Lessons from SE Attacks In the Wild
From the few weeks since the last newsletter we’ve seen a number of different headlines involving social engineering. Why are there more headlines covering our favorite subject lately? Is it because social engineering attacks have really increased? Maybe it’s because awareness for social engineering has risen. Perhaps it’s a combination of both. Where there are new technologies, systems, processes, and gadgets to help make our lives easier, there are always new avenues for exploitation. We’re always certain to take note of social engineering attacks, as they occur to learn from them so we can better defend against them. Today I want to explore a few recent social engineering instances that made headlines and how they worked.
By now most of you have probably heard about the XcodeGhost Apple App Store Malware, which may have caused hundreds of millions of people to download malicious applications onto their Apple “malware proof” devices. For those who are unfamiliar with Xcode, it’s an integrated development environment (IDE), which contains a suite of software development tools developed by Apple for creating software for OS X and iOS. How did this happen? Well, it seems that in China, downloading Xcode from Apple’s servers takes a very long time. Because of this, it’s an inconvenience for developers who want instant gratification so they can start building. As a result, it’s quite common just to download Xcode from third-party sources.
So, as the story goes, a not-so-innocent copy of Xcode was uploaded (by an unknown party) to a Chinese file-sharing site called Baidu. The “slightly adjusted” version was then downloaded by Chinese developers and used to create an unknown number of apps. Current estimates have surpassed 39 different applications including versions of some pretty popular apps like WeChat and Didi Games.
Lions and tigers and bears, oh my!
Now every app created with this infected IDE was also infected with the very same malicious code. So every user who downloads those applications are also infected. Once on the device,the malicious code uploads device and application information to its command and control (C2) server. According to the Palo Alto Networks research center, it also has the ability to prompt a fake alert dialog to phish user credentials and also read and write data in the user’s clipboard. This functionality could be used to read the user’s password if that password is copied from a password management tool. The malware can also open arbitrary URLs, which can be a vector to exploiting other apps on the device or the iOS system itself.And finally, by changing a few simple lines of code in XcodeGhost, it can be used to directly phish iCloud passwords.
XcodeGhost is significant because it’s the first widespread malware to be publicly found in apps available through the App Store, and it uses Apple’s own architecture against Apple. Those birds now have one more reason to be angry. So how was this a social engineering attack? To start with the obvious, attackers were able to use developers as unsuspecting mechanisms for spreading the malware. And spread they did: the malicious code impacted hundreds of thousands of people who unknowingly downloaded the infected applications from Apple’s ultra safe App Store.
In addition to this obvious attack vector, there is another massive social engineering side to this story, and that is what Apple has done to convince customers and Apple fans how safe they are. There are certain factors that can increase a person’s tendency to obey an authority. In this instance the authority was Apple and the customers trusted the legitimacy of their authority. Remember the days when users were scared to use Android because, you know, malware? Apple used their authority to create a false sense of security for customers. Most people don’t even think twice before downloading that cool new app onto their device. And that’s because to this point, it was widely assumed that unless your iPhone is jail-broken, you couldn’t get malware on your iPhone. Although we, as security researchers, know this is not exactly true; a majority of the general public does not. Why? Because Apple was really effective at garnering the public’s faith and good will.
It wasn’t that long ago that you could install almost anything for OS X from almost any website, and you didn’t really have to worry about what you clicked on. That’s just not true anymore, and while things are better than they are on Windows, this attack has shed light on the false layer of trust users place in the devices they use and the brands that own them. Am I blaming Apple? Absolutely not. I’ll be the first to admit that I am a fan of Apple. On one hand Apple is definitely guilty for how they’ve crafted their brand. On the other, Apple is not any more guilty than other brands consumers use on a daily basis. The fact is, somehow Apple missed the malicious code in the upload/ review process and the impact was pretty severe. Errors happen, and as we all know, humans are particularly prone to error. It’s just important to remember: not every password prompt is legitimate and certainly not every download guaranteed to be malware free.
