Proactive IT Security
 

Social engineering with a virtual twist

Introduction

Ever since the first scam, in the days of the serpent in the Garden of Eden referred to in the Bible, social engineering has been used to trick people. The techniques vary and have grown more sophisticated and clever, but they remain variations on the same old theme.

According to Wikipedia, security-related social engineering is

the act of manipulating people into performing actions or divulging confidential information.

Social engineering in several forms has been discussed in a number of our earlier security articles. This time we shall look at it from a different angle: the traditional, physical kind, with a quite clever new twist.

A diary posting from the SANS Institute

The excellent SANS Institute diary had a posting on 3 February this year titled "Malware infection that began with windshield fliers". In short, someone placed fliers under the windshield wipers of cars in a car park. The text on the fliers tricked the car owners into visiting a particular malicious web site, which then infected the visitors' computers with malware.

This is an interesting example of using "manual" social engineering (physically placing leaflets on cars) to steer the target(s) into a particular electronic arena (a specific web site).

The particular web site and the malware that was distributed are not the interesting part of this discussion. What we will focus on is the technique itself, and its implications, usefulness and limitations.

Targeted malware

Traditional techniques for spreading malware include mass emailing, drive-by web infections, and so on. Common to these is that the person or organization behind the attack usually does not know who will end up infected. As a result, many of the "tempting" emails look simply ridiculous to recipients they were never designed for, since it is obvious that they are trying to trick people with quite different characteristics. The advantage of electronic mass distribution, on the other hand, is that the cost per recipient is so low that it does not matter if most attempts fail, as long as enough victims are reached.

Recently we have seen an increase in more targeted attacks, often aimed at e.g. industrial espionage. Email has been the main distribution vector for these. The advantage of a targeted attack is that the content can be tailored to the targets, making it more tempting for the recipients. The disadvantage is that the attacker has to spend more time and resources collecting the targets' addresses and other characteristics for the attack to succeed.

Obviously, manual social engineering combined with Internet usage cannot be used for any kind of mass distribution. The cost of reaching large numbers of people is too high.

On the other hand, the potential for a targeted attack is huge!

By using some clever old-fashioned (pre-Internet) teasers to trick the employees into visiting a special (malicious) web site, the potential for a substantial "hit rate" is very good. Systems for setting up illegitimate web sites are outside the scope of this article. Suffice it to say that there are several, and that they may involve minor twists on the legitimate organization's domain name (e.g. .net instead of .com), continuously changing the IP addresses of the web server hosting the illegitimate site, and so on.
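Because the link on a leaflet is a name, not an IP address, the practical defensive check is on the domain rather than on the (possibly changing) server address. The following is an added example, not code from the article or from the SANS posting: given an organization's legitimate domain, it generates the simple look-alike twists mentioned above (TLD swap, homoglyphs, dropped or transposed characters, hyphenated decoys) and classifies a URL as legitimate, look-alike, subdomain spoof (legitimate name used as a leading label, e.g. example.com.evil.net) or unrelated. The domain example.com, the sample leaflet URLs and the variant lists are placeholders and assumptions; registered-domain extraction is deliberately crude (last two labels, no public suffix list).

```python
"""Flag leaflet URLs whose host is a look-alike of a legitimate organisation domain.

Added example. Assumptions: 'example.com' stands in for the organisation's real
domain, the registered domain is taken to be the last two labels of the host
(no public-suffix list), and the variant generators cover only the simple
twists discussed in the text, not every possible homoglyph or typo.
"""
from urllib.parse import urlsplit

# Alternative TLDs an attacker might register for the same name.
TLD_SWAPS = ("net", "org", "info", "biz", "co")
# Characters that look similar in print or on screen (assumed, small list).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn"}
# Words commonly appended with a hyphen to make a decoy look official.
DECOY_WORDS = ("login", "secure", "register", "promo")


def lookalike_variants(domain):
    """Return a set of plausible look-alike domains for e.g. 'example.com'."""
    name, tld = domain.lower().rsplit(".", 1)
    variants = set()
    # 1. Same name, different TLD ('.net instead of .com').
    for alt in TLD_SWAPS:
        if alt != tld:
            variants.add(f"{name}.{alt}")
    # 2. Single-character homoglyph substitutions ('examp1e.com').
    for i, ch in enumerate(name):
        if ch in HOMOGLYPHS:
            variants.add(f"{name[:i]}{HOMOGLYPHS[ch]}{name[i + 1:]}.{tld}")
    # 3. One character dropped ('exmple.com') or an adjacent pair swapped ('exmaple.com').
    for i in range(len(name)):
        if len(name) > 2:
            variants.add(f"{name[:i]}{name[i + 1:]}.{tld}")
        if i < len(name) - 1 and name[i] != name[i + 1]:
            swapped = name[:i] + name[i + 1] + name[i] + name[i + 2:]
            variants.add(f"{swapped}.{tld}")
    # 4. Hyphenated decoys ('example-login.com').
    for word in DECOY_WORDS:
        variants.add(f"{name}-{word}.{tld}")
    variants.discard(domain.lower())
    return variants


def registered_domain(host):
    """Crude registered-domain extraction: the last two labels (assumption, no PSL)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url, legit_domain):
    """Return 'legitimate', 'subdomain-spoof', 'lookalike' or 'unrelated' for a URL."""
    host = (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()
    legit = legit_domain.lower()
    reg = registered_domain(host)
    if reg == legit:
        return "legitimate"
    # 'example.com.evil.net': the legitimate name used as a leading label sequence.
    if host.startswith(legit + ".") or ("." + legit + ".") in host:
        return "subdomain-spoof"
    if reg in lookalike_variants(legit):
        return "lookalike"
    return "unrelated"


# Constructed sample links, as they might be printed on leaflets (not real sites).
SAMPLE_FLYER_URLS = [
    "http://www.example.com/lottery",
    "http://example.net/lottery",
    "http://www.examp1e.com/register",
    "http://example.com.prizes-today.net/win",
    "http://promo-site.org/win",
]


def scan(urls, legit_domain="example.com"):
    """Classify each URL against the legitimate domain; returns {url: verdict}."""
    return {u: classify_url(u, legit_domain) for u in urls}


if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_FLYER_URLS).items():
        print(f"{verdict:16} {url}")
```

The check is deliberately name-based: a printed link can only carry a hostname, so a look-alike verdict on the host is what a helpdesk or proxy filter can act on, regardless of how often the attacker rotates the IP address behind it.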

The purpose of the initial manual attack would normally be to trick some users into browsing to a web site with malicious content, preferably from their office computer. That computer may then be infected by malware written specifically for that organization. The real goal of the attack could be for this malware to harvest confidential information from the organization, disrupt its systems in some way, etc. Any action that software can perform is in principle possible.

Some attack vectors

Only imagination limits the variations of social engineering that can be used to target an organization. Here are some examples:

  • Leaflets handed out to the employees when they arrive at work in the morning, informing them that they have a very good chance of winning a one-hour lottery between 0900 and 1000 that morning. Visit web site 'whatever' to register.
  • A slick product brochure informing the employees that the first 100 people who register on-line for a free one-month trial of a particular newspaper or magazine will get a one-year subscription for free.
  • A professional-looking hand-out advertising a chance to win the newest, most popular, must-have music player. Just visit the web site 'anothersite' and enter your phone number. Every twentieth phone number entered wins the prize...

Potential for collateral damage

This article has focused on using these techniques for targeted attacks against an organization. Since the attack itself may involve entering personal information on a web site (to make the lure more convincing), the attacker can of course also use that personal employee information for entirely unrelated malicious activity, such as identity theft.

New distribution techniques lower the target's defenses

In earlier security articles, e.g. the one about Facebook malware, we have discussed the fact that when a new communication channel is used as a vehicle for spreading malware, our defense mechanisms are instantly lowered. This social engineering technique with an added touch of the virtual world is another example. We are not used to associating a link printed on paper with malware, so we do not apply the same caution to it. Odd, but unfortunately true.

To end on exactly the same note as the Facebook malware article referred to above:

We must learn to distinguish better between the legitimate and the illegitimate message - regardless of the medium used to display the message.

This general rule applies!