social engineering - help ag spotlight 15q2
SOCIAL ENGINEERING
• You bought a firewall, great.
• Humans are helpful, by nature.
• Manipulate people to get things done
• A fancier way of “lying”
• We’ve all done it.

• Find people
• Find info
• Fake emails
SOCIAL ENGINEERING
• 2 ways of finding people:
  • Casting a net (phishing)
    • Quantity > Quality
    • Whoever sticks is a victim
    • Very noisy
  • Targeting (spear phishing)
    • Quality > Quantity
    • Takes more time, more research, more effort.
PHISHING
• Humans haven’t changed in the past few decades:
  Recent “Rombertik” malware:
  - State-of-the-art malware (quite nasty, though)
  - Quite “lame” distribution
SPEAR PHISHING
• Email from somebody who “knows you”
• You probably know them as well, else it’s just embarrassing.
• Somebody who took time to research about you
• Interested in you
  • Rather, what you know
  • Who you know
  • What you have access to.
1. FINDING PEOPLE
• Target a domain, find its users:
  • Maltego: visualizing OSINT
  • Metasploit: finding email addresses
• Emails are probably: [email protected]
1. FIND PEOPLE (2)
• Emails are [email protected]
• Let’s look for more names:
  [email protected]
  [email protected]
  [email protected]
  [email protected]
  [email protected]
  [email protected]
  [email protected]
  ?…
• Let’s dig just a bit further…
https://ae.linkedin.com/in/nsolling
STUDY TARGET
• Examine digital footprint further
• Interests:
  • Porsche
  • PADI diver
  • Line6 (guitar) POD
  • Merc GL550
  • Trivial Pursuit ;)
TARGET SELECTION
• What can we do so far?
• Target Nicolai Solling
  • “Hey, we met at (Porsche club / ManAge spa / PADI course / Rugkobbelskolen …)”
  • “Your Gargash Enterprises service…”
  • Exploit Nicolai’s trust
• Target Nicolai’s contacts
  • We know who he knows (social network)
  • We know their email addresses ([email protected])
  • We know Nicolai’s writing style
  • Exploit their trust
EXTRA, TECHNICAL TRICKS
• Need to trick a user to “believe us”
• Let technology help us
• Abuse a 33-year-old protocol: SMTP
  • Fake email thread
  • Fake CC
FAKE EMAIL THREAD
• SMTP just sends text to a program.
• “Email threads” have no connection.
• Unless we have the entire thread, digitally signed, we can’t trust it at all.
• Modern equivalent of saying: “Can I go, dad? Mom said I could go.”
FAKE CC
• CC doesn’t really exist
• It’s a MIME header we said we did

HELO blah
MAIL FROM: [email protected]
RCPT TO: [email protected]

From: Michael Hendrickx <[email protected]>
Content-Type: text/plain;
Subject: Very important email
Cc: khaled hawasli <[email protected]>, [email protected]
To: [email protected]
Hey guys,
As per our conversation, please install the security update located at http://evil.com/patch.exe
Well, in fact, this is an email that Khaled and Obama will never get - but you can never find that out!
Thank you,
Security Admin
PUTTING IT ALL TOGETHER
• A person who knows a lot about you can do a lot of damage
  • It’s from Nicolai
  • Sounds like him
  • To people that he knows
  • The “right” people are in CC
    • Shared responsibility
  • Based on a previous email thread
    • Which we can’t check.
PUTTING IT ALL TOGETHER
• Creative spear phishing

To: Khaled Hawasli, Khalilov
cc: Michael Hendrickx

Hi Everyone,
I am very thrilled with the new VPN software! It’s much faster. Have you tried it?

Nicolai

To: Nicolai, Khaled Hawasli
cc: Michael Hendrickx

Hey man, That’s awesome
> Hi Everyone,
> I am very thrilled with the new VPN
> …

To: Michael
cc: Nicolai, Khalilov

Michael, you should try it!
> Hey man,
> That’s awesome
>> Hi Everyone,
>> I am very thrilled with the new VPN
>> …

In fact, all this is actually:

To: Khaled Hawasli, Khalilov
cc: Michael Hendrickx

Hi Everyone,
I am very thrilled with the new VPN software! It’s much faster. Have you tried it?

Nicolai

To: Nicolai, Khaled Hawasli
cc: Michael Hendrickx

Hey man, That’s awesome
> Hi Everyone,
> I am very thrilled with the new VPN
> …

To: Michael
cc: Nicolai, Khalilov

Michael, you should try it!
> Hey man,
> That’s awesome
>> Hi Everyone,
>> I am very thrilled with the new VPN
>> …
Nobody was ever CC’d
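The two tricks on the preceding slides (a Cc header naming people who never received the message, and a quoted “thread” that no earlier message backs up) are both visible to the receiving mail gateway, because the gateway sees the SMTP envelope (RCPT TO) separately from the headers. The Python below is an added example, not Help AG’s code or anything from the talk: it takes a raw message plus the envelope recipients the gateway actually accepted, and flags local-domain addresses that appear in To/Cc but were never delivered to, as well as quoted reply text with no In-Reply-To/References header. The domain, addresses and message are constructed for the example (the slide’s real names are replaced).

```python
"""Gateway-side heuristic for two spear-phishing tricks:
a forged Cc header and an unverifiable quoted thread.
Added example; not code from the slides or from Help AG."""
import email
from email import policy
from email.utils import getaddresses

LOCAL_DOMAIN = "example.com"  # assumption: the domain this gateway protects

# Constructed sample message, modelled on the third email of the fake thread:
# the visible Cc claims two local colleagues saw it, but the SMTP session that
# delivered it only issued one RCPT TO.
RAW_MESSAGE = b"""From: Nicolai <nicolai@example.com>
To: michael@example.com
Cc: Nicolai <nicolai@example.com>, khalilov@example.com
Subject: Re: new VPN software
Content-Type: text/plain

Michael, you should try it!

> Hey man, That's awesome
>> Hi Everyone,
>> I am very thrilled with the new VPN software!
"""
ENVELOPE_RCPT = ["michael@example.com"]  # constructed: the only RCPT TO seen


def header_recipients(msg):
    """All addresses named in To and Cc, lower-cased."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}


def phantom_local_recipients(msg, envelope_rcpt):
    """Local-domain addresses shown in To/Cc that the envelope never carried.
    External mail for a local user must pass this gateway with a RCPT TO for
    that user, so a local address that is only in the headers is merely claimed."""
    env = {a.lower() for a in envelope_rcpt}
    return sorted(a for a in header_recipients(msg)
                  if a.endswith("@" + LOCAL_DOMAIN) and a not in env)


def unsupported_quoted_thread(msg):
    """True when the body quotes earlier mail ('>' lines) but the headers
    carry no In-Reply-To or References tying it to any real message."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    quotes = any(line.lstrip().startswith(">") for line in text.splitlines())
    linked = bool(msg.get("In-Reply-To") or msg.get("References"))
    return quotes and not linked


def analyse(raw, envelope_rcpt):
    """Return the list of findings for one message and its envelope."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    phantoms = phantom_local_recipients(msg, envelope_rcpt)
    if phantoms:
        findings.append("fake-cc: " + ", ".join(phantoms))
    if unsupported_quoted_thread(msg):
        findings.append("quoted-thread-without-references")
    return findings


if __name__ == "__main__":
    for finding in analyse(RAW_MESSAGE, ENVELOPE_RCPT):
        print(finding)
```

Both checks are heuristics rather than proof: a sending MTA may legitimately split one message into several SMTP transactions, so correlate by Message-ID (or by the gateway’s own queue id) before raising an alert on a missing recipient, and a References header is itself just text a sender can write, which is why the slides’ real remedy is a digitally signed thread rather than header inspection alone.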
CONCLUSION
• The more people know about you, the more they can target you.
• Minimize digital footprint
• Verify email contents
• Be cautious
• Use digital signatures
• Don’t trust anything sent to you
• “Mommy said I could go.”
CONTACT US | WWW.HELPAG.COM | [email protected]

DUBAI, UAE
ARJAAN OFFICE TOWER, OFFICE 1201 / 1208, PO BOX 500741
T +971 4 440 5666
F +971 4 363 6742

ABU DHABI, UAE
SALAM HQ BLDG, BLOCK 6, EAST 1-16, OFFICE 503, PO BOX 37195
T +971 2 644 3398
F +971 2 639 1155

DOHA, QATAR
AL DAFNA – PALM TOWER, OFFICE 4803, WEST BAY, P.O. BOX 31316
T +974 4432 8067
F +974 4432 8069