Thanks for attending this session on March 15th. To learn more about Stickley on Security visit www.stickleyonsecurity.com You can contact Jim Stickley at jim@stickleyonsecurity.com Have a great day!
Fraud The new F word Presented by Jim Stickley
Fraud "Cybercrime is a growth industry. The returns are great, and the risks are low." - McAfee
Fraud How are criminals having so much success? Email is at the root of all major breaches
Why email? Attacking a network via the Internet is hard Employees have access to everything If I can gain access to an employee's desktop or credentials, breaking in becomes much easier
Why email? The first click on average happens within 1 minute 40 seconds
How easy is it really?
Starting the attack Objective: Gain access to financial institution employee desktop
Target: Employee desktop Need names of tellers Many options available Phone is an option Google search can help There is a better way
credit union customer service
Targeting personnel I know the tellers at the financial institution Now need their email address
Targeting personnel Finding the email of teller Gmail is great for testing emails Send numerous variations bills@acmefakecu.com billsmith@acmefakecu.com bill.smith@acmefakecu.com b.smith@acmefakecu.com
Targeting personnel Whatever doesn't bounce back is real Send numerous variations bills@acmefakecu.com billsmith@acmefakecu.com bill.smith@acmefakecu.com b.smith@acmefakecu.com
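Detection logic for the bounce-probe pattern described on the two slides above, added here as an example that is not part of the original deck: it scans mail-server log lines for one remote client hitting several unknown recipients at our domain in a short window, and lists any address that was accepted in the same burst. The log format, IP addresses and mailboxes are constructed for this example.

```python
"""Spot recipient-enumeration probes in MTA logs: one remote client hitting
several unknown recipients at our domain in a short window, the trail left
by 'send variants, keep whatever does not bounce'. Log format, addresses and
IPs are constructed for this example; adapt LINE_RE to your MTA's format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ \S+: (?P<result>reject|accept): "
    r"RCPT from \S*\[(?P<ip>[\d.]+)\]: .*?<(?P<rcpt>[^>]+)>.*?from=<(?P<sender>[^>]*)>"
)

# Constructed sample: four variants of one name from a single client, one of
# which is accepted, plus an unrelated single typo from another sender.
SAMPLE_LOG = """\
Mar 15 09:01:02 mx smtpd[11]: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <bills@acmefakecu.com>: User unknown; from=<ecard@example.net>
Mar 15 09:01:03 mx smtpd[11]: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <billsmith@acmefakecu.com>: User unknown; from=<ecard@example.net>
Mar 15 09:01:03 mx smtpd[11]: accept: RCPT from unknown[203.0.113.5]: 250 2.1.5 <bill.smith@acmefakecu.com>: Ok; from=<ecard@example.net>
Mar 15 09:01:04 mx smtpd[11]: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <b.smith@acmefakecu.com>: User unknown; from=<ecard@example.net>
Mar 15 09:05:00 mx smtpd[12]: reject: RCPT from mail.example.org[198.51.100.7]: 550 5.1.1 <typo@acmefakecu.com>: User unknown; from=<friend@example.org>
"""


def find_probes(log, min_unknown=3, window_s=300, year=2016):
    """Return {(client_ip, sender): {"unknown": [...], "accepted": [...]}} for
    clients whose rejected recipients include `min_unknown` attempts inside any
    `window_s`-second span. Syslog timestamps lack a year, so one is assumed."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[(m["ip"], m["sender"])].append((ts, m["result"], m["rcpt"].lower()))
    probes = {}
    window = timedelta(seconds=window_s)
    for key, evs in events.items():
        rejects = sorted(t for t, res, _ in evs if res == "reject")
        # Sliding window over reject timestamps: any min_unknown within window?
        if not any(rejects[i + min_unknown - 1] - rejects[i] <= window
                   for i in range(len(rejects) - min_unknown + 1)):
            continue
        probes[key] = {
            "unknown": sorted({r for _, res, r in evs if res == "reject"}),
            "accepted": sorted({r for _, res, r in evs if res == "accept"}),
        }
    return probes
```

A client that only ever sends a single mistyped address never trips the threshold, while the burst of variants does, so the alert carries the accepted mailbox the attacker just learned.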
ecard scams Starting the attack Send email from Hallmark
Online viewer exploits
http://www.hallmark-e-card.com/ecard-link/id=1178jaj8s87hjffkjk1212
Online viewer exploits We got one System connected on device 7 Have fun.
Online viewer exploits
Microsoft Windows [Version 6.1.7601]
(C) Copyright 2009 Microsoft Corp.

C:\Documents and Settings\Administrator> netstat -na

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:554            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:902            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:912            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING
Online viewer exploits What is at risk? Complete compromise of computer Launch point for other attacks Can call home at scheduled times
Online viewer exploits You don't need to download anything to be infected Adobe Flash player prime target
Online viewer exploits Patches can't always solve this issue
Have a web cam? This can be used to watch what you are doing without your knowledge
What can you do? Never trust an email Employee education Limited network access
What about email blacklists? Many companies and security products depend on blacklists to filter email Block based on sender IP Block based on sender domain Block based on sender authentication (SPF / DKIM) Block based on content
What about email blacklists? Do they work?
Attacks through PayPal How is that possible?
Not just PayPal Numerous cloud based solutions offer the ability to send emails with custom messages These organizations are trusted by most mail security Even legitimate emails can contain malicious data
Tiny links Be cautious of tinyurl or bit.ly links. Tiny URLs often hide where you are really going http://tinyurl.com/hescmk2 http://bit.ly/2adfq25
Tiny links Before following tiny links, confirm where they go http://bit.ly/2adfq25
Domain verification stickleyonsecurity.com
Technology is not a guarantee Blacklists and filters are not foolproof Tiny (hidden) links are commonly used for attacks When in doubt, research the link first
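An added example (not the deck's own material) of the "research the link first" and domain verification steps: it flags shortener hosts and brand-lookalike domains, and reads the destination out of a redirect response so a short link can be resolved without visiting it. The shortener list, the brand-to-domain map and the sample redirect are assumptions built from the URLs shown in the deck.

```python
"""Triage a link before anyone clicks it: flag shortener hosts, flag
brand lookalike domains, and read a redirect's Location header so the
real destination can be inspected without following it.
Lists and the sample redirect below are assumptions for this example."""
from typing import List, Optional
from urllib.parse import urlparse

SHORTENERS = {"tinyurl.com", "bit.ly"}  # hosts named in the deck; extend as needed
TRUSTED = {"hallmark": "hallmark.com", "paypal": "paypal.com"}  # brand -> real domain


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplification: no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def triage(url: str) -> List[str]:
    """Reasons the link deserves a second look; an empty list means none found."""
    host = (urlparse(url).hostname or "").lower()
    reasons = []
    if host in SHORTENERS:
        reasons.append(f"shortened link via {host}: destination hidden")
    for brand, real in TRUSTED.items():
        if brand in host and registrable_domain(host) != real:
            reasons.append(f"lookalike domain {host!r} is not {real}")
    return reasons


def destination_of(raw_response: str) -> Optional[str]:
    """Location header of a raw HTTP redirect response, i.e. what a HEAD
    request with redirects disabled returns for a short link; None otherwise."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    status_line, *headers = head.split("\r\n")
    parts = status_line.split()
    if len(parts) < 2 or parts[1] not in {"301", "302", "307", "308"}:
        return None
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    return None


# Constructed: a shortener answering for the deck's bit.ly link with the
# deck's hallmark-e-card.com URL as the destination.
SAMPLE_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: http://www.hallmark-e-card.com/ecard-link/id=1178jaj8s87hjffkjk1212\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    target = destination_of(SAMPLE_REDIRECT)
    print(triage("http://bit.ly/2adfq25"), target, triage(target or ""))
```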
Targeting Employees Hybrid Social Engineering
Starting the attack Objective: Use social engineering and malware to gain access to desktop
Targeting personnel I already know the employees at the organization Used LinkedIn I already know their email address Used email bounce technique To complete this attack I also need to know the IT security manager Get that through LinkedIn or simply call the organization and ask
Targeting personnel We are ready to start the attack Start with social engineering
The security update Employee calls the 800 number Operator conducts validation process
The security update Ask the user to go to GoToMeeting.com Once there, give them a meeting code to connect GoToMeeting allows a free trial of their account This allows criminals to use the solution without using real information
The security update Now we assist them with their update Video
What does this mean? Kathy thinks everything is OK and her computer is secure Reality: Complete compromise of her desktop Bypassed security on the desktop / network Launch point for more attacks including the core processor Warm handoff to another employee
What can you do? Never trust an email Never allow remote control of your desktop Never install software or allow others to install software on your desktop without approval
What can you do? Never pass calls to co-workers Never assume a call passed from a co-worker is trusted. When in doubt, pick up the phone and ask someone in your IT department
Targeting Employees System Administrators
Attacking the admins Why target an admin? IT Managers & System Administrators have all the access When compromised, criminals now have all the access Easy to find IT admins
Attacking the admins Use their vendor relationships against them Most organizations work with many vendors Often these relationships are public
credit union chooses
Attacking the admins What we know We have the name of the admin We have the email address We know their financial institution works with Fiserv What else do we need? Name of employee at Fiserv
Fiserv customer services
Putting it all together We found an IT Admin via LinkedIn Bill Smith We know our plan of attack Email attachment We know a banking solution they use Fiserv We know who the email will come from Katrin Rollins
Attacking the admins Let's start the attack
Attack the admins This will be the email Vice President, Professional Services & Customer Support
Attacking the admins Yep, it's on! New remote connection confirmed. Device: 3 Have a great day. :)
Attacking the admins
Microsoft Windows [Version 6.1.7601]
(C) Copyright 2009 Microsoft Corp.

C:\Documents and Settings\Administrator> netstat -na

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:554            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:902            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:912            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING
Attacking the admins What happened?
Other attachments It's not just Adobe
Using Admin Access
Administrators have access High risk servers: Core processor Web servers Document management servers Database servers ATMs Patch management Routers, firewalls, switches
Now that we are on Once on the network, what to do first? Install a rootkit which includes Keyboard logging Audio monitor Camera monitor Screen scrape software Web traffic monitor
Systematic attack Started with email attack Gained access to administrator's desktop Used desktop to gain access to secured ATM network segment Once on network segment found server used as upgrade site for ATMs (No access to ATMs directly)
Upgrade server How did it work?
What does this mean? How could this be used to our advantage? We don't have access to connect to ATM servers We can't exploit any known vulnerabilities What if we make our own upgrade installer?
What does this mean? What could it do?
What does this mean? What should the malicious code do? Avoid trying to modify existing software Install code that accesses the cash dispenser Tell the ATM to dispense cash at a specified time
What does this mean? Can this really be done? Video
What can be done? Employee awareness & education Install security patches Be cautious of ALL attachments Even non-executable Be cautious of all websites Flash is not your friend Limit and monitor outbound data connections
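Added example (not from the deck) for the last point, "limit and monitor outbound data connections", and the earlier observation that a compromised machine can call home at scheduled times: it scans an outbound connection export for flows whose inter-connection intervals are nearly constant. The records, thresholds and column layout are assumptions constructed for the example.

```python
"""Flag hosts that 'call home' on a schedule.

Malware on a compromised desktop typically reconnects to its operator at a
fixed interval; normal browsing does not. Records below are constructed
(epoch seconds, source, destination, port); a real firewall or proxy export
has more columns but the same check applies."""
from collections import defaultdict
from statistics import mean, pstdev

SAMPLE_CONNS = [
    # Desktop 10.0.5.23 reaching 198.51.100.9:443 every ~600 s (beacon).
    (1458032400, "10.0.5.23", "198.51.100.9", 443),
    (1458033002, "10.0.5.23", "198.51.100.9", 443),
    (1458033598, "10.0.5.23", "198.51.100.9", 443),
    (1458034201, "10.0.5.23", "198.51.100.9", 443),
    (1458034799, "10.0.5.23", "198.51.100.9", 443),
    # Same desktop browsing a site normally: irregular timing.
    (1458032410, "10.0.5.23", "203.0.113.44", 443),
    (1458032415, "10.0.5.23", "203.0.113.44", 443),
    (1458033900, "10.0.5.23", "203.0.113.44", 443),
    (1458034800, "10.0.5.23", "203.0.113.44", 443),
    (1458034805, "10.0.5.23", "203.0.113.44", 443),
]


def find_beacons(conns, min_count=5, max_jitter=0.1):
    """Return {(src, dst, port): mean_interval_s} for flows with at least
    `min_count` connections whose gaps are regular: coefficient of variation
    (population stdev / mean) no greater than `max_jitter`."""
    by_flow = defaultdict(list)
    for ts, src, dst, port in conns:
        by_flow[(src, dst, port)].append(ts)
    beacons = {}
    for flow, times in by_flow.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[flow] = avg
    return beacons


if __name__ == "__main__":
    for flow, interval in find_beacons(SAMPLE_CONNS).items():
        print(f"{flow[0]} -> {flow[1]}:{flow[2]} every {interval:.0f} s")
```

Tune `max_jitter` upward if the tooling adds sleep jitter; the browsing flow here still fails the check by a wide margin.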
In the end You can't prevent every security risk Education and awareness are an important defense against cyber attacks Remember that you can spend hundreds of thousands on security products and it just takes one human mistake to bypass it all
-Register for the weekly security newsletter-
Employee Education Solutions Jim Stickley jim@stickleyonsecurity.com www.stickleyonsecurity.com