Social Engineering Trickx. Michael Hendrickx, Doha, Qatar. 23 Nov 2015


Page 1

Social Engineering Trickx

Michael Hendrickx, Doha, Qatar. 23 Nov 2015

Page 2

$ whoami
• Michael Hendrickx
– Security Analyst in HelpAG
– Working in infosec for the past decade
– [email protected]
– Belgian

Page 3

Social Engineering
• You have a firewall, good for you.
– Let’s target the users, not systems
• Human beings are helpful by nature
• Defined as:

“Any act that influences a person to take an action that may or may not be in their best interest”

Find people → Find info → Get access

Page 4

Finding people
• 2 ways of finding people:
– Phishing (casting a net)
• Quantity over quality
• Very noisy
– Spear phishing (targeted)
• Quality over quantity
• Takes more time, more effort

Page 5

Finding people: phishing
• People haven’t changed much

Page 11

Finding people: phishing
• People haven’t changed much

Recent “Rombertik” malware:
- State of the art malware (evil though)
- 97% of code never called
- Sandbox confusion
- Browser snooping
- MBR destruction upon debug detection
- Lame, ineffective distribution

Page 12

Finding people: phishing
• Phishing not always the best option
– Very noisy
– ISP / hosting company may block you
– Too many recipients
• Somebody is bound to report it

Spear phishing is a better option

Page 13

Finding people: spear phishing
• Email from somebody who “knows you”
– You probably know them too
• Somebody who took time to research you
• Interested in you
– Rather, what you know
– Who you know
– What you have access to.

Page 14

Finding people
• Target a domain, find its users:
– Maltego, theHarvester, Metasploit, recon-ng

Emails are probably: [email protected]

Page 16

Finding people
• Emails are [email protected]

Let’s look for more names:

[email protected], [email protected], [email protected], [email protected], [email protected], [email protected]?…

Let’s dig just a bit further….

https://ae.linkedin.com/in/nsolling

Page 17

Study the target: Nicolai Solling

Page 18

Study the target: Nicolai Solling

We know Nicolai’s writing style

Page 19

More target studying
• Examine digital footprint

Page 20

More target studying
• Examine digital footprint

Nicolai’s digital footprint:
• Full name
• Address
• Interests:
• Porsche 911
• PADI Diver
• Line6 Guitar Pod
• Merc GL550
• Trivial Pursuit

Page 22

So far, what do we know?
• Nicolai’s contact details
– Email address
• Who he knows / might know
– His social network
– School, hobby groups, …
• What he likes
– His interests
• How he writes

Page 23

And what can we do?
• Target Nicolai:
– “Hi, we met at Porsche club, ManAge spa…”
– “Your 2013 Mercedes GL550 service is due, …”
• Or, pretend to be Nicolai
– Target his contacts / colleagues ([email protected])
– We know his writing style
– Exploit their trust

Page 24

How can we do it?
• Need to trick the target to “believe us”
• Let technology help us
• Abuse a 33 year old protocol
– Domain squatting
– Fake email threads
– Fake CC

Page 25

Domain Squatting
• Using a “similar” domain for bad purposes
– Homoglyphs, repetition, transposition…
– Use DNSTwist

Original*       helpag.com
...
Homoglyph       heipag.com
Homoglyph       he1pag.com
Homoglyph       helpaq.com
...
Transposition   heplag.com
...
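A lookalike-domain check in the spirit of the variants DNSTwist generates, written here as an added defensive example (not code from the talk or from DNSTwist): given a sender domain and the domain you protect, it names the squatting technique the sender resembles, so a mail gateway or log review can flag it. The confusables table is a constructed, deliberately small one.

```python
import unicodedata
from difflib import SequenceMatcher
from typing import Optional

# Constructed, deliberately small confusables table (a real check would use a
# fuller list such as Unicode TR39); multi-character entries are folded first.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "i": "l", "|": "l",
              "q": "g", "5": "s", "3": "e"}


def normalise(domain: str) -> str:
    """Fold to lowercase ASCII and collapse look-alike characters."""
    folded = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode().lower()
    for src, dst in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        folded = folded.replace(src, dst)
    return folded


def is_transposition(a: str, b: str) -> bool:
    """True when b is a with exactly one pair of adjacent characters swapped."""
    if len(a) != len(b):
        return False
    diffs = [i for i in range(len(a)) if a[i] != b[i]]
    return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])


def classify_lookalike(candidate: str, protected: str) -> Optional[str]:
    """Name the squatting technique candidate resembles relative to protected,
    or return None when it is the protected domain itself or not similar."""
    cand, prot = candidate.lower().strip("."), protected.lower().strip(".")
    if cand == prot:
        return None
    if normalise(cand) == normalise(prot):
        return "homoglyph"
    # The remaining checks compare the registrable label only, e.g. "helpag".
    c_label, p_label = cand.rsplit(".", 1)[0], prot.rsplit(".", 1)[0]
    if c_label == p_label:
        return "tld-swap"
    if is_transposition(c_label, p_label):
        return "transposition"
    # A repeated (heelpag) or omitted (hepag) letter is one insert or delete:
    # the similarity ratio stays high while the length changes.
    ratio = SequenceMatcher(None, c_label, p_label).ratio()
    if len(c_label) != len(p_label) and ratio >= 0.85:
        return "repetition" if len(c_label) > len(p_label) else "omission"
    return None
```

Run it over the sender domains in your gateway logs against your own domain; anything classified is worth a registration or a block rule, and the slide's four examples all come back as homoglyph or transposition.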

Page 26

Increase credibility
• Make your email as legit as possible
• Email footer?
– Annoy somebody till they email you back

We got a footer!

Page 27

Fake Email Threads
• SMTP just sends text to a program.
– “Email threads” have no connection.
– Unless we have the entire thread, digitally signed, we can’t trust it at all
– Modern equivalent of saying: “Can I go dad? Mom said I could go”

Page 28

Fake CC
• CC doesn’t really exist
• It’s just a MIME header

This is for the SMTP server:

HELO blah
MAIL FROM: [email protected]
RCPT TO: [email protected]

This is for the email client:

From: Michael Hendrickx <[email protected]>
Content-Type: text/plain;
Subject: Very important email
Cc: khaled hawasli <[email protected]>, [email protected]
To: [email protected]

Hey guys,

As per our conversation, please install the security update located at http://evil.com/patch.exe

Thank you,
Security Admin

Well, in fact, this is an email that Khaled and Obama will never get - but you can never find that out!

Page 30

Fake CC
• To, CC and BCC do the same thing (SMTP-wise)
• SMTP sends the message to every recipient named in the envelope
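To make the envelope-versus-header point concrete, here is an added example (not from the talk) of a check a receiving mail gateway could run: it parses the header block and lists any To/Cc addresses in its own domain that never appeared in the SMTP envelope it accepted. The message and addresses are constructed for the example.

```python
from email import message_from_string, policy
from typing import Iterable, Set

# Constructed message modelled on the slide: the MTA accepted one RCPT TO, but
# the header block claims two more colleagues and an outsider were copied.
ENVELOPE_RCPT = ["victim@example.com"]  # constructed: what the MTA accepted
RAW_MESSAGE = """\
From: Security Admin <admin@example.com>
To: victim@example.com
Cc: Khaled <khaled@example.com>, boss@example.com, friend@other.org
Subject: Very important email
Content-Type: text/plain

As per our conversation, please install the security update.
"""


def header_recipients(raw: str) -> Set[str]:
    """Every address the To and Cc headers claim the message was sent to."""
    msg = message_from_string(raw, policy=policy.default)
    found = set()
    for field in ("To", "Cc"):
        for hdr in msg.get_all(field, []):
            found.update(a.addr_spec.lower() for a in hdr.addresses)
    return found


def phantom_internal_recipients(raw: str, envelope_rcpt: Iterable[str],
                                own_domain: str) -> Set[str]:
    """Header recipients in own_domain that the SMTP envelope never named.

    A gateway only sees RCPT TO for its own domain, so only local addresses
    can be judged; a Cc to another domain is unverifiable text. This catches
    the lazy fake from the slide, not a sender who really did RCPT TO all."""
    suffix = "@" + own_domain.lower()
    local = {a for a in header_recipients(raw) if a.endswith(suffix)}
    return local - {a.lower() for a in envelope_rcpt}
```

On the constructed message the two local colleagues come back as phantom recipients while the outsider is ignored, which is exactly the signal to attach as a warning banner or a spam score.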

Page 31

Putting it all together
• Fake email thread
• Fake CC
• Domain spoofing
• Same writing style

Page 32

Get access
• Invite user to visit a URL
– New intranet portal, survey, …
– Capture domain credentials
• Through a basic auth popup (many think it’s the proxy)
• Through a webpage
– Make the site seem as real as possible (logo, …)
– Show the domain name filled in

Page 33

Get access: phishing site

Page 34

Or, deliver malware
• Choose distribution method:
– Exe, pif, cmd, scr: probably blocked
– PDF, Office macro, …: probably allowed

Page 35

Lessons learned
• Awareness is key
• Minimize digital footprint
– The more people know about you, the more they can trick you.
• Use digital signatures
• Don’t trust anything sent to you.

Page 36

Questions?

Thank you!

@[email protected]