Learn social engineering, p.45


  Leyla Aliyeva

  Leyla Aliyeva is passionate about security, with broad knowledge of IT infrastructure, cybersecurity, and public management. She is well known for her dedication to her work and as the founder and director of IT Female Club Azerbaijan, and is today one of the most respected women in the IT field in her country. Her experience with information security began in the Information Security department of the State Oil Company of the Republic of Azerbaijan. She now works as head advisor in the Cyber Security Service under the Ministry of Transport, Communications and High Technologies of the Republic of Azerbaijan. Her duties cover incident handling and incident response; examination, analysis, processing, and monitoring of threats and attacks; education and awareness for the public sector; and investigation of cybersecurity incidents. She has been involved in investigating more than 500 cybercrime cases and has helped law enforcement organizations trace the sources of all of them.

  Cybercriminal cases like a chain

  One day, most users woke up to news of a virus that had infected many computers through Facebook. Everyone assumed it was the same application that sent scam links to users' Facebook friend lists; nobody knew that it was something else, and that it would cause significant problems.

  Some time ago, a woman asked a CERT to recover her Facebook page. She still had access to her Facebook account, but not to the page she administered. It was extraordinary that someone could get into the page's administration section and remove her from the administrator list while she neither lost access to her own account nor changed her password.

  The investigators analyzed the Facebook logs and realized that someone had accessed her Facebook account without changing her email address or password. A request was sent to the Facebook law enforcement team and her page was recovered, but a few months later she began to receive threats from an unknown person. The threats included messages telling her to stop sharing posts, together with screenshots of her private Facebook messages. This evidence showed that the victim's computer had harbored a Trojan for a year without her knowledge.

  Similar cases appeared over the following months. Many users complained of losing access to their Facebook pages. Finally, one user who was a little more aware of information security produced a screenshot showing that an archive file containing malware had been sent to him through Facebook Messenger.

  We analyzed the downloaded archive file and found that the malware sent all the data on the victim's computer, including screenshots, to the attacker. Through this analysis the investigators found the attacker's IP address. Over the following two years, government organizations received more than 50 similar requests.

  If we go a little deeper and analyze these cases, the following scenario emerges from the analysis results:

  Attackers create fake accounts to communicate with the page administrators.

  They start talking to the administrators through the page's message section, mostly using social engineering. For example, they open a topic related to the page's interests and encourage the administrators to discuss it.

  The attackers send links or archive files to the page's message section, which only the page administrators can access.

  The administrators download the file, from the link or directly from the Facebook message, and try to open it. In doing so they install malicious software on their computers and let the attackers collect everything on them: keystrokes, real-time screenshots, and other files.

  By this point the attackers already know the victim's passwords, so they can access the accounts very easily and remove the victims from the administrator list.

  Why the attackers were interested in these pages, and why they wanted access to those people's accounts, is another matter, which we will not discuss here.

  Phishing for bank customers

  One day, the large majority of email addresses in a country's domain received a message that said the following:

  LOGO of the BANK

  Dear customer,

  We have received new payment.

  Please, enter to your account.

  Addresses received this message even when their owners had no account with this bank. Imagine that some percentage of the recipients were customers of the bank. Most of those customers clicked the link and logged in to their internet banking accounts. We received an email from the bank saying that its customers had lost a lot of money.

  The investigation showed that the letter came from an email address in the country's domain, with a domain name close to the bank's name. The link inside the letter, however, sent users to a different domain: the website of an electronics company in another country. The investigators contacted the company's representatives, who answered that they knew nothing about the fake internet banking page and had no access to delete it. The relevant security organization of that country was then asked to take the domain down in accordance with the law.

  The question is, how did the attackers carry out all these steps?

  They found a website with a vulnerability that let them add phishing pages to it

  They created a fake internet banking page that was identical to the bank's real one

  They enumerated all the domain names under the .xx country domain and collected email addresses from those websites

  They registered a convincing domain name from which to send their fake emails to the collected addresses

  They sent short, very enticing email messages to those addresses, hoping that at least one recipient would be a customer of the bank

  As a result, many customers lost their money and the bank had significant problems after the incident

  Crime in the victim's room

  Another case concerns a user who faced a complicated social engineering problem. She went to her office in the morning as usual and opened her Facebook account. She was an administrator of a teachers' group on Facebook that was very popular among thousands of teachers in the country. Unfortunately, when she entered the group she could neither share nor delete any posts, because she was no longer its administrator. She tried to find the group's new administrator, realized it was a fake account, and saw that it had been made an administrator from her own Facebook account. Yet she had never removed herself from the administration, and never added anyone else. She sent a request to the incident responders, and their investigation uncovered the following scenario:

  The attacker sent a request to join the group

  He/she signed in to the victim's Facebook account, accepted the request, and added himself/herself as an administrator from the victim's account

  They then logged in to their own account and removed the victim's Facebook account from the administrator list

  The investigators analyzed the Facebook security logs of the victim's account and discovered that the attacker had used the same network and IP address as the victim

  I am sure everything has been clear up to this point. Now the question is, how did the attacker get access to the victim's account? To answer it, the investigators analyzed the event logs on the victim's computer and found the following:

  Someone reset the victim's Windows OS password

  Someone plugged a USB stick into the victim's computer

  Someone installed malware and then unplugged the USB stick

  Thanks to the event logs, the investigators found the malicious software and analyzed it. It was a keylogger that captured all text typed at the keyboard under the victim's account. That meant someone had been in the victim's office.
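  The three findings above (a password reset, a USB device plugged in, malware installed from it) are individually unremarkable in a busy Windows log; they become an indicator when they land on the same machine within a few minutes of each other. The following is an added example, not code from the book or from the investigators, of that correlation run over a constructed export. It assumes records shaped like a `Get-WinEvent | ConvertTo-Json` export, uses Security event 4724 (an account's password was reset), Security 4688 (process creation) and event 2003 from the Microsoft-Windows-DriverFrameworks-UserMode/Operational log (a host process started for a newly arrived device, a common USB-insertion artefact), and treats any drive letter other than C: as removable, which is a site-specific assumption.

```python
"""Correlate Windows event-log artefacts of a hands-on-keyboard intrusion.

Added example, not from the book. EVENTS is constructed to resemble a
`Get-WinEvent | ConvertTo-Json` export; the event IDs and the "non-C: drive
means removable media" rule are assumptions stated in the lead-in.
"""
from datetime import datetime, timedelta

UMDF_LOG = "Microsoft-Windows-DriverFrameworks-UserMode/Operational"

# Constructed sample records (not real logs).
EVENTS = [
    {"TimeCreated": "2018-03-12T09:15:40", "LogName": "Security", "Id": 4688,
     "Data": {"SubjectUserName": "l.teacher",
              "NewProcessName": "C:\\Program Files\\Office\\WINWORD.EXE"}},
    {"TimeCreated": "2018-03-12T10:41:05", "LogName": "Security", "Id": 4724,
     "Data": {"TargetUserName": "l.teacher", "SubjectUserName": "helpdesk-adm"}},
    {"TimeCreated": "2018-03-12T10:42:30", "LogName": "Security", "Id": 4624,
     "Data": {"TargetUserName": "l.teacher", "LogonType": "2"}},
    {"TimeCreated": "2018-03-12T10:43:02", "LogName": UMDF_LOG, "Id": 2003,
     "Data": {"DeviceId": "USB\\VID_0000&PID_0000\\0123456789"}},
    {"TimeCreated": "2018-03-12T10:43:40", "LogName": "Security", "Id": 4688,
     "Data": {"SubjectUserName": "l.teacher",
              "NewProcessName": "E:\\setup\\svchost_update.exe"}},
    {"TimeCreated": "2018-03-12T10:44:10", "LogName": "Security", "Id": 4688,
     "Data": {"SubjectUserName": "l.teacher",
              "NewProcessName": "C:\\Windows\\System32\\notepad.exe"}},
]


def _with_times(events):
    """Attach a parsed datetime to each record and sort chronologically."""
    evs = [dict(e, time=datetime.fromisoformat(e["TimeCreated"])) for e in events]
    return sorted(evs, key=lambda e: e["time"])


def started_from_removable(event):
    """Process creation (4688) whose image lives on a drive other than C:."""
    path = event["Data"].get("NewProcessName", "")
    return (event["Id"] == 4688 and len(path) > 2
            and path[1] == ":" and path[0].upper() != "C")


def find_physical_access_chains(events, window_minutes=15):
    """For every password reset (4724), look within the window for a device
    arrival (2003) followed by a process started from removable media (4688).
    Returns one chain per reset that completes the whole pattern."""
    evs = _with_times(events)
    window = timedelta(minutes=window_minutes)
    chains = []
    for reset in (e for e in evs if e["LogName"] == "Security" and e["Id"] == 4724):
        t0 = reset["time"]
        later = [e for e in evs if t0 <= e["time"] <= t0 + window]
        arrivals = [e for e in later if e["LogName"] == UMDF_LOG and e["Id"] == 2003]
        if not arrivals:
            continue
        execs = [e for e in later
                 if e["LogName"] == "Security" and started_from_removable(e)
                 and e["time"] >= arrivals[0]["time"]]
        if execs:
            chains.append({
                "account": reset["Data"]["TargetUserName"],
                "reset_by": reset["Data"]["SubjectUserName"],
                "reset_at": reset["TimeCreated"],
                "device_at": arrivals[0]["TimeCreated"],
                "executed": [e["Data"]["NewProcessName"] for e in execs],
            })
    return chains


if __name__ == "__main__":
    for chain in find_physical_access_chains(EVENTS):
        print(chain)
```

Run on the constructed export, the 09:15 Word launch is ignored and a single chain is reported for `l.teacher`: reset by `helpdesk-adm` at 10:41, device at 10:43, `E:\setup\svchost_update.exe` executed. Shrinking the window to one minute breaks the chain, which is the knob an analyst tunes against the false-positive rate of legitimate helpdesk resets.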

  Later, the investigators asked the victim many questions. She said that on that day she had received a phone call from another organization (the person who summoned her to that agency was part of the incident and already knew about it) and had left her office. She locked her office, but the attacker was an insider and got in with a spare key obtained from the security office.

  The most remarkable detail is that the insiders got into the security officers' database and deleted the entry records relating to the victim.

  The motive and aim of the incident are separate matters, which we will not go into. The critical point is that social engineering was part of the event in specific ways.

  A phone call and the loss of thousands of dollars

  A man calls a number of companies, tells them that their website's domain name registration and hosting are about to expire, and asks for a payment to renew them. The company owners ask for the fee, and the man sends someone to collect the money at their office. He takes the payment and even issues receipts for the cash.

  Some time later the hosting and domain names do expire, and the company owners start to worry. They phone the companies that actually handle their domain registration and hosting, which tell them that no payment has been received in the last year. In the end, both sides investigate and discover that the man who called and asked for payment was a social engineer.

  In total, this man earned more than USD 20,000 from his victims.

  Why do we become victims?

  I think all the cases above show that the main threat in these incidents is social engineering. But why social engineering? Why do people fall victim to social engineers? Why could they not protect themselves from such attacks?

  From my point of view, and as is always observed, the main reason is not being aware of and educated enough about cybersecurity. But why? Do you think national organizations do not give enough information on cyber threats and prevention methods? No. From my experience, I am sure all national organizations do their best to educate people. But sometimes the problem is simply the people. They do not want to receive the information, or they do not care about protecting their data or learning more about the digital world they live in. In the end, they wake up when they become the victim of a simple social engineering attack, and regret not having been careful.

  For instance, the first case in this section shows that people open any link or file sent by strangers. In the second case, people did not pay attention to the domain name of the internet banking page, did not notice that the email came from a domain other than the bank's official one, and never questioned why the bank would send an email about a payment, something it had never done before. The third incident shows that the victim kept using her computer even after noticing that her OS password had been reset, instead of reporting it to the responsible organization. And finally, the last case, a very simple social engineering incident, shows that people still believe straightforward phone callers and lose a lot of money as a result.

  Finally, to close this section, I would like to give some recommendations for all users:

  Social engineering attacks (letters, messages, calls, and so on) always contain words or other content that sounds urgent, to make you act before you think.

  The attackers usually approach you through your own point of view or interests, to get you to click, download something, or hand over confidential data such as your password or bank account details, or simply money.

  One different letter or symbol in a domain name and you are on a fake website, a victim of phishing. Always check the site's name, or find the web address through a search engine instead of following the link, to avoid phishing.

  Try to learn more about social engineering before you become a victim and lose your data or money.

  Posting your personal information on the web as a public post gives others more opportunities to make you a victim.
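  The bank phishing case above turned on two details that a recipient could have checked: the sender's domain was merely close to the bank's, and the link in the message pointed at an unrelated domain in another country. The recommendation on lookalike domain names describes the same check. What follows is an added example, not code from the book, that automates both checks on a constructed message; `examplebank.az` is a hypothetical legitimate domain, the sender address and HTML body are made up to mirror the lure quoted in the case, and `registrable()` keeps only the last two labels of a host name, which ignores public-suffix rules such as `.co.uk`.

```python
"""Triage a suspected phishing e-mail: lookalike sender domain, links to
unrelated hosts, and links whose visible text does not match the real target.

Added example, not from the book. BANK_DOMAIN, SENDER and BODY are
constructed; a real message would be parsed from its raw source.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

BANK_DOMAIN = "examplebank.az"   # assumed legitimate domain (hypothetical)
# Anchor text that looks like an address, e.g. "https://www.examplebank.az/login"
URLISH = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels only (simplification: no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def skeleton(label):
    """Fold common look-alike substitutions: examp1ebank -> examplebank."""
    folded = label.lower().replace("rn", "m").replace("vv", "w")
    return folded.translate(str.maketrans("0135", "oles"))


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squats after folding."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_verdict(host, legit=BANK_DOMAIN):
    """'legit', 'lookalike' (brand embedded, or within edit distance 2 after
    folding) or 'unrelated'."""
    host = host.lower().rstrip(".")
    reg = registrable(host)
    if reg == legit:
        return "legit"
    brand = legit.split(".")[0]
    if legit in host or brand in reg:       # examplebank.az.evil.example, examplebank-secure.az
        return "lookalike"
    if edit_distance(skeleton(reg.split(".")[0]), skeleton(brand)) <= 2:
        return "lookalike"                  # examp1ebank.az, examplebanc.az
    return "unrelated"


def triage(sender, html_body, legit=BANK_DOMAIN):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    sender_domain = sender.rsplit("@", 1)[-1]
    verdict = domain_verdict(sender_domain, legit)
    if verdict != "legit":
        findings.append(f"sender domain {sender_domain} is {verdict}")
    collector = LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        verdict = domain_verdict(host, legit)
        if verdict != "legit":
            findings.append(f"link to {host} is {verdict}")
        if URLISH.match(text):              # displayed address vs. real target
            shown = urlparse(text if "://" in text else "//" + text).hostname or ""
            if registrable(shown) != registrable(host):
                findings.append(f"link text shows {shown} but points to {host}")
    return findings


# Constructed message modelled on the lure quoted in the case above.
SENDER = "notify@examp1ebank.az"
BODY = """<p>Dear customer,</p><p>We have received new payment.</p>
<p>Please, enter to <a href="http://shop.electro-example.net/bank/login.php">https://www.examplebank.az/login</a>.</p>"""

if __name__ == "__main__":
    for line in triage(SENDER, BODY):
        print(line)
```

On the constructed message this yields three findings: the sender domain is a lookalike (the digit 1 standing in for l), the link target `shop.electro-example.net` is unrelated to the bank, and the visible address disagrees with the real one. A message from the genuine domain whose links also go to the genuine domain produces no findings. The folding and edit-distance threshold are deliberately crude; a production check would use a public-suffix list and a Unicode confusables table.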

  Aryeh Goretsky

  Social engineering – from typewriter to PC

  There is a common belief that all sorts of problems can be solved by technology, "if only something or other." Unfortunately, whatever that something or other is, it almost inevitably turns out to be something computers cannot solve. Social engineering, defined as psychological manipulation to produce a desired effect on people's behavior, is one of those problems, because it is fundamentally not a technological problem but a psychological one.

  It's also important to keep in mind that the tricksters, con artists, and other scammers who use social engineering have access to the same technologies as those who defend against them and are subject to the same types of evolutionary pressures we see in other cyber domains. In other words, if the defenders get better at protecting, the attackers respond by getting better at assault.

  This does not mean that it is pointless to try to stop social engineering, but that it is going to require more than technology to defend against it, and there's never going to be such a thing as a 100% defense.

  That was then – social engineering with postal mail

  I was working at McAfee Associates in 1990 when I had my first encounter with a so-called Nigerian 419 (aka advance-fee fraud) scammer. It was not delivered through email but came to the office as a hand-typed letter from Nigeria in the postal mail. In those days, we received letters every day via postal mail or fax asking for support, to request a quote, and all the other things email is used for today. Letters from Africa were a rarity though, and it was with great interest that the half-dozen or so employees gathered around the front of the office to read it.

  While I don't remember the exact wording, I do remember the rough, thin paper it was typed on, and all in uppercase. The ribbon must have been so worn the letters appeared more purple than black. In this fragile letter, we were told how the writer, a confidant of someone in the oil ministry, wished for us to open bank accounts for the purpose of transferring funds from the Ministry, for which we would receive a commission.

  As we passed the letter around, reading sections of it aloud, it seemed that none of us had ever heard of such a thing. By the time it had made it back into John McAfee's hands, he declared he knew it was fraud of some kind but was not sure exactly which kind. He stared at the letter for about 30 seconds, and finally, announced that he had figured out the scam—once we provided the con man with our banking information, they would then forge a request to wire the money out of the account, transferring it into another account, from which it would be withdrawn and disappear. In short, it was likely a classic advance-fee scam, where we would provide a small amount of money up front in exchange for being paid a fee to help launder a larger sum.

  Federal Bureau of Investigation. Advance Fee Schemes. Retrieved February 28, 2018. U.S. Department of Justice available at https://www.fbi.gov/scams-and-safety/common-fraud-schemes/advance-fee-schemes/.

  Wikipedia. Advance-fee scam. Retrieved February 28, 2018. Wikimedia Foundation available at https://en.wikipedia.org/wiki/Advance-fee_scam.

  While it may not have been completely accurate, it was not a bad guess at all, especially considering none of us had ever heard of this scam before. We never responded. After all, why would we? We were a computer security company, and this threat was clearly not a computer virus. In the end, the letter was pinned to a cork board above the coffee machine at the back of the office.

  A few months later, during a routine conversation with the FBI, I mentioned the letter. The agent was very familiar with these scams. Apparently, they were more common than any of us at McAfee Associates then knew, and many people had lost thousands of dollars by wiring money to Nigeria. As the internet wouldn't become ubiquitous for another half-decade or so, there was little awareness of these types of social engineering scams, which at that point had already been occurring for seventy years from Nigeria. As for the letter, since we moved offices nearly every 12 months while I was there, it got lost in the shuffle pretty quickly.

  Ellis, Stephen. The Origins of Nigeria's Notorious 419 Scams. Published May 9, 2016. Newsweek, LLC available at http://www.newsweek.com/origins-nigerias-notorious-419-scams-456701.

  So, what does this anecdote tell us? For one thing, it shows the unintended consequences of technologies once they become commonplace. It may seem downright bizarre to the reader that a security software company would have had no interest in social engineering scams beyond mere curiosity, let alone scramble to provide some level of protection; but three decades ago, such scams did not have the advantage of spreading over the internet, only by mail and possibly fax.

  30 years of criminal evolution

  Just to show how far things have come, today it seems almost inconceivable that such a social engineering scam campaign would be run via postal mail when email is cheaper, faster, and more convenient. What is now a century-old scam technique is perhaps even more effective, more capable, and more pernicious today than it was a century or even three decades ago because of networked computers, which we can attribute in a perverse way to Metcalfe's Law—the growth of the internet into a ubiquitous tool for communications has made networked computers the new platform, replacing the typed letter and postal service.
