Phone phishing, just one way to social engineer information from end users

Social engineering is used to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity.

The following is a recent real life example which would seem very innocuous.

An associates phone rings.  The person identified herself as working for the accounts receivable department.  She indicated to the user that the phone extension he had was noted as sitting near an HP Color Printer.  She asked if he could provided the model and serial number for her records.  (Before we go any further, how many of you reading this sit “near” and HP printer?)

The user was keen enough to ask the caller’s name.  She responded with only a first name “Kathy”.  Fortunately this set off a red flag that something many not be completely legitimate with her request.  He then indicated it wasn’t necessarily a good time for him and asked if he could get the information and send it to her in an email.  Still suspicious but now afraid the caller may just hang up, the user stalled and answered “oh yes, there is an HP printer right here” and gave the model number, but nothing specific to the device or the company he works for (serial number or IP address).

After saying this, the caller seemed more interested again and continued to ask how they administer and maintain the printers.  The end user indicated he wasn’t sure and would have to ask.  He then asked for her last name to which she responded “White”.  Being resourceful, the user quickly checked the companies Active Directory.  No users matched that specific name.

He then offered to get the rest of the information and call her back.  The caller indicated that the phone she was using was only able to make outbound calls and she wasn’t sure what number would call her area (does this sound like any phone in your company?).  When he insisted he’d need to call her back, she quickly hung up on him.

By asking specific and probing questions, a caller may be able to piece together enough information to infiltrate an organization’s network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.  While each of those pieces of information may seem insignificant by themselves, in total, they may give a hacker just the information they need to footprint a company or network in order to run a targeted attack on the environment.

Advertisements

Google Chrome and Instant Pages. A hackers new best friend?

Image representing Google Chrome as depicted i...

Image via CrunchBase

This is one of those articles where I start reading thinking, this is an interesting approach.  It seems to take caching to a new level to help speed up your web browsing experience by “pre-caching” sites before you ever go to them.

http://www.technologyreview.com/computing/37818/

But then I make a switch from right brain “this is cool and forward thinking” to left brain “immediate paranoia”.

One of the methods (discussed ad naseum) to promote malware is the utilization of popular search terms and optimized sites to get good search engine results.  Many AV providers use a “search ahead” feature to look at the sites in your search result and give you a visual indicator of what may be a malicious page.  If Chrome independently makes the decisions to load the pages on your behalf (to make your web browsing experience better), this also provides an effective avenue for malware delivery.

While I’m certain there will be an option to disable this feature, this raises enough concern to not use Chrome 13 for me.

Obama Birth Certificate search results yield malware

It’s long been a tactic of ne’er-do-wells to capitalize on topical issues to deliver malware.  Today is no different.  Many of the “1st page” Google image results for “Obama Birth Certificate” yielded images which had embedded exploits which would take advantage of known browser and/or Java vulnerabilities.

When you think about it, this is a very effective mechanism for malware delivery.  In our post-physical newspaper society, many get their news from online news sources.  Of that many, some will consistently goto the same sites to get information, the rest will simply search for (dare I say Google) what specific piece of news they are looking for.

Malware authors are well aware of this and capitalize on it quite often. While users may have become more aware of this when looking a links in a typical Google search, they may not be as aware when doing searches on images (like have occurred recently with Charlie Sheen and the Obama Birth Certificate searches).

So what can you do to help protect yourself in this ever changing malicious environment we call the Internet?

  1. As a “safe browsing technique” – try to use known, “reputable” new sites when you are looking for topical information.  I will concede that just because news site is well known does not make it immune from being hacked or to be delivering malware.  But the chances are much less with those sites than general unknown sites.
  2. Certainly use caution with all pop-ups that ask you to download, install, or run anything.  Also do not rely on the little red X to close those windows.  Chances are, it won’t do what you expect it to.  You are best off to bring up your system processes and just kill off your browsing sessions and start over.
  3. Make sure you operating system and security applications are kept up to date.  If you stay current with your patches and keep your security protection suite updated, you have reduced the opportunity for any of the known exploits to actually work on your system.
Follow these precautionary steps and you could be “winning” too…

iOS 4.2 is out! Update your iDevice!

Image representing Apple as depicted in CrunchBase

Image via CrunchBase

While many people (me included) are happy to update their devices to iOS 4.2 for the new features enabled, most are not aware of the security fixes included that are also necessary.  iOS 4.2 (like many iOS updates prior) includes fixes to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, initiate a call, cause a denial-of-service condition, gain system privileges, or obtain sensitive information on your iPhone, iPad, or iTouch.  (While there is an update for AppleTV also, I’m not aware of what, if any, vulnerabilities were addressed with that update).

A quick overview of these fixes includes fixing an issue with the new iAD service where the ads could send you to malicious sites, fixing mail issues where properly formatted HTML emails could send information back to the sender of the email, and a network issue where properly formatted PIM messages could cause a denial of service situation or the device to completely shut down.

To see a full list of the vulnerabilities addressed, please see Apple’s security page here:  http://support.apple.com/kb/HT4456

Related Articles

P.T. Barnum wasn’t wrong – Firefox Beta Links spread Malware

It should not come as a surprise to you that Firefox is available for free download from Mozilla (hence the Open Source Project).  This must not be apparent to users who are being fooled by a fake Firefox 4.0 beta download scam.  

The scam goes a bit like this:

  1. You want software but don’t want to pay for it (in this case a new version of the Firefox browser)
  2. You get email/see link/etc that a new Firefox browser is going to be out
  3. Email/Link/etc portends to provide either a software crack or a key generation file (items used to break registration of what should be purchased software).
  4. You download and run crack files
  5. You get infected with a Trojan

Reports note the following trojans have already been seen using this scam:

  • FraudTool.Win32.FakeVimes
  • Trojan-Downloader.Win32.CodecPack.2GCash.Gen
  • Trojan.DNSChanger.Gen
  • Virus.Win32.Parite
  • TrojanDownloader-Win32/FakeRean

Moral(s) of the story:

  1. Always check an authoritative source.  If you are interested in the Firefox 4 Beta, check out Mozilla’s site and download it there.
  2. It’s always a bad idea to pirate software.  Sites that host/distribute cracked versions of software and keygens are already operating in a shady area, don’t be surprised to get infected/attacked if that is a site you visit.  (As I tell my kids, don’t touch that, you don’t know where it’s been).
  3. Patch and Update.  For at least the few noted pieces of malware being spread here, if your system is patched and your AV updated you should be okay.  However, this can change at any moment, so don’t test it.

Android and iPhone exploits revealed in past week

Over the weekend, a new Web-based jailbreak became available for iOS devices, offering users a simple method to open their devices to installation of unauthorized third-party applications.  An error in the processing of Compact Font Format (CFF) data within PDF files can be exploited to execute arbitrary code e.g. when a user visits a specially crafted web page using Mobile Safari.

This is applicable to any iOS 4 device (all new iPhone 4s, iPads and any upgraded iPhone 3G and 3Gs).  On of the main features of iOS 4 was the SandBoxing approach to applications.  This exploit bypasses the SandBoxing by exploiting a third party app.  I have to say this doesn’t help Adobe’s popularity in Cupertino.

Time will tell if Apple will release a patch to iOS to resolve the issue or if Adobe will have to update their code.  For the time being, the best advice is to browse “safely” (if that’s really possible anymore) or just not browse at all.

The Andriod exploit has a completely different twist on it.  Spider Labs released a DVD at Defcon last week that provided a method to root the device.  Once the exploit is applied the Android device acts as a bot for the hacker who has full remote-control over the device providing access to all the user information on it.  What makes this more interesting is that Spider Labs is an ethical hacking team using this approach to incentivize manufacturer to provide  a fix to the issue more quickly.

“It wasn’t difficult to build,” said Nicholas Percoco, head of Spider Labs, who along with a colleague, released the tool at the Defcon hacker’s conference in Las Vegas on Friday.  Percoco said it took the team about two weeks to build the malicious software.

CNET reported that there were ten companies had data compromised.  The list included Pepsi, Coca-Cola, Apple, and Google amongst others.  All information was solicited through one phone call to an employee of the company.

************** UPDATE Aug 5th **********************

CNET has posted that Apple has acknowledged the issue and already have a fix.  They did not mention when it would be released but a software update is imminent.

************** UPDATE Aug 11th *********************

Apple has released iOS 4.0.2 for iPhone and iTouch as well as iOS 3.2.2 for the iPad to address this vulnerability.  Of course the a side effect to addressing this vulnerability is that it now breaks the functionality of JailbreakMe 2.0.  Not that this should be a surprise.