Social Engineering / SmartPhone and DriveBy

Beer-Talk Compass Security AG, October 25, 2012 Walter Sprenger

Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona

Tel +41 55 214 41 60 Fax +41 55 214 41 61 [email protected] www.csnc.ch

Agenda
- Introduction to Social Engineering
- Attack/spoofing vectors
- Phishing Sites / Trojan Horses
- Live Demos
- Compass Experience
- Numbers and Facts
- Social Engineering Pitfalls
- Countermeasures
- Social Engineering Test Benefits

© Compass Security AG

www.csnc.ch


What is Social Engineering?


Attack Vectors / Spoofing Methods


Attack vectors


Spoofing Methods

Why do you trust a message?
- I know the sender (phone number, mail-address)
- I know the structure of the message
- I expect the message

Why do you trust a web site?
- I know the domain of the website
- I only provide data on secured web sites


Targeted Attacks
Why make a lot of noise if one victim provides the information I want?
- Run the attack against only a few individuals
- Take more time on one individual, better preparation of the attack

Targeted Attacks
- Do not raise suspicion
- No AntiVir patterns for the malware used
- Hard to detect in log files / with intrusion prevention systems
- Longer infection possible, restart malware every time the user logs in – long-time compromise


Phishing Sites


Simple Phishing Website


Simple Phishing Website explained


Example of complex Phishing Site

[Figure: flowchart with Yes/No decision points. Stages: User receives Email with Link; Phishing Site opened; Credentials entered; Video Page shown; Download malicious Video Codec; Install; Remote Shell started; Attacker takes control. Note on the chart: Victim can’t decide any more.]


Analysis of complex Phishing Sites

[Figure: bar chart, axis 0 to 500. Categories: Sum sent Phishing Mails; Clicked on Link in Email; Entered Credentials; Clicked on Video Page; Downloaded Video Codec; Installed Video Codec.]

Analysis of complex Phishing Sites (2)

[Figure: bar chart, axis 0 to 160, series Before Detection and After Detection. Categories: Clicked on Link in Email; Entered Credentials; Clicked on Video Page; Downloaded Video Codec; Installed Video Codec.]

Trojan Horses


Trojan Horse

[Figure: diagram. Labels: Covert Channel; Delivery via USB-Stick; Attacker "observes" the victim computer; Started by User; Company Network; Internet.]

Trojan Horse explained

[Figure: diagram. Labels: Remote Shell; NetCat.]

Live Demos


Live Demo – Computer Phishing

A1) Webmail Phishing
- Attack Vector: E-mail with URL
- Goal: Get Webmail/Windows credentials

A2) Facebook Phishing (Invitation)
- Attack Vector: E-mail with Facebook invitation
- Goal: Get Facebook credentials / Impersonation


Live Demo – SmartPhone Information

B1) SMS from your Bank
- Attack Vector: SMS with call back number
- Goal: Get personal information

B2) GPS location
- Attack Vector: SMS with URL to location web site
- Goal: Get coordinates of victim


Live Demo – SmartPhone Phishing

B3) iCloud Phishing
- Attack Vector: SMS with URL to phishing web site
- Goal: Get iCloud credentials
- Steal data stored in iCloud (contacts, files, backup, etc.)

B4) Android NFC Business Card
- Attack Vector: Business card with modified NFC, points to phishing web site
- Goal: Get Google credentials
- Steal data stored on Google (mails, contacts, files, etc.)
- Install trojan app on mobile phone


Live Demo – Trojan User Interaction

C1) EXE in Word document
- Attack Vector: Mail with Word document
- Goal: Remote control the workstation of the user

C2) Download EXE
- Attack Vector: Facebook chat message – download URL
- Goal: Remote control the workstation of the user

C3) USB Trojan
- Attack Vector: USB stick with interesting file (EXE)
- Goal: Remote control the workstation of the user


Live Demo – Trojan DriveBy

D1) Drive-By Java 0-Day
- Attack Vector: Web site with URL
- Goal: Remote control the workstation of the user


Numbers and Facts


Phishing Website

[Figure: pie chart. Segments: 84% and 16%. Legend: Credentials Phished; No result.]

USB-Stick with Trojan Horse

[Figure: pie chart. Segments: 72% and 28%. Legend: Inserted; No response.]

E-Mail with Trojan Horse

[Figure: pie chart. Segments: 93% and 7%. Legend: Clicked; Not clicked.]

Installing Access Point

[Figure: pie chart. 100% Successfully installed; Access Denied 0%.]

Phone – Give me your password


Social Engineering Pitfalls


Social Engineering Pitfalls

Technical Pitfalls
- Firewalls (also Personal Firewall)
- SPAM-Filter
- URLs blocked
- Virus/Process Scanner
- IDS
- Wireless Strength

Organizational Pitfalls
- System Administrator
- Employees
- Access Control
- Legal
- Bring somebody to shame


Countermeasures


But you can protect your company

Technical Countermeasures
- Virus Scanner
- Disable Autorun / USB / CD-ROM
- Disable dangerous attachments in e-mails
- Firewalls / Content Filter / SSL-Split-Proxy
- IDS
- Protocol Sanitation (HTTP / DNS)
- Limit user permissions
- Secure WLAN

Organizational Countermeasures
- Access Control
- Security Zones
- Educate Employees – User Awareness
- Security Policies
- Awareness Demo
- Social Engineering Test


Social Engineering Test Benefits


I know Social Engineering always works. So why should I conduct a Social Engineering Test in my company?


- Technical Infrastructure – Sufficient?
- Incident Handling – Adequate?
- Security Awareness Courses – Learning Success?
- Security Processes – No Weak Points?
- Access Control – Impenetrable?


Thank you!

Thank you very much for your attention!


Contact Compass Security Network Computing Werkstrasse 20 Postfach 2038 CH - 8645 Jona [email protected] | www.csnc.ch | +41 55 214 41 60 Secure File Exchange: www.csnc.ch/filebox PGP-Fingerprint:
