A 21st Century Con Game

Presenter: Joseph A. Juchniewicz, Senior Consultant - Assessment and Compliance

Agenda

About Us

Phishing

Social Engineering

Questions

The foundation we have built

TRUSTED ADVISORS:
§ 31 years of experience
§ Privately owned
§ No debt or venture capital

BREADTH OF SERVICE:
§ Eight complementary practice areas with synergistic solutions
§ 100+ full-time engineers and a dedicated Pre-Sales Engineering team
§ Strong partner alliances
§ Enterprise class service without the cost

LONG-TERM CLIENT RELATIONSHIPS:
§ Focused solutions
§ Responsible and flexible
§ Constant performance evaluation
§ Feedback and insights

21st Century Con Game: Phishing and Social Engineering

Why are they still thriving today?

21st Century Con Game: What is the game and why it still survives

§ A confidence trick (synonyms include confidence scheme and scam) is an attempt to defraud a person or group after first gaining their confidence, in the classical sense of trust.
§ A confidence artist (or con artist) is an individual, operating alone or in concert with others, who exploits characteristics of the human psyche such as dishonesty, honesty, vanity, compassion, credulity, irresponsibility, naïveté, or greed.
§ These cons have been transferred into the cyber world.

21st Century Con Game: What we are dealing with today...

§ The Short Con: Phishing is the act of attempting to acquire sensitive information, such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.
§ The Long Con: Social engineering, in the context of information security, refers to the psychological manipulation of people into performing actions or divulging confidential information. It is a type of confidence trick for the purpose of information gathering, fraud, or system access, in that it is often one of many steps in a more complex fraud scheme.

Types of Phishing: Different types of attacks...

§ Phishing attempts directed at specific individuals or companies have been termed spear phishing. Attackers may gather personal information about their target to increase their probability of success.
§ Clone phishing is where a legitimate, previously delivered email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical, or cloned, email.
§ Phishing directed specifically at senior executives and other high-profile targets within businesses may be referred to as whaling.

Phishing: Why Phishing Still Exists

§ An easy way to lure a large pool of unsuspecting people
§ Was considered a victimless crime – now part of most criminal activity
§ Has developed over time and morphed to meet the changing environment
§ 1864: Spam message
§ 1978: DARPA network spam/phishing email
§ 1987: True phishing email with payload
§ 1995: AOL, associated with the warez community that exchanged pirated software and the hacking scene
§ Criminal elements buy email addresses, accounts and information

Why Phishing Still Works

Excuses why this still works...

§ Lack of computer system knowledge
§ Lack of knowledge of security and security indicators
§ Visually deceptive text
§ Images masking underlying text
§ Lack of attention to security indicators
§ Lack of attention to the absence of security indicators

Dhamija, Rachna, Tygar, J.D. and Hearst, Marti. "Why Phishing Works." Conference on Human Factors in Computing Systems, April 2006.

Cost of Phishing: Impact of Email Cyberthreats...

Chart source: SANS Institute, Alan Paller, Director of Research

Chart source: 2012 Verizon Data Breach Investigation Report, Marcus Sachs, VP National Security Policy

Chart source: Gartner survey of US consumers, consumer behavior impact from phishing; timing of phishing events

Impact of Email Cyberthreats...

Chart source: 2013 Mandiant (A FireEye Company), Annual Threat Report on Advanced Targeted Attacks

Current Costs...

Chart source: 2013 Panda Security Report, The Cyber Crime: Uncovered

Cost of Phishing

§ Verizon 2013 report: phishing attacks launched globally
§ 450,000 attacks, the current record
§ USD $5.9 billion estimated loss

Criminal Element

Specialized frameworks and hacking tools, such as BlackHole 2.0 and others, allow easy setup for host hijacking and phishing.

How easy is it? For $700, a three-month license for BlackHole is available online. It includes support!

Criminal Element: Blackhole Statistics... (screenshot slide)

Criminal Element: Blackhole Threads... (screenshot slide)

Criminal Element: Blackhole Preferences... (screenshot slide)

Criminal Element: Who needs to pay for it...

§ Free tools like the Social Engineering Toolkit are now included in:
   § Backtrack
   § Kali

Part of the Puzzle

Limited attack

§ Can only collect so much info
§ AV/IDS/firewalls are getting better
§ Education/re-education programs being created

Ways to improve the attack

§ Phishing is part of a larger attack structure
§ The bad guys are getting better organized

Social Engineering: Acts of the play...

To take a page out of history, the concepts of the con game were brought to life on the big screen by the movie The Sting* where Johnny Hooker (Redford) and Gondorff (Newman) beat the gangsters at their own game.

The film is notable for many reasons; one is how the con is actually revealed to the audience. In addition, the film is unique in that it divides the different pieces of the con into several parts, like acts of a play; each part setting the stage for the next act and which ultimately creates the sting. The parts of the con are the Set-up, the Hook, the Tale, and the Sting.

* The Sting. Director George Roy Hill. Universal Pictures, 1973.

The Set-Up

Tricks of the trade

§ The setup is where the con artist tricks or exploits human weaknesses:
   § Greed
   § Dishonesty
   § Vanity
§ But also virtues like:
   § Honesty
   § Compassion
   § Or a naïve expectation of good faith on the part of the con artist

The Hook...

Hooking the mark...

• The hook gets the mark (the person the con is being played against) hooked on the idea that they will get a large return for a minimum amount of effort.

• The hook uses everything from fake franchises to "sure things", how-to-get-rich plans, gurus, sure-fire inventions, useless products, fortunetellers, quack doctors, and miracle pharmaceuticals: anything that focuses the person's attention away from the con artist so they can run the con.

The Tale...

Weaving the story...

• The tale is where the con artist uses their skills to weave the story and make the con seem more real.

• This is where the pieces of the setup and the hook come together and merge into this incredible tale. The con artist injects some variety of "human characteristics" into the story.

The Tale: Playing on their character...

• These characteristics include:

1) Human flaws
2) Superior people/attitudes
3) Someone is out to get them
4) They need the victim's help to succeed and they are the only person that can help, or
5) Depending on the scam, using their religious or moral values to help them out.

The Sting...

§ The sting is where all of the elaborate pieces of the puzzle come together. This is where they get the information, money, etc.
§ However, even when they have face-to-face contact with their mark, they are usually not caught. Because they play their part so well, they are nothing but believable. This only happens to people that are not prepared.

Don't believe it?

Sources: Anonymous, "Social Engineering", n.d.; www.google.com/search, social engineering/pictures; Tareq and Michaele Salahi, Jan 20, 2011.

Security Assessments: What is needed to execute a social engineering assessment

Our Setup, Hook and Tale

§ Initial Scoping
   § What the client is trying to find out
   § Parameters of the engagement
§ Reconnaissance
   § Targets
   § "Get out of jail free" letter
§ Assessment
   § Actual physical/computer attacks
§ Reporting / Presentation

What's involved

Prep Work...

§ Site observation
   § Physical / wireless observation
§ Phishing
   § Email
   § Phone phishing
§ Social Engineering
   § Access to perimeter/building
   § Access to network
   § Access to systems

Social Engineering Tool Kit

What tools every social engineer needs...

Tools
• Computer(s)
• Cell phone
• Computer cables
• Scanning tools (hacking tools / password crackers)
• Burn phone
• Lock pick set
• Camera

Props
• Attire
• Badge
• Badge holder
• USB drive
• Cigarette/lighter
• Fake paper or work orders
• Fake business cards

Engagements

Ladies and gentlemen: the stories you are about to hear are true. Only the names have been changed to protect the innocent.*

§ Bank
§ Hospital
§ University
§ US Trucking Company

* Dragnet, "Intro," Dragnet, http://www.dvdempire.com/Exec/v4_item.asp?item_id=1510115

Bank Job

A regional Texas bank

Branches
§ IT employee with a contractor badge
§ Used a virus scare to get in (USB tool)
§ Dropped names
§ Used intimidation on employees: fake form to refuse work

Main office
§ Conducted a phishing assessment
§ Tailgated an employee in at the receiving dock
§ Followed employees into secure areas
§ Set up scanning and phone phishing from an empty conference room

Bank Job: Findings...

§ Policies and procedures not being followed
§ Training inaccuracy
§ Issues in physical security processes
§ Issues in computer security processes

Hospital Job

A Texas hospital

Branches
§ IT employee
§ Used a virus scare to get in (USB tool)
§ Dropped names
§ Talked to employees and made friends

Main office
§ Created a fake badge
§ Followed employees / talked my way into secure areas
§ Conducted interviews for additional intelligence

Hospital Job: Findings...

§ Policies and procedures not being followed
§ Training inaccuracy
§ Issues in physical security processes
§ Issues in computer security processes

University Job

A community college in Texas

Main campus
§ Conducted a phishing assessment
§ Posed as a student working for the IT group
   § Spot-checking Windows Updates
   § Checking on any other computer issues
§ Live network jacks in common areas

Offsite
§ Checking Windows Updates
§ Requested to help enhance processes and procedures

University Job: Findings...

§ Policies and procedures not being followed
§ Lack of employee badging
§ Lack of reporting
§ Training inaccuracy
§ Lack of a clean desk policy
§ Issues in physical security processes
§ Issues in computer security processes

Trucking Company

A US trucking company

Offsite
§ Posed as an IT employee
   § Checking on computer issues
   § Issues with the wireless access in the shop area
§ Obtained information about systems and networks to use at other sites

Main building
§ Used the wireless issues to investigate drop signals
§ Gained access to the server room
§ Conducted phone phishing

Trucking Company: Findings...

§ Policies and procedures not being followed
   § No wireless policies and procedures
   § Wireless network not configured correctly
§ Training inaccuracy
§ Issues in physical security processes
   § Alarm codes
   § Modems
§ Issues in computer security processes

Defenses: Be on the lookout...

§ These signs might include such behaviors as:
1) Refusal to give contact information
2) Rushing the process
3) Name-dropping
4) Intimidation
5) Small mistakes
6) Requesting forbidden information or access

Defenses: Phishing Defenses...

• Know that phishing can also happen by phone.
• If someone contacts you and says you have been a victim of fraud, verify the person's identity before you provide any personal information.
• Job seekers should also be careful.
• Be suspicious of "phishy" emails asking for credit card or other personal info.
• URLs should be familiar.
• Never enter your personal information in a pop-up screen.
• Be suspicious if someone contacts you unexpectedly and asks for your personal information.
• Only open email attachments if you are expecting them and know what they contain.
• Protect your computer with spam filters, antivirus/anti- software, and a firewall, and keep them updated.
• Create a company email or hotline to report security incidents.

For office or home protection:

• Act immediately if you have been hooked by a phisher: www.consumer.gov/idtheft
• Report phishing, whether you are a victim or not: www.fraud.org
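Two of the checks above ("URLs should be familiar" and watching for the visually deceptive text that makes phishing work) can be automated on the mail-gateway or help-desk side. The following is an added example, not part of the original presentation: it parses an HTML mail body, flags links whose visible text names a different site than the actual href, and flags target domains that imitate a familiar one with look-alike characters or by embedding its name. The familiar-domain list and the sample message are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

FAMILIAR_DOMAINS = {"example-bank.com"}  # assumed familiar domains for a hypothetical organisation
# Digit and letter-pair swaps used for visually deceptive domains; hosts are compared as "skeletons"
CONFUSABLES = (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w"))
def skeleton(host):
    for look_alike, real in CONFUSABLES:
        host = host.replace(look_alike, real)
    return host
def host_of(text):  # hostname of a URL or bare domain, lowercased ('' if none)
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
def is_lookalike(host):  # unfamiliar host whose skeleton still contains a familiar brand
    familiar = any(host == d or host.endswith("." + d) for d in FAMILIAR_DOMAINS)
    return not familiar and any(skeleton(d) in skeleton(host) for d in FAMILIAR_DOMAINS)

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a> in the body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html):  # (reason, href_host, visible_text) for each link a reader should distrust
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        shown = host_of(text) if re.search(r"\w\.\w", text) else ""  # visible text that looks like a URL
        if shown and shown != target:  # text names one site, href goes to another
            findings.append(("mismatch", target, text))
        if is_lookalike(target):  # familiar brand inside an unfamiliar domain
            findings.append(("lookalike", target, text))
    return findings

# Constructed sample mail body, not a real message.
SAMPLE_EMAIL = """<p>Your account is locked.</p>
<a href="http://examp1e-bank.com/login">https://example-bank.com/login</a>
<a href="http://example-bank.com.evil.test/verify">Verify now</a>
<a href="https://secure.example-bank.com/help">Help</a>"""
```

Running `check_links(SAMPLE_EMAIL)` flags the first two links (mismatch plus look-alike, and a familiar name buried in a foreign domain) and leaves the genuine subdomain alone.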

Defenses: Social Engineering Stage One - Understanding...

§ Understanding what happens when someone tries to:
1) Get information
2) Ask you to install a program
3) Get you to click an unknown and possibly malicious link

Defenses: Social Engineering Stage Two - Awareness...

§ Corporations that care about security have programs to train employees to be aware of the potential security risks via phone, Internet, and in person.
§ The goal is to make them think not just about what they do at work with the office computer, but also about their own bank accounts, home computers, and how they treat security on a personal level.
§ If the company can make the security discussions engaging, interactive, and personal, employees are more likely to remember them and will be more open to being security conscious.

Defenses: Social Engineering Stage Three - Types of data...

§ Create awareness of the value of the information sought by social engineers, such as trade secrets, formulas, and new product information.
§ Everyone in the organization needs to understand that not all data is created equal; in other words, some data is more sensitive than other data and should be more rigorously protected.

Defenses: Social Engineering Stage Four - Physical awareness

§ Additional physical security awareness ensures that only those persons authorized to be in the facility are granted access:
   § Escorted visitors
   § A strong badging process
   § Train employees to challenge strangers
   § Reinforce the importance of physical security

Reward... Don't Punish

Good Catch

§ As part of this training or education process, reinforce a "good catch" made by an employee.
§ When an employee does the right thing, make sure they receive proper recognition.
§ Train employees on who to call if they suspect they are being socially engineered.

Defenses: Social Engineering Stage Five - Continuous learning...

§ Learn from past audits.
§ Discover what vulnerabilities have been an issue on past audits.
§ Often, audits and security assessments go hand-in-hand and supplement each other.
§ The phishing and social engineering process also needs to be stress-tested to see where the weak points are, to limit the possibility of a breach occurring.
§ Continue to learn...

Questions?

Locations in Houston, Dallas, San Antonio, Austin, and Los Angeles. GLOBAL CAPABILITIES.

Contacts
MAIN OFFICE: 281.897.5000
TOLL FREE: 800.246.4908
WEB SITE: www.accudatasystems.com

Joe Juchniewicz [email protected]