Social Engineering in Real-World Computer Attacks

Social Engineering in Real-World Computer Attacks
Why bother breaking down the door if you can simply ask to be let in? Social engineering works, both during penetration testing and as part of real-world attacks. This note explores how attackers are using social engineering to compromise computer defenses. Starting in the Physical World We have spent most of our lives in the physical world, whose norms we know well. As a result, we tend to trust messages that come to us in the physical world more than those in the "virtual" world of the Internet: One example of this was the case of malware that began spreading via parking violation notices, which were placed on windshields of parked cars. The notices attempted to lure victims into visiting a malicious website. Other physical world attacks involve phones, whereby attackers use compromised VoIP accounts to leave voice messages that invite victims to call the "bank" to handle a supposed problem with their banking account. Sometimes such "vishing" correspondence arrives via text/SMS messages. In another physical world example, the Conficker worm manipulated the autorun.inf file on the infected USB key to trick the next victim into launching its malicious software. Other social engineering attacks in the physical world have been effective as part of penetration testing or research: Pen testers left USB keys in public areas, waiting for the employees to pick them up and insert them into their PCs at the office. Pen testers sent CDs to the targeted organization, waiting for employees to insert them into their PCs at the office. Researchers asked people to reveal their passwords in exchange for a pen and chocolates. (I hope many of these passwords were fake.) Malware Installation Tricks Attackers increasingly rely on social engineering tactics to trick victims into installing malicious software. There are numerous variations of the approaches seen in the wild, including the following: After initially infecting a PC with a fake anti-virus tool, attackers may redirect the victim's searches for technology review sites. The idea is that if the victim wants to determine the legitimacy of the downloaded anti-virus tool like AntiVirus2010, he'll be presented a fabricated review that extols the virtues of the fake product. Attackers use search engine optimization (SEO) techniques to direct victims to malicious clones of legitimate sites. One such SEO technique involved entirely mirroring the legitimate sites and DDoS'ing the legitimate sites. Malware authors may upload malicious versions of popular software to shareware sites and use botnets to download their files to inflate the download counter, as was performed by the Nugache worm. This tricks the victims into downloading malicious files, because the shareware site shows them as being most popular. Social networking sites have been a hotbed for distribution of malware, often by sharing links via compromised accounts. For instance, this technique was employed by the Koobface worm to spread via Facebook, MySpace, and other such sites. Spammers often send email messages that look like software upgrade advisories to trick victims into installing malicious programs. One of the recent examples involved a warning to download an upgrade to the Outlook Web Access client. Similar techniques involve the use of fake and real news bulletins, as was the case with malware-infused Michael Jackson spam. Targeted Attack Tricks Attackers may profile victims to include the person or company-specific social engineering elements in the intrusion campaign: The attacker's email, instant, or social networking messages may be automatically customized based on the user's locale to make them seem more relevant, as was the case with the Waledac worm. The attacker's messages may be spoofed to come from a trusted or expected sender, or may include content the victim expects to receive. Attackers may use social networking and resume sites to profile the victim, so their communications are more likely to be read and acted upon. How else are Internet attackers using social engineering? If you have real-world stories to share, please send us a note. Liked this? Post it to Twitter! -- Lenny Lenny Zeltser - Security Consulting Lenny teaches malware analysis at SANS. You're welcome to follow him on Twitter. You can also track new Internet Storm Center diaries by following ISC on Twitter.	Lenny 216 Posts ISC Handler
Subscribe	Oct 27th 2009 9 years ago
It is in part because of this that I predict the demise of the Internet in the form that it currently exists. It is a huge time vampire to disinfect a machine, and the average person doesn't have the time nor the knowledge to deal with it. They can take their PC into a shop where they will just reinstall the OS, or buy a new PC, and then they will go back and start doing the same old stupid things they were doing before until they get infected again. It is easy for security experts to point their fingers and say what people should be doing, but the vast majority of people on the Internet are far from experts in anything related to security. In some cases you have children using the Internet as a plaything of some sort, and they are especially susceptible to these sorts of social engineering attacks.	Eric 43 Posts
Quote	Oct 27th 2009 9 years ago
Jack makes good points. Microsoft has been slowly adding in security to the OS. They've got the firewall on by default. They've got Windows Defender which runs by default. Now they are adding the option for anti-virus. By the next revision of Windows, it will probably be on by default. That should help mitigate many of the issues for regular end-users who don't care about security software and expect everything to "just work".	Jasey 93 Posts
Quote	Oct 27th 2009 9 years ago
Despite the topic being social engineering the comments are still focused on this as a technical problem that can be solved via education. Users do not need to be security experts to not get owned. You don't need to be a police officer to not get scammed by a run of the mill con artist. You don't need to be an expert negotiator to not get ripped off by a salesman. The problem isn't education, and it isn't technical, it's purely social. People are far too trusting. They will continue to get burned again and again until they learn a very non-technical lesson about life and human nature. Some people jump online and start installing any random third party software that catches their eye while posting all of their personal details to social networking sites. Other people never associate their online activity with their real name or introduce third party software to their machine. It's a question of character, not education. "There's a sucker born every minute."	Jasey 22 Posts
Quote	Oct 27th 2009 9 years ago
Steve, many people would be scammed by a run of the mill con artist. The problem is that while in the real world most of us aren't put in a situation where a random stranger is trying to convince us to do something, but we are bombarded with it in the digital world. It is something that can be solved by education. If only by way of metaphor, like "consider each pop-up ad on a website to be the digital equivalent of a pan handler: they just want your money for some less than noble purpose and they are willing to tell you whatever you need to hear to get it from you." We already pile metaphor on top of malicious software with viruses, worms, trojans, logic bombs, etc. They create an association between the real world and the digital world. Ask someone is a computer virus is a good thing or a bad thing, and, with no other knowledge, they can say "that is bad, I don't want that." Spam should be called what it is "Junk E-mail". That should get the point across. Nobody but a Monty Python fan would have any idea what "spam" was and even then, it doesn't imply maliciousness. Before I worked in computer security, I was pretty trusting. I am now paranoid and so is my wife. That's something I learned. For example, our DVR missed the first episode of this season's Dancing With the Stars. My wife checked Hulu (not available) and then went to ABC's website. They required you to download and install some custom player to watch full episodes. My wife wouldn't install it. Why? Because she's learned to be more selective about third party software. My employer recently put up signs and has a little flash ad on our Intranet to help people remember to lock their systems "CTRL + ALT + DEL when you leave your seat." It's short and catchy and we see it a couple times a day. It is effective because it buries itself meme-like in the back of your brain and you remember. If security training could be more like that, it would make more of an impact. We have to treat it like teaching kindergartners learning the alphabet. It is a foreign concept to normal users, so it must be broken down into tiny, easy to memorize, chunks. I don't have an answer, I don't have a "hooked on phonics" for security. But someone should.	Jasey 93 Posts
Quote	Oct 27th 2009 9 years ago

Why bother breaking down the door if you can simply ask to be let in? Social engineering works, both during penetration testing and as part of real-world attacks. This note explores how attackers are using social engineering to compromise computer defenses.

Starting in the Physical World

We have spent most of our lives in the physical world, whose norms we know well. As a result, we tend to trust messages that come to us in the physical world more than those in the "virtual" world of the Internet:

One example of this was the case of malware that began spreading via parking violation notices, which were placed on windshields of parked cars. The notices attempted to lure victims into visiting a malicious website.
Other physical world attacks involve phones, whereby attackers use compromised VoIP accounts to leave voice messages that invite victims to call the "bank" to handle a supposed problem with their banking account. Sometimes such "vishing" correspondence arrives via text/SMS messages.
In another physical world example, the Conficker worm manipulated the autorun.inf file on the infected USB key to trick the next victim into launching its malicious software.

Other social engineering attacks in the physical world have been effective as part of penetration testing or research:

Pen testers left USB keys in public areas, waiting for the employees to pick them up and insert them into their PCs at the office.
Pen testers sent CDs to the targeted organization, waiting for employees to insert them into their PCs at the office.
Researchers asked people to reveal their passwords in exchange for a pen and chocolates. (I hope many of these passwords were fake.)

Malware Installation Tricks

Attackers increasingly rely on social engineering tactics to trick victims into installing malicious software. There are numerous variations of the approaches seen in the wild, including the following:

After initially infecting a PC with a fake anti-virus tool, attackers may redirect the victim's searches for technology review sites. The idea is that if the victim wants to determine the legitimacy of the downloaded anti-virus tool like AntiVirus2010, he'll be presented a fabricated review that extols the virtues of the fake product.
Attackers use search engine optimization (SEO) techniques to direct victims to malicious clones of legitimate sites. One such SEO technique involved entirely mirroring the legitimate sites and DDoS'ing the legitimate sites.
Malware authors may upload malicious versions of popular software to shareware sites and use botnets to download their files to inflate the download counter, as was performed by the Nugache worm. This tricks the victims into downloading malicious files, because the shareware site shows them as being most popular.
Social networking sites have been a hotbed for distribution of malware, often by sharing links via compromised accounts. For instance, this technique was employed by the Koobface worm to spread via Facebook, MySpace, and other such sites.
Spammers often send email messages that look like software upgrade advisories to trick victims into installing malicious programs. One of the recent examples involved a warning to download an upgrade to the Outlook Web Access client. Similar techniques involve the use of fake and real news bulletins, as was the case with malware-infused Michael Jackson spam.

Targeted Attack Tricks

Attackers may profile victims to include the person or company-specific social engineering elements in the intrusion campaign:

The attacker's email, instant, or social networking messages may be automatically customized based on the user's locale to make them seem more relevant, as was the case with the Waledac worm.
The attacker's messages may be spoofed to come from a trusted or expected sender, or may include content the victim expects to receive.
Attackers may use social networking and resume sites to profile the victim, so their communications are more likely to be read and acted upon.

How else are Internet attackers using social engineering? If you have real-world stories to share, please send us a note.

Liked this? Post it to Twitter!

-- Lenny

Lenny Zeltser - Security Consulting
Lenny teaches malware analysis at SANS. You're welcome to follow him on Twitter. You can also track new Internet Storm Center diaries by following ISC on Twitter.

Lenny

216 Posts
ISC Handler

It is in part because of this that I predict the demise of the Internet in the form that it currently exists. It is a huge time vampire to disinfect a machine, and the average person doesn't have the time nor the knowledge to deal with it. They can take their PC into a shop where they will just reinstall the OS, or buy a new PC, and then they will go back and start doing the same old stupid things they were doing before until they get infected again.

It is easy for security experts to point their fingers and say what people should be doing, but the vast majority of people on the Internet are far from experts in anything related to security. In some cases you have children using the Internet as a plaything of some sort, and they are especially susceptible to these sorts of social engineering attacks.

Eric

43 Posts

Jack makes good points.

Microsoft has been slowly adding in security to the OS. They've got the firewall on by default. They've got Windows Defender which runs by default.

Now they are adding the option for anti-virus. By the next revision of Windows, it will probably be on by default.

That should help mitigate many of the issues for regular end-users who don't care about security software and expect everything to "just work".

Jasey

93 Posts

Despite the topic being social engineering the comments are still focused on this as a technical problem that can be solved via education. Users do not need to be security experts to not get owned. You don't need to be a police officer to not get scammed by a run of the mill con artist. You don't need to be an expert negotiator to not get ripped off by a salesman.

The problem isn't education, and it isn't technical, it's purely social. People are far too trusting. They will continue to get burned again and again until they learn a very non-technical lesson about life and human nature.

Some people jump online and start installing any random third party software that catches their eye while posting all of their personal details to social networking sites. Other people never associate their online activity with their real name or introduce third party software to their machine. It's a question of character, not education. "There's a sucker born every minute."

Jasey
22 Posts

Steve, many people *would* be scammed by a run of the mill con artist. The problem is that while in the real world most of us aren't put in a situation where a random stranger is trying to convince us to do something, but we are bombarded with it in the digital world.

It *is* something that can be solved by education. If only by way of metaphor, like "consider each pop-up ad on a website to be the digital equivalent of a pan handler: they just want your money for some less than noble purpose and they are willing to tell you whatever you need to hear to get it from you."

We already pile metaphor on top of malicious software with viruses, worms, trojans, logic bombs, etc. They create an association between the real world and the digital world. Ask someone is a computer virus is a good thing or a bad thing, and, with no other knowledge, they can say "that is bad, I don't want that."

Spam should be called what it is "Junk E-mail". That should get the point across. Nobody but a Monty Python fan would have any idea what "spam" was and even then, it doesn't imply maliciousness.

Before I worked in computer security, I was pretty trusting. I am now paranoid and so is my wife. That's something I learned.

For example, our DVR missed the first episode of this season's Dancing With the Stars. My wife checked Hulu (not available) and then went to ABC's website. They required you to download and install some custom player to watch full episodes.
My wife wouldn't install it. Why?
Because she's *learned* to be more selective about third party software.

My employer recently put up signs and has a little flash ad on our Intranet to help people remember to lock their systems "CTRL + ALT + DEL when you leave your seat."
It's short and catchy and we see it a couple times a day.
It is effective because it buries itself meme-like in the back of your brain and you remember.

If security training could be more like that, it would make more of an impact.

We have to treat it like teaching kindergartners learning the alphabet. It is a foreign concept to normal users, so it must be broken down into tiny, easy to memorize, chunks.

I don't have an answer, I don't have a "hooked on phonics" for security. But someone should.

Jasey

93 Posts