CyberheistNews Vol 3 #22

KnowBe4

The Seven Deadly Social Engineering Vices

You may not be aware that there is a scale of seven deadly vices connected to social engineering. The deadliest social engineering attacks are the ones with the highest success rates, often approaching 100%. What is the secret of these attacks? Why do they succeed so well?

Your own observations show you that people are very different. Some are always enthusiastic and willing to learn something new. Others are more conservative but courteous to their co-workers. A bit further down this scale are people who always look like they are bored with life, and at the bottom are those who just don't care and are basically apathetic about everything.

Successful social engineers first determine where their target is on this scale, and then select the attack that will have the highest chance of success with that person, closely matching the attack to their target's outlook on life.

This scale of vices can be approached from either a negative or positive side. You can either call it gullibility or you can call it trust, call it greed or self-interest, but since we're talking vices here we'll stick to the negative labels.

Here are seven social engineering attacks that I hope are good examples of each of the deadly vices, but note there is always overlap and things are not that clear-cut. We are dealing with humans after all!

Curiosity:

The attacker left a USB stick next to the washing basin in the restroom of the floor that had the executive offices and their administrative assistants. It was clearly marked 'Q1 Salary Updates'. The USB drive had modified malware on it that installed itself and called home from any workstation it was plugged into. This attack was 90% effective.

Courtesy:

The attacker focused in on the CEO of his target company. He did his research, found the CEO had a relative battling cancer and was active in an anti-cancer charity. The attacker spoofed someone from the charity, asked the CEO for his feedback on a fund-raising campaign and attached an infected PDF. Mission achieved, the CEO's PC was owned and the network followed shortly after. And of course holding the door open for a stranger with his hands full of boxes is a classic 'Courtesy' piggybacking example that we all know.

Gullibility:

Attackers identified the right managers at two separate branches of their targeted bank. They bought a domain name that looked very similar to the bank's domain, spoofed the bank executives' emails and sent bogus messages to the managers authorizing the transaction. Then they walked in with a counterfeit check and a fake driver's license, and walked out with 25,000 in cash...repeatedly!

Greed:

Did you know that the Nigerian 419 scams these days use the word 'Nigeria' on purpose to qualify their targets up front? It is now used as a filter to weed out people and grab the uneducated ones who are greedy enough to take a risk and answer the 26-year-old orphan girl who has $12,500,000 in the bank, needs a guardian and some help transferring the funds...

Thoughtlessness:

The combined U.S. and Israeli intelligence arms are widely reported to have created the Stuxnet malware, which sabotaged Iran's Natanz uranium enrichment centrifuges. It was reportedly carried in via a simple USB attack on one of their scientists: the Mossad slipped a USB drive to the scientist, who plugged the stick into his laptop at his house, went to work and there connected the laptop to the internal Natanz network. Social engineering jumped the air gap thanks to a scientist who should have known better.

Shyness:

A Brad Pitt look-alike walks up to the internal reception of the Human Resources Department of a French multinational's Boston office. He profusely apologizes for being a few minutes late and shows a piece of paper with coffee stains. He explains he spilled coffee over his resume, and asks if the receptionist "pretty please with sugar" can print a fresh copy for his interview. He hands over the USB drive; the shy receptionist does not confront him with the company policy that no foreign devices are allowed on the network, quickly prints a fresh copy and hands him the stick back. The young man disappears to the restrooms and the network is so owned.

Apathy:

Q: Which is the most useful to a social engineer? Ignorance or apathy?
A: I don’t know and I don’t care

The three employees of the shipping department all got the same generic phishing email from 'UPS' popping into their inboxes at more or less the same time. None of them took the time to hover their mouse over the link and see that it really went to a Czech site ending in '.cz'. Furthermore, not one of them 'prairie-dogged' up from their cubicle to warn the others. Two of the three clicked on the link and got their workstations infected with nasty malware that required a wipe-and-rebuild of their machines.
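Two of the stories above turn on checks that can be automated at the mail gateway or in a triage script: the Gullibility story (a domain that merely looks like the bank's) and the Apathy story (a link whose real destination differs from what the text suggests). The following is an added example, not code from this newsletter or from KnowBe4: it parses a constructed HTML email, pulls out every link, and reports the same things a hovering mouse or a careful eye would catch. The trusted-domain list, the sample message and all domains other than ups.com are assumptions made up for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the spirit of the generic "UPS" phish above.
# Every domain here except ups.com is made up for the example.
SAMPLE_EMAIL = """
<p>Your package could not be delivered.</p>
<p>Track it here: <a href="http://ups-tracking-update.cz/track?id=1Z999">
http://www.ups.com/tracking</a></p>
<p>Or sign in at <a href="https://www.ups.com/login">www.ups.com</a></p>
<p>Reset your password: <a href="https://www.upps.com/reset">click here</a></p>
"""

# Assumption: the domains the organisation actually expects mail to link to.
TRUSTED_DOMAINS = {"ups.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Hostname of a URL, or of bare text such as 'www.ups.com'."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def registrable_domain(host):
    """Crude eTLD+1 (last two labels): fine for .com/.cz, wrong for co.uk."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


HOSTLIKE = re.compile(r"^(https?://)?[\w.-]+\.\w+")


def triage_link(href, text, trusted=TRUSTED_DOMAINS):
    """Reasons a link is suspicious; an empty list means it points where expected."""
    href_dom = registrable_domain(host_of(href))
    if href_dom in trusted:
        return []
    reasons = []
    # 1. The visible text names a host, but the href goes somewhere else:
    #    exactly what hovering the mouse over the link would have revealed.
    text_dom = registrable_domain(host_of(text)) if HOSTLIKE.match(text) else ""
    if text_dom and text_dom != href_dom:
        reasons.append(f"text shows {text_dom} but link goes to {href_dom}")
    for t in trusted:
        # 2. A domain one or two edits away from a trusted one (the
        #    'looked very similar' domain of the bank story).
        if 0 < levenshtein(href_dom, t) <= 2:
            reasons.append(f"{href_dom} is a look-alike of {t}")
        # 3. A trusted brand name buried inside an unrelated domain.
        if t.split(".")[0] in href_dom.split(".")[0]:
            reasons.append(f"{href_dom} borrows the name of {t}")
    if not reasons:
        reasons.append(f"{href_dom} is not an expected domain")
    return reasons


def triage_email(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, text, reasons)] for every link in an HTML email body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(h, t, triage_link(h, t, trusted)) for h, t in parser.links]


if __name__ == "__main__":
    for href, text, reasons in triage_email(SAMPLE_EMAIL):
        print(f"{href!r} ({text!r}): {reasons or ['ok']}")
```

Run against the sample, the tracking link is flagged because its text claims ups.com while the href lands on a .cz domain, the login link passes, and upps.com is reported as a one-edit look-alike of ups.com. The eTLD+1 logic is deliberately crude (it would mis-handle co.uk-style suffixes); a production filter would use a public-suffix list and would also decode punycode hostnames before comparing them.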

As you can see the genie is out of the bottle. Cybercrime has taken the concept of social engineering and it's out in the wild. So, what to do?

- Publish and distribute comprehensive security policy.
- Understand that policy is the start of dealing with the problem.
- Acknowledge that there is no effective implementation of policy which doesn’t include a degree of education.
- Be realistic. Education doesn’t mean making end-users security experts. It means teaching them all they need to know to use computers safely.

Hat Tip to David Harley, Kevin Mitnick, Chris Hadnagy, SANS, and many others. For more info and useful links about social engineering check out the Wikipedia page:
https://en.wikipedia.org/wiki/Social_engineering_(security)

Quotes of the Week

"Human beings make life so interesting. Do you know, that in a universe so full of wonders, they have managed to invent boredom." - Terry Pratchett

"The opposite of love is not hate -- it's apathy. It's not giving a damn. If somebody hates me, they must "feel" something ... or they couldn't possibly hate." - Leo F. Buscaglia 


Your end-users are the weak link in your network security

Today, your employees are exposed to Advanced Persistent Threats. Trend Micro reported that 91% of targeted attacks started with a spear-phishing email. IT security specialists call it your 'phishing attack surface': the more of your email addresses that are exposed, the bigger your attack footprint is, and the higher the risk.

It's often a surprise how many of your email addresses can be found by the bad guys. Find out now which of your email addresses are exposed. The Email Exposure Check (EEC) is a one-time free service. We often show surprising results. An example would be the credentials of one of your users on a crime site. Fill out the form and we will email you back with the list of exposed addresses and where we found them.

Sign Up For Your Free Email Exposure Check Now:
https://info.knowbe4.com/email-exposure-check


0-Day Threats and Security Awareness

OK, we all know that there is a lively trade in 0-day threats. Often this is an unknown, not-yet-fixed vulnerability in a popular browser. Microsoft recently announced they fixed one in Internet Explorer. If you read Microsoft's description of the 0-day and what can be done about it, there is an inescapable conclusion. Here is what Redmond said in TechNet Security Advisory 2847140.

It states: "In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website."

And that means that all the software layers of your defense-in-depth are for naught if the user gets social-engineered and clicks on the link. The conclusion: end-user security awareness training may very well keep your company safe and secure. Note that I do not claim that security awareness training is the end-all solution. However, it is definitely a layer that you need in your overall defensive stance.

Your last layer of defense is that end user looking at a phishing email in their inbox, with their mouse hovering over the link. When you have a well-managed security awareness program that constantly sends simulated phishing attacks to all employees, you will have end users on their toes who do not click on that 0-day link and save the day.

Until a patch is released and deployed, end-users may well be your last line of defense. It pays off to train them!
https://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/


NSS Labs: "IE Blocks Most Malware"

The leading browsers show a significant variance in their ability to block malware. Internet Explorer 10 had the highest malware block rate at 99.96%, followed by Chrome 25/26 at 83.16%. Safari 5 and Firefox 19 were a distant third and fourth, with 10.15% and 9.92% respectively. Opera offered virtually no malicious download protection, with a 1.87% score. I wonder if the report was paid for by Microsoft?

You can download the report here, it was published May 13, 2013 and you do not have to register. Interesting information:
https://www.nsslabs.com/reports/2013-browser-security-comparative-analysis-socially-engineered-malware?


Webroot Spots NATO Job Apps Lead To Malware

This one qualifies as a Scam Of The Week and it's a good one to forward to your employees.

An interesting and very comprehensive phishing and malware-delivery campaign has been spotted by Webroot researchers. The attackers are posing as the chief of NATO's Human Resources Division, sending out an email that tells about a number of supposed job openings (with huge salaries) at the international organization, and urges recipients to apply.

Unfortunately, in order to do so they are instructed to fill out a fake NATO Employment Application Form and a fake Interview Form, which ask them to share extremely personal and very sensitive information such as name, address, telephone and cell phone number, email address, marital status, date of birth, information on their children (if they have any), education, other skills, employment history, and much, much more. Details and a sample screenshot at the Webroot Threat Blog:
https://blog.webroot.com/2013/05/21/cvs-and-sensitive-info-soliciting-email-campaign-impersonates-nato/
