social engineering - help ag spotlight 15q2

Social Engineering Tricks Spotlight Forum June 2015 Michael Hendrickx Senior Security Analyst

Upload: michael-hendrickx

Post on 25-Jul-2015



Social Engineering Tricks
Spotlight Forum June 2015
Michael Hendrickx
Senior Security Analyst

SOCIAL ENGINEERING

• You bought a firewall, great.
• Humans are helpful, by nature.
• Manipulate people to get things done.
• A fancier way of "lying".
• We've all done it.

1. Find people
2. Find info
3. Fake emails

SOCIAL ENGINEERING

• 2 ways of finding people:
  • Casting a net (phishing)
    • Quantity > Quality
    • Whoever sticks is a victim
    • Very noisy
  • Targeting (spear phishing)
    • Quality > Quantity
    • Takes more time, more research, more effort.

PHISHING

• Humans haven't changed in the past few decades.
• Recent "Rombertik" malware:
  - State-of-the-art malware (quite nasty, though)
  - Quite "lame" distribution

SPEAR PHISHING

• Email from somebody who "knows you"
• You probably know them as well, else it's just embarrassing.
• Somebody who took time to research you
• Interested in you
  • Rather, what you know
  • Who you know
  • What you have access to.

1. FINDING PEOPLE

• Target a domain, find its users:
  • Maltego: visualizing OSINT
  • Metasploit: finding email addresses

Emails are probably: [email protected]

1. FIND PEOPLE (2)

• Emails are [email protected]
• Let's look for more names

[email protected][email protected][email protected][email protected][email protected][email protected][email protected]?…

Let’s dig just a bit further….

https://ae.linkedin.com/in/nsolling

STUDY TARGET

• Examine digital footprint
• Style of writing, topics, interests

STUDY TARGET

• Examine digital footprint further
• Interests:
  • Porsche
  • PADI diver
  • Line6 (guitar) POD
  • Merc GL550
  • Trivial Pursuit ;)

TARGET SELECTION

• What can we do so far?
• Target Nicolai Solling
  • "Hey, we met at (Porsche club / ManAge spa / PADI course / Rugkobbelskolen …)"
  • "Your Gargash Enterprises service…"
  • Exploit Nicolai's trust

• Target Nicolai's contacts
  • We know who he knows (social network)
  • We know their email addresses ([email protected])
  • We know Nicolai's writing style
  • Exploit their trust

EXTRA, TECHNICAL TRICKS

• Need to trick a user to "believe us"
• Let technology help us
• Abuse a 33-year-old protocol: SMTP
  • Fake email thread
  • Fake CC

FAKE EMAIL THREAD

• SMTP just sends text to a program.
• "Email threads" have no connection.
• Unless we have the entire thread, digitally signed, we can't trust it at all.
• Modern equivalent of saying: "Can I go, dad? Mom said I could go."

FAKE CC

• CC doesn't really exist.
• It's just a MIME header we write ourselves, saying that we sent somebody a copy.

HELO blah
MAIL FROM: [email protected]
RCPT TO: [email protected]

From: Michael Hendrickx <[email protected]>
Content-Type: text/plain;
Subject: Very important email
Cc: khaled hawasli <[email protected]>, [email protected]
To: [email protected]

Hey guys,

As per our conversation, please install the security update located at http://evil.com/patch.exe

Well, in fact, this is an email that Khaled and Obama will never get - but you can never find that out!

Thank you,
Security Admin

PUTTING IT ALL TOGETHER

• A person who knows a lot about you can do a lot of damage
  • It's from Nicolai
  • Sounds like him
  • To people that he knows
  • The "right" people are in CC
    • Shared responsibility
  • Based on a previous email thread
    • Which we can't check.

PUTTING IT ALL TOGETHER

• Creative spear phishing

To: Khaled Hawasli, Khalilov
cc: Michael Hendrickx

Hi Everyone,
I am very thrilled with the new VPN software! It's much faster. Have you tried it?

Nicolai

To: Nicolai, Khaled Hawasli
cc: Michael Hendrickx

Hey man,
That's awesome

> Hi Everyone,
> I am very thrilled with the new VPN
> …

To: Michael
cc: Nicolai, Khalilov

Michael, you should try it!

> Hey man,
> That's awesome
>> Hi Everyone,
>> I am very thrilled with the new VPN
>> …

In fact, all this is actually:

To: Khaled Hawasli, Khalilov
cc: Michael Hendrickx

Hi Everyone,
I am very thrilled with the new VPN software! It's much faster. Have you tried it?

Nicolai

To: Nicolai, Khaled Hawasli
cc: Michael Hendrickx

Hey man,
That's awesome

> Hi Everyone,
> I am very thrilled with the new VPN
> …

To: Michael
cc: Nicolai, Khalilov

Michael, you should try it!

> Hey man,
> That's awesome
>> Hi Everyone,
>> I am very thrilled with the new VPN
>> …

Nobody was ever CC’d

CONCLUSION

• The more people know about you, the more they can target you.
• Minimize digital footprint
• Verify email contents
• Be cautious
• Use digital signatures
• Don't trust anything sent to you
• "Mommy said I could go."
