Social Engineering / SmartPhone and DriveBy
Beer-Talk Compass Security AG, October 25, 2012 Walter Sprenger
Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona
Tel +41 55 214 41 60 Fax +41 55 214 41 61
[email protected] www.csnc.ch
Agenda
  Introduction to Social Engineering
  Attack/spoofing vectors
  Phishing Sites / Trojan Horses
  Live Demos
  Compass Experience Numbers and Facts
  Social Engineering Pitfalls
  Countermeasures
  Social Engineering Test Benefits
© Compass Security AG
What is Social Engineering?
Attack Vectors / Spoofing Methods
Attack vectors
Spoofing Methods
Why do you trust a message?
  I know the sender (phone number, mail address)
  I know the structure of the message
  I expect the message
Why do you trust a web site?
  I know the domain of the website
  I only provide data on secured web sites
Targeted Attacks
Why make a lot of noise if one victim provides the information I want?
  Run the attack against only a few individuals
  Take more time on one individual, better preparation of the attack
Targeted Attacks
  Do not raise suspicion
  No AntiVir patterns for the malware used
  Hard to detect in log files / with intrusion prevention systems
  Longer infection possible, restart malware every time the user logs in – long-term compromise
Phishing Sites
Simple Phishing Website
Simple Phishing Website explained
Example of complex Phishing Site
[Flowchart, layout not recoverable. Steps: User receives Email with Link; Phishing Site opened; Credentials entered; Video Page shown; Download malicious Video Codec; Remote Shell started; Attacker takes control. Decision points (Yes/No): Click, Login, View, Install. Other labels: Victim can't decide any more; Malware; Phishing Website.]
Analysis of complex Phishing Sites
[Bar chart, values not recoverable. Categories: Sum sent Phishing Mails; Clicked on Link in Email; Entered Credentials; Clicked on Video Page; Downloaded Video Codec; Installed Video Codec. Axis: 0 to 500.]
Analysis of complex Phishing Sites (2)
[Bar chart, values not recoverable. Series: Before Detection; After Detection. Categories: Clicked on Link in Email; Entered Credentials; Clicked on Video Page; Downloaded Video Codec; Installed Video Codec. Axis: 0 to 160.]
Trojan Horses
Trojan Horse
[Diagram labels: Covert Channel; Delivery via USB-Stick; Started by User; Attacker "observes" the victim computer; Company Network; Internet]
Trojan Horse explained
[Diagram label: NetCat Remote Shell]
Live Demos
Live Demo – Computer Phishing
A1) Webmail Phishing
  Attack Vector: eMail with URL
  Goal: Get Webmail/Windows credentials
A2) FaceBook Phishing (Invitation)
  Attack Vector: eMail with Facebook invitation
  Goal: Get Facebook credentials / Impersonation
Live Demo – SmartPhone Information
B1) SMS from your Bank
  Attack Vector: SMS with call back number
  Goal: Get personal information
B2) GPS location
  Attack Vector: SMS with URL to location web site
  Goal: Get coordinates of victim
Live Demo – SmartPhone Phishing
B3) iCloud Phishing
  Attack Vector: SMS with URL to phishing web site
  Goal: Get iCloud credentials
  Steal data stored in iCloud (contacts, files, backup, etc.)
B4) Android NFC Business Card
  Attack Vector: Business card with modified NFC, points to phishing web site
  Goal: Get Google credentials
  Steal data stored on Google (mails, contacts, files, etc.)
  Install trojan app on mobile phone
Live Demo – Trojan User Interaction
C1) Exe in Word document
  Attack Vector: Mail with Word document
  Goal: Remote control the workstation of the user
C2) Download EXE
  Attack Vector: Facebook chat message – download URL
  Goal: Remote control the workstation of the user
C3) USB Trojan
  Attack Vector: USB stick with interesting file (EXE)
  Goal: Remote control the workstation of the user
Live Demo – Trojan DriveBy
D1) Drive-By Java 0-Day
  Attack Vector: Web site with URL
  Goal: Remote control the workstation of the user
Numbers and Facts
Phishing Website
[Pie chart: 84% and 16%; legend: Credentials Phished, No result]
USB-Stick with Trojan Horse
[Pie chart: 72% and 28%; legend: Inserted, No response]
E-Mail with Trojan Horse
[Pie chart: 93% and 7%; legend: Clicked, Not clicked]
Installing Access Point
[Pie chart: 100% Successfully installed, 0% Access Denied]
Phone – Give me your password
Social Engineering Pitfalls
Social Engineering Pitfalls
Technical Pitfalls
  Firewalls (also Personal Firewall)
  SPAM-Filter
  URLs blocked
  Virus/Process Scanner
  IDS
  Wireless Strength
Organizational Pitfalls
  System Administrator
  Employees
  Access Control
  Legal
  Bring somebody to shame
Countermeasures
But, you can protect your Company
Technical Countermeasures
  Virus Scanner
  Disable Autorun / USB / CD-ROM
  Disable dangerous attachments in Emails
  Firewalls / Content Filter / SSL-Split-Proxy
  IDS
  Protocol Sanitation (HTTP / DNS)
  Limit user permissions
  Secure WLAN
Organizational Countermeasures
  Access Control
  Security Zones
  Educate Employees – User Awareness
  Security Policies
  Awareness Demo
  Social Engineering Test
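One way to enforce the "Disable dangerous attachments in Emails" countermeasure at a mail gateway, as an added Python example that is not part of the original slides. The extension list, the function names and the sample mail are assumptions constructed for illustration; besides executables it flags Word documents that carry embedded objects, the delivery used in demo C1.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed block list for this example; tune it to your environment.
BLOCKED_EXT = (".exe", ".scr", ".com", ".bat", ".js", ".vbs", ".jar", ".lnk")

def inspect_attachment(name, data):
    """Return the reasons an attachment should be quarantined (empty list = pass)."""
    reasons = []
    if (name or "").lower().endswith(BLOCKED_EXT):
        reasons.append("blocked extension")
    if data[:2] == b"MZ":  # Windows PE header, whatever the file is called
        reasons.append("PE executable content")
    if data[:4] == b"PK\x03\x04":  # ZIP container: OOXML documents and archives
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    m = member.lower()
                    if "/embeddings/" in m:  # OLE objects embedded in Office files
                        reasons.append("embedded object: " + member)
                    elif m.endswith(BLOCKED_EXT):
                        reasons.append("blocked file in archive: " + member)
        except zipfile.BadZipFile:
            reasons.append("unreadable archive")
    return reasons

def scan_message(raw):
    """Map attachment filename -> reasons for every flagged attachment in a raw mail."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        reasons = inspect_attachment(part.get_filename(), part.get_payload(decode=True) or b"")
        if reasons:
            findings[part.get_filename()] = reasons
    return findings

def build_sample():
    """Constructed sample mail: a Word document that carries an embedded object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", b"constructed placeholder bytes")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.com", "user@example.com", "Invoice"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="invoice.docx")
    return msg.as_bytes()
```

Calling `scan_message(build_sample())` returns the flagged attachments keyed by filename; a gateway would quarantine any message for which the result is non-empty.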
Social Engineering Test Benefits
Social Engineering Test Benefits
I know Social Engineering always works. So why should I conduct a Social Engineering Test in my company?
Social Engineering Test Benefits
  Technical Infrastructure – Sufficient?
  Incident Handling – Adequate?
  Security Awareness Courses – Learning Success?
  Security Processes – No Weak Points?
  Access Control – Impenetrable?
Thank you!
Thank you very much for your attention!
Contact Compass Security Network Computing Werkstrasse 20 Postfach 2038 CH - 8645 Jona
[email protected] | www.csnc.ch | +41 55 214 41 60 Secure File Exchange: www.csnc.ch/filebox PGP-Fingerprint: