Social Engineering Techniques & Other Attack Types Flashcards
Name four types of phishing
- spearphishing (targets specific employees)
- whaling (targets high level employees, executives, or senior management)
- smishing (SMS phishing)
- vishing (voice phishing, targets cell phones, telephones or VoIP)
What is phishing?
a cyber attack that uses a disguised email or other communication channel as a vector
Common phishing indicators
1) Vague salutations: for example, "dear valued customer" or "dear employee"
2) Suspicious-looking domain names/display names
3) URL paths: for example, the company name is actually farther down in the URL path, or the domain is a common misspelling.
4) Wrong hypertext
5) Awkward grammar
6) Urgency in text
7) Lack of contact info
8) Spoofed headers/logos
Define Business Email Compromise (BEC)
This is a form of attack that targets companies that outsource, conduct wire transfers, and have suppliers abroad. Attackers often target the corporate email accounts of high-level employees. The accounts are either spoofed or compromised through tools such as keyloggers or other phishing attacks, and then used to perform fraudulent transfers.
Common BEC Schemes
Phony invoices and transfers
“C-suite” or “C-Team” fraud (impersonate the CEO)
E-mail or webmail account compromise
Attorney impersonation and hoaxing
Data theft of personally identifiable information (PII)
What is pharming?
a website’s traffic is manipulated or spoofed, and confidential information is stolen.
may be accomplished using a trojan or other virus that changes the computer’s hosts file to direct traffic away from its intended target and toward a fake website.
crackers may also poison a DNS server to redirect multiple users, without their knowledge, to the fake site, which can then be used to install malware on their computers.
For the exam, remember that pharming has to do with name resolution or DNS (domain name system).
Spam
slang term for unsolicited commercial email or junk email
common categories of spam
- email spam
- comment spam
- trackback spam
- negative SEO attack
- spiders and DDoS (bots)
Spim
Spam over instant messaging
disrupts chatting and can contain viruses or spyware
by blocking any messages from sources not on your contact list, you can prevent spim
most anti-virus programs include both spam and spim protection features
Typosquatting
Involves squatting on sites under someone else’s brand or copyright and targeting internet users who erroneously type a website address into their browser address bar
other names for typosquatting are URL hijacking, sting sites, or fake URL
ex. - facebool, gooogle, amason
Tailgating
also called piggybacking
occurs when access tokens or badges are being used in a single-factor or multi-factor authentication scheme for physical access to buildings, rooms, or certain high security areas such as data centers
each subject uses their badge or token with the sensor every time they access a building or protected area
often considered a violation of security policy (AUP/acceptable use policy), combined with some enforcement policy if users do not comply
dumpster diving
- credit card information
- invoices and receipts
- IP addresses
- organization charts
- names of key employees
- manuals and charts
- memos and sticky notes
- hard drives
- removable storage
- phone numbers
shoulder surfing
goal is to look over the victim’s shoulder as he or she enters a password or PIN
easier to carry out today with spy cam technology and camera-equipped mobile devices
binoculars and telescopes from nearby buildings can see screens and keyboards
watering hole
leverages a compromised web server in order to target groups or associations in social networks
only members of the association are attacked, while other traffic is untouched
can be difficult to identify using traffic analysis since most traffic from the infected site is benign
EXAM QUESTION
Why is social engineering so effective?
six reasons
1) lack of proper security and awareness training
2) inadequate acceptable use policy (AUP)
3) no buy-in from management and employees for prevention measures
4) no enforcement of policies - no carrot and no stick
5) outdated anti-virus, outdated DLP (data leakage prevention), and mobile device application management tools
6) poor perimeter security controls for e-mail, messaging, telephony, and web activities
difference between malware and exploit
all malware are exploits, but not all exploits involve malware/