Learn Social Engineering, page 33
By tricking a user into installing an application, an attacker can add anything he/she wants to a user's device. This attack type has been a mature business for the last few years.
One of the greatest examples of such a campaign was the TDL4 (Trojan Downloader) bootkit. It was released in 2011 as the successor of TDL3. By the end of 2011, this bootkit had infected 4.5 million machines globally. The malvertising network GangstaBucks was paying $20 to $200 for every 1,000 installations of this malware. This bootkit was used by cyber criminals for pushing adware to victims' PCs, manipulating search engine results, and providing anonymous internet access to their paid customers. An interesting fact about this malware is that it even had its own antivirus for cleaning other malware families from the infected machine. This was because the owners of this botnet tried to minimize cyber crime competition, which proves that this is taken seriously as a business by cyber criminals:
An example pay-per-install network
Another one is the GG Tracker malware family, which targets Android users. As in all malvertising campaigns, this one tricked the users by redirecting them to a legitimate-looking Android Market clone website. As soon as users clicked on the Install button, it downloaded an adult app and a fake battery optimizer. Once users installed these applications they were subscribed to premium services owned by cyber criminals.
Prevention
Malvertising can be prevented simply by paying attention to the following rules:
Do not download software from unknown sources
Make sure you are downloading an application from the original producer/developer themselves
Rogue/fake applications
Fake applications can be thought of as carbon copies of legitimate software. Cyber criminals are investing quite a large amount of time and resources into copying popular software applications and uploading them to download sites or mobile markets with a FREE tag attached.
One example of this type of attack is what is called Fake AV, which had a lot of variants that targeted Windows users. Combined with scareware tactics, this type of malicious software is used by cyber criminals for persuading the user to upgrade the software by paying money. It is also used to further infect the machine with other types of malware. As you can see in the following screenshot, it looks like real antivirus software, which is how they persuaded a lot of users to pay for cleaning a non-existent infection from their PC. Some variants even downloaded ransomware onto infected machines, forcing the user to pay a ransom in order to restore encrypted files:
An example fake antivirus product
Another one that is still popular today is the Fake Flash Updater, which works by tricking the user into clicking an Install button while browsing the web. Cyber criminals mostly use online video sites, and they direct users to a page displaying a specially crafted fake Flash update popup inside the browser before allowing the user to play the video content. Innocent users trying to play a video generally click the button and install the malicious application onto their PC, which is usually a CryptoLocker variant that encrypts files and asks for a ransom:
An example website with a fake Adobe Flash update warning
Prevention
Just like any other attack type, paying attention to what you download and install onto your PC/mobile device can save you
For Windows PCs with User Account Control enabled, always check the digital certificate name of the product you are about to execute
For mobile devices, make sure you only allow installations from trusted sources
Documents with malicious payloads
Malicious documents are another widely used attack type and are mostly initiated by social engineering techniques. This attack type has gained in popularity over the last few years, after operating systems and popular software solutions were hardened against exploits. To tell the truth, running a macro from an Office document, or JavaScript from a PDF, is easier than trying to exploit software on a victim's PC. That's because this capability is embedded directly into the document-viewing suites to increase productivity, such as giving users a chance to create formulas or increase the interactivity of the document. As in all other attack types, this capability is abused by cyber criminals for running a malicious payload on a victim's system and gaining access to sensitive information.
As an example, malicious documents are still the number one infection vector for CryptoLocker attacks. Combined with social-engineering tricks, this attack type can be a powerful weapon for dropping whatever the attacker wants into the victim's PC. Even though macro execution is disabled by default in recent versions of document viewers, by using social engineering, cyber criminals still succeed in tricking users into enabling macro execution as you can see in the following screenshot:
An example malicious document tricking the user into enabling macros
Alongside macro execution, we have recently started seeing a different method, which has allowed attackers to run malicious code on victims' PCs. This attack uses Microsoft's Dynamic Data Exchange feature in the Office Suite. Even though it was first discovered in the 1990s, this technique has gained popularity after security vendors and operating systems started disabling macro execution on users' machines. Even though this attack type requires multiple user interactions to execute malicious payloads, most users do not even read what the operating system asks for and just click the Yes button, which lets the attacker download whatever he wants to the user's machine.
Prevention
Do not open unknown/surprising documents without making sure of the source
Do not enable macro execution, even if the document contains instructions for enabling macro execution
Read the pop-up dialogs carefully before accepting them and clicking Yes
Public Wi-Fi hotspots
Most of us don't even hesitate to connect to a free Wi-Fi hotspot when we need internet access. Connecting to a Wi-Fi network in a coffee shop, hotel, or an airport is like leaving your computer/mobile device open and unlocked in a public place. It is quite easy to trick Wi-Fi users into connecting to a rogue hotspot by using a similar SSID. Even if it is the legitimate Wi-Fi you originally requested, you don't know who else is connected to that network. We have seen advanced attacks that clone the MAC address of the legitimate hotspot. Rogue hotspots enable cyber criminals to eavesdrop on the network traffic, which mostly includes sensitive information such as account credentials. They can even redirect your web browser to a malicious website that downloads malware to your device.
Prevention
In order to stay safe against these types of attack, here are a few basic tips:
Avoid connecting to public Wi-Fi hotspots
In case you have to use one, always use HTTPS websites to guard your private information against network eavesdropping
Use a Virtual Private Network (VPN) to secure your connection
Phishing/spear phishing
Phishing is an attempt to obtain sensitive information, such as usernames, passwords, and credit card details, often for malicious reasons, by disguising oneself as a trustworthy entity in an electronic communication. Even though most people are aware of this type of attack and they already know that they should not be opening emails or clicking links coming from untrusted sources, the fact is that, in most attacks, cyber criminals pretend to be someone you already know/trust. This is because, previous to the phishing attack, they gather intelligence about the target such as what he/she likes, with whom he/she communicates by email the most, and so on.
The following is one of my tests, in which I created a phishing email that was specially crafted to look as if it was being shared by me (a trusted person in the company). I chose the title Organization Scheme since it would persuade every single person in the company to read it:
An example phishing email for stealing Dropbox user credentials
Believe it or not, even the most experienced people in the company clicked the link and provided their Dropbox credentials, which were directly emailed to me (the attacker in this case). Only one person out of 20 contacted me, but unfortunately, it was to ask what was wrong with the document since he was not able to view it!
This was actually the point when I realized how effective phishing attacks could be. If I was able to trick my own employees with a single interesting email created in 30 minutes, what could a seasoned attacker do?
The reason this test was so successful was not because the people clicked the link in the email I sent, but it was about the website address they were directed to after clicking the link. The address I used was http://www.dropbox.ssl.login.authentication.identify_ctx_recover_lwv110123_securefreemium.ebilgilendirme.net, which was more than enough to persuade them it was the legitimate Dropbox website since they only paid attention to the first part of it, rather than looking at the full address. The following is a screenshot of what you would see in your address bar and taskbar if an attacker uses this kind of address:
Taskbar and address bar examples in a phishing attack
So, anyone looking at the address bar or taskbar would immediately think that this is the legitimate Dropbox website, but, for an experienced user, this is just a subdomain of a random website that can be created in minutes.
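The address-bar trick described above can be checked mechanically. The following Python snippet is an added example, not code from the book: it takes the phishing address quoted in the text, extracts the registrable domain, and flags that the brand name appears only in attacker-controlled labels. The brand-to-domain mapping and the two-label domain heuristic are assumptions made for this example.

```python
"""Check whether a link's registrable domain matches the brand it claims."""
from urllib.parse import urlsplit

# The phishing address quoted in the text above.
PHISHING_URL = ("http://www.dropbox.ssl.login.authentication.identify_ctx_recover_"
                "lwv110123_securefreemium.ebilgilendirme.net")

# Constructed mapping of brand keywords to the domains they actually own
# (an assumption for this example, not a complete or authoritative list).
KNOWN_BRANDS = {"dropbox": {"dropbox.com"}}


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of a hostname.

    Simplification: production tooling should consult the Public Suffix List
    so that names such as example.co.uk are handled; two labels are enough
    for the .net address discussed here.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def assess_link(url: str) -> dict:
    """Explain why a link does or does not belong to the brand it mentions."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    # Brand names found anywhere in the host labels; only the registrable
    # domain decides who really owns the site.
    claimed = [b for b in KNOWN_BRANDS
               if any(b in lbl for lbl in host.lower().split("."))]
    legit = any(domain in KNOWN_BRANDS[b] for b in claimed)
    return {
        "host": host,
        "registrable_domain": domain,
        "claimed_brands": claimed,
        "uses_https": parts.scheme == "https",
        "suspicious": bool(claimed) and not legit,
    }


if __name__ == "__main__":
    for url in (PHISHING_URL, "https://www.dropbox.com/login"):
        result = assess_link(url)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{verdict:10} {result['registrable_domain']:25} {url[:60]}")
```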
To sum this up, online safety is all about educating users regarding the types of tricks and attacks used by cyber criminals. Educating users is much more important than investing in software or hardware solutions.
As a final note, here is my quick list for staying safe online:
Always use a modern OS and software. Out-of-date systems will be vulnerable to exploitation.
Use up-to-date security software, including antivirus, anti-exploit, anti-phishing, and content-control features for preventing known, bad content. This will guard you against most of the attacks, but do not forget, security software is just a layer not the solution.
Do not open suspicious-looking emails.
Always check the target address of clickable content in emails and make sure the target website is known to you.
Always check for the SSL indicator on websites before providing your personal information.
Use a VPN to prevent cyber criminals eavesdropping on your network traffic.
Disable macro execution in your environment and do not click the Enable Macros button, even if the document you are viewing says to do so.
Read pop-up dialogs or warnings carefully before accepting them.
Milad Aslaner
Milad Aslaner is a mission-focused security professional with more than 11 years of international experience in product engineering, product management, and business evangelism for cybersecurity, data privacy, and enterprise mobility. He is an award-winning speaker and technical expert at worldwide conferences such as Microsoft Ignite, Microsoft Tech Summit, and Microsoft Build. With his background, Milad Aslaner regularly advises Fortune 500 companies, government agencies, journalists, and analysts on the latest cybersecurity trends, and helps prepare them for cyber-crime incidents and cyber terrorism, and allows them to prepare for a secure digital transformation.
As a security professional, I regularly advise customers before, during, and after cyberattacks. For me, the number one priority is earning the trust of my customers. Therefore, while I will share real-world examples of cyber-attack techniques, I will change all indicators that could be leveraged to identify the target customer. I share these real-world scenarios not to scare but rather to drive the sense of urgency on cybersecurity by focusing on the rising risk of social engineering.
Social engineering is the art of manipulating a person to do what the threat actors want, while the person thinks they are doing it in their best interest. Therefore, threat-actor groups that leverage social engineering are the modern conman. Keith A. Rhodes, chief technologist at the U.S. General Accounting Office says, "There's always the technical way to break into a network but sometimes it's easier to go through the people in the company. You just fool them into giving up their own security". The recent cyber-attacks on Uber, Yahoo, or Imgur prove how sophisticated these kinds of cyber-attacks have become.
Verizon continues to provide interesting insights on the threat of social engineering as part of their annual data-breach report:
In 2015, they identified that when a threat actor sends a sophisticated phishing email to 100 employees inside an organization, 23 will open that email, 11 of them will also open the email attachment, and six more will do the same within the first hour:
Verizon Data Breach Report 2015
In 2016, they identified that 30% of phishing emails were opened. It takes a recipient an average of only 40 seconds to open the email and an additional 45 seconds to also open the malicious attachment. Around 89% of all phishing emails are sent by organized-crime syndicates and 9% by state-sponsored threat actors:
Verizon Data Breach Report 2016
In 2017, they identified that 43% of all documented cyber-attacks involved social engineering attacks.
Information is everywhere
In 2012, on a CNBC Squawk Box segment called The Pulse of Silicon Valley, the host Joe Kernen asked Ann Winblad, an investor and senior partner at Hummer Winblad, "What is the next real big thing?" Her response was, "Data is the new oil". While Ann Winblad made this statement because of the breakthroughs in big data and artificial intelligence, it is also true in the information security space. Data is everywhere, and the majority of people post, comment, and share personal information every day without knowing who might be watching. It doesn't matter if it's a picture of a meal, information on their favorite soccer team, their relationship status, or how they feel at that very moment. It's all shared on social and professional networks. Many of the active social network users are still not aware of the privacy settings that are available to them for restricting who has access to their personal data. It's an interesting paradigm because, looking back in history, in the times before cyberspace you wanted to build trust with another person before you started sharing much of the information that we, today, just post on a social network. All these different user activities in those networks help threat actors to perform in-depth reconnaissance.
User activities
Profile: Users do their best to have as complete a profile as possible. This includes date of birth, phone number, email address, profile picture, cover picture, employer name, address, relationship status, and more.
Post: According to Facebook, on average, a user makes X posts a day. These posts include pictures of their favorite dishes, information about upcoming vacation plans, or to celebrate the victory of their favorite soccer team.
Comment: When posting on social networks, many users hope to start an active conversation with people who follow them or who they are friends with. During those conversations, handled through the comment function, they share their own perspective on certain situations.
Pictures and videos: Besides the favorite-dish pictures the user posts on their timeline they also create and maintain albums of pictures and videos from special moments. Again, the user tries to enter as much information as possible, including location data, who else is in the picture, and even how they feel about it.
Support: Many companies offer support over social networks. While most of them inform and remind their customers to not publicly share personal data, including customer identification numbers, the average users still do unintentionally.
Online games: While playing games hosted on social networks users share information.
This is not a complete list of all activities a user undertakes daily on social and professional networks, but it is intended to provide a simple understanding of the amount of data involved. With the breakthrough in digitalization and the ease of use of social networks, it is unlikely that we would find an organization that has zero employees using a social network. In fact, even if an organization has a policy against the private usage of social networks, it's likely that employees will still use them, but create and maintain a social network profile under a pseudonym.
Understanding reconnaissance
In the previous chapters, Erdal Ozkaya has described the cyber kill chain; that is, a process diagram developed by Lockheed Martin to better understand how threat actors prepare and execute cyber-attacks. The key is to understand how threat actors operate in order to build an effective defense strategy. The first phase for many cyber-attacks is the reconnaissance (or recon, for short) phase. The term reconnaissance comes originally from the military, and means to identify useful intelligence about the enemy's location, intention, combat plan, and anything else that could be relevant to infiltration, gaining a technical advantage, or preparing for combat against them.
In cyberspace, the recon phase follows the same principles, but it is focused on identifying patterns in user behavior to find the right set of loopholes. In this phase, the threat actor seeks to gain in-depth knowledge of the target. This typically not only includes basic information, such as the location of their headquarters, but far more personal information such as hierarchy diagrams, pictures of employee badges, document templates, building blueprints, financial information, and insights into individual employees. The threat actor then takes the gathered intelligence and builds a graph view of it. This allows the threat actor to identify the weakest link, and allows them to prepare a sophisticated and targeted cyberattack.
