Newsletter    

Volume 03 Issue 32    

In this issue

  • Social-Engineering in the News
  • The Monthly News
  • What's coming...

Social-Engineer News

Do you want to be a star?  Then join the Social-Engineer.Org "We're Too Cheap to Hire a Designer" T-Shirt Contest.  Time is running out.


Social-Engineer.Com has launched its Social Engineer Penetration Testers course. It is the first of its kind. As a subscriber to the newsletter you are getting first dibs on knowing where and when it is happening.

REGISTER NOW!

July 2012 Las Vegas NV for Black Hat

Nov 2012 Bristol UK

We are limiting each class to 25 attendees or fewer, so it is first come, first served.

  • 5 days of ground breaking training
  • The Social Engineering Penetration Testing Course guide
  • Special tools to enhance your SE practice
  • A Chance to take the first ever Social Engineering Pentesting Certification
  • Lots more

If you want to secure your spot, register now. Classes are filling up fast and early!


Do you like FREE Stuff?

How about the first chapter of Chris Hadnagy's best-selling book, Social Engineering: The Art of Human Hacking?

If you do, you can get the first chapter completely free: just go to http://www.social-engineer.com and download it now!
 


If you haven't had a chance yet to vote, head over to the Social-Engineering Poll and give us your opinion.
 


UNSUBSCRIBE by sending an email to newsletter@social-engineer.org




Check out the awesome music of Dual Core: IT geek, rapper and all-around awesome guy...


To contribute your ideas or writing send an email to contribute@social-engineer.org





What's coming up...

If you want to listen to our past podcasts, head over to our Podcasts Page and download the past episodes.

We want to say thank you to our sponsors this month:

- Spy Associates for continually giving us some awesome products to test out.


- The EFF for supporting freedom of speech
- Want a very cool website? Check out Social-Engineer.Org's graphic and web developers at Tick Tock Computers.



A special thanks to our editors:

Dan 'Ming' Sharp
John 'J' Trinckes, Jr

Check out Robin Dreeke's amazing book "It's Not All About Me", packed with the top 10 techniques for building rapport fast. It is an awesome book!

 

 


 

Social-Engineering In The News


It is not every day that social engineering stories make the news. When we see some that stand out, we want to write about them. We recently saw three stories that stood out as pure social engineering in action. Let's take a few moments to analyze each.

Flashback Trojan

By now, most of you have probably heard about the Flashback trojan that quickly spread and infected over 600,000 Mac computers running OS X. The original Flashback trojan, released in September 2011, masqueraded as a Flash installer served up by malicious websites. Safari users who had their browser set to auto-open "safe" files were shown a desktop installer, just as they would be if they were installing a legitimate copy of Flash, and the trojan relied on the victim clicking through it. The newest Flashback infections are delivered by drive-by download instead. A drive-by download is malicious code that is unknowingly delivered to a user when they visit a website, open an email, or click on a pop-up. The code reaches the user's computer invisibly, with no installer to approve, by exploiting a browser plugin such as ActiveX or, in this case, Java.

After installation, the trojan goes to work disabling firewalls and anti-virus software and reports back to home base as "ready to go". Once installed, the software lets attackers remotely control the computer, turning it into a member of their botnet, ready to attack internet resources, send spam, or attack other machines.
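The two Safari settings the Flashback story turns on are the auto-open of "safe" downloads (the path the original installer took) and Java running in the browser (the path the drive-by variant took). The script below is an added example and is not from the newsletter: it audits both keys in the com.apple.Safari preference domain and prints the `defaults write` command that hardens each one. AutoOpenSafeDownloads is the key behind "Open 'safe' files after downloading"; WebKitJavaEnabled is assumed here to be the key for the Java plugin toggle of Safari of that era. The classification logic runs on any POSIX shell; the live read only works on macOS, where defaults(1) exists.

```shell
#!/bin/sh
# Added example, not part of the original newsletter. Audits the Safari settings
# that Flashback relied on. Key names: AutoOpenSafeDownloads (known) and
# WebKitJavaEnabled (assumed name of the Java plugin toggle in com.apple.Safari).

# Normalise a raw value as printed by `defaults read` into on/off/unset.
classify_bool() {
  case "$1" in
    0|false|FALSE|no|NO)   echo off ;;
    1|true|TRUE|yes|YES)   echo on ;;
    *)                     echo unset ;;
  esac
}

# Only an explicit "off" passes. An absent key means Safari's default, which at
# the time meant auto-open enabled and the Java plugin allowed to run, exactly
# the states Flashback relied on, so "unset" is reported as RISK, not as unknown.
verdict() {
  if [ "$(classify_bool "$1")" = off ]; then echo SAFE; else echo RISK; fi
}

# Read one key from the live Safari preferences. defaults(1) exists only on macOS;
# elsewhere, or when the key is absent, report "unset" so the verdict falls to RISK.
read_pref() {
  if command -v defaults >/dev/null 2>&1; then
    defaults read com.apple.Safari "$1" 2>/dev/null || echo unset
  else
    echo unset
  fi
}

# Print a verdict per key and, for each RISK, the command that hardens it.
audit_safari() {
  for key in AutoOpenSafeDownloads WebKitJavaEnabled; do
    v=$(verdict "$(read_pref "$key")")
    echo "$key: $v"
    if [ "$v" = RISK ]; then
      echo "  fix: defaults write com.apple.Safari $key -bool false"
    fi
  done
  return 0
}

audit_safari
```

Run it as the user whose Safari you are checking; preferences live per user, so a root shell reports root's (usually empty) settings. Disabling Java in the browser closes the drive-by path described above but does nothing for a user who is talked into running an installer, which is the social engineering half of the story.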

Drive-by downloads are becoming increasingly prevalent and are a perfect way for an attacker to compromise your systems. Phishing emails are sent out every day by attackers hoping something bites on their lure. We recently heard from a professional penetration tester that his most recent phishing campaign got a 100% click rate! A good social engineer can tailor a lure so that it is very difficult to spot and therefore hard to defend against.

In addition to this obvious attack vector, there is another massive social engineering side to this story: what Apple has done to convince its loyal fans and customers of how safe they are.


Notice the message on the Apple website: "It doesn't get PC viruses." The language Apple uses implies that Macs are more secure, impervious to the plague of Windows-based viruses.

Apple customers believe this to the extent that they feel safer clicking links and allowing programs to run, to the tune of over 600,000 machines being exploited.

Czech Social Engineers Steal a Bridge

In the town of Slavkov, in the Czech Republic, a gang of social engineers arrived at the train station one morning posing as construction workers. The gang presented depot personnel with work orders to demolish the steel footbridge over the tracks, as well as a portion of railway track, supposedly to make room for a cycle path. Apparently the documents and the story were official enough that depot personnel approved the work order, and the gang set to work dismantling the bridge.


One Russian newspaper reported that police stopped the thieves, and when the men presented their forged paperwork, the police left them alone. The paperwork looked legitimate and appeared to be in order.

Only after the bridge and tracks had been fully dismantled and hauled away did anyone from the rail station verify the authenticity of the documentation and the story that went with it. Imagine their surprise when they learned there was no such work order and that thieves had stolen a bridge right under their noses! Rebuilding the bridge is estimated to cost millions of dollars in steel.

Forged documentation is one of the social engineer's favorite tools and, depending on the quality of the forgery, can yield devastating results. A simple badge-printing tool, easily found on the Internet, combined with the plethora of employee badges scattered across Facebook, Flickr, and Twitter, goes a long way. At last year's Social Engineering Capture the Flag event, at least two contestants found badges that clearly showed every piece of information an attacker would need to duplicate them.


Social Engineer Obtains Paul Allen’s Debit Card

In other SE news, an Army deserter, Brandon Price of Pittsburgh, PA, successfully convinced Citibank that he was Paul Allen (yes, *the* Paul Allen), had Citibank change Allen's address to his own, and then had a new card overnighted to him by UPS. Let's say that again: an Army deserter used social engineering to take over the debit card of one of the richest men on the planet. Paul Allen is worth over 14 billion dollars and owns the Seahawks and the Trail Blazers, and an average citizen was able to have his debit card overnighted to him.

How? One report states:  "An individual identifying himself as Paul Allen called the customer service department of Citibank. The caller stated that he had misplaced his debit card at his residence, but did not want to report it stolen. The individual then successfully ordered a new debit card on the account of Paul Allen and had it sent via UPS," FBI agent Joseph J Ondercin explained in a criminal complaint.

Read that again. He simply called in, identified himself as one of the richest people on earth, and ordered a new debit card to HIS address. The failure is in the process, not in one employee: a single call was allowed both to change the address on file and to issue a card to that new address, with nothing verifying the caller beyond the name he gave.

This raises some serious privacy concerns. If the debit card of an individual such as Paul Allen can be commandeered, imagine what can happen to Joe the Plumber's accounts. It also illustrates how effective and potentially devastating a social engineering attack can be. As the "cost of doing business" goes up for criminals, the use of social engineering increases because of its low barrier to entry. With the advent of VoIP, phone calls today are virtually free. A good social engineer can take over a billionaire's account for free. Without spending any money on equipment, travel, or training, the social engineer can strike with catastrophic results.

Mitigation
Here we were going to list some ways to mitigate these threats, but instead we decided to link to Chris's RSA talk, 6 Ways To Mitigate SE, which covers everything you need to know: Chris' RSA Speech

In addition, you can join Chris and crew for the next two installments of an in-depth webinar on that topic with Core Security.

Thanks to the worldwide exposure of the danger of social engineering by events like the Social Engineering Capture the Flag contest, held at Defcon 18 and Defcon 19 and again this year at Defcon 20, companies are beginning to see how vulnerable they really are to social engineering attacks. Only through live, personalized, real-world social engineering training, audits, and penetration testing can companies hope to combat this ever-growing threat. Until companies start taking social engineering seriously, we will continue to see headline-making reports such as these.

written by:  Eric "Urbal" Maxwell


 

Looking for Professional Social Engineering Services?

Social-Engineer.Org is branching out with our new website www.Social-Engineer.Com


We are providing the following services:
 

  • Social Engineering Pentests
  • Social Engineering Risk Assessments
  • Social Engineering Training for Pentesters
  • Professional Information Gathering Services

For more information on any of the above, or on how we might be able to help you protect your company from malicious social engineers, contact us at: services@social-engineer.com


 

Gold Sponsor for The Social Engineer CTF at Defcon 20:

Also check out our website sponsor: