Social Engineering (SE)

Size: px

Start display at page:

Download "Social Engineering (SE)"

Bruce Sanders
6 years ago
Views:

1 Social Engineering (SE) BeerTalk Berlin, 17. Februar 2015 Walter Sprenger Compass Security Deutschland GmbH Tauentzienstr. 18 De Berlin Tel Fax

2 Agenda Introduction to Social Engineering Attack / Spoofing vectors Phishing Sites / Trojan Horses Live Demos Compass Experience Countermeasures Social Engineering Test Benefits Slide 2

3 What is Social Engineering? Compass Security Deutschland GmbH Tauentzienstr. 18 De Berlin Tel Fax

4 What is social engineering? Slide 4

5 Attack Vectors / Spoofing Methods Compass Security Deutschland GmbH Tauentzienstr. 18 De Berlin Tel Fax team@csnc.de

6 Attack & Spoofing Vectors Slide 6

7 Misuse of Trust Why do you trust a message? I know the sender (phone number, mail-address) I know the structure of the message I expect the message Why do you trust a web site? I know the domain of the website I know how the web site looks like I trust the seal on the web site I trust the SSL/TLS certificate Slide 7

8 Targeted Attacks Why make a lot of noise if one victim provides the information I want? Run attack to only a few individuals Take more time on one individual, better preparation of the attack Targeted Attacks Do not raise suspicion No AntiVirus patterns for used malware Hard to detect in log files / with intrusion prevention systems Longer infection possible, restart malware everytime the user logs in long time compromise Slide 8

9 Phishing Sites Compass Security Deutschland GmbH Tauentzienstr. 18 De Berlin Tel Fax

10 Simple Phishing Website Slide 10

11 Simple Phishing Website explained Slide 11

12 Example of complex Phishing Site Phishing Site opened User receives with Link Yes Login Credentials entered Video Page shown Install Yes Click View Attacker takes control No No No Phishing Website Yes Download malicious Video Codec Victim can t decide any more Remote Shell started Malware No Slide 12

13 Analysis of complex Phishing Sites Sum sent Phising Mails Clicked on Link in Entered Credentials Clicked on Video Page Downloaded Video Codec Installed Video Codec Slide 13

14 Analysis of complex Phishing Sites (2) Clicked on Link in Entered Credentials Clicked on Video Page Downloaded Video Codec Before Detection After Detection Installed Video Codec Slide 14

15 Trojan Horses Compass Security Deutschland GmbH Tauentzienstr. 18 De Berlin Tel Fax

16 This image cannot currently be displayed. Trojan Horse Covert Channel Delivery via USB-Stick Attacker observes the victim computer Started by User Company Network Internet Slide 16

17 Live Demos Compass Security Deutschland GmbH Tauentzienstr. 18 De Berlin Tel Fax

18 Live Demo Computer Phishing A1) Webmail Phishing Attack Vector: Goal: with URL Get Webmail/Windows credentials A2) FaceBook Phishing (Invitation) Attack Vector: Goal: with Facebook invitation Get Facebook credentials / Impersonation Slide 18

19 Live Demo SmartPhone Information B1) SMS from your Bank Attack Vector: Goal: SMS with call back number Get personal information B2) GPS location Attack Vector: Goal: SMS with URL to location web site Get coordinates of victim Slide 19

20 Live Demo SmartPhone Phishing B3) icloud Phishing Attack Vector: Goal: SMS with URL to phishing web site Get icloud credentials Steal date stored in icloud (contacts, files, backup, etc.) B4) Android NFC Business Card Attack Vector: Goal: Business card with modifed NFC, points to phishing web site Get Google credentials Steal data stored on Google (mails, contacts, files, etc.) Install trojan app on mobile phone Slide 20

21 Live Demo CallID Spoofing B5) CallID Spoofing Attack Vector: Goal: Call with spoofed sender number Get personal information Slide 21

22 Live Demo Trojan User Interaction C1) Exe in Word-Dokument Attack Vector: Goal: Mail with Word-Document Remote control the workstation of the user C2) Download EXE Attack Vector: Goal: Facebook chat message download URL Remote control the workstation of the user C3) USB Trojan Attack Vector: Goal: USB stick with interesting file (EXE) Remote control the workstation of the user Slide 22

23 Live Demo Trojan DriveBy D1) Drive-By Java 0-Day Attack Vector: Goal: Web site with URL Remote control the workstation of the user Slide 23

24 Countermeasures Compass Security Deutschland GmbH Tauentzienstr. 18 De Berlin Tel Fax

25 But, you can protect your Company Technical Countermeasures Virus Scanner Disable Autorun / USB / CD-ROM Disable dangerous attachements in s Firewalls / Content Filter / SSL-Split-Proxy IDS Protocol Sanitation (HTTP / DNS) Limit user permissions Secure WLAN Organizational Countermeasures Access Control Security Zones Educate Employees User Awareness Security Policies Awareness Demo Social Engineering Test Slide 25

26 Social Engineering Test Benefits Compass Security Deutschland GmbH Tauentzienstr. 18 De Berlin Tel Fax

27 Social Engineering Test Benefits I know Social Engineering always works. So why should I conduct a Social Engineering Test in my company? Slide 27

28 Social Engineering Test Benefits Technical Infrastructure Sufficient? Incident Handling Adequate? Security Awareness Courses Learning Success? Security Processes No Weak Points? Access Control Impenetrably? Slide 28

29 Thank you! Thank you very much for your attention! Slide 29

30 Contact Compass Security Deutschland GmbH Tauentzienstr Berlin Secure File Exchange: Slide 30

Ethical Hacking. Content Outline: Session 1

Ethical Hacking. Content Outline: Session 1 Ethical Hacking Content Outline: Session 1 Ethics & Hacking Hacking history : How it all begin - Why is security needed? - What is ethical hacking? - Ethical Hacker Vs Malicious hacker - Types of Hackers