
A Trusted News Channel:

About two months ago, a non-profit organization started receiving e-mails from a new Chinese news portal. While the site itself contained little content, the e-mails were insightful articles on Chinese affairs. The recipients did not know where this content was coming from, but found it useful. Because the mails contained no links, the messages gradually became more and more trusted. Eight messages into the cycle, one included a link that pointed to a browser exploit.

Source: Sans.org

Security Examples

Convincing users to forward messages:

Most people have a limited circle of friends from whom they will trust any content. If an attacker is able to fingerprint this circle, for example through social networks, they can abuse it to make a message appear more trusted than it in fact is. In a real-life example, the attackers identified that their target had a friend who was relatively inexperienced in IT and had publicly said so in an online article. They spoofed a message from one of this friend's own contacts, saying he was interested in applying for a job with the organization where the actual target worked, sent it to the target's friend, and asked him to forward it. The friend forwarded the message, thereby presenting the applicant as a "trusted contact". As a result, malicious content suddenly became very trusted.

Source: Sans.org

Matching content to topics of interest:

This is probably the most obvious technique: content that interests the reader is more likely to generate click-through. Exploiting a specific situation, with a thorough understanding of the target's needs, is even more effective. During the Tibetan protests in early 2008, a US-based NGO that was actively working with Tibetans on getting video material from Lhasa to activist groups started receiving video files that were in fact Trojans.

Source: Sans.org

Tricky Social Engineering example: Infection on USB stick.

Social engineering is the act of manipulating people into performing actions or divulging confidential information.

According to F-Secure, Conficker (or Downadup, depending on your AV tool) has infected millions of machines. The true number is probably higher, since some users will not notice any difference in how their workstation behaves.

The reason for the number of infections is that the worm uses multiple infection vectors:

• It exploits a known vulnerability.

• It brute-forces Administrator passwords on local networks and spreads through ADMIN$ shares.

• It infects removable devices and network shares by creating a special autorun.inf file and dropping its own DLL on the device.

The malicious payload is launched through a crafted autorun.inf file. When a user inserts an infected device, such as a USB stick, they see the following dialog, which looks as expected.

[Image: the Windows AutoPlay dialog shown for the infected USB stick]

A normal user may not notice that the first and second options appear to be the same. This can easily fool the user into thinking they are opening the USB stick when they select the first option instead of the second, real one. The first option runs Conficker and infects the machine.
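To show what a defender can look for in that autorun.inf, here is an added example (my own code, not from Sans.org or the F-Secure write-up) that parses the file and flags the indicators described above: an action label that imitates the default "Open folder to view files" entry, a DLL launched via rundll32 from a recycle-bin folder, and a forced AutoPlay entry. The two autorun.inf bodies are constructed samples, and the DLL name is a placeholder.

```python
import re

# Constructed sample in the style described above (not a real Conficker
# sample): junk lines a parser must skip, an action label copying the Windows
# default entry, and a placeholder DLL launched through rundll32.
SAMPLE_AUTORUN_INF = """
[autorun]
;zq9x junk that a parser should ignore
Action=Open folder to view files
Icon=%SystemRoot%\\system32\\shell32.dll,4
;more junk
shellexecute=RUNDLL32.EXE .\\RECYCLER\\placeholder.dll,abc
UseAutoPlay=1
"""

# Constructed benign autorun.inf, as a driver CD might carry: icon and label only.
BENIGN_AUTORUN_INF = """
[autorun]
icon=setup.ico
label=Driver CD
"""

# Keys that can cause code to run when the device is inserted.
EXEC_KEYS = {"open", "shellexecute", "shell\\open\\command"}
# The built-in AutoPlay choice, compared case- and whitespace-insensitively.
DEFAULT_LABEL = "openfoldertoviewfiles"


def parse_autorun(text):
    """Return the key/value pairs of the [autorun] section with lower-cased keys.
    Lines that are not key=value (comments, junk) are skipped, as Windows does."""
    pairs = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            pairs[key.strip().lower()] = value.strip()
    return pairs


def suspicious_indicators(text):
    """Return a list of human-readable findings for one autorun.inf body."""
    pairs = parse_autorun(text)
    findings = []
    action = pairs.get("action", "")
    if re.sub(r"[^a-z]", "", action.lower()) == DEFAULT_LABEL:
        findings.append("action label imitates the Windows default AutoPlay entry")
    for key in sorted(EXEC_KEYS & pairs.keys()):
        cmd = pairs[key].lower()
        if "rundll32" in cmd or ".dll" in cmd:
            findings.append(f"{key} runs a DLL rather than an installer: {pairs[key]}")
        if "recycler" in cmd or "$recycle.bin" in cmd:
            findings.append(f"{key} points into a recycle-bin folder")
    if pairs.get("useautoplay", "") == "1":
        findings.append("UseAutoPlay=1 forces the custom action into the AutoPlay dialog")
    return findings


if __name__ == "__main__":
    for name, body in (("sample", SAMPLE_AUTORUN_INF), ("benign", BENIGN_AUTORUN_INF)):
        print(name, suspicious_indicators(body) or ["no indicators"])
```

Run it against the autorun.inf at the root of any removable drive before trusting the AutoPlay dialog. The indicator list is deliberately narrow; a clean parse of a file that only sets icon and label, as in the benign sample, yields no findings. The more robust fix remains the one suggested below: turn AutoPlay off, which on Windows is the NoDriveTypeAutoRun policy value set to 0xFF.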

As of the writing of this article it is still unclear exactly what this worm does, although it is known to "phone home" and would probably allow remote control of the infected workstation.

Suggestions:

Disable the autoplay functionality, unless you really need it.

Completely disable USB.

This information was compiled from articles on Sans.org
