Sharon Conheady - Social engineering & social networks (4 November, Jaarbeurs Utrecht)


Upload: infosecurity2010

Posted on 15 May 2015


Category:

Technology


TRANSCRIPT

Page 1: Sharon Conheady - Social engineering & social networks (4 November, Jaarbeurs Utrecht)

Social Engineering & Social Networking

Sharon Conheady
[email protected]

Page 2

A Definition

efforts to influence popular attitudes and social behaviour on a large scale, whether by governments or private groups

- Wikipedia definition

Page 3

Page 4

Page 5

What is Social Engineering?

techniques hackers use to deceive a trusted computer user within a company into revealing sensitive information, or trick an unsuspecting mark into performing actions that create a security hole for them to slip through

- Kevin Mitnick

Page 6

Why social engineering works

• Tendency to trust
• People want to help
  – Customer service focussed society (e.g. call centres)
• Respect for authority
  – Milgram experiment
• Complacency
  – It's easier to give people information to get rid of them
• People don't like confrontations
  – The Yes Rule
• Social engineers are good at evoking emotion
  – Greed (passwords for chocolate)
  – Fear (of getting into trouble for not doing their job, of their credit card being cut off)
  – Sympathy

Page 7

What is Social Engineering from a Social Networking Perspective?

• An exploitation of TRUST
• A social engineer is an exploiter of trust, who leverages the TRUST of their victim to gain access to sensitive information or resources, or to elicit information about those resources

What is social networking?

• A TRUST platform

Page 8

Social Engineering & Social Networking

1. Why social engineers use social networking

2. Why social engineering over social networking works

3. Examples of how social networking is used by social engineers

4. Tips on how to prevent social engineering attacks that make use of social networks

Page 9

#1 Why social engineers use social networking

Page 10

Why social engineers use social networking

• HUGE attack surface
• Quick and easy, even automated
  • E.g. set up a botnet to gather email addresses for phishing
• Low barrier to entry (skillz not necessarily required)
• Often relies on publicly available information (no obvious wrongdoing)
• No more dumpster diving ☺

Page 11

#2 Why social engineering over social networks works

Page 12

Why Social Engineering over Social Networking works

• Trust model
• No real authentication
  • Easy to impersonate someone else or set up a fake profile
• Influential (Cialdini's principles of influence)
  • Social proof: people do things that other people are doing
  • Liking (similarity): people are influenced by people they like
  • "Hey, look at this. John says it's cool."

Page 13

Impersonation in the Real World

http://www.silicon.com/technology/hardware/2007/12/10/criminals-posing-as-police-burgle-verizon-data-centre-39169416/

Page 14

Impersonation in the Real World

• Takes money (to buy police costumes)
• May involve other criminal activities ("procuring" police costumes, impersonating a public official, physically harming victims)
• Takes a lot of planning
• Usually involves several people (5 people in this instance)
• Much easier to get caught

Page 15

The Robin Sage Experiment

• 28-day experiment run by Provide Security
• Security researchers created fake Facebook, Twitter and LinkedIn profiles under the alias Robin Sage
• They used a photo of an attractive girl taken from an adult website
• They gave her the job title "Cyber Threat Analyst"
• Established connections with more than 300 people in the security industry, including people at the National Security Agency, DoD and Global 500 companies
• Her contacts revealed information that violated operational security and personal security restrictions, such as troop locations and what time helicopters were taking off

Page 16

Some Clues

• 10 years of cyber security experience at 25 years of age
• Robin Sage is the name of a military exercise
• AND
• You DEFINITELY don't know her – she doesn't exist!

Page 17

#3 How social networking is used by social engineers

Page 18

3 ways in which social networking is used by social engineers

1. To execute an attack

2. To propagate an attack (e.g. spread malware)

3. Reconnaissance phase for a larger attack

Page 19

Using LinkedIn for SE

• Tactical research:
  • Build an organisation chart for the target organisation
  • Identify staff names and roles
  • Target these individuals
  • Pretend to be these individuals
  • Name drop: <insert CEO's name here> said... Or <insert CEO's name here> needs this document...
  • Check who is on holiday (TripIt)
• Set up fake profiles and link in to your target
  • E.g. it's highly likely John from Company A knows Jane from Company B. If they are not already linked in, set up a profile that looks like Jane and send a LinkedIn invitation.
  • Lots of people will connect with people they don't even know, so you don't necessarily need Jane's profile.
  • You don't even need to use LinkedIn. You know what a LinkedIn invitation looks like. Make one yourself with malicious links or malware... Your target doesn't even need to use LinkedIn – we ALL get invitations.

Page 20

Using other social networking sites for social engineering

1. Find the name of someone who works at the target organisation (maybe via LinkedIn, company website, etc).

2. MORE tactical research on that person.

Page 21

#3.1 Executing attacks on social networks

Page 22

Old attacks reworked on Social Networks

• Nigerian 419 scam
  • Instead of coming from a stranger in Nigeria, the attack comes from your friend
  • Instead of getting an email, you are contacted via a social networking site
  • Naturally, you want to help your friend

Page 23

The London Mugging

Oh my God i am sorry i didn't inform you about my traveling to London, UK. It as been a very sad and bad moment for me, the present condition that I found myself is very hard for me to explain. I am really stranded i am in some kind of deep mess right now,I came down here to London,UK for a short resort got mugged at gun point last night at the park of the hotel where i lodged.All cash,credit cards and cell were stolen,I've been to the U.S embassy and the Police here but they're not helping issues at all,Our flight leaves today and I'm having problems settling the hotel bills, passport,documents and other valuable things were kept on my way to the Hotel am staying,

I am facing a hard time here because I have no money on me. I am now owning a hotel bill and they wanted me to pay the bill soon or else they will have to seize my bag and hand me over to the Hotel Management.,I need this help from you urgently to help me back home,I need you to help me with the hotel bill and i will also need to feed and help myself back home so please can you help me with a sum of 1720Pounds to sort out my problems here? I need this help so much and on time because i am in a terrible and tight situation here,I don't even have money to feed myself anymore

Page 24

Volcano Friend Scam?

I’m stranded in <random foreign location> because of the volcanic activity in Iceland. Please could you lend me some money...?

Page 25

Hijack someone's account to launch attacks against other users

• Attackers take over someone's account and target their friends
• Contact comes from your friend, so you are more likely to trust it
• Examples: Google.cn, Terremark

Page 26

http://www.ft.com/cms/s/2/c18091ee-09ee-11df-8b23-00144feabdc0.html

Page 27

Terremark: Company Picnic, 2009

• An employee, Bob, posted on his Facebook profile that he would be attending a company picnic.
• Attackers hijacked Bob's Facebook account and, after the picnic, sent out a message that read:
  "Hey Alice, look at the pics I took of us last weekend at the picnic. Bob"
• Alice clicked the accompanying link on her company laptop, which installed a keystroke logger.
• The attackers used Alice's company logon to access the company network for two weeks, gaining control over 2 servers.
• One of Bob's friends mentioned to him that the photos he sent failed to render.
• A closer look at network traffic uncovered the attackers' probing.

Page 28

#3.2 Propagating attacks via social networks

Page 29

Social Networks as Malware Distribution Platforms

• Malware inserted via user-contributed content, ads, compromised hosting networks and other third parties
• How do you get someone to visit a website hosting malware?
• Social engineering is the magic ingredient that makes these attacks work
• 3 examples

Page 30

Example 1: Set up a group people want to join

Page 31

Example 2: Send a malicious attachment that looks like it's from Facebook

From: "Your Facebook" <[email protected]>
Date: 17 March 2010 07:45:06 GMT
Subject: Facebook Password Reset Confirmation! Customer Message.

Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed. You can find your new password in attached document.

Thanks,
Your Facebook.

<Facebook_password_982.zip>
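The home-made "LinkedIn invitation" on page 19 and the "password reset" mail above share a handful of tells that can be checked mechanically: a brand in the display name that the sender domain does not back up, an archive or executable attachment, a generic salutation, fear wording, and link text that names one host while the href goes somewhere else. The following Python is an added example written for this page, not code from the talk. The two sample messages, their sender addresses and the lookalike domains are constructed for the example, and BRAND_DOMAINS is an assumed table that a real deployment would maintain itself.

```python
"""Heuristic triage of mail claiming to come from a social network.

Added example for this page, not code from the talk. The sample messages and
every address and domain in them are constructed; BRAND_DOMAINS is an assumed
table a real deployment would maintain itself.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND_DOMAINS = {"facebook": {"facebook.com", "facebookmail.com"}, "linkedin": {"linkedin.com"}}
DANGEROUS_EXT = (".zip", ".exe", ".scr", ".js", ".jar")
URGENCY = re.compile(r"\b(urgent|immediately|has been changed|verify|suspend)", re.I)
GENERIC_SALUTATION = re.compile(r"^\s*dear (user|customer|member|client)\b", re.I | re.M)
HOST_IN_TEXT = re.compile(r"((?:[\w-]+\.)+[a-z]{2,})", re.I)
# Regex is enough for the samples here; use an HTML parser on real mail.
LINK = re.compile(r'<a\b[^>]*\bhref="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(host):
    """Crude last-two-labels registrable domain; enough for this example."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage(raw_message):
    """Return the tells found in one raw RFC 822 message (empty does not mean safe).

    From: is attacker-controlled unless SPF/DKIM/DMARC were checked upstream,
    so a matching sender domain on its own proves little.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    display_name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = registered_domain(address.rsplit("@", 1)[1]) if "@" in address else ""
    subject = str(msg.get("Subject", ""))

    # 1. Which brand does the mail claim to be, and does the sender domain fit?
    claimed = [b for b in BRAND_DOMAINS if b in (display_name + " " + subject).lower()]
    for brand in claimed:
        if sender_domain not in BRAND_DOMAINS[brand]:
            findings.append(f"claims {brand} but sent from {sender_domain or 'no domain'}")

    text_parts, html_parts = [], []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(DANGEROUS_EXT):
            findings.append(f"executable or archive attachment: {filename}")  # 2. the payload
        elif part.get_content_type() == "text/plain":
            text_parts.append(part.get_content())
        elif part.get_content_type() == "text/html":
            html_parts.append(part.get_content())

    body = "\n".join(text_parts)
    if GENERIC_SALUTATION.search(body):          # 3. a service you use knows your name
        findings.append("generic salutation")
    if URGENCY.search(subject + "\n" + body):    # 4. the 'fear' lever from page 6
        findings.append("urgency or account-scare wording")

    # 5. Link text naming one host while the href goes elsewhere, and
    #    brand-labelled mail whose links leave the brand's own domains.
    for html_body in html_parts:
        for href, text in LINK.findall(html_body):
            text = re.sub(r"<[^>]+>", "", text)
            href_host = registered_domain(urlparse(href).hostname or "")
            shown = HOST_IN_TEXT.search(text)
            if shown and registered_domain(shown.group(1)) != href_host:
                findings.append(f"link text shows {shown.group(1)} but points to {href_host}")
            for brand in claimed:
                if href_host and href_host not in BRAND_DOMAINS[brand]:
                    findings.append(f"{brand}-branded mail links to {href_host}")
    return list(dict.fromkeys(findings))


# Constructed sample modelled on the password-reset mail quoted above; the
# sender address and the (dummy) zip payload are invented.
FAKE_RESET = """\
From: "Your Facebook" <service@facebook-support.example>
Subject: Facebook Password Reset Confirmation! Customer Message.
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password
has been changed. You can find your new password in attached document.

--b1
Content-Type: application/zip; name="Facebook_password_982.zip"
Content-Disposition: attachment; filename="Facebook_password_982.zip"

UEsFBg==
--b1--
"""

# Constructed home-made 'LinkedIn invitation' (page 19): the From: header is
# forged to the real domain, the link is not.
FAKE_INVITE = """\
From: "LinkedIn Invitations" <invitations@linkedin.com>
Subject: Jane Smith wants to connect on LinkedIn
Content-Type: text/html

<html><body><p>Hi John, Jane Smith has indicated you are a colleague.</p>
<p><a href="http://linkedin-invite.example/accept?u=john">https://www.linkedin.com/accept</a></p>
</body></html>
"""
```

Run `triage(FAKE_RESET)` and `triage(FAKE_INVITE)` to see the two messages scored; the forged invitation passes the sender check and is caught only by its link, which is why the text/href comparison matters more than the From: header.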

Page 32

Example 3: Koobface (worm)

• Users receive a message in their Facebook inbox:
  – You look funny in this new video
  – Look, you were filmed all naked!
  – You look just awesome in this movie
• The user clicks the (malicious) URL to view the video and lands on a website that looks suspiciously like YouTube
• A pop-up message says a Flash update is required to view the video; the viewer is prompted to open a file called flash_player.exe...
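The chain on this slide (social-network inbox, lookalike video page, "Flash update" executable) leaves a recognisable trace in web-proxy logs: an executable whose name promises a player or codec, served by a host that is not the player's vendor and that borrows a well-known brand in its name, a few seconds after the same client was on a social network. The following Python is an added example for this page, not code from the talk. It reads constructed, tab-separated proxy records in a layout chosen for the example and flags downloads that fit that pattern; the hosts, client addresses and timestamps are invented, and the social-network, vendor and brand lists are assumptions a real deployment would maintain.

```python
"""Flag Koobface-style 'fake player update' downloads in proxy logs.

Added example for this page, not code from the talk. Log lines, hosts and
clients below are constructed; the field layout is chosen for the example.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed records: time, client, method, url, status, content-type, referer.
LOG = """\
2010-11-04T09:12:01Z\t10.1.2.33\tGET\thttp://www.facebook.com/inbox/\t200\ttext/html\t-
2010-11-04T09:12:09Z\t10.1.2.33\tGET\thttp://youtube-video-watch.example/watch?v=ab12\t200\ttext/html\thttp://www.facebook.com/inbox/
2010-11-04T09:12:15Z\t10.1.2.33\tGET\thttp://youtube-video-watch.example/flash_player.exe\t200\tapplication/x-msdownload\thttp://youtube-video-watch.example/watch?v=ab12
2010-11-04T09:30:44Z\t10.1.2.51\tGET\thttp://get.adobe.com/flashplayer/install_flash_player.exe\t200\tapplication/octet-stream\thttp://get.adobe.com/flashplayer/
2010-11-04T09:41:02Z\t10.1.2.60\tGET\thttp://intranet.corp.example/tools/putty.exe\t200\tapplication/x-msdownload\t-
"""

EXECUTABLE = re.compile(r"\.(exe|scr|com|bat|msi|pif)$", re.I)
LURE_WORDS = re.compile(r"flash|player|codec|video|update|install|setup", re.I)
SOCIAL = {"facebook.com", "myspace.com", "twitter.com", "linkedin.com"}  # assumed list
PLAYER_VENDORS = {"adobe.com", "macromedia.com"}                          # assumed list
BRANDS = ("youtube", "facebook", "myspace")                               # assumed list
SESSION = timedelta(minutes=10)


def registered_domain(host):
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_line(line):
    """Split one constructed record; returns None for malformed lines."""
    fields = line.split("\t")
    if len(fields) != 7:
        return None
    ts, client, method, url, status, ctype, referer = fields
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client, "method": method, "url": url, "status": status,
        "ctype": ctype.lower(), "referer": "" if referer == "-" else referer,
    }


def detect(log_text):
    """Return one alert per executable download that matches the lure pattern."""
    alerts = []
    last_social = {}  # client -> time of its most recent social-network request
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlparse(rec["url"])
        host = registered_domain(url.hostname or "")
        if host in SOCIAL:
            last_social[rec["client"]] = rec["time"]
        filename = url.path.rsplit("/", 1)[-1]
        is_exe = bool(EXECUTABLE.search(filename)) or rec["ctype"] == "application/x-msdownload"
        if not is_exe:
            continue

        reasons = []
        # A 'player update' that does not come from the player's vendor.
        if LURE_WORDS.search(filename) and host not in PLAYER_VENDORS:
            reasons.append(f"update-style filename {filename} from non-vendor host {host}")
        # A host that borrows a brand name without being that brand.
        for brand in BRANDS:
            if brand in host and host != f"{brand}.com":
                reasons.append(f"lookalike host {host} borrows '{brand}'")
        # The download follows a social-network visit by the same client.
        seen = last_social.get(rec["client"])
        if seen and rec["time"] - seen <= SESSION:
            reasons.append("follows a social-network visit in the same session")
        if reasons:
            alerts.append({
                "time": rec["time"].isoformat(), "client": rec["client"],
                "url": rec["url"], "reasons": reasons,
                "severity": "high" if len(reasons) >= 2 else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG):
        print(alert)
```

On the constructed log only the flash_player.exe fetch is flagged; the genuine vendor download and the intranet tool are left alone because the rules combine the filename with where it came from and what the client did just before, not the extension on its own.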

Page 33

#3.3 Reconnaissance

Page 34

Reconnaissance

• Personal information (phone numbers, dates of birth, home addresses, work details, etc.)
  – often publicly available (directly or indirectly)
  – your friends post a message wishing you a happy 40th birthday
• Answers to secret questions
• Company profiles, org charts
• Understand your target's trust network
  – Who do they work with? Name of boss?
  – Who's in their family?
  – Who are their friends?
• Find information to hone phishing attacks (spear phishing)
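The "happy 40th birthday" bullet is the point of the slide: the date of birth is never posted, yet the post date plus the age give it away, and the same indirect leakage covers pet names and hometowns, the stock answers to password-reset "secret questions". The following Python is an added example for this page, not code from the talk. It runs a few extraction rules over a constructed timeline (invented people and posts) and reports which secret questions the result already answers; the post phrasings the rules expect are assumptions, chosen to match how such things are typically written.

```python
"""Infer profile attributes from posts that never state them directly.

Added example for this page, not code from the talk. The timeline below is
constructed; the people and posts are invented.
"""
import re
from datetime import date

# Constructed timeline: (post date, author, text).
POSTS = [
    (date(2010, 6, 12), "alice", "Happy 40th birthday Bob!! Have a great one"),
    (date(2010, 6, 12), "carol", "40 today?! Happy birthday Bob, drinks are on you"),
    (date(2010, 3, 3), "bob", "Walking my dog Rex along the canal again, best dog ever"),
    (date(2010, 4, 20), "bob", "Back in Cork, where I grew up, for the weekend. Nothing changes."),
    (date(2010, 5, 1), "bob", "Off to the company picnic next Saturday"),
]

# 'Happy 40th birthday Bob': age plus post date gives a date of birth.
AGE_BIRTHDAY = re.compile(r"happy\s+(\d{1,3})(?:st|nd|rd|th)\s+birthday,?\s+@?(\w+)", re.I)
# Any birthday wish confirms the day even when no age is given.
ANY_BIRTHDAY = re.compile(r"happy\s+(?:\d{1,3}(?:st|nd|rd|th)\s+)?birthday,?\s+@?(\w+)", re.I)
# Stock 'secret question' answers, phrased the way people post them (assumed).
PET_NAME = re.compile(r"\b(?:my|our)\s+(?:dog|cat|puppy|kitten),?\s+([A-Z][a-z]+)")
HOMETOWN = re.compile(r"\bin\s+([A-Z][a-z]+),\s+where\s+I\s+grew\s+up")


def infer(posts, target):
    """Build what an attacker learns about `target` from posts by and about them."""
    target = target.lower()

    def is_target(name):
        return name.lower() == target

    profile = {"evidence": []}
    birthday_votes = {}
    for when, author, text in posts:
        m = AGE_BIRTHDAY.search(text)
        if m and is_target(m.group(2)) and not is_target(author):
            age = int(m.group(1))
            try:
                profile["date_of_birth"] = when.replace(year=when.year - age)
            except ValueError:  # 29 February in a non-leap birth year: day known, date not
                profile["date_of_birth"] = None
            profile["evidence"].append(f"{author} on {when}: '{m.group(0)}' -> born {when.year - age}")
        m = ANY_BIRTHDAY.search(text)
        if m and is_target(m.group(1)):
            key = (when.month, when.day)
            birthday_votes[key] = birthday_votes.get(key, 0) + 1
        if is_target(author):
            m = PET_NAME.search(text)
            if m:
                profile["first_pet"] = m.group(1)
                profile["evidence"].append(f"{author} on {when}: pet '{m.group(1)}'")
            m = HOMETOWN.search(text)
            if m:
                profile["hometown"] = m.group(1)
                profile["evidence"].append(f"{author} on {when}: hometown '{m.group(1)}'")
    if birthday_votes:
        (month, day), votes = max(birthday_votes.items(), key=lambda kv: kv[1])
        profile["birthday"] = (month, day)
        profile["birthday_confirmations"] = votes
    return profile


def exposed_secret_questions(profile):
    """Which of the usual password-reset questions the inferred profile answers."""
    questions = {
        "What is your date of birth?": profile.get("date_of_birth"),
        "What was the name of your first pet?": profile.get("first_pet"),
        "In what town did you grow up?": profile.get("hometown"),
    }
    return [q for q, answer in questions.items() if answer]


if __name__ == "__main__":
    bob = infer(POSTS, "Bob")
    print(bob)
    print(exposed_secret_questions(bob))
```

Nothing in the constructed timeline states a date of birth, a pet or a hometown, yet `infer(POSTS, "Bob")` recovers all three, which is exactly the "directly or indirectly" distinction the slide makes.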

Page 35

Bob’s Profile

<screenshot removed>

Page 36

How to social engineer Bob

1. You know what company and city Bob works in. Establish which office he is located in.
   • More online research
   • Call up each office and ask to speak to him until you get the right one
2. Get a Domino's delivery shirt ($10 for 4 on eBay, share them with your friends)
3. Order a Domino's Meat Feast pizza for collection.
4. Collect the pizza.
5. Put the Domino's t-shirt on.
6. Deliver the pizza to Bob's desk.
7. If Bob says he didn't order it, tell him Paul (who we know is his friend on MySpace) ordered it for him.
8. For an extra special touch, deliver it on his birthday as a birthday surprise.
9. Don't forget to leave a key logger or access point in the office, or at least grab some important looking documents while you are in there!

Page 37

Page 38

Jo’s profile

<screenshot removed>

Page 39

Some more SE scenarios…

1. Jo has 45 friends on his MySpace page. Send Jo a birthday card on behalf of one of his friends with a USB key as a present. Put malicious software on the USB key.

2. Send Jo a “stop smoking” CD with malware on it.

3. Threaten him with creepy crawlies until he gives you the information you want!

Page 40

Some interesting social networking sites for reconnaissance

Page 41

www.blippy.com

Hi, I’m emailing/calling from Netflix to see how you enjoyed watching Spartacus recently...

<screenshot removed>

Page 42

Screenshot from Mashable.com. Search term: site:blippy.com +"from card"

Page 43

www.foursquare.com

Page 44

www.pleaserobme.com

Page 45

Go to Corcoran’s on 23 Boulevard Poissonniere, Paris. You know what your target looks like. Buy them a drink. Steal their bag.

<screenshot removed>

Page 46

#4 Some ideas on how to avoid social engineering attacks over social networking

Page 47

Tips on how not to be a victim

• User awareness
• Acceptable use policy
• Use privacy settings
• Be careful what you post online
• Avoid "promiscuous friending"
• Don't click on links in emails received unexpectedly, even if they appear to be from a friend
• Don't send money without speaking directly to your friends ☺
• But most of all...
• Think about the information that is available about you online and consider how it could be used against you by a malicious social engineer

Page 48

Final Thought

Most of the time people spend on social networking is during work hours and on work computers

How does this affect you?

Page 49

Social Engineering & Social Networks

Sharon Conheady
[email protected]