has launched their Social Engineer Penetration Testers course. It is
literally the first of its kind. As a subscriber to the newsletter you are
getting first dibs on knowing where and what is happening.
NOW REGISTERING SEATS AND TAKING PAYMENTS!
We have chosen to hold the class March 5-9, 2012, in the Seattle area, as
well as a class on April 9th in the UK. We are limiting each class to 25
people or fewer, and it is first come, first served.
- 5 days of ground breaking training
- The Social Engineering Penetration Testing Course guide
tools to enhance your SE practice
- A chance to take the first ever Social Engineering Pentesting Certification
- Lots more
want to ensure your spot on the list send register now to save your spot.
The first 10 people to fully register for both
the UK and US Class will get a free pass to attend any Black Hat Briefings
in 2012 -2013 - over a $2500 value
Engineering: The Art of Human Hacking is still selling great.
haven't had a chance to vote yet, head over to this month's Social-Engineering
Poll and give us your opinion.
Check out the awesome music of Dual
Core - IT geek, Rapper and all around awesome guy...
To contribute your ideas or writing send an email to [email protected]
What's coming up..
If you want to listen to our past podcasts hit up our Podcasts Page and
download the past episodes.
Want to say thank you to our sponsors this month
- Spy Associates for continually
giving us some awesome products to test out.
- The EFF for supporting freedom of Speech
- Want a very cool website? Check out Social-Engineer.Org's graphic and web
dev at Tick Tock Computers.
A special thanks to our Editor:
John 'J' Trinckes, Jr
Check out Robin Dreeke's amazing new book called "It's not
all About me", packed with the top 10 techniques for building
rapport fast. It is an awesome book!
Virus Propagation via Social Engineering
Malware will always be a security issue, no matter how much effort security
engineers put into providing a better protection model. There will always
be security vulnerabilities to exploit, because code is written by humans.
But above all, it is the fact that humans use these systems that opens them
up to the biggest flaws. Not only do people find it hard to follow security
practices such as patching their operating system and anti-malware to the
latest version, but they are also very vulnerable to human exploits, many that lead to
Malware propagators have found an ultimate tool to spread their malicious
code by hacking the human operating system. Social engineering techniques
are used to deceive people into downloading a piece of malware by influencing
their cognitive behavior.
In this article, I will be discussing three social engineering techniques
used by malware propagators which I've observed for the past two years -
deceit by curiosity, deceit by fear and deceit by trust.
Deceit by Curiosity
Malware propagators use topical issues that the general population around
the world is interested in (e.g. the World Cup, the death of Michael Jackson,
secrets of MJ's Neverland, the death of Steve Jobs, etc.) to lure people into
downloading a piece of malware onto their computer. Using SEO (Search
Engine Optimization) techniques, they push their rogue web sites up to the
top of the search results, seducing users into visiting. These sites
usually host drive-by download malware, which is installed on
visitors' computers simply by visiting the site.
A very effective medium used by virus propagators to infect the unwary is
email. These emails promise the latest news of these events, but embedded in
the hyperlinks or file attachment downloads is the malware that exploits the
Deceit by Fear
Similar to deceit by the emotion of curiosity, deceit by fear leverages
a more specific type of event: events that trigger the
emotion of fear, such as the end of the world in the year 2012, a huge asteroid
that is on its way to destroy Earth, or the memorable Y2K worm that could
possibly throw mankind back to the Stone Age. Even if you are tech savvy,
you will be curious about and fearful of the outbreak of the Conficker worm,
Stuxnet - probably the first politically driven malware - and the current
Duqu. In addition to its entertainment value, the emotion of fear provides
an incentive for users to learn more about the event. That fear can
cause someone to take an action that can lead to their exploitation and infection.
Deceit by Trust
In addition to either emotion discussed, which the virus propagator is
manipulating, users will be more vulnerable if the lure comes from someone
they trust (e.g. family and friends). Going back to the decade-old
ILOVEYOU email worm, which sent a love letter containing a computer worm to
all friends of the victimized user: the recipient, curious about what their
friend (a trusted person) has sent them, has a higher likelihood of falling
into the trap set by the malware propagator.
This malware usually contains a payload that continues the cycle by
performing the same action to its victim's web-of-trust.
This technique has passed the test of time. Hyperlinks to rogue web sites
and file attachments that contain malware are still seen to spread not only
via emails and instant messaging, but also in the social network sites
(e.g. Facebook, Twitter, MySpace, etc).
If malware propagators combine deceiving users through their
web-of-trust with either of the other two techniques discussed above, it will
increase the likelihood of success.
Aside from infecting visitors' computers with malware, it is a perfect
platform for the malicious actors to phish credit card information from
their victims. What better time to get emotional users to buy a limited
edition Michael Jackson music CD or Apple product from a non-official web
Playing on these emotions, infecting their computer then following up with
an "offer" that furthers the attack makes these especially
malicious forms of social engineering.
Conclusion / Prevention
Again, these techniques appear to be very successful, even over a long period
of time. It is difficult to find a patch for this vulnerability since it
involves so much of the human OS. Malware propagators simply have to tweak
their methods a little, shifting their medium (e.g. from email to social
network), or simply find a whole new event of interest and people are
vulnerable all over again.
Still the general rules of prevention are...
- Only get your source from trusted web sites - even then it is important
to verify your sources, as even major news and media sites have been
compromised in the last year.
- Investigate where you are hyperlinking to - Normally hovering over a
hyperlink will tell you where you will be going if you click.
- Doubt whatever is on the
by: Emil Tan, Team Lead, Edgis
Looking for Professional Social
is branching out with our new website www.Social-Engineer.Com
We are providing some of the following services:
- Social Engineering Pentests
- Social Engineering Risk Assessments
- Social Engineering Training for Pentesters
- Professional Information Gathering Services
For more information on any of the
above or how we might be able to help you protect your company from
malicious social engineers contact us at: [email protected]