Saturday, 16 November 2013

How To Protect Yourself From Social Engineering

Image via Flickr user Travis V.
Social engineering is what powers phishing emails, and malicious websites that are dressed up to look like safe, popular websites. During a discussion with Chris Hadnagy, Chief Human Hacker at Social-Engineer Inc., I asked him how to spot these scams. His advice echoes what we've often told readers: always be suspicious.
More Than A Con
From my discussion with Hadnagy, it's clear that some of what we call social engineering are the same tricks that people have used influence decisions for years. The fast food industry, for example, famously explored what colors would encourage people to eat faster. Phony spiritualists from the 19th century (which includes members of my family) and today use a tactic called "cold reading" to trick victims into revealing information about themselves.
But there's more to social engineering than cheap tricks, as demonstrated by the Social Engineering Capture the Flag Competition held at Def Con. Here, contestants earn points for information they glean from researching companies and from contacting those companies directly. Hadnagy said that the best scoring contestants also did the most research, which demonstrates how useful it is to know your targets.
Unfortunately, now is a great time to be a social engineer doing research, or open source information gathering. Hadnagy explained that companies and individuals post a lot of information on social media, much of which can be used in social engineering attacks. Previously, we looked at how scammers tried to use information gleaned from Facebook to make their scams seem more appealing—sometimes with hilarious results.
Targeting Emotion
One of the best social engineering tactics is to keep you from thinking critically, usually by targeting emotion. Hadnagy said that one attack that nearly fooled him claimed to be an Amazon shipping email. "It was something personal, something that affected my life, and something that was important to me," he said.
In this particular attack, Hadnagy received an email saying that one of his important Amazon orders was delayed due to a declined credit card number. In the days leading up to a major conference, Hadnagy said that he was overworked and clicked the link in the email—instead of visiting Amazon directly. The page he was taken to was well crafted, but thankfully he noticed the ".ru" domain before entering any personal information.
While it was simple, this tactic was very effective. "I'm the guy that, because of what I do, phished over 190,000 people in the last few months," said Hadnagy, referring to his consulting work. "I almost fell for this attack."
Another advantage of appealing to emotion is that it doesn't require the kind of research the best social engineers employed. "What we'll see is that [attackers] pick things that are important to the masses." Hadnagy explained that this includes UPS shipping, Amazon orders, and PayPal transfers.
Mass appeal also works well for broadcasting en-masse, another frequent tactic. "They send these to millions of people at a time, so they don't care if they get 100 percent," said Hadnagy. "10 percent is still thousands of compromised accounts."
Staying Safe
Many of the tactics used to spot phishing emails are true for social engineering as well. Anything that sounds too good to be true—or too bad to be true—probably isn't true. Tactics like hovering over links to see the full URL, manually entering web addresses, and avoiding links that arrive out of the blue are all sound tactics.
But the live calling portion of the Capture the Flag competition highlights another facet of social engineering: institutional trust. This year, many of the contestants posed as coworkers or vendors, which gave the employees at the target companies an immediate reason to trust them. Sometimes, it pays to ask questions when someone claiming to be the CEO of your company calls you personally.
Hadnagy has made a career explaining social engineering, but he's not concerned if attackers are picking up his tricks. "The bad guys aren't looking for the data on how to do this," he told SecurityWatch. "They already know how. The problem is that the good guys don't." Through his work, Hadnagy believes he can teach corporate America and regular folks how to think critically about their daily interactions, and how to respond in worst case scenarios. Hadnagy explained it this way: "Instead of arming the bad guys, it arms the good guys."

Ten-Thousand CryptoLocked-Out

CryptoLocker 2 Just when you thought all your troubles were gone, CryptoLocker snuck back into the scene. Some of you may recall this malware menace from last month that was used in a ransomware campaign. In a blog post, security company Bitdefender revealed that CryptoLocker claimed over 10,000 victims in one week.
To refresh your memory, CryptoLocker is a Trojan that encrypts documents on victims' computers and holds them ransom for $300. If you don't cough up the money, CryptoLocker threatens that it will delete the decryption key, rendering the infected files unreadable.
Capturing CryptoLocker's TrafficBitdefender Labs researchers were able to reverse-engineer the CryptoLocker domain generation algorithm and capture traffic directed to its related domains between October 27 and November 1. Throughout the week, exactly 12,016 struggled to contact these void domains. Looking at the distribution of infected hosts and available payment methods, US systems seem to be the only ones targeted. Other unfortunate systems that fall victim to CryptoLocker just appear to be part of the collateral damage.
Domain generation algorithms of ransomware applications, like CryptoLocker, generate new command and control subdomains daily to avoid getting their networks shutdown by the authorities. CryptoLocker's command and control servers usually don't stay online for more than a week and are changed frequently. Bitdefender noted that during the time its researchers monitored the ransomware activity, these servers were located in Russia, Germany, Kazakhstan and Ukraine.
Protect YourselfIt shouldn't come as a shock that CryptoLocker nabbed more than 10,000 victims in a week. While people know they're at risk for malware attacks, some users don't bother to purchase antivirus software until their devices are hit. Obviously this mentality isn't exactly the best way to protect yourself.
Get antivirus software before you become victim to cyberattacks; there are plenty of options out there, including free ones. One of our favorites is Bitdefender Antivirus Plus (2014). Bitdefender also offers a CryptoLocker-blocking tool that prevents your PC from getting infected. Even if you think the chances are low, you can still be targeted in a malware campaign.

Microsoft Silverlight users at risk from Angler exploit kit

Digital security padlock red image
Hackers are using the Angler exploit kit to automatically spread malware using a vulnerability in the Microsoft Silverlight service.
Malwarebytes senior security researcher Jerome Segura uncovered the attack targeting a vulnerability in Microsoft Silverlight versions 5 and below, warning that it has the potential to infect millions of PCs with malware.
"The flaw, which exists in versions prior to 5.1.20125.0, allows attackers to execute arbitrary code on the affected systems without any user interaction," he said.
"Upon landing on the exploit page, the Angler exploit kit will determine if Silverlight is installed and what version is running. If the conditions are right, a specially crafted library is triggered to exploit the Silverlight vulnerability. As with all exploit kits, leveraging vulnerabilities is just an intermediary step for the real motive: pushing malware onto the victim's machine."
Silverlight is a Microsoft service similar to Adobe Flash, which is used for rich internet applications. The Silverlight web plugin is used by several popular services, including Netflix, which currently boasts over 40 million global users. Segura said he expects hackers to add the Silverlight vulnerability to other exploit kits in the very near future.
"We can expect this CVE [common vulnerability and exposure system] to be integrated into other exploit kits soon, so it is important to make sure you patch all your machines now," he said. "If you don't need Silverlight – or other plugins – simply remove it altogether as that will help to reduce your surface of attack."
Exploit kits are hack tools traded on cyber black markets, which let users automatically mount cyber attacks on known vulnerabilities to spread a variety of malware. The kits have been used in several recent high-profile attacks.
Earlier this year hackers were spotted using the Blackhole exploit kit to mount a sophisticated phishing scam, sending out bogus malware-ridden emails claiming to be from high-profile companies such as Facebook and LinkedIn. Malwarebytes also discovered new ransomware being spread by the Neutrino exploit kit, targeting Java with a fake Skype file.

Microsoft opens Cybercrime Center to tackle malware and cyber crime

Microsoft has declared war on cybercrime by opening a new specialist Cybercrime Center on its Redmond campus dedicated solely to detecting and countering blackhat hackers.
The Cybercrime Center will offer its legal and technical expertise to law enforcement agencies such as Interpol. It will specifically focus on tackling crimes associated with malware, botnets, intellectual property theft and technology-facilitated child exploitation.
The centre will also be open to security experts from third-party partners and universities. Microsoft promised it will have advanced malware and threat-detection technologies that will let experts and law enforcement identify developing cyber threats in real time.
These include SitePrint, PhotoDNA and cyber-forensics services. SitePrint is a technology designed to track and map online organised crime networks, PhotoDNA is an anti-child-pornography technology designed to root out and remove illicit images of minors and cyber forensics detects global cybercrime such as online fraud and identity theft scams. The centre will also share cyber threat intelligence from Microsoft's botnet takedown operations.
Associate general counsel of the Microsoft Digital Crimes Unit, David Finn, said the centre is a key step in the company's ongoing bid to keep its customers safe from blackhat hackers.
"The Microsoft Cybercrime Center is where our experts come together with customers and partners to focus on one thing: keeping people safe online," said Finn. "By combining sophisticated tools and technology with the right skills and new perspectives, we can make the internet safer for everyone."
The centre's opening comes during a wider push by governments to increase collaboration between the public and private sector when combating cybercrime. The UK government's Cyber Security Strategy has seen the creation of several information-sharing initiatives similar to the Microsoft Cybercrime Center. This included the launch of the Cyber Security Information Sharing Partnership (CISP) earlier in the year.
Microsoft has been a constant supporter of the strategy and its Trustworthy Computing (TwC) arm has participated in several botnet-takedown operations. Most recently TwC partnered with the FBI to take down the Citadel botnet.
The opening of the Microsoft Cybercrime Center has been welcomed by several law enforcement agencies. Interpol executive director Noboru Nakatani said the centre will be an invaluable tool for agencies combating cybercrime and called for other companies to follow Microsoft's example.
"In the fight against cybercrime the public sector significantly benefits from private sector expertise, such as provided by Microsoft," said Nakatani. "The security community needs to build on its co-ordinated responses to keep pace with today's cyber criminals. The Microsoft Cybercrime Center will be an important hub in accomplishing that task more effectively and proactively."
Symantec pledged to create a centralised information-sharing big data hub to help customers spot and pre-empt custom-built malware.