Lenny Zeltser: Social Engineering Attacks

Post on 17-May-2015

Why bother breaking down the door if you can simply ask the person inside to let you in? Social engineering works, both during penetration testing and as part of real-world attacks. This briefing explores how attackers are using social engineering to compromise defenses. It presents specific and concrete examples of how social engineering techniques succeeded at bypassing information security defenses. These materials are designed to help you improve the relevance of your security awareness training and to adjust your data defenses by revisiting your perspective of the threat landscape.

Copyright 2010-2011 Lenny Zeltser

Just like “con artists” have done for centuries.

As a result, outsider == insider: someone is bound to let an outsider in.

This may help with educating users, customers and security staff. This may also help in adjusting the security architecture.

http://isc.sans.org/diary.html?storyid=5797

http://blogs.paretologic.com/malwarediaries/index.php/2011/09/30/trademark-rogue-business/

http://www.bankinfosecurity.com/articles.php?art_id=1858

… with an element of social engineering.

Conficker set up the autorun.inf file on infected USB keys so that the worm would run when the victim inserted the USB key into a computer, thereby infecting the PC. The autorun.inf file that Conficker created on the USB key was carefully crafted to confuse the user once the key was inserted into the computer. When the victim inserted the USB key, Windows typically brought up the AutoPlay dialog box, asking the person what to do next. Normally, the AutoPlay dialog presents the user with options to run the program on the USB key or to browse the USB key's files. The autorun.inf file that Conficker created manipulated the options presented to the user, so that the option to run the program looked like the option to browse the drive's contents. The user was likely to click on the first option to browse the files, not realizing that he or she was actually launching a program. As a result, the user inadvertently launched the Conficker worm from the USB key and infected the PC. http://isc.sans.org/diary.html?storyid=5695
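A defender-side check for the trick described above, written for this transcript rather than taken from the briefing: it parses an autorun.inf and flags an entry that launches a program while its menu text or icon imitates Windows' own "Open folder to view files" option. The two autorun.inf bodies are constructed samples, not files recovered from Conficker.

```python
import configparser
import re

# Constructed sample in the style the text describes: the "action" label and
# icon are chosen to look like the built-in browse-the-folder entry, while
# "open"/"shellexecute" actually launch an executable on insert.
SUSPICIOUS_AUTORUN = """[autorun]
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
open=RECYCLER\\update.exe
shellexecute=RECYCLER\\update.exe
"""

# Constructed benign sample: a label and icon, nothing launched automatically.
BENIGN_AUTORUN = """[autorun]
label=Vendor Driver CD
icon=setup.exe
"""

# Menu wording that imitates Windows' browse option, or an "@...shell32.dll,-N"
# reference that borrows one of Windows' own localized strings outright.
FOLDER_LABEL = re.compile(r"open\s+folder|view\s+files|browse|^@.*shell32\.dll", re.I)
# shell32.dll icon index 4 is the stock folder icon.
FOLDER_ICON = re.compile(r"shell32\.dll\s*,\s*4\s*$", re.I)

def audit_autorun(text):
    """Return a list of findings for one autorun.inf body (empty = nothing odd)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    sec = {k.lower(): v.strip() for k, v in cp.items(section)}  # keys are lowercased
    launches = list(dict.fromkeys(sec[k] for k in ("open", "shellexecute") if k in sec))
    findings = []
    if launches:
        findings.append("launches a program on insert: " + ", ".join(launches))
        if FOLDER_LABEL.search(sec.get("action", "")):
            findings.append("action label imitates 'Open folder to view files'")
        if FOLDER_ICON.search(sec.get("icon", "")):
            findings.append("icon borrows the Windows folder icon from shell32.dll")
    return findings
```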

Gawker sites include Gizmodo, Lifehacker and TechCrunch. http://www.wired.com/threatlevel/2009/09/nyt-revamps-online-ad-sales-after-malware-scam/ "The culprit masqueraded as a national advertiser and provided seemingly legitimate product advertising for a week." ... "Over the weekend, the ad being served up was switched so that an intrusive message, claiming to be a virus warning from the reader's computer, appeared."

http://www.businessinsider.com/henry-blodget-gawker-scammed-by-malware-pretending-to-be-suzuki-2009-10

Impersonated a legitimate advertising company

http://uk.answers.yahoo.com/question/index?qid=20100614105319AAznWTW

http://www.securelist.com/en/blog/208193029/ZeuS_in_the_Mobile_for_Android

Consider a variant of the Waledac worm. The worm directed its potential victims to a website that showed a news excerpt about a supposed explosion. The message was localized based on where the user was connecting from. For instance, visitors from New York would see a message “Powerful explosion burst in New York this morning.” The person was asked to download a video player for the full story. Personalization of the message increased the likelihood of the person downloading the trojan player in an attempt to see the video. http://securitylabs.websense.com/content/Alerts/3321.aspx

Attackers have been conducting the "stuck in London" scam for several years. Early campaigns relied on compromised webmail accounts to reach potential victims through email. In an example recently documented by Rakesh Agrawal, this classic scam was conducted via Facebook chat. The scammer used a compromised Facebook account in an attempt to solicit emergency funds from the victim's friend. The screenshot on this slide shows an excerpt from the chat transcript. With low-cost labor available throughout the world, scammers can employ humans to chat with victims while keeping their costs relatively low. The scammer was using Matt's Facebook account and, as far as I can tell, was a human being. However, such interactions could easily have been automated using a chat bot. For details regarding this Facebook chat scam see: http://rake.sh/blog/2009/01/20/facebook-fraud-a-transcript

Consider a scam that promises Facebook users to find out who has been viewing their Facebook profile. The implication is that the user can get access to these details (that feed the narcissist in all of us) by installing the Profile Spy application. The scam attempts to trick the victim into revealing personal details, including a mobile phone number. The malicious site shows a fake Facebook page in the background, to make victims think they are within the “walled garden” of Facebook…

After infecting the computer, one malware specimen edited the victim's "hosts" file to redirect attempts to connect to technology product review sites, including CNet, PCMag, and ZDNet. The goal seemed to be to present the victim with a spoofed review of a fake anti-virus tool, "Anti-Virus-1", to trick the person into purchasing this software. Fake anti-virus is not unlike the fake pen for detecting counterfeit money. For additional details about this incident, see: http://www.bleepingcomputer.com/forums/topic204619.html
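A hosts-file audit of the kind an incident responder would run against the tampering described above; this is an added example for this transcript, not tooling from the briefing. The hosts file content and the 192.0.2.45 address are constructed, and the watched-domain list stands in for whatever sites an organization wants never to be pinned locally.

```python
import ipaddress

# Constructed hosts file: the first three entries are the normal loopback and
# sinkhole idioms; the last three pin review sites to an attacker-chosen address,
# which is what lets a spoofed "review" be served in place of the real site.
SAMPLE_HOSTS = """127.0.0.1       localhost
::1             localhost ip6-localhost
# block a tracking host
0.0.0.0         ads.example.invalid
192.0.2.45      www.cnet.com download.cnet.com
192.0.2.45      www.pcmag.com
192.0.2.45      www.zdnet.com
"""

# Domains that should never resolve via a local override (assumed watch list).
WATCHED = {"cnet.com", "pcmag.com", "zdnet.com"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()

def registrable(name):
    # Last two labels are enough for this check (www.cnet.com -> cnet.com).
    return ".".join(name.split(".")[-2:])

def is_sinkhole(ip):
    """Loopback or unspecified addresses are the usual 'block this host' idiom."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: do not treat as harmless
    return addr.is_loopback or addr.is_unspecified

def suspicious_entries(text):
    """Every pin that sends a name somewhere real; watched domains rate 'high'."""
    hits = []
    for ip, name in parse_hosts(text):
        if is_sinkhole(ip) or name in ("localhost", "ip6-localhost"):
            continue
        severity = "high" if registrable(name) in WATCHED else "review"
        hits.append((name, ip, severity))
    return hits
```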

Koobface spread by including links to malicious websites in Twitter and Facebook profiles. Once the potential victim clicked on the link, he or she was typically directed to a website that attempted to trick the person into installing malware. A common tactic was to tell the user that a Flash Player upgrade was required to view the video. Of course, the executable the person was offered was not Flash Player, but malware.

The malicious website embedded, through a series of steps, a Facebook page in an invisible iframe that floated above the button the user clicked on. The victims didn't realize that they were actually clicking on the Facebook "Share" button, which shared the malicious website with the victim's Facebook friends. http://fitzgerald.blog.avg.com/2009/11/new-facebook-worm-dont-click-da-button-baby.html

<html><head></head><body>
<div style="overflow: hidden; width: 56px; height: 24px; position: relative;" id="div">
<iframe name="iframe" src="http://EVILURI/index.php?n=632"
  style="border: 0pt none; left: -985px; top: -393px; position: absolute; width: 1618px; height: 978px;"
  scrolling="no"></iframe>
</div></body></html>

HTML Source: theinvisibleguy
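A detection heuristic for the layout shown in the snippet above, added here as an illustration rather than taken from the briefing or from the worm's own code: it walks the HTML and flags an iframe that is far larger than the overflow-hidden box containing it and has been shifted to negative coordinates, so only a sliver of the framed page (such as a "Share" button) remains under the visible area. The two documents are constructed; the first mirrors the snippet's geometry and the EVILURI placeholder.

```python
from html.parser import HTMLParser
import re

# Constructed page with the same geometry as the snippet: a 56x24 clipping box
# holding a 1618x978 frame pushed 985px left and 393px up.
CLICKJACK_HTML = """<html><body>
<div style="overflow: hidden; width: 56px; height: 24px; position: relative;" id="div">
<iframe name="iframe" src="http://EVILURI/index.php?n=632"
 style="border: 0pt none; left: -985px; top: -393px; position: absolute; width: 1618px; height: 978px;"
 scrolling="no"></iframe></div></body></html>"""

# Constructed ordinary embed: frame and container are the same size, no offset.
BENIGN_HTML = """<html><body><div style="width: 640px; height: 360px;">
<iframe src="https://video.example/embed/1" style="width: 640px; height: 360px;"></iframe>
</div></body></html>"""

def css_px(style, prop):
    """Integer pixel value of one property in an inline style, or None."""
    m = re.search(r"(?:^|;)\s*%s\s*:\s*(-?\d+)px" % prop, style or "", re.I)
    return int(m.group(1)) if m else None

class FrameAudit(HTMLParser):
    """Pair each iframe with the inline style of its nearest enclosing div."""
    def __init__(self):
        super().__init__()
        self.stack, self.findings = [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "div":
            self.stack.append(a.get("style") or "")
        elif tag == "iframe":
            self.check(a, self.stack[-1] if self.stack else "")
    def handle_endtag(self, tag):
        if tag == "div" and self.stack:
            self.stack.pop()
    def check(self, a, parent):
        style = a.get("style") or ""
        cw, ch = css_px(parent, "width"), css_px(parent, "height")
        fw, fh = css_px(style, "width"), css_px(style, "height")
        clipped = "hidden" in parent.lower() and cw is not None and ch is not None
        shifted = any((css_px(style, p) or 0) < 0 for p in ("left", "top"))
        # Frame area an order of magnitude beyond the clip box, shifted offscreen:
        # only a small, attacker-chosen patch of the framed page can be shown.
        if clipped and shifted and fw and fh and fw * fh > 10 * cw * ch:
            self.findings.append(a.get("src", "?"))

def find_clickjack_frames(html):
    p = FrameAudit()
    p.feed(html)
    return p.findings
```

The check only spots the geometry; the site being framed removes the exposure itself by refusing to be framed at all, with an X-Frame-Options header or a Content-Security-Policy frame-ancestors directive.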

This is a sample screenshot—not representative of the sites manipulated by Nugache.

There is no “Google Approved Pharmacy Directory”

http://www.f-secure.com/weblog/archives/00002017.html “I contacted the company and asked them whether they were aware that their code signing certificate had been stolen. The case became more interesting to me when they responded that they do not have any code signing certificates. In fact, they don't produce software — so they don't have anything to sign. Clearly someone else had obtained the certificate in their name; they had been victim of identity theft.”

Left side: cert obtained through identity theft: http://www.f-secure.com/weblog/archives/00002017.html
Right side: stolen cert used to sign Stuxnet: http://www.f-secure.com/weblog/archives/00001993.html

Need solid research: Will training users or customers in social engineering tactics improve their resistance to scams?

If you have any questions for me, please let me know. I’ll do my best to answer them as accurately as I can. I’d also love to hear from you if you have any comments regarding this briefing, either what you liked about it, or your suggestions for improving it. If you want to keep an eye on my research and related activities, take a look at blog.zeltser.com. You can also find me on Twitter at twitter.com/lennyzeltser.