Social Engineering

Introduction
Social engineering is evolving so rapidly that technology solutions, security policies, and operational procedures alone cannot protect critical resources. Even with these safeguards, hackers commonly manipulate employees into compromising corporate security. Victims might unknowingly reveal the sensitive information needed to bypass network security, or even unlock workplace doors for strangers without identification. While attacks on human judgment are immune to even the best network defense systems, companies can mitigate the risk of social engineering with an active security culture that evolves as the threat landscape changes. Security-aware employees are better prepared to recognize and avoid rapidly changing and increasingly sophisticated social-engineering attacks, and are more willing to take ownership of security responsibilities.

Security Awareness
Successful instigators of social engineering are constantly creating and deploying new attacks, forcing employees to recognize and deter threats that are outside of their specific security experience. Today, many hackers integrate technology into their schemes to launch even more creative, sophisticated, and destructive attacks.

Recently, there has been a large increase in Trojan Horse downloaders and banking Trojan Horses. The malicious code is hosted on malicious websites, which are used in combination with deception techniques delivered through email and instant messaging to attract users to visit the sites and run the malicious code.

The websites are hosting either a Trojan Horse downloader (which, when run, downloads a banking Trojan Horse), or are hosting the actual keylogging code itself.

The malicious code monitors end-user behavior to determine whether the user is accessing well-known banking and e-commerce websites. When such a site is accessed, the monitoring routine is invoked: keystrokes are captured and then sent out over HTTP or SMTP, sometimes encrypted with SSL.

The most common deception techniques in use are music-related dedication emails, greeting cards, IT-security warnings, and online-banking lures.

Some characteristics of the malicious websites and Trojan Horse downloaders are that they:

  1. Commonly use free hosting facilities (such as personal sites, blogs, and home directories).
  2. Commonly use email and social engineering to entice users to run them.
  3. Most often use entertainment (such as greeting cards and music dedications) or IT security-related deception techniques (such as a fake MS update patch or an "AV warning, must clean" alert).
  4. Share common technical details: Delphi, UPX, ASPACK, MEW, and VB are the most popular wrappers and packing technologies in use.
  5. Most commonly use URLs with the .scr, .exe, .jpg.exe, .gif, and .ex extensions.
Two examples of social-engineering techniques that integrate technology are phishing and pharming.

  1. Phishing elicits secure information through an e-mail message that appears to come from a legitimate source such as a service provider or financial institution. The e-mail message may ask the user to reply with the sensitive data, or to access a Website to update information such as a bank-account number. Most of these emails are sent in HTML format styled to look like plain text, which makes it much harder for the recipient to identify the hidden qualities of the email's content. The fake Websites look realistic enough to fool many victims into revealing data that can be used for identity theft. Statistics from the Anti-Phishing Working Group (APWG) show that between July 2004 and March 2005, the number of phishing attempts grew by an average of 26 percent per month. The following is an email that was sent to many thousands of people with registered accounts at various websites:

Dear customer,
We recently reviewed your account, and suspect that your account may have been accessed by an unauthorized third party. Protecting the security of your account and of the EDS network is our primary concern. Therefore, as a preventative measure, we have temporarily limited access to sensitive account features.

To restore your account access, please take the following steps to ensure that your account has not been compromised: Login to your account.

In case you are not enrolled yet for online services, you will have to use your Social Security Number as both your Personal ID and Password and fill in the required information, including your name and account number. Review your recent account history for any unauthorized withdrawals or deposits, and check your account profile to make sure no changes have been made. If any unauthorized activity has taken place on your account, report to staff immediately.

  2. Pharming also takes advantage of false Websites, but redirects users to the false site as they attempt to access a legitimate Website. This redirection, also known as domain spoofing, can be perpetrated through an e-mailed virus that lies dormant on a PC until the user enters a specific URL, or by poisoning a domain name system (DNS) directory. A DNS translates Web and e-mail addresses into numeric strings. In a poisoned DNS, the links that associate Web addresses with numeric strings are changed so users are directed to a false Website when they enter a specific URL. Any secure information entered into the false Website, such as a user name and password, is captured by hackers.

Hackers are using familiar brands to lure users into visiting a malicious website. Users receive an HTML-based email message claiming to be from Ask Jeeves, PayPal, Yahoo, or a similar frequently used website, containing text similar to the following:



The embedded link is different from the displayed one and sends people to a malicious website that is running on port 8081.

The first malicious website includes two frames: one with 100% width/height that loads Ask Jeeves, and one that loads http://:8081/adbanner.php with 0% width/height (hidden). The adbanner.php page includes code which starts a chain of IE/Java exploits.
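As an added example (not part of the original article), a small Python scanner that applies the checks described above to an HTML message from the receiving side: anchor text that shows one URL while the href points at a different host, a frame or iframe with 0% width or height, and links ending in the executable-style extensions listed earlier. The sample message and the 203.0.113.7 address are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions the article lists as typical of Trojan Horse downloader URLs.
SUSPICIOUS_EXT = (".scr", ".exe", ".gif", ".ex")

class PhishScanner(HTMLParser):
    # Walks an HTML e-mail body and records the deceptions described above.
    def __init__(self):
        super().__init__()
        self.findings = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # visible text collected inside that <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag in ("frame", "iframe") and a.get("src"):
            # A frame with 0% width or height is invisible but still loads src.
            if any(a.get(k, "").strip("% ") == "0" for k in ("width", "height")):
                self.findings.append(("hidden-frame", a["src"]))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        href, text, self._href = self._href, "".join(self._text).strip(), None
        target = urlparse(href)
        # Displayed text looks like a URL but the real href goes elsewhere.
        if text.lower().startswith(("http://", "https://", "www.")):
            shown = urlparse(text if "://" in text else "http://" + text)
            if (shown.hostname or "").lower() != (target.hostname or "").lower():
                self.findings.append(("mismatched-link", f"{text} -> {href}"))
        if target.path.lower().endswith(SUSPICIOUS_EXT):
            self.findings.append(("executable-download", href))

def scan_email(html_body):
    # Returns a list of (finding, detail) tuples for one HTML message.
    scanner = PhishScanner()
    scanner.feed(html_body)
    return scanner.findings

# Constructed sample message; 203.0.113.7 is a documentation-range address.
SAMPLE = ('<p>Dear customer, <a href="http://203.0.113.7:8081/enter.php">http://www.example-bank.com/login</a>'
          '<iframe src="http://203.0.113.7:8081/adbanner.php" width="0%" height="0%"></iframe>'
          '<a href="http://203.0.113.7/card.jpg.exe">View your greeting card</a></p>')
```

Running scan_email(SAMPLE) reports the mismatched login link, the hidden iframe, and the .jpg.exe download, while a message whose links show the same host they point to produces no findings.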

This attack could result in a file called Q387984.exe being downloaded from the same site and being run on the user's machine. Q387984.exe is a Trojan Horse downloader which is designed to download from the website and run the keylogger (WINOS.EXE).

When the program starts up, it posts a GUID to another malicious website, http:///b64.php, with status information. Once running, it waits for access to banking institutions and logs keystrokes that are periodically uploaded to http:///post.php.

The sites which are attempting exploits:

http://:8081/adbanner.php
http://:8081/enter.php
http://:8081/banner2.txt
http://:8081/classload.jar

Defense In-Depth
Social engineering attacks are personal. Hackers understand that employees are often the weakest link in a security system; they are susceptible to trickery and their varied responses can give attackers many opportunities for success. One of the greatest dangers of social engineering is that the attacks need not work against everyone. A single successful victim can provide enough information to trigger an attack that will affect an entire organization.

Creating a security-aware culture requires the commitment of the executive staff, the involvement of all employees, and effective security policies and procedures for everyone tied to the organization, including vendors and partners.

Security Awareness Training: Most employees do not cause security problems intentionally. Accessing insecure Websites, deploying unauthorized wireless access points, or falling victim to social-engineering ploys are common employee actions that result in security breaches. The best way to avoid unintentional security problems is to provide all employees with regular security awareness training. This training must inform employees of new threats and refresh their understanding of how to identify and avoid social-engineering attacks. An annual seminar or occasional memo is not an effective approach; organizations must treat security awareness training as a normal, enduring aspect of employment.

Conclusion
The security risks of social engineering are significant, and organizations must address social engineering threats as part of an overall risk management strategy. The best way to mitigate the risk posed by rapidly evolving social-engineering methods is through an organizational commitment to a security-aware culture. Ongoing training will provide employees with the tools they need to recognize and respond to social-engineering threats, and support from the executive staff will create an attitude of ownership and accountability that encourages active participation in the security culture.

For more information on protecting against social engineering, check out Security Spotlight: Pharming Capitalizes on Phishing's Success