Page 36 - Cyber Warnings
Professional penetration tester Chris Roberts of One World Labs states that, "Whether breaking
into buildings or slipping past industrial-grade firewalls, my goal has always been the same:
extract the informational secrets using any means necessary." When given the mission of
performing a penetration test for a high net-worth client, Roberts used the internet to find a phone
number and an email address the client had posted in a public forum for concert tickets.

The office number for the client (in this instance) allowed Roberts to gain access to personal cell
phone numbers, mortgage information and a home address by posing as a publicist on the phone.
According to Symantec, bad actors aren't targeting Windows vulnerabilities for exploit; they are
going after people. Approximately 3% of malware used by perpetrators is used to exploit a
technical glitch. The other 97% of malware is used to trick victims, or serves as a ruse within a social
engineering scheme.

Common Attacks

91% of breaches are the result of phishing. Phishing has been around for quite a while and
may be the most common type of social engineering. Phishing uses threats, fear and a sense
of urgency to motivate and manipulate victims into acting immediately on spoofed websites, or on
shortened or embedded links that lead to suspicious websites. Ultimately, the
actions, if successful, will provide the social engineer with personal information like names,
addresses and credit card numbers. Phishing emails can run the gamut from mass-produced,
low-quality emails (with spelling errors and obvious misinformation) to focused emails (spear
phishing) with detailed information and professional-looking logos and signatures.

A McAfee Phishing Quiz found the most successful phishing email was spoofed from the United
Parcel Service (UPS). The logo and branding matched and the website URL was displayed as
UPS.com. Of note was the fact that the email contained only one malicious URL link. The first
URL was a bona fide package tracking link. Only the second one, which encouraged the
download and opening of an "invoice" (malware), was bad.

As we know, phishing, the (mostly) email-based attack, gets its power from people clicking on
an embedded link within an official-looking email that can take them to a nefarious site or
require victims to enter personal information under the guise of responding to a query from their
bank or another trusted institution. Vishing, phishing's lower-tech cousin, uses the telephone to try to
extract personal information from potential victims. This technique precedes phishing and dates
back to the days when a social engineer attempted to get credit card numbers from trusting
victims over the phone.
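The two points above, a link whose visible text names one site while its destination is another, and links hidden behind URL shorteners, are exactly what a mail gateway or analyst script can check for. The following is an added example, not code from the article or from McAfee or UPS: it parses the anchors of an HTML email body with Python's standard library and flags the two patterns. The sample email, the shortener list and the domain names in it are constructed for illustration.

```python
"""Flag phishing-style links in an HTML e-mail body.

Added example, not part of the original article. It applies two heuristics
the text describes: a link whose visible text names one domain while the
href points to another, and a link routed through a URL shortener.
All sample data in this file is constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a small illustrative list of shortener hosts; a real deployment
# would use a maintained list.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Matches something that looks like a domain name inside the link's visible text.
_DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host):
    """Crude brand-domain extraction: the last two labels of the host.
    Assumption: adequate for .com-style names; ignores multi-part TLDs."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse_links(html_body):
    """Return a list of (href, reason) findings for suspicious anchors."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if host in SHORTENER_HOSTS:
            findings.append((href, "url-shortener"))
            continue
        shown = _DOMAIN_RE.search(text)
        if shown and _registrable(shown.group(1)) != _registrable(host):
            findings.append(
                (href, f"text shows {shown.group(1)} but href goes to {host}")
            )
    return findings


# Constructed sample modelled on the UPS-style lure described in the text:
# one genuine tracking link, one shortened "invoice" link, one look-alike link.
SAMPLE_EMAIL = """
<p>Your parcel is on its way.</p>
<p>Track it: <a href="https://www.ups.com/track?num=1Z999">UPS.com</a></p>
<p>Download your <a href="http://bit.ly/EXAMPLE">invoice</a> to review charges.</p>
<p>Or view it at <a href="http://ups-invoice-portal.example.net/inv.zip">www.UPS.com</a></p>
"""

if __name__ == "__main__":
    for href, reason in analyse_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

Run against the sample, the genuine tracking link passes while the shortened "invoice" link and the look-alike "www.UPS.com" link are both flagged; the genuine link passing is the important part, since the McAfee finding was that a lure with one good link and one bad link was the most effective.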

Pretexting relies on a social engineer's back story or scenario to gain the victim's trust. By
using small amounts of actual, personal information (put together from various web sources), a
social engineer can gain enough confidence to extract more information from the victim. Social engineers
may advance their attacks to convincing victims to perform malicious acts, without the victims'
knowledge, in order to exploit a company or business. These attacks can be done online or in person.
Impersonating a janitor who "lost his keys" is a perfect gambit for a social engineer to gain
access inside a building or room for a seemingly authorized purpose.


36 Cyber Warnings E-Magazine – May 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
