1. Why bother breaking down the door if you can
simply ask the person inside to let you in? Social
engineering works, both during penetration
testing and as part of real-world attacks. This
briefing explores how attackers are using social
engineering to compromise defenses. It presents
specific and concrete examples of how social
engineering techniques succeeded at bypassing
information security defenses.
These materials are designed to help you
improve the relevance of your security
awareness training and to adjust your data
defenses by revisiting your perspective of the
threat landscape.
Copyright 2010-2011 Lenny Zeltser 1
2. Just like “con artists” have done for centuries.
Copyright 2010-2011 Lenny Zeltser 2
3. As the result, outsider == insider, since someone is
bound to let an outsider in.
Copyright 2010-2011 Lenny Zeltser 3
4. This may help with educating users, customers and
security staff.
This may also help in adjusting the security
architecture.
Copyright 2010-2011 Lenny Zeltser 4
11. … with an element of social engineering.
Copyright 2010-2011 Lenny Zeltser 11
12. Conficker set up the autorun.inf file on infected
USB keys so that the worm would run when the
victim inserted the USB key into a computer,
thereby infecting the PC.
The autorun.inf file that Conficker created on the
USB key was carefully crafted to confuse the user
once the key was inserted into the computer.
When the victim inserted the USB key, Windows
typically brought up the AutoPlay dialog box,
asking the person what to do next.
Normally, the AutoPlay action box presents the
user with options to run the program on the USB
key or to browser the USB key’s files. The
autorun.inf file that Conficker created manipulated
the options presented to the user, so that the
option to run the program looked like the option to
browse the drive’s contents. The user was likely to
click on the first option to browse the files, not
realizing the he or she is actually launching a
program. As a result, the user inadvertently
launched the Conficker worm from the USB key
and infected the PC.
http://isc.sans.org/diary.html?storyid=5695
Copyright 2010-2011 Lenny Zeltser 12
13. Gawker sites include Gimodo, Lifehacker and
TechCrunch.
http://www.wired.com/threatlevel/2009/09/nyt-
revamps-online-ad-sales-after-malware-scam/
“The culprit masqueraded as a national advertiser
and provided seemingly legitimate product
advertising for a week.” ... “Over the weekend, the
ad being served up was switched so that an
intrusive message, claiming to be a virus warning
from the reader’s computer, appeared.”
Copyright 2010-2011 Lenny Zeltser 13
23. Consider a variant of the Waledac worm. The
worm directed its potential victims to a website
that showed a news excerpt about a supposed
explosion. The message was localized based on
where the user was connecting from. For instance,
visitors from New York would see a message
“Powerful explosion burst in New York this
morning.” The person was asked to download a
video player for the full story. Personalization of
the message increased the likelihood of the person
downloading the trojan player in an attempt to see
the video.
http://securitylabs.websense.com/content/Alerts/
3321.aspx
Copyright 2010-2011 Lenny Zeltser 23
31. Attackers have been conducting the “stuck in
London” scam for several years. Early campaigns
were relying on compromised webmail accounts to
reach potential victims through email. In an
example recently documented by Rakesh Agrawal,
this classic scam was conducted via Facebook chat.
The scammer used a compromised Facebook
account in an attempt to solicit emergency funds
from the victim’s friend. The screenshot on this
slide shows an excerpt from the chat transcript.
With low-cost labor available throughout the
world, scammers can employ humans for chatting
with victims while keeping their costs relatively
low. The scammer was using Matt’s Facebook
account and, as far as I can tell, was a human
being. However, such interactions could have easily
been automated using a chat bot.
For details regarding this Facebook chat scam see:
http://rake.sh/blog/2009/01/20/facebook-fraud-a-
transcript
Copyright 2011 Lenny Zeltser 31
32. Consider a scam that promises Facebook users to
find out who has been viewing their Facebook
profile. The implication is that the user can get
access to these details (that feed the narcissist in
all of us) by installing the Profile Spy application.
The scam attempts to trick the victim into
revealing personal details, including a mobile
phone number. The malicious site shows a fake
Facebook page in the background, to make victims
think they are within the “walled garden” of
Facebook…
Copyright 2011 Lenny Zeltser 32
34. After infecting the computer, one malware
specimen edited the victim’s “hosts” file to redirect
attempts to connect to technology product review
sites, including CNet, PCMag, and ZDNet. The goal
seemed to provide the victim with a spoofed
review of a fake anti-virus tool “Anti-Virus-1” to
trick the person into purchasing this software.
Fake anti-virus is not unlike the fake pen for
detecting counterfeit money.
For additional details about this incident, see:
http://www.bleepingcomputer.com/forums/topic2
04619.html
Copyright 2010-2011 Lenny Zeltser 34
37. Koobface spread by including links to malicious
websites in Twitter and Facebook profiles. Once
the potential victim clicked on the link, he or she
was typically directed to a website that attempted
to trick the person into installing malware. A
common tactic involved presenting the user with a
message that to view the video, a Flash Player
upgrade was required. Of course, the executable
the person was presented was not Flash Player, but
was malware.
Copyright 2010-2011 Lenny Zeltser 37
38. The malicious website embedded, though a series
of steps, a Facebook page in an invisible iframe
that floated above the button that the user click
on. The victims didn’t realize that they were
actually clicking on the Facebook “Share” button,
which shared the malicious website with the
victim’s Facebook friends.
http://fitzgerald.blog.avg.com/2009/11/new-
facebook-worm-dont-click-da-button-baby.html
<html><head></head><body><div style=”overflow: hidden;
width: 56px; height: 24px; position: relative;” id=”div”>
<iframe name=”iframe”
src=”http://EVILURI/index.php?n=632″ style=”border: 0pt
none ; left: -985px; top: -393px; position: absolute;
width: 1618px; height: 978px;”
scrolling=”no”></iframe></div></body></html>
HTML Source: theinvisibleguy
Copyright 2010-2011 Lenny Zeltser 38
57. There is no “Google Approved Pharmacy
Directory”
Copyright 2010-2011 Lenny Zeltser 57
58. http://www.f-
secure.com/weblog/archives/00002017.html
“I contacted the company and asked them whether
they were aware that their code signing certificate
had been stolen. The case became more
interesting to me when they responded that they
do not have any code signing certificates. In fact,
they don't produce software — so they don't have
anything to sign. Clearly someone else had
obtained the certificate in their name; they had
been victim of identity theft.”
Copyright 2010-2011 Lenny Zeltser 58
59. Left side: cert obtained through identity theft:
http://www.f-
secure.com/weblog/archives/00002017.html
Right side: stolen cert used to sign Stuxnet:
http://www.f-
secure.com/weblog/archives/00001993.html
Copyright 2010-2011 Lenny Zeltser 59
64. Need solid research: Will training users or
customers in social engineering tactics improve
their resistance to scams?
Copyright 2010-2011 Lenny Zeltser 64
68. If you have any questions for me, please let me
know. I’ll do my best to answer them as accurately
as I can. I’d also love to hear from you if you have
any comments regarding this briefing, either what
you liked about it, or your suggestions for
improving it.
If you want to keep an eye on my research and
related activities, take a look at blog.zeltser.com.
You can also find me on Twitter at
twitter.com/lennyzeltser.
Copyright 2010-2011 Lenny Zeltser 68
