Phone phishing, just one way to social engineer information from end users

Social engineering is used to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity.

The following is a recent real life example which would seem very innocuous.

An associates phone rings.  The person identified herself as working for the accounts receivable department.  She indicated to the user that the phone extension he had was noted as sitting near an HP Color Printer.  She asked if he could provided the model and serial number for her records.  (Before we go any further, how many of you reading this sit “near” and HP printer?)

The user was keen enough to ask the caller’s name.  She responded with only a first name “Kathy”.  Fortunately this set off a red flag that something many not be completely legitimate with her request.  He then indicated it wasn’t necessarily a good time for him and asked if he could get the information and send it to her in an email.  Still suspicious but now afraid the caller may just hang up, the user stalled and answered “oh yes, there is an HP printer right here” and gave the model number, but nothing specific to the device or the company he works for (serial number or IP address).

After saying this, the caller seemed more interested again and continued to ask how they administer and maintain the printers.  The end user indicated he wasn’t sure and would have to ask.  He then asked for her last name to which she responded “White”.  Being resourceful, the user quickly checked the companies Active Directory.  No users matched that specific name.

He then offered to get the rest of the information and call her back.  The caller indicated that the phone she was using was only able to make outbound calls and she wasn’t sure what number would call her area (does this sound like any phone in your company?).  When he insisted he’d need to call her back, she quickly hung up on him.

By asking specific and probing questions, a caller may be able to piece together enough information to infiltrate an organization’s network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.  While each of those pieces of information may seem insignificant by themselves, in total, they may give a hacker just the information they need to footprint a company or network in order to run a targeted attack on the environment.


Obama Birth Certificate search results yield malware

It’s long been a tactic of ne’er-do-wells to capitalize on topical issues to deliver malware.  Today is no different.  Many of the “1st page” Google image results for “Obama Birth Certificate” yielded images which had embedded exploits which would take advantage of known browser and/or Java vulnerabilities.

When you think about it, this is a very effective mechanism for malware delivery.  In our post-physical newspaper society, many get their news from online news sources.  Of that many, some will consistently goto the same sites to get information, the rest will simply search for (dare I say Google) what specific piece of news they are looking for.

Malware authors are well aware of this and capitalize on it quite often. While users may have become more aware of this when looking a links in a typical Google search, they may not be as aware when doing searches on images (like have occurred recently with Charlie Sheen and the Obama Birth Certificate searches).

So what can you do to help protect yourself in this ever changing malicious environment we call the Internet?

  1. As a “safe browsing technique” – try to use known, “reputable” new sites when you are looking for topical information.  I will concede that just because news site is well known does not make it immune from being hacked or to be delivering malware.  But the chances are much less with those sites than general unknown sites.
  2. Certainly use caution with all pop-ups that ask you to download, install, or run anything.  Also do not rely on the little red X to close those windows.  Chances are, it won’t do what you expect it to.  You are best off to bring up your system processes and just kill off your browsing sessions and start over.
  3. Make sure you operating system and security applications are kept up to date.  If you stay current with your patches and keep your security protection suite updated, you have reduced the opportunity for any of the known exploits to actually work on your system.
Follow these precautionary steps and you could be “winning” too…

P.T. Barnum wasn’t wrong – Firefox Beta Links spread Malware

It should not come as a surprise to you that Firefox is available for free download from Mozilla (hence the Open Source Project).  This must not be apparent to users who are being fooled by a fake Firefox 4.0 beta download scam.  

The scam goes a bit like this:

  1. You want software but don’t want to pay for it (in this case a new version of the Firefox browser)
  2. You get email/see link/etc that a new Firefox browser is going to be out
  3. Email/Link/etc portends to provide either a software crack or a key generation file (items used to break registration of what should be purchased software).
  4. You download and run crack files
  5. You get infected with a Trojan

Reports note the following trojans have already been seen using this scam:

  • FraudTool.Win32.FakeVimes
  • Trojan-Downloader.Win32.CodecPack.2GCash.Gen
  • Trojan.DNSChanger.Gen
  • Virus.Win32.Parite
  • TrojanDownloader-Win32/FakeRean

Moral(s) of the story:

  1. Always check an authoritative source.  If you are interested in the Firefox 4 Beta, check out Mozilla’s site and download it there.
  2. It’s always a bad idea to pirate software.  Sites that host/distribute cracked versions of software and keygens are already operating in a shady area, don’t be surprised to get infected/attacked if that is a site you visit.  (As I tell my kids, don’t touch that, you don’t know where it’s been).
  3. Patch and Update.  For at least the few noted pieces of malware being spread here, if your system is patched and your AV updated you should be okay.  However, this can change at any moment, so don’t test it.

Answer this question and paste the answer in your facebook status!!!


Let me repeat.  No.

No. No. No. No. No. No. No.

Why all the negativity you ask?

EXAMPLE: Where were you born?  Paste this question into your Facebook status (along with the answer) and tell all your friends where you were born.  Ask them to do the same!

Anyone what to guess what one of the most common questions people use for the password reset function on their bank accounts, credit card websites, or email?  If you post this information, along with your email, it gives someone most of the critical pieces of information needed to compromise an account.

What about this?

Answer these 10 questions and paste to your status.  Tell your friends to do the same and see how much you have in common:

  1. Where were you born?
  2. What is your sign?
  3. What is your favorite color?
  4. What is your favorite food?
  5. What do you do?
  6. What is your favorite movie?
  7. Are you a (insert a sports team name here) fan?
  8. Mac or PC?
  9. Dog or Cat?
  10. If you could go anywhere in the world where would you go?

I attended a presentation lately where this was said “if these people are REALLY your friends, they already know all this”.  So please don’t use that as a reason/excuse why you are publicising this information on your Facebook profile.  Most people may have technically “friended” you, but are loose social connections at best.

Given the number of changes to the Facebook security settings with the fact most people don’t have this set correctly, you can quickly see where these type of posts give entirely too much information to someone who shares a group with you or is a friend of a friend.

Since your profile already provides your location, maybe birthday, school, email address, etc.  One can approximate enough information to figure out where you are and how old.  In most locations there are probably 2-3 major banks in an area too.  So, one should have enough information to target your online banking account and/or your email account.  They aren’t going to have to guess or break your password.  They’re going to use all the information they’ve gathered about you to reset your password.

Anyone recall the issue with Sarah Palin’s email being “hacked’?  Well “hacked” is giving the guy a bit too much credit.  Socially engineered it more appropriate.  He simply went to her email service (which was known to be Yahoo),  to the password reset function, clicked on it and it prompted him:

  1. “What is your birthday”
  2. “Where did you meet your husband?”
  3. “What is your zipcode?”

If you were to have gone to the governors website at the time, it proudly displayed two interesting pieces of information.  She met her Husband Todd in High School and she spent her entire life in Wasilla.  Since Wasilla only had two zip codes, it was easy to guess.  A simple Wiki search will tell you  her birthday.

So since we are not all high-profile public figures with a ton of information about us on the Internet (though if you are, thanks for reading my post!), it’s probably best that we don’t voluntarily put this information out there for anyone to snag.

Here’s my litmus test: Would this be something you’d feel comfortable telling a stranger on the street?  Probably not.