Social Engineering or Deception
With credit to Sharon Conheady’s DeepSec Talk
Scamming is an OLD trick
• Goal – what is he/she trying to achieve?
• Receiver – who is he/she going to target?
• Message – How will he/she convince the
person to do what they want
• Channel – What channel will he/she use?
Four things the Social Engineer
Focuses On
Tricking people in the past…
• Victor Lustig is best known as “the man who
sold the Eiffel Tower twice”
Victor Lustig
• Used current events – France bankrupt after
the war
• Impersonated someone in authority
• Victims were too embarrassed to go to the
police
Anthony Lee (2010)
• He was able to extract a £1m deposit from
the buyers he had lined up for the London
landmark.
• Lee claimed he was a “close friend and
associate” of the reclusive billionaire
brothers, Sir Frederick and Sir David Barclay,
the owners
• The lorry driver told Ms Maguire he would
split the £50m profit with her if she found a
buyer.
Famous Social Engineer
1940s
• Frank Abagnale – forgery and
masquerading; later a security consultant
• Did his research
• Conveyed authority
• Acted and looked the part
• Drop box out of service
What did he do
• Wore the right uniform
• Had a forged ID card
• Fake name and facebook id
• Andrea Sirlo:
– “Sirlo” is the name of a flight corridor over Turin
• Picked up when someone said he looked too
young to be a captain
eBay makes it easy
June 23, 1908
A messenger delivered a bottle of ale to the
door of Philadelphia doctor William Wilson
“We are taking the liberty of sending a few
physician’s samples of our new product,” read
an accompanying letter, which bore the name
of a well-known Philadelphia brewing
company. “As the beneficial qualities of our ale
is to be our strong talking point, we have
decided to cooperate with physicians as far as
possible in the introduction of our goods.”
It asked him to sample the product and to
respond if he felt he could recommend it to his
patients.
Three days later
Wilson sampled the bottle. Within 30 minutes
he was dead of cyanide poisoning.
June 29….
Dear Mr. Coroner:
I want to write you regarding the death of Dr. W.H. Wilson.
In some way he induced my wife to become a patient of his. As a result of
poisonous injections he used, she died a few weeks ago. In order to protect
her name, I did not give the last attending physician all the facts, and she
was buried with another cause assigned.
To rid the community of this wholesale killer, I have removed him like a
weed from a garden. …
Now that this service to the community is rendered and the death of my
dear wife avenged, I am going to quit this part of the world. I don’t think
you will ever find me but I don’t care much what happens anyhow.
My only regret is the grief caused his wife and child but I believe they are
better off without him. I say let those who live by poison die by poison.
“By the time you get this on Monday morning, I will be far from here.”
It was signed “An outraged husband and father.”
http://www.snopes.com/business/bank/guard.asp
Trust in Authorities
My Goodness!
Social Engineering
“You could spend a fortune
purchasing technology and
services…and your network
infrastructure could still remain
vulnerable to old-fashioned
manipulation.”
Kevin Mitnick
Kevin Mitnick – Social Engineer
Social Engineering
• Monday morning, 6am; the electric rooster is telling
you it’s time to start a new work week. A shower,
some coffee, and you’re in the car and off. On the
way to work you’re thinking of all you need to
accomplish this week.
• Then, on top of that, there’s the recent merger
between your company and a competitor. One of
your associates told you you’d better be on your toes
because rumours of layoffs are floating around.
Social Engineering
And so…..
The Game Is In Play: People Are The
Easiest Target
Let’s Take A Step Back In Time
The disk you found in the restroom was not
left there by accident. It was strategically
placed there by one of the Security Consulting
firm’s employees.
A firm has been hired to perform a Network
Security Assessment on your company.
In reality, they have been contracted to hack
into your company from the Internet and
have been authorized to utilize social
engineering techniques.
• Goal – get person to plug USB stick in
• Receiver – employees in the building. Use the
rumour about layoffs (FEAR)
• Message – Add label to USB stick called
“LAYOFFS”
• Channel – Leave USB in bathroom
USB Example
It really happened!
Recent Headlines
• August 2012: Matt Honan’s digital life is
erased when hackers social engineer Apple
and Amazon call centres
• Czech thieves steal 10 ton bridge in front of
police with fake paperwork
those whose reasoning is incapacitated by
empathy
Attack Actors
• Example
– Someone called AOL tech support
– Spoke for some time, establishing rapport
– Mentioned his car was for sale
– IT person was interested
– Said he would send a photo
– Sent a back-door exploit that gave the attacker
access to over 200 accounts and personal
information
Santander: Hi-tech bank robbers stopped as
they tried to steal millions using £10 computer
gadget
Scammers – no conscience
• There’s no actual video and when users click
on the post and share it, they only get bogus
surveys, which make money for the
scammers behind the whole thing.
Identity Thieves
• Use information such as people’s names, bank
account numbers, addresses, birth dates, and
social security numbers without the owner’s
knowledge
• This can range from putting on a uniform to
impersonate someone to an elaborate scam
involving DNS poisoning and phishing.
http://www.social-engineer.org/framework/Real_World_Social_Engineering_Examples:_Phishing
Tools
• Phishing
• Dumpster Diving
• Skimming
• Pharming
• Tombstone Theft
The purpose….
• Build up a false sense of trust and confidence
and
• Evoke a desirable response
– Give me your PIN
– Allow me into the building
– Get that file off the system for me
– ….
– ATM SCAM
• Fear
• Friendship
• Flattery
• Greed
• Guilt
• Sympathy
• Confusion
• Intimidation
Social Engineering Tricks
Techniques
Phishing
• Thief sends e-mail to customer claiming
to be a legitimate company which has
lost the customer’s personal
information
• Customer reads e-mail and goes to fake
website
• Customer enters credit card or other
personal information on website
• Thief steals personal information
Phishing
76% of the total phishing volume
was directed at nationwide banks
• The con man would
approach a British noble
• A letter smuggled by the
so-called “prisoner” was
shown
• If the noble paid the
ransom he would get
lots and lots of money
and jewels – and marry
her
Spanish Prisoner Scam, 16th Century
Letters from Jerusalem
• Sent letters to wealthy people
claiming to have hidden/lost
money
• If you pay my travel costs I
will come and show you, and
give you some
• For each 100 letters, 20 would
always be answered
• People use social networking to tailor attacks
– Spear Phishing
• Harder to spot
• Now vishing and smishing
• Doesn’t have to be online
• Advanced Persistent Threat
New Trends
• Dressed like a technician, Jayson Street
walked in and said he was there to measure
“power fluctuations on the power circuit.” To
do this, he’d need to plug a small white
device that looked like a power adapter onto
the wall.
• It’s a tiny computer that comes preloaded
with an arsenal of hacking tools.
• SE services offer
– Fluent language speaker (male/female)
– Caller-ID spoofing
– Make calls around the clock
• $7-15 per call
Social Engineering as a Service
• Goal – what do they want to achieve
• Receiver – who are they going to target?
• Message – How will they convince the person
to do what they want
• Channel – What channel will they use?
Four things the Social Engineer
Focuses On
• Four Goals:
– Getting Information
– Gaining Access
– Malware
– Getting someone to Perform an action
• With/Without the Mark being aware of the
deceit
https://www.youtube.com/watch?v=V55NW-cancE
Toby Foster 4 Models of SE
[Diagram: the four phases of the model, in sequence]
• Information Gathering
• Relationship Development
• Exploitation
• Execution to Achieve Objective
• What can the attacker glean from this
information to profile your targets?
• How can he/she catalogue this information
for use later?
Before the Attack
• How can you gather information?
• What sources can you use
– Websites
– Whois
– Social media
– Blogs/Forums
– Public reports/Newspapers
– Observation
– Garbage
– Profiling Software (eg. Maltego)
Gathering Info
• To draw the person out (the subtle extraction of
information during an apparently normal and
innocent conversation)
• Why does it work?
– People are usually polite
– People like to appear intelligent
– If you are praised you talk more
– Most people only lie when they have a motivation to lie
– People respond when others appear to care about them
Receiver
• Being Genuine about wanting to know
people
• Taking care with appearance
• Be a good listener
• Keep the conversation off attacker
• Empathy is the key to rapport
• Develop curious side
• Listen!
Building Rapport
• Reciprocation
– Give something away
– Create indebted feelings
– Ask the person to do you a favour
• Obligation
• Concession
– Can you donate £200 – no, ok can you donate
£20?
Message
• Scarcity
– Limited offer
– You might miss out
– Creates a feeling of urgency
• Authority
– Legal authority – Gas man
– Organisational authority
– Social authority
• Cued by titles, clothes, car…
Influence Tactics
• Commitment/Consistency
– If people make a small concession they are more
likely to make a bigger one later
• Liking
– People want to be liked, and will act in that
interest
• Consensus
– Everyone else is doing it
Influence Tactics
• Financial
– Coupons, discount
• Ideological
– I am a good person,
so I donate blood
• Social
– Peer pressure
• Fear
Incentives
• Goal – get person to plug USB stick in
• Receiver – employees in the building. Use the
rumour about layoffs (FEAR)
• Message – Add label to USB stick called
“LAYOFFS”
• Channel – Leave USB in bathroom
USB Example
• Develop a phishing email targeted at 25-50
employees and attempt to have them go
during work hours to a non-business website
that has malicious code embedded in it
• Info gathering tells you
– employees are predominantly male
– They go to an online lottery site daily (found this
out from posts on forums)
Scenario 1
Hello
We have some exciting news. The first 100
people to respond to this message can have a
free set of lottery numbers.
Click on this link to go to the special page.
Login to have the special credit added to your
account
Hope you win!
UK Lottery Team
Phishing Email
• Make an onsite visit to portray a potential
interviewee who has ruined his resume by
spilling coffee over it. You want the
receptionist to put your USB stick into the
computer to print your resume for you
• Information Gathering
– Job advert names Debbie Green as the contact
person, and says when the deadline is
Scenario 2
• Goal – to get receptionist to insert USB stick so that
you can run malware on the system and gather
passwords etc
• Receiver – hard to know how well trained. You have
to establish rapport with your target. Be friendly
and polite but not overly so
• Message – elicit sympathy. I spilt coffee on my
resume, I HAVE to hand it in today. Help me!
• Channel – verbal, facial, body language (and coffee
stained resume). Plausible story – my child knocked
my coffee over this; I was trying to help someone at
the station….
USB Key
Prevention & Mitigation
• Learn to detect social
engineering attacks
• Create a personal security
awareness programme
• Create awareness of what is
being sought by social engineers
• Develop Scripts
– Always ask for and check id
• Learn from audits
• Education
– Kinds of attacks
– Confirm identity of requestor
• Increasing awareness of information being
released
• Identify valuable assets
– Not just from the business perspective
– From the hacker perspective
– All information potentially valuable
Resisting Attacks
• Policy & Awareness
– Audits
– Role playing
• Keep software up to date
– They won’t be able to exploit unpatched
software
• Make all employees equal partners
• Implement need-to-know information
dissemination
Resisting Attacks
• Be suspicious – check for unusual questions
• Stick to your guns
– Make sure employees know they will not get into
trouble for not giving out information
Resisting Attacks
Audits
• Phishing emails
• In-Person attacks
• Baiting – leaving USBs lying around
• Piggybacking into building
• Physical Security
Penetration Testers
• A penetration tester is a person who tests for
vulnerabilities or unauthorized access to
systems.
• Systems range from computer networks to
physical access to locations.
• They can utilize phishing, or other techniques
such as elicitation, to gain information from
unsuspecting employees to get passwords,
entry into buildings, or other access into
systems.
• Getting Information – AUTHENTICATE
• Gaining Access – ACCESS CONTROL, DESIGN
• Malware – Restrict Removable Media, Scan
Traffic, Antivirus, Standardise Software
• Perform an action – AUTHENTICATE
The Blue Peter Principle
• Who are you?
• Are you authorised to do this?
Perform an Action
Discussion Activity
• You will be given two scenarios
• Consider how you would use social engineering to
“breach” each of these systems. No hacking via the
Internet allowed, no violence
1. State your assumptions clearly
2. Draw a threat tree for each scenario
[Threat tree diagram: root goal “Get Hold of Licence Software”, with branches Technique 1 to Technique 5, each asking “Worked?” and leading to “Goal!”]
Scenario 1
• A company sells a very expensive piece of
software
• Licence keys are issued by one computer,
which connects to the Internet at 1pm every
day to do emailing
• If they discover that you have a copy of the
software, they will be able to reconfigure it
• You have located their offices, and you intend
using Social Engineering techniques to gain
access to the machine (and you know which
office it is in)
Scenario 1
Where the Office Is…
Architecture Diagram
Employees
• Information Gathering
– Dan Brown – loves Dominos Mighty Meaty pizza
and Starbucks coffee
– Jane Smith – owns a Harley Davidson
– Chandler Bing – just got turned down for
promotion and has posted his CV online looking
for jobs
Mitigation….
• Now address each of the possibilities you
identified with a “solution” you could adopt
to defend against it
Scenario 2
• You are a journalist
• There is a rumour that the company is going
to lay off staff
• Come up with a plan for finding out whether
this is true or not
• State your assumptions clearly
• Use Social Engineering Techniques
• Do not contemplate using electronic
mechanisms such as blue tooth sniffing, or
hacking into their systems
ATM THEFTS
In our first slide you see an individual who apparently is
making a bank transaction at the ATM.
What he really is doing is placing a trap in the ATM machine to
“capture” the next user’s card.
Placing the trap
Lookout Warning
Altering the ATMs is a risky business, so these individuals work
in teams. The lookout warns of any possible eye witnesses
or of the next potential victim.
Here we see the next client using the ATM, after the trap
has been set. He inserts his card and begins his transaction.
The Victim
Springing the TRAP
The ATM card is confiscated, and the customer is confused,
asking himself, “Why has my card been confiscated?”
However, here we see the cavalry coming to help, (HELP!!!).
Honest Samaritan Offering HELP
Here we see the thief pretending to help. What he is really
doing is trying to gain the “customer’s” PIN, now that he has
captured his card.
Gaining access to the PIN
The good Samaritan convinces the “customer” he can
recover the card if he presses his PIN at the same
time the Samaritan presses “cancel” and “enter”.
Situation Hopeless, “They Leave”
After several attempts the “customer” is convinced his card has
been confiscated. The “customer” and the Samaritan leave the
ATM.
Recovering the CARD
Satisfied the area is clear, the thief
returns to recover the confiscated card from his trap. He not only has
the card, he also has the PIN the “customer” provided unknowingly.
The Escape
In possession of the card and the PIN he leaves the
ATM with money from the “customer’s” account.
THE TRAP
The trap is made of X-ray film, which is the material preferred
by thieves simply because its black colour is similar in
appearance to the slot on the card reader.
Placing the TRAP
The trap is then inserted into the ATM slot. Care is taken not to
insert the entire film into the slot; the ends are folded and contain
glue strips for better adhesion to the inner and outer surfaces of the
slot.
INVISIBLE
Once the ends are firmly glued and fixed to the slot, it is almost
impossible to detect by unsuspecting clients.
How is your card confiscated?
Slits are cut into both sides of the trap. This prevents your
card being returned prior to completing your transaction.
Retrieval of Confiscated card.
As soon as the “customer” has gone, and they have your PIN, the thief
can remove the glued trap: by grasping the folded tips, he simply pulls
out the trap that has retained your card.
RECOMMENDATIONS
1.-Once your card has been confiscated, observe the ATM slot and the
card reader for any signs of tampering. Should you see the film tips
glued to the slot, unglue, pull the trap out and recover your card.
2.- Report IMMEDIATELY to the Bank.
LITTLE PHISHING QUIZ
[Quiz slides 1 to 15: screenshots of e-mails and web pages; slides 1 to 5 each ask “Genuine?”]
• End of Quiz – now let’s look at why….
How to Spot Phisher Sites
TIP-OFFS
• Claims of “lost” information
• Unfamiliar URL
• Asks for credit card or other personal info
• Urgency
• Most companies will not do this; those that do deserve to be ignored
TRICKS
• E-mail looks legit (at first)
• Prompts you to act quickly to keep service
• Website, html or fax form looks legit
• Veiled Threat
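As an added example (not from the slides), the script below turns the tip-offs listed above into simple checks and runs them over the Scenario 1 lottery e-mail from earlier in the deck; the list of known sender domains and the link inside the sample message are constructed assumptions.

```python
"""Heuristic phishing tip-off scorer (added example, not from the slides).
Applies the slide's tip-offs to an e-mail body: claims of lost information,
unfamiliar URL, request for card/personal info, urgency, veiled threat."""
import re
from urllib.parse import urlparse

# Domains the recipient legitimately deals with; any other link host is
# "unfamiliar". Constructed for this example.
KNOWN_DOMAINS = {"national-lottery.co.uk"}

# One regular expression per tip-off from the slide. Patterns are matched
# against the lower-cased message; '.' does not cross line breaks.
TIP_OFFS = {
    "lost_information": r"\b(lost|misplaced|could not verify)\b.*\b(information|details|records)\b",
    "asks_personal_info": r"\b(card number|credit card|password|pin|log ?in|account number)\b",
    "urgency": r"\b(first \d+|act now|within \d+ (hours|days)|immediately|today)\b",
    "veiled_threat": r"\b(suspend|close|lose|terminate)\b.*\b(account|service|access)\b",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unfamiliar_urls(text, known=KNOWN_DOMAINS):
    """Return link hosts that are not a known domain or a subdomain of one."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if host not in known and not any(host.endswith("." + d) for d in known):
            hosts.append(host)
    return hosts


def score(text):
    """Return the names of the tip-offs triggered by the message."""
    lowered = text.lower()
    hits = [name for name, pattern in TIP_OFFS.items() if re.search(pattern, lowered)]
    if unfamiliar_urls(text):
        hits.append("unfamiliar_url")
    return hits


# The Scenario 1 phishing e-mail from the slides; the link is a constructed
# placeholder, since the slide only says "Click on this link".
LOTTERY_EMAIL = """Hello
We have some exciting news. The first 100 people to respond to this message
can have a free set of lottery numbers.
Click on this link to go to the special page: http://uk-lottery-bonus.example/login
Login to have the special credit added to your account
Hope you win!
UK Lottery Team"""

# Constructed benign notice from the known domain, for contrast.
GENUINE_NOTICE = """Your draw results are available.
Visit https://www.national-lottery.co.uk/results at your convenience."""
```

Running `score(LOTTERY_EMAIL)` flags the personal-information request, the urgency cue and the unfamiliar link host, while `score(GENUINE_NOTICE)` returns no tip-offs.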
ADVANCED PERSISTENT THREAT
Actors are the threat
not technology
Why do you want to learn this?
2011 Recruitment Plan
Operation Aurora
CHARACTERISTICS
Organised
Efficient
Tenacious
DETECTION
Segmentation
Logs
Communications
Modelling and Simulation
Rare
SOLUTIONS
ENTERPRISE?
• Credit cards stolen: 40,000,000
• Customer records stolen: 70,000,000
• Americans: 1/3
• Expenses: $61,000,000
• Drop in transactions during Christmas: 47%
Actors tested technology on a few
service points during busy periods.
Why give the company such access?
How did the actors behind the APT
determine the connection between the
two companies?