To learn more about Stickley on Security visit You can contact Jim Stickley at

Transcription

1 Thanks for attending this session on March 15th. To learn more about Stickley on Security visit You can contact Jim Stickley at Have a great day!

2 Fraud The new F word Presented by Jim Stickley

3 Fraud Cybercrime is a growth industry. The returns are great, and the risks are low -McAfee

4 Fraud How are criminals having so much success? is at the root of all major breaches

5 Why ? Attacking a network via the Internet is hard Employees have access to everything If I can gain access to an employees desktop or credentials, breaking in becomes much easier

6 Why ? The first click on average happens within 1 minute 40 seconds

7 How easy it is really?

8 Starting the attack Objective: Gain access to financial institution employee desktop

9 Target: Employee desktop Need names of tellers Many options available Phone is an option Google search can help There is a better way

10 credit union customer service

11

12 Targeting personnel I know the tellers at the financial institution Now need their address

13 Targeting personnel Finding the of teller Gmail is great for testing s Send numerous variations

14

15 Targeting personnel Whatever doesn t bounce back is real Send numerous variations bills@acmefakecu.com billsmith@acmefakecu.com bill.smith@acmefakecu.com b.smith@acmefakecu.com

16 ecard scams Starting the attack Send from Hallmark

17 Online viewer exploits

18

19 Online viewer exploits

20

21 Online viewer exploits We got one System connected on device 7 Have fun.

22 Online viewer exploits Microsoft Windows [Version ] (C) Copyright 2009 Microsoft Corp. C:\Documents and Settings\Administrator> Active Connections netstat -na Proto Local Address Foreign Address State TCP : :0 LISTENING TCP : :0 LISTENING TCP : :0 LISTENING TCP : :0 LISTENING TCP : :0 LISTENING TCP : :0 LISTENING TCP : :0 LISTENING

23 Online viewer exploits What is at risk? Complete compromise of computer Launch point for other attacks Can call home at scheduled times

24 Online viewer exploits You don t need to download anything to be infected Adobe Flash player prime target

25 Online viewer exploits You don t need to download anything to be infected Adobe Flash player prime target

26

27 Online viewer exploits Patches can t always solve this issue

28 Have a web cam? This can be used to watch what you are doing without your knowledge

29 What can you do? Never trust an Employee education Limited network access

30 What about blacklists? Many companies and security products depend on blacklists to filter Block based on sender IP Block based on sender domain Block authentication SPF / DKIM Block based on content

31 What about blacklists? Do they work?

32

33

34 Attacks through PayPal How is that possible?

35

36

37 Not just PayPal Numerous cloud based solutions offer the ability to send s with custom messages These organizations are trusted by most mail security Even legitimate s can contain malicious data

38 Tiny links Be cautious of tiny or bity links. Tiny URL s often hide where you are really going

39 Tiny links Before following tiny links, confirm where they go

40 Tiny links

41 Domain verification stickleyonsecurity.com

42 Domain verification

43 Domain verification

44 Technology is not a guarantee Blacklists and filters are not full proof Tiny (hidden) links commonly used for attacks When in doubt, research link first

45 Targeting Employees Hybrid Social Engineering

46 Starting the attack Objective: Use social engineering and malware to gain access to desktop

47 Targeting personnel I already know the employees at the organization Used LinkedIn I already know their address Used bounce technique To complete this attack I also need to know the IT security manager Get that through LinkedIn or simply call the organization and ask

48 Targeting personnel We are ready to start the attack Start with social engineering

49

50 The security update Employee calls the 800 number Operator conducts validation process

51 The security update Ask user to go to GoToMeeting.com Once there give them meeting code to connect GoToMeeting allows a free trial of their account This allows criminals to use the solution without using real information

52 The security update Now we assist them with their update Video

53

54 What does this mean? Kathy thinks everything is ok and her computer is secure Reality: Complete compromise of her desktop Bypassed security on the desktop / network Launch point for more attacks including core processor Warm handoff to other employee

55 What can you do? Never trust an Never allow remote control of your desktop Never install software or allow others to install software on your desktop without approval

56 What can you do? Never pass calls to co-workers Never assume a call passed from a co-worker is trusted. When in doubt, pick up the phone and ask someone in your IT department

57 Targeting Employees System Administrators

58 Attacking the admins Why target an admin? IT Managers & System Administrators have all the access When compromised, criminals now have all the access Easy to find IT admins

59 Attacking the admins Use their vendor relationships against them Most organizations work with many vendors Often these relationships are public

60 Attacking the admins Use their vendor relationships against them Most organizations work with many vendors Often these relationships are public

61 credit union chooses

62

63

64

65

66 Attacking the admins What we know We have the name of the admin We have the address We know their financial institution works with Fiserv What else do we need? Name of employee at Fiserv

67 Fiserv customer services

68 Fiserv customer services

69 Putting it all together We found an IT Admin via LinkedIn Bill Smith We know our plan of attack attachment We know a banking solution they use Fiserv We know who the will come from Katrin Rollins

70 Attacking the admins Lets start the attack

71 Attack the admins This will be the Vice President, Professional Services & Customer Support

72 Attack the admins This will be the

73 Attacking the admins Yep, it s on! New remote connection confirmed. Device: 3 Have a great day. :)

74 Attacking the admins Microsoft Windows [Version ] (C) Copyright 2009 Microsoft Corp. C:\Documents and Settings\Administrator> Active Connections netstat -na Proto Local Address Foreign Address State TCP : :0 LISTENING TCP : :0 LISTENING TCP : :0 LISTENING TCP : :0 LISTENING TCP : :0 LISTENING TCP : :0 LISTENING TCP : :0 LISTENING

75 Attacking the admins What happened?

76

77 Other attachments It s not just Adobe ---

78 Using Admin Access

79 Administrators have access High risk servers: Core processor Web servers Document management servers Database servers ATM s Patch Management Routers, firewalls, switches

80 Now that we are on Once on the network, what to do first? Install root-kit which includes Keyboard logging Audio monitor Camera monitor Screen scrape software Web traffic monitor

81 Systematic attack Started with attack Gained access to administrators desktop Used desktop to gain access to secured ATM network segment Once on network segment found server used as upgrade site for ATM s (No access to ATM s directly)

82 Upgrade server How did it work?

83 Upgrade server How did it work?

84 What does this mean? How could this be used to our advantage? We don t have access to connect to ATM servers We cant exploit any known vulnerabilities What if we make our own upgrade installer?

85 What does this mean? What could it do?

86 What does this mean? What could it do?

87 What does this mean? What could it do?

88 What does this mean? What should the malicious code do? Avoid trying to modify existing software Install code that accesses the cash dispenser Tell the ATM to dispense cash at a specified time

89 What does this mean? Can this really be done? Video

90

91 What can be done? Employee awareness & education Install security patches Be cautious of ALL attachments Even non-executable Be cautious of all websites Flash is not your friend Limit and monitor outbound data connections

92 In the end

93 In the end You can t prevent every security risk Education and awareness are an important defense against cyber attacks Remember that you can spend hundreds of thousands on security products and it just takes one human mistake to bypass it all

94 -Register for weekly security news letter-

95 Employee Education Solutions Jim Stickley