Gone Phishing: Understanding Social Engineering Attacks 888.702.5446 | www.A-LIGN.com | info@a-lign.com
Presenter
Petar Besalev, Director of Security Services at A-LIGN
Areas of concentration include: Penetration Testing, PCI DSS, ISO 27001, FedRAMP, FISMA, HIPAA/HITECH
Professional designations: CISA, CIPT
Agenda
Understanding Social Engineering
Recent Social Engineering Attacks
Case Study of Successful Social Engineering Attacks
Preventing Social Engineering Attacks
Summary
Understanding Social Engineering
What is a Breach?
A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to
Data breaches may involve:
  PCI – Payment card information
  PHI – Protected health information
  PII – Personally identifiable information
  Trade secrets
  Intellectual property
What is Social Engineering?
Any type of communication that exploits the human factor in order to gather sensitive information
Could include:
  Phishing
  Pretexting
  Baiting
  Other
The Cybersecurity Landscape
“No locale, industry or organization is bulletproof when it comes to the compromise of data.” – Verizon’s 2016 Data Breach Investigations Report
Source: Verizon’s 2016 Data Breach Investigations Report
Recent Social Engineering Attacks
Gmail Attack
The current attack compromises an account, then looks for people you have recently sent emails to and sends each of them an email with an attachment
Once the attachment is clicked, the Gmail previewer doesn’t load the email – it opens a Gmail login box
Utilizes a convincing URL – it starts with https://accounts.google.com
Snapchat Attack
Snapchat was the victim of a phishing attack
Snapchat’s payroll department was targeted by an email scam in which an individual impersonated the CEO of Snapchat and asked for employee payroll information
Breach could include:
  Social security numbers
  Bank details
  Addresses
  Emails
Dropbox Attack
Users received an email emulating Dropbox
Once the link is clicked, a page pops up prompting users to log in to their account
Once the information is entered, their account and password are compromised
Savvy users would be tipped off by the URL being inconsistent with Dropbox’s URL
Attacks are becoming more sophisticated
Identifying Social Engineering Attacks
Phishing
Phishing is a series of communications sent in order to deceive individuals into providing sensitive information
Phishing employs both technical wherewithal and social engineering in order to steal consumer information
The most common type of social engineering attack:
  9,576 total incidents
  916 with confirmed data disclosure
  13% of people tested click on a phishing attachment
Phishing (cont’d)
Phishing can take the form of email messages, website forms, or phone calls and can be designed to reveal different information. This information can take the form of:
  Credit card or other financial information
  Social security information
  Account logins and passwords
  Personal Identification Numbers (PINs)
Examples of phishing:
  An email from an account that you own requesting that you “reverify” the information in your account.
Pretexting
Pretexting consists of creating a made-up scenario in order to engage with the target
Typically, the attacker will do research to provide setup and use uncommon information in order to impersonate someone else and establish legitimacy
Can be used over the phone or to gain physical entry to a location
Pretexting (cont’d)
Examples of pretexting:
  The attacker could wear a cable company shirt and come to your organization for an “inspection”
  The pretext of the shirt lends credibility, suggesting they are worthy of trust
  Once they are in, they can obtain access to networks, or search for confidential information on site
Baiting
The modern Trojan horse
In these attacks, attackers leave malware-infected items (USB, CD) in locations where people will find them, labelled with intriguing names such as “CONFIDENTIAL”
Once the item is inserted into a computer, the malware is installed and provides access to computers and networks
Other Types of Social Engineering
Tailgating: to gain physical entry to a location, an attacker follows someone with legitimate access into the location
Elicitation: extracting information from a subject via conversation
Whaling: a type of CEO fraud where, after gaining access to an executive’s email, the attacker requests funds or other information from lower-level employees. The Snapchat attack is an example of whaling
Case Study of a Social Engineering Attack
Case Study
A-LIGN ran an extensive social engineering campaign against Company A in the form of a false Security Awareness Training Program
Results: 3 high-level vulnerabilities that, if exploited, would allow the attacker privileged-level access to the system
Case Study
The email phishing campaign was broken into three sections:
  The phishing email, “sent” by the CISO of the company to all employees except C-level positions, with an embedded link that took users to a spoofed login page
  The login page itself, where credentials are captured
  A training video page that included a survey asking users for their first name and last name to verify information
Case Study
A-LIGN sent emails to 72 inboxes
9 username and password combinations were obtained from users who clicked the embedded link and entered their credentials
Case Study - Vulnerabilities
Submission of usernames and passwords (High – CVSS 9.0)
Many employees indicated that they log in to company accounts while on public WiFi. Use of public WiFi coupled with clear-text password submission can allow eavesdropping attackers to capture their credentials
Case Study - Vulnerabilities
Responding to phishing emails (High – CVSS 8.0)
During the social engineering testing, an employee responded to the phishing email stating “Nice try” – however, in doing so, the reply gave A-LIGN an internal IP address and more information about the internal network.
Case Study - Vulnerabilities
Compromised systems via social engineering (High – CVSS 9.0)
A-LIGN was able to gain access to multiple machines following the social engineering engagement. A-LIGN used the usernames and passwords that were entered into the fake login page to log in to employee machines.
After logging into employee machines, A-LIGN was able to use passwords that were saved in the web browsers on those machines, and on any other secured sites that were left open. Using these credentials, A-LIGN was able to log in to an external administrator page, a vault server, and Office 365 systems.
Preventing Social Engineering Attacks
Report Attacks
Create a procedure that makes it easy for employees to report social engineering attacks
Create a culture of awareness to prevent sensitive information from being compromised
If one employee who is subject to a phishing attack identifies it and notifies the IT department, the attack can be stopped in its tracks before the organization or individual is compromised
Employee Education
Teach employees how to handle social engineering attacks so that they are prepared in the event of an attack
Show examples of recent attacks so that they know what to look for
Train employees to report attacks
Check the Details
Common tells:
  Poor spelling
  Poor grammar
  Abnormal sender
  Unfamiliar URLs
  Inconsistent URLs or information provided
Be Aware of Abnormal Requests
Are you expecting to receive a request from this person?
RED FLAG: Someone is requesting information that they should already have
Unexpected account reverifications should be treated cautiously
Activating two-factor authentication on all accounts can help identify whether an email is authentic or a phishing attack
Implement Policies
Implement security policies such as:
  Only entering information on HTTPS-protected sites
  Utilizing anti-virus software to detect attacks
  Regularly updating and patching systems that could be compromised or outdated
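The tells listed on the last three slides (an abnormal sender, URLs that are inconsistent with the brand they claim, non-HTTPS submission, and the data: style link that made the Gmail lure look like https://accounts.google.com) can be checked mechanically by a mail gateway or by the tool employees report suspicious mail into. The Python below is an added example written for this page; it is not A-LIGN's tooling and not from any of the cited sources. The KNOWN_BRANDS table, the SAMPLE_EMAIL and its hostnames are constructed, the function names (analyze, check_headers, check_link, registered_domain) are hypothetical, and the two-label "registered domain" heuristic stands in for a real public-suffix list.

```python
"""Phishing-indicator checks over the headers and links of one email.

Added example, not code from the A-LIGN deck. KNOWN_BRANDS, SAMPLE_EMAIL and
every hostname in it are constructed; registered_domain() is a two-label
heuristic standing in for a public-suffix list.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands the organisation expects mail from, mapped to the registered domain
# that legitimately serves them (constructed table for this example).
KNOWN_BRANDS = {"dropbox": "dropbox.com", "google": "google.com", "gmail": "google.com"}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (assumption: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(href: str, text: str) -> list[str]:
    """Inconsistent-URL and non-HTTPS tells for one <a href> and its visible text."""
    findings: list[str] = []
    url = urlparse(href.strip())
    if url.scheme == "data":
        # A data: URI renders an inline page rather than visiting a site; the
        # Gmail lure used one whose payload began with https://accounts.google.com.
        findings.append("data: URI link renders a page inline instead of visiting a site")
        return findings
    if url.scheme != "https":
        findings.append(f"link is not HTTPS (scheme: {url.scheme or 'none'})")
    served_from = registered_domain(url.hostname or "")
    # Brand name somewhere in the URL, but served from a domain that is not the brand's.
    for brand, legit in KNOWN_BRANDS.items():
        if brand in href.lower() and served_from != legit:
            findings.append(f"URL mentions {brand} but is served from {served_from}")
            break
    # The visible link text is itself a URL whose domain differs from the href.
    shown = text.strip()
    if re.match(r"https?://", shown, re.I):
        shown_domain = registered_domain(urlparse(shown).hostname or "")
        if shown_domain != served_from:
            findings.append(f"link text shows {shown_domain} but href goes to {served_from}")
    return findings


def check_headers(msg: Message) -> list[str]:
    """Abnormal-sender tells: Reply-To mismatch and a display name claiming a brand."""
    findings: list[str] = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr:
        reply_domain = reply_addr.rpartition("@")[2].lower()
        if registered_domain(reply_domain) != registered_domain(from_domain):
            findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    for brand, legit in KNOWN_BRANDS.items():
        if brand in from_name.lower() and registered_domain(from_domain) != legit:
            findings.append(f"display name claims {brand} but sender domain is {from_domain}")
            break
    return findings


def analyze(raw_email: str) -> dict[str, list[str]]:
    """Map 'headers' and each href in the body to the list of tells found for it."""
    msg = message_from_string(raw_email)
    report: dict[str, list[str]] = {"headers": check_headers(msg)}
    body = "" if msg.is_multipart() else msg.get_payload()
    for href, inner_html in ANCHOR_RE.findall(body):
        report[href] = check_link(href, TAG_RE.sub("", inner_html))
    return report


# Constructed sample modelled on the Dropbox and Gmail lures described above.
SAMPLE_EMAIL = """\
From: "Dropbox Support" <no-reply@dropbox-secure-login.net>
Reply-To: verify@mailbox-account-check.com
Subject: Action required: re-verify your account
Content-Type: text/html

<p>A file has been shared with you.</p>
<a href="https://www.dropbox.com.login-check.net/signin">https://www.dropbox.com/login</a>
<a href="data:text/html,https://accounts.google.com/ServiceLogin">View attachment</a>
<a href="https://www.dropbox.com/help">Help Center</a>
"""

if __name__ == "__main__":
    for item, tells in analyze(SAMPLE_EMAIL).items():
        print(item, "->", tells or ["no tells"])
```

Run as a script it prints the tells per header block and per link; the genuine help-centre link comes back clean, which is the point of keying the brand table to a registered domain rather than matching the brand name alone. A production gateway would replace registered_domain() with a public-suffix list and extend the checks with SPF/DKIM/DMARC results.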
Test Your Organization with a Penetration Test
Conducting a penetration test with social engineering is a way to analyze areas of security weakness within your organization
Three comprehensive testing services:
  Social engineering
  Network layer testing
  Web application testing
Social Engineering Testing
Emulates an authentic social engineering attack
May include:
  Targeted phone calls
  Targeted emails
  Attempts to bypass physical controls
Network Layer Testing
Tests network devices such as:
  Servers
  Firewalls
  Routers
  Switches
Used to identify security weaknesses such as:
  Unpatched systems
  Default passwords
  Mis-configured devices
Web Application Testing
Testing of a web application’s:
  Authentication mechanisms
  Input screens
  Functionality
  User roles
Identifies weaknesses in the application
Screens for common vulnerabilities such as the OWASP and SANS Top 20
Tests vulnerabilities unique to your web application
Summary
Summary
Stay updated on the types of social engineering attacks that are occurring in order to prevent them
Understand the different types of attacks that your organization could face
Test your system regularly in order to understand where remediation is necessary
Questions?
Please send additional social engineering questions to info@a-lign.com
Sources
http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
http://www.forbes.com/sites/leemathews/2017/01/16/gmail-phishing-attack-targets-your-contacts/
https://techcrunch.com/2016/02/29/snapchat-employee-data-leaks-out-following-phishing-attack/
http://www.mailguard.com.au/blog/beware-another-fake-dropbox-phishing-scam
http://www.mineheroes.net/threads/mineheroes-website-url-secure-connection-https.48774/
http://news.softpedia.com/news/Amazon-Customers-Tricked-with-Ticket-Verification-Number-Phishing-Email-473445.shtml#sgal_0
https://ulife.vpul.upenn.edu/careerservices/blog/2012/04/24/summer-checklist/checklist/