Slide 1

Trends in Social Engineering: Evolving with Cyber-criminals to better respond to tactics, techniques, & procedures

Slide 2

Agenda
▪ A Look at the Numbers
▪ Tactics, Techniques & Procedures
▪ Open Source Intelligence (OSInt)
▪ Phishing Trends
▪ SMiShing on the rise
▪ Physical Attack vectors
▪ Defense Measures
  ▪ Corporate
  ▪ Individual

Slide 3

Speaker Bio
▪ CEO of Cyber Security Firm, VerSprite
▪ 10 years of running social engineering exercises
▪ Successfully infiltrated banks, information processing centers, corporate law offices, financial institutions, IT service organizations
▪ Worked on hundreds of post-breach cases

Slide 4

Key Terms
1. Social Engineer: Someone who manipulates individuals into divulging confidential information, used for fraudulent purposes.
2. “Send a Phish”: Command to order an impersonated email to a target victim under false pretenses.
3. SMiShing: Sending a fake SMS message to a target victim in order to propagate malicious links or files.
4. PILFER: Term synonymous with stealing and related to data theft.

Slide 5

More Key Terms
1. Vishing: Using live or recorded phone-based attacks to deceive target victims over the phone.
2. Phreaking: Hacking phone networks in order to make spoofed calls from corporate networks.
3. OSINT: Open Source Intelligence gathering on a target entity or target individuals.
4. Casing: Identifying favorable physical access points that could facilitate illicit access to a building.

Slide 6

Behind the #s
▪ Phishing attack campaigns in 2016 shatter all previous records (since 2004)
▪ Phishing is the No. 1 vehicle for ransomware & other malware
▪ 60% of smishers ask you to click a link
▪ FBI reports $2.3M lost to CEO email scams
▪ Account takeovers estimated to hit $775M in 2020

Slide 7

Tools, Techniques, Procedures (TTPs) Behind Cyber-criminal Operations

Slide 8

Organized Cybercrime
▪ Cybercrime is more organized than you think.
▪ Social engineering is a ripe attack vector for cybercriminals
  ▪ Malware propagation
  ▪ Persistence
  ▪ PII Pilfering
  ▪ Exploit Kit implementation
  ▪ Collusion and Insiders
  ▪ Repudiation through layers
▪ Social engineering is opening up new markets for cyber-criminals.

Slide 9

Leveraging Emotions
▪ FEAR: Presenting dire situations to victims that compel them to react, ideally in a manner controlled by the cyber-criminals
▪ POWER: Usually accompanied by an impersonated identity that the cyber-criminal perpetrates
▪ INTIMIDATION: Bullying the victim, generally via impersonated identities
▪ WINNING: Presenting the illusion of gaining rewards or monetary compensation
▪ TRUST: Confiding in the personality of an individual based upon affiliations, looks, or personality
▪ SYMPATHY: Compassion-driven decision based upon empathy with the criminal’s story line
▪ Cyber-criminals will use OSINT on targeted individuals to identify possible emotional responses to social engineering ploys.

Slide 10

From Tactics to Practice

Targeted Tactics Applied
▪ OSINT on online social media profiles
  ▪ Reveals causes supported
  ▪ Attire, posture, physiological signs
  ▪ Deducing personality
▪ Capture emails & network traffic
  ▪ Emails provide pretext
  ▪ Network traffic reveals periodic

Practice Examples
▪ Cancer Society Ploy
  ▪ Target phished by perpetrating for-cause events
  ▪ Observed helpful personality traits
▪ “File on USB” ploy + desperation
▪ Compromised emails with a vendor provide a ripe opportunity for vendor-based perpetration

Slide 11

Phishing Trends
▪ Goals:
  ▪ Obtain PII (Personal Identifiable Information)
  ▪ Disseminate malware
▪ Techniques
  ▪ URLs & Attachments carry “payloads”
  ▪ Leverages emotional techniques
  ▪ Generic vs Targeted Phishes
  ▪ English is improving in these emails
▪ Targets
  ▪ Other industries on the rise in terms of being targeted
  ▪ Persistence over opportunistic ploys preferred

Slide 12

Phishing Tails: Banking Link Scam (Carbanak)
▪ A billion dollar heist covering 30 countries and nearly a billion dollars in lost funds, nicknamed Carbanak (Feb 2015)
▪ Spear phishing emails sent to employees
▪ It was a pretty standard scheme: an email with a link that looked like it was coming from a colleague contained the malicious code
▪ Infected workstations
▪ Hackers tunneled deeper into the banks’ systems until they controlled employee stations
▪ Hackers made cash transfers, operated ATMs remotely, changed account information, and made administrative changes.

Slide 13

From Spearing to Harvesting :: The Power of Persistence

Slide 14

Baiting & Drive-by Downloads
▪ Baiting is very similar to phishing but more passive in nature
▪ Leverages the art of enticement
▪ Examples:
  ▪ Rogue Mobile App
  ▪ USBs in parking lot
  ▪ “Claim a Prize” ploys
  ▪ Malvertising
▪ Plays on human emotions of want & need but in a more casual fashion

Slide 15

Profiling target users & baiting them for profit

Slide 16

SMiShing on the Rise
▪ Usual emotional techniques apply
▪ Intent is to leverage the informality of cell phones
▪ False sense of security attributed to cell phones
▪ Impact of smartphone compromise can be the same as computer compromise
▪ Implications for 2FA (two-factor authentication) if the cell phone is compromised

Slide 17

Physical Realm of Attacks :: Current Trends
▪ Physical attacks complement other attack vectors (e.g. phone, email, SMS)
▪ Persistence within an organization is the ultimate goal
▪ Criminals don’t need to walk away with flash drives of data anymore
▪ Planting bugs is far more effective and reduces the chance of getting caught
▪ Criminals will collude with cyber-criminals to case a property and ‘plant’ a device
▪ Door shimming
▪ Drone-based recon missions
▪ Tailing a target
▪ Diversion-based attacks
▪ Tailgating is king
▪ Card skimming
▪ Bio spoofing
▪ Dumpster diving
▪ Colluding with the insider

Slide 18

Protective Measures: Addressing growing trends in corporate espionage, perpetration, and other social engineering based attacks

Slide 19

Corporate Countermeasures
▪ Annual ‘Red Team’ exercises
  ▪ Form a ‘Blue Team’ to see how you defend
▪ Tailored security awareness training
  ▪ No off-the-shelf training
  ▪ Particularly for ‘support groups’ or operations team members
▪ Network segregation
▪ Reduced permissions in AD / LDAP
▪ Incident Response Plan & Training
▪ Log Monitoring & Alerting
▪ Physical Cameras & CCTV
▪ Multi-factor authentication for email
  ▪ Soft token based technology implementation
▪ Process-based whitelisting software (e.g. Carbonblack, Solidcore, etc.)

Slide 20

Individual Countermeasures
▪ Personal shredder. Your trash is public property after it leaves your house.
  ▪ Cross cut is best
▪ Wipe old hard drives.
▪ Enable MFA for phone-based apps
  ▪ Use Google Authenticator or Authy
▪ Employ the use of a password manager
  ▪ Use the password generator feature of the solution.
▪ Validate requests out of band.
  ▪ Beware of the trifecta social engineering attack (mail, phone, and email)
  ▪ Validating context is key
▪ Go to websites yourself over clicking on links
▪ If you don’t recognize a number, don’t answer
  ▪ Blacklist or block numbers
▪ Pay attention to personal trends
▪ Qualify your ‘friend requests’ on social media
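The deck's advice to "go to websites yourself over clicking on links" exists because the visible text of a link and its real destination can differ. The check below is an added example, not from the slides: it parses an HTML email body (a constructed sample, with example.com/example.net/example.org hosts) and flags links whose visible host does not match the href host, links to a raw IP address, and punycode (IDN) hosts. The same check applies to links arriving by SMS once the URL is extracted.

```python
"""Flag email links a reader should not click straight from the message."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not a real phish): one honest link,
# one text/href mismatch, one raw-IP link, one punycode (IDN) host.
SAMPLE_EMAIL = """
<p>Review your statement at <a href="https://www.examplebank.com/login">www.examplebank.com</a>.</p>
<p>Or use <a href="http://examp1ebank-secure.example.net/verify">https://www.examplebank.com/verify</a></p>
<p>Support: <a href="http://203.0.113.7/help">Help Center</a></p>
<p>Portal: <a href="https://xn--exmplebank-9za.example.org">examplebank.example.org</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an <a href=...>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased hostname of a URL, or of bare text that looks like a domain."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def suspicious_links(html):
    """Return (visible_text, real_host, reason) for each link worth checking out of band."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = _host(href)
        if not real:
            continue
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", real):
            findings.append((text, real, "raw IP address"))
        elif "xn--" in real:
            findings.append((text, real, "punycode host"))
        elif re.search(r"[\w-]+\.[a-z]{2,}", text, re.I) and _host(text) != real:
            findings.append((text, real, "text/href host mismatch"))
    return findings
```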

Slide 21

Questions?
Contact Info: Tony “UV” [email protected]
Twitter: t0nyuv
www.versprite.com