Social Engineering Tricks. Spotlight Forum, June 2015. Michael Hendrickx, Senior Security Analyst.
Page 1: Social Engineering - Help AG spotlight 15Q2

Social Engineering Tricks. Spotlight Forum, June 2015. Michael Hendrickx, Senior Security Analyst.

Page 2: Social Engineering - Help AG spotlight 15Q2

SOCIAL ENGINEERING

• You bought a firewall, great.
• Humans are helpful, by nature.
• Manipulate people to get things done
• A fancier way of “lying”
• We’ve all done it.

Find people, Find info, Fake Emails

Page 3: Social Engineering - Help AG spotlight 15Q2

SOCIAL ENGINEERING

• 2 ways of finding people:
  • Casting a net (phishing)
    • Quantity > Quality
    • Whoever sticks is a victim
    • Very noisy

  • Targeting (spear phishing)
    • Quality > Quantity
    • Takes more time, more research, more effort.

Page 4: Social Engineering - Help AG spotlight 15Q2

PHISHING

• Humans haven’t changed in the past few decades:

Recent “Rombertik” malware:
- State of the art malware (quite nasty, though)
- Quite “lame” distribution

Page 5: Social Engineering - Help AG spotlight 15Q2

SPEAR PHISHING

• Email from somebody who “knows you”
• You probably know them as well, else it’s just embarrassing.

• Somebody who took time to research about you

• Interested in you
  • Rather, what you know
  • Who you know
  • What you have access to.

Page 6: Social Engineering - Help AG spotlight 15Q2

1. FINDING PEOPLE

• Target a domain, find its users:
  • Maltego: visualizing OSINT
  • Metasploit: finding email addresses

Emails are probably: [email protected]

Page 7: Social Engineering - Help AG spotlight 15Q2

1. FIND PEOPLE (2)

• Emails are [email protected]
• Let’s look for more names

[email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]?…

Let’s dig just a bit further….

https://ae.linkedin.com/in/nsolling

Page 8: Social Engineering - Help AG spotlight 15Q2

STUDY TARGET

• Examine digital footprint
• Style of writing, topics, interests

Page 9: Social Engineering - Help AG spotlight 15Q2

STUDY TARGET

• Examine digital footprint further
• Interests:
  • Porsche
  • PADI diver
  • Line6 (guitar) pod
  • Merc GL550
  • Trivial Pursuit ;)

Page 10: Social Engineering - Help AG spotlight 15Q2

TARGET SELECTION

• What can we do so far?
• Target Nicolai Solling
  • Hey, we met at (Porsche club / ManAge spa / PADI course / Rugkobbelskolen … )
  • “Your Gargash Enterprises service…”
  • Exploit Nicolai’s trust

• Target Nicolai’s contacts
  • We know who he knows (social network)
  • We know their email addresses ([email protected])
  • We know Nicolai’s writing style
  • Exploit their trust

Page 11: Social Engineering - Help AG spotlight 15Q2

EXTRA, TECHNICAL TRICKS

• Need to trick a user to “believe us”
• Let technology help us
• Abuse 33 year old protocol: SMTP
  • Fake email thread
  • Fake CC

Page 12: Social Engineering - Help AG spotlight 15Q2

FAKE EMAIL THREAD

• SMTP just sends text to a program.
• “Email threads” have no connection.
• Unless we have the entire thread, digitally signed, we can’t trust it at all
• Modern equivalent of saying: “Can I go dad? Mom said I could go”

Page 13: Social Engineering - Help AG spotlight 15Q2

FAKE CC

• CC doesn’t really exist
• It’s just a MIME header saying we did

The SMTP envelope (the only thing that decides who gets the mail):

HELO blah
MAIL FROM: [email protected]
RCPT TO: [email protected]

The message headers (free text, typed by the sender):

From: Michael Hendrickx <[email protected]>
Content-Type: text/plain;
Subject: Very important email
Cc: khaled hawasli <[email protected]>, [email protected]
To: [email protected]

Hey guys,

As per our conversation, please install the security update located at http://evil.com/patch.exe

Well, in fact, this is an email that Khaled and Obama will never get - but you can never find that out!

Thank you,
Security Admin

Page 14: Social Engineering - Help AG spotlight 15Q2

PUTTING IT ALL TOGETHER

• A person who knows a lot about you can do a lot of damage
  • It’s from Nicolai
  • Sounds like him
  • To people that he knows
  • The “right” people are in CC
  • Shared responsibility
  • Based on previous email thread
  • Which we can’t check.

Page 15: Social Engineering - Help AG spotlight 15Q2

PUTTING IT ALL TOGETHER

• Creative spear phishing

To: Khaled Hawasli, Khalilov
cc: Michael Hendrickx

Hi Everyone,
I am very thrilled with the new VPN software! It’s much faster. Have you tried it?

Nicolai

To: Nicolai, Khaled Hawasli
cc: Michael Hendrickx

Hey man, That’s awesome
> Hi Everyone,
> I am very thrilled with the new VPN
> …

To: Michael
cc: Nicolai, Khalilov

Michael, you should try it!
> Hey man,
> That’s awesome
>> Hi Everyone,
>> I am very thrilled with the new VPN
>> …

In fact, all this is actually a single message: the quoted replies are nothing more than text typed by the sender.

Nobody was ever CC’d
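The two tricks above, fake CC and fake quoted thread, both rely on the receiver trusting text in the message. As an added example that is not part of the talk, this shows what a receiving MTA or milter can check: it compares the To/Cc header addresses against the envelope recipients it actually saw in RCPT TO, and flags a quoted thread that is not covered by a whole-message signature. All addresses and the message body are constructed.

```python
# Added example, not code from the talk.  The SMTP envelope (RCPT TO) decides
# who receives the mail; To/Cc headers are free text the sender typed, so
# they can name people who never get the message.  Quoted "> " lines are
# equally free text unless the whole message is signed.
from email import message_from_string
from email.utils import getaddresses

# Constructed envelope recipients, as an MTA saw them in RCPT TO commands.
ENVELOPE_RCPTS = {"victim@example.com"}

# Constructed message modelled on the "Fake CC" and "Fake email thread" slides.
RAW_MESSAGE = """\
From: Security Admin <admin@example.com>
To: victim@example.com
Cc: khaled <khaled@example.com>, boss@example.com
Subject: Very important email
Content-Type: text/plain

As per our conversation, please install the security update.

> Hi Everyone,
> I am very thrilled with the new VPN software!
"""


def header_recipients(raw):
    """All addresses the To/Cc headers claim the mail was sent to."""
    msg = message_from_string(raw)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}


def phantom_recipients(envelope_rcpts, raw):
    """Header recipients that never appeared in RCPT TO: the 'fake CC'."""
    env = {a.lower() for a in envelope_rcpts}
    return sorted(header_recipients(raw) - env)


def unverified_quoted_thread(raw):
    """True when the body quotes an earlier thread ('>' lines) but the
    message is not signed as a whole (no multipart/signed wrapper), so the
    quoted thread is unverifiable text, as the talk points out."""
    msg = message_from_string(raw)
    text = b"".join(p.get_payload(decode=True) or b""
                    for p in msg.walk() if p.get_content_type() == "text/plain")
    quoted = any(line.startswith(b">") for line in text.splitlines())
    return quoted and msg.get_content_type() != "multipart/signed"
```

Treat a mismatch as a signal rather than proof: legitimate Bcc delivery and mailing lists also produce header recipients that are absent from the envelope.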

Page 16: Social Engineering - Help AG spotlight 15Q2

CONCLUSION

• The more people know about you, the more they can target you.
• Minimize digital footprint
• Verify email contents
• Be cautious

• Use digital signatures
• Don’t trust anything sent to you
• Mommy said I could go.

Page 17: Social Engineering - Help AG spotlight 15Q2

CONTACT US | WWW.HELPAG.COM | [email protected] (offices in Dubai, Abu Dhabi and Doha)