The diesel dupe
This incident is the most wide-scale and costly act of social engineering I’ve seen in quite a while. VW, maker of the iconic hippie van, was engaged in a major push to sell diesel cars in the US. This push was supported by a tremendous “clean diesel” marketing campaign (which has since been pulled) promoting VW’s environmentally friendly, low emission vehicles. However, VW’s environmentally friendly image came to a screeching halt when a scandal unfolded. The company admitted at first that it had used software in the US to switch the engines into a cleaner mode during emissions tests. The software then switches off again, enabling cars to drive more powerfully on the road while emitting as much as 40 times the legal pollution limit.
As the story grew, it was discovered that the company wasn’t just cheating emissions tests in the US, but in other countries as news broke that 11 million cars worldwide are actually fitted with a “defeat device” to falsely pass emissions tests. VW has been social engineering the world and the consequences will be far and wide.
As a result, CEO Martin Winerkorn resigned. Volkswagen’s stock has been hammered and the company has set aside around $7.3 billion to handle the fallout, not to mention the impact this will have on the German economy and VW’s investors. For a business that relies heavily on it’s reputation for quality and trustworthiness this scandal was truly damaging.
The main reason why any social engineering attack or scam occurs is because people are trusting. We trusted that VW cars were not harming the environment. Who would’ve thought that one of the top brands in the car industry would deceive the world when it came to emissions? Looking back, it’s not that far fetched or unique. In fact, many companies are guilty of deceiving us all the time, but as humans our innate desire is to believe we are hearing the truth.
Vishers after banking credentials
It’s very common for social engineering attacks in the wild to use scare tactics in order to pressure a victim into taking action. Guessing what people worry about, whether it is financial position, status or job situation is not a difficult thing to do. Just a few weeks ago, it was reported that customers of People’s Security Bank, a small Philadelphia-based bank, along with several other local banks in Philadelphia were the targets of vishing attacks. The attacks started when the victim would receive a call from an automated voice messaging system. The message informed the customer that their debit card was locked due to security requirements and then prompted the target to “press 1” for action. Reports vary on what customers experienced after pressing 1. Some were directed to an automated recording which simply requested the input of the debit card number and PIN. Others were directed to a friendly, English speaking female representative, who politely requested their debit card number and PIN to remove the bankcard lock.
Think for a minute. Which option would seem more trustworthy to you… a real live person or a recording? For me, it would be the real person. Usually when my phone rings, and I answer, I expect to hear another human being on the line. The sudden shock of a recorded message can be off-putting to people. It’s also interesting to note that in this instance the scammer trying to help “remove the block” on the card was a female. Perhaps the attacker was playing into the traditional gender stereotype that a female voice is less threatening. Stereotypes when it comes to gender and voices are real. Have you ever noticed how most GPS devices including Siri feature a female voice? Telephone operators have traditionally been female, making people accustomed to getting assistance from a disembodied woman’s voice. Attackers will frequently play on perceived stereotypes because it simply works.
Just last week, I received an email from one of my friends asking for tech support. I was busy at the time, so I shot off a quick email response saying that we’d need to touch base as I would need access to the system remotely. In doing so, I forgot to mention that by touch base, I meant we needed to have phone conversation later so she could safely give me her credentials. Literally five minutes later, I received a plain-text email with her account credentials for several different applications. Now my friend knows I am a professional social engineer, but she still believes I’m trustworthy. Why? Maybe it’s because I’m a real genteel southern lady… The point of this story, however, is that we live in a world of pervasive electronic communication where we think nothing before downloading that application, dashing off an email to someone with sensitive information or posting private details of our lives on public social media accounts. We assume that we are in control of the communication, so everything is ok, but we don’t necessarily think about controlling the content.
While there has been more media coverage lately about the increasing number of social engineering attacks, many people are still unaware that social engineering exists at all. What’s worse is that individuals do not understand how the information that THEY are putting out there can be used against them. As awareness increases, attackers will adapt and continue to craft even more custom attacks. Whether or not you’re a social engineer, no one is immune. It is our goal to help generate exposure to the dangers of social engineering. Until next time, I’ll leave you with these parting words: “All truths are easy to understand once they are discovered. The point is to discover them.” – Galileo
Written by Jesssssssss Clark