Newsletter    

Volume 02 Issue 27     

 

In this issue

  • Virus Propagation via Social Engineering
  • The Monthly News
  • What's coming...

Social-Engineer News

Social-Engineer.Com has launched their Social Engineer Penetration Testers course. It is literally the first of it's kind. As a subscriber to the newsletter you are getting first dibs on knowing where and what is happening.

WE ARE NOW REGISTERING SEATS AND TAKING PAYMENTS!

We have chosen to hold the class March 5-9 2012 in the Seattle Area. As well as a class in April 9th in the UK. We are limiting each class to 25 or under people and it is first come first serve.

  • 5 days of ground breaking training
  • The Social Engineering Penetration Testing Course guide
  • Special tools to enhance your SE practice
  • A Chance to take the first ever Social Engineering Pentesting Certification
  • Lots more

If you want to ensure your spot on the list send register now to save your spot.

EXCITING UPDATE:  The first 10 people to fully register for both the UK and US Class will get a free pass to attend any Black Hat Briefings in 2012 -2013 - over a $2500 value
 



The Social Engineering: The Art of Human Hacking is still selling great.


If you haven't had a chance to yet vote, head over to this months Social-Engineering Poll and give us your opinion.
 


UNSUBSCRIBE by sending an email to [email protected]




Check out the awesome music of Dual Core - IT geek, Rapper and all around awesome guy...


To contribute your ideas or writing send an email to [email protected]




What's coming up..

If you want to listen to our past podcasts hit up our Podcasts Page and download the past episodes.

Want to say thank you to our sponsors this month

- Spy Associates for continually giving us some awesome products to test out.
- The EFF for supporting freedom of Speech
- Want a very cool website? Check out Social-Engineer.Org's graphic and web dev at Tick Tock Computers.



A special thanks to our Editor:
John 'J' Trinckes, Jr

Check out Robin Dreeke's new amazing book called "Its not all About me" packed with the top 10 techniques to building rapport fast. It is an awesome book!

 

Virus Propagation via Social Engineering


Malware will always be a security issue despite how much security engineers are looking into providing a better protection model. There will always exist security vulnerabilities to exploit as codes are written by humans. But above all, it's because a human uses them that opens them up for the biggest flaws. Not only do people find it hard to follow security practices in patching their operating system and anti-malware to the latest version but they are very vulnerable to human exploits, many that lead to exploitation.
 
Malware propagators have found an ultimate tool to spread their malicious code by hacking the human operating system. Social engineering techniques are used to deceive people to download a piece of malware by influencing their cognitive behavior.
 
In this article, I will be discussing three social engineering techniques used by malware propagators which I've observed for the past two years - deceit by curiosity, deceit by fear and deceit by trust.

Deceit by Curiosity
Malware propagators use topical issues that the general population around the world are interested in (e.g. World Cup, death of Michael Jackson, secrets of MJ's  Neverland, death of Steve Job, etc) to lure them into downloading a piece of malware onto their computer. Using SEO (Search Engine Optimization) techniques, they push up their rogue web sites to the top searches, seducing users  into visiting.  These sites are usually hosting drive-by downloaded malware that gets downloaded to visitors' computers by simply visiting the site.

A very effective medium used by virus propagators to infect the unwary is emails. Emails that promise latest news of these events but embedded in the hyperlinks or file attachments downloads is the malware that exploits the victims computer.

Deceit by Fear
Similar to deceit by the emotion of curiosity, deceit by fear leverages on a more specific type of events. Specifically on events that trigger the emotion of fear, such as the end of world in the year 2012, a huge asteroid that is on its way to destroy Earth, or the memorable Y2K worm that could possibly throw mankind back to the Stone Age. Even if you are tech savvy, you will be curious and fearful of the outbreak of the Conficker worm, Stuxnet - probably the first politically driven malware, and the current Duqu. In addition to its entertainment value, the emotion of fear provides incentive for users to learn more about the event.  That fear can cause someone to take an action that can lead to their exploitation and infection.

Deceit by Trust
In addition from either emotion discussed, which the virus propagator is manipulating, users will be more vulnerable if it is sourced from someone he / she trusts (e.g. family and friends). Going back to the decade-old ILOVEYOU email worm that sends a love letter containing a computer worm to all friends of the victimized user, the recipient, curious about what their friends (a trusted person) have sent them, has a higher likelihood to fall into the trap set by the malware propagator.

This malware usually contains a payload that continues the cycle by performing the same action to its victim's web-of-trust.

This technique has passed the test of time. Hyperlinks to rogue web sites and file attachments that contain malware are still seen to spread not only via emails and instant messaging, but also in the social network sites (e.g. Facebook, Twitter, MySpace, etc).

If malware propagators combine the use of deceiving users from their web-of-trust with any other of the two techniques discussed above, it will increase the likelihood of success.

Aside from infecting visitors' computers with malware, it is a perfect platform for the malicious actors to phish credit card information from their victims. What better time to get emotional users to buy a limited edition Michael Jackson music CD or Apple product from a non-official web site?

Playing on these emotions, infecting their computer then following up with an "offer" that furthers the attack makes these especially malicious forms of social engineering.

Conclusion / Prevention
Again these techniques appear to be very successful even over a long period time. It is difficult to find a patch for this vulnerability since it involves so much of the human OS. Malware propagators simply have to tweak their methods a little, shifting their medium (e.g. from email to social network), or simply find a whole new event of interest and people are vulnerable all over again.

Still the general rules of prevention are...

  • Only get your source from trusted web sites - even then it is important to verify your sources as even major news and media sites have been compromised in the last year.
  • Always investigate where you are hyperlinking to - Normally hovering over a hyperlink will tell you where you will be going if you click. 
  • Doubt whatever is on the Internet

written by:  Emil Tan, Team Lead, Edgis

 


 

Looking for Professional Social Engineering Services?

Social-Engineer.Org is branching out with our new website www.Social-Engineer.Com


We are providing some of the following services:
 

  • Social Engineering Pentests
  • Social Engineering Risk Assessments
  • Social Engineering Training for Pentesters
  • Professional Information Gathering Services

 For more information on any of the above or how we might be able to help you protect your company from malicious social engineers contact us at: [email protected]