SANS ISC

• SANS Site Network
  • Current Site
  • Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • IT Audit
  • Computer Forensics
  • Software Security
  • Government OnSite Training

InfoSec Handlers Diary Blog

Why bother breaking down the door if you can simply ask to be let in? Social engineering works, both during penetration testing and as part of real-world attacks. This note explores how attackers are using social engineering to compromise computer defenses.

Starting in the Physical World

We have spent most of our lives in the physical world, whose norms we know well. As a result, we tend to trust messages that come to us in the physical world more than those in the "virtual" world of the Internet:

• One example of this was the case of malware that began spreading via parking violation notices, which  were placed on windshields of parked cars. The notices attempted to lure victims into visiting a malicious website.
• Other physical world attacks involve phones, whereby attackers use compromised VoIP accounts to leave voice messages that invite victims to call the "bank" to handle a supposed problem with their banking account. Sometimes such "vishing" correspondence arrives via text/SMS messages.
• In another physical world example, the Conficker worm manipulated the autorun.inf file on the infected USB key to trick the next victim into launching its malicious software.

 Other social engineering attacks in the physical world have been effective as part of penetration testing or research:

• Pen testers left USB keys in public areas, waiting for the employees to pick them up and insert them into their PCs at the office.
• Pen testers sent CDs to the targeted organization, waiting for employees to insert them into their PCs at the office.
• Researchers asked people to reveal their passwords in exchange for a pen and chocolates. (I hope many of these passwords were fake.)

Malware Installation Tricks

Attackers increasingly rely on social engineering tactics to trick victims into installing malicious software. There are numerous variations of the approaches seen in the wild, including the following:

• After initially infecting a PC with a fake anti-virus tool, attackers may redirect the victim's searches for technology review sites. The idea is that if the victim wants to determine the legitimacy of the downloaded anti-virus tool like AntiVirus2010, he'll be presented a fabricated review that extols the virtues of the fake product.
• Attackers use search engine optimization (SEO) techniques to direct victims to malicious clones of legitimate sites. One such SEO technique involved entirely mirroring the legitimate sites and DDoS'ing the legitimate sites.
• Malware authors may upload malicious versions of popular software to shareware sites and use botnets to download their files to inflate the download counter, as was performed by the Nugache worm. This tricks the victims into downloading malicious files, because the shareware site shows them as being most popular.
• Social networking sites have been a hotbed for distribution of malware, often by sharing links via compromised accounts. For instance, this technique was employed by the Koobface worm to spread via Facebook, MySpace, and other such sites.
• Spammers often send email messages that look like software upgrade advisories to trick victims into installing malicious programs. One of the recent examples involved a warning to download an upgrade to the Outlook Web Access client. Similar techniques involve the use of fake and real news bulletins, as was the case with malware-infused Michael Jackson spam.

Targeted Attack Tricks

Attackers may profile victims to include the person or company-specific social engineering elements in the intrusion campaign:

• The attacker's email, instant, or social networking messages may be automatically customized based on the user's locale to make them seem more relevant, as was the case with the Waledac worm.
• The attacker's messages may be spoofed to come from a trusted or expected sender, or may include content the victim expects to receive. (Here's another set of examples associated with GhostNet.)
• Attackers may use social networking and resume sites to profile the victim, so their communications are more likely to be read and acted upon.

How else are Internet attackers using social engineering? If you have real-world stories to share, please send us a note.

Liked this? Post it to Twitter!

-- Lenny

Lenny Zeltser - Security Consulting
Lenny teaches malware analysis at SANS. You're welcome to follow him on Twitter. You can also track new Internet Storm Center diaries by following ISC on Twitter.