iagn3r
Page 29
Attackers provided customer service to appear legitimate.
Image Source: Symantec http://j.mp/HJOwGU
Page 30
Fraudsters used Facebook chat for the “stuck in London” scam.
Source: Jason Cupp http://j.mp/k9JFf9
Page 31
Profile Spy claimed to track who viewed victims’ Facebook profiles.
Page 32
Social Compliance
Page 33
Malware spoofed product review sites to legitimize a fake anti-virus tool.
Page 34
Source: Bleeping Computer
Page 35
Social networks have been used to spread malware (Koobface).
Page 36
Page 37
Source: Nick FitzGerald http://j.mp/HEsg4l
Page 38
Malware dared victims to click a link to get them hooked, then asked them to copy and paste JavaScript so it could spread on Facebook.
Page 39
Source: AVG http://j.mp/pQDv9G
Page 40
Malware manipulated download counters to appear popular (Nugache).
Source: Dave Dittrich http://j.mp/ITKJs7
Page 41
This is a sample screenshot. It’s not representative of the sites actually manipulated by Nugache.
Page 42
Money-mule recruiting sites looked like the sites of many legitimate companies.
Page 43
Page 44
A scam emphasized the popularity of the “work from home” kit.
See http://j.mp/HGVHU9
Page 45
Reliance on Security Mechanisms
Page 46
This tactic is similar to the con that uses a fake counterfeit-money-testing pen.
Page 47
“Security update” messages in several forms convinced users to download and install software.
Page 48
Page 49
Fake anti-virus tools confused the user about the need for security.
Page 50
Page 51
Victims sometimes even got to choose their preferred rogue anti-virus product.
Page 52
Source: Sunbelt Software http://j.mp/IG29Jh
Page 53
Malicious files were hosted behind a CAPTCHA screen.
See http://j.mp/HGWfJF
Page 54
Page 55
Scammers associated their “products” with trusted brands.
Page 56
Page 57
Attackers signed malware with certificates. Some certs were stolen with malware. Some were obtained through identity theft.
See http://j.mp/9HbPLC
Page 58
Source: Websense http://j.mp/ICjrsS
Page 59
Malicious websites presented users with a security warning that asked them to download an update.
Page 60
See http://j.mp/ITLj9g
Page 61
So What?
Page 62
Social engineering works. It seems to tap into psychological factors that are part of human nature.
Page 63
Discuss recent social engineering approaches with employees, partners and customers.
Page 64
Alternative Channels
Personally-Relevant Messaging
Social Compliance
Reliance on Security Mechanisms
Page 65
Assume some social engineering will work anyway.
Page 66
Focus on… internal segmentation, least privilege, need-to-know and monitoring.
Page 67
Lenny Zeltser
blog.zeltser.com
twitter.com/lennyzeltser
Page 68
About The Author: Lenny Zeltser is a seasoned IT professional with a strong background in information security and business management. As a director at NCR Corporation, he focuses on safeguarding IT environments of small and midsize businesses worldwide. Before NCR, he led an enterprise security consulting team at a major IT hosting provider. Lenny's most recent work has focused on malware defenses and cloud-based services. He teaches how to analyze and combat malware at the SANS Institute, where he is a senior faculty member. He also participates as a member of the board of directors at the SANS Technology Institute and volunteers as an incident handler at the Internet Storm Center. Lenny frequently speaks on security and related business topics at conferences and industry events, writes articles, and has co-authored books on forensics, network security, and malicious software. He is one of the few individuals in the world who have earned the highly-regarded GIAC Security Expert (GSE) designation. Lenny has an MBA degree from MIT Sloan and a computer science degree from the University of Pennsylvania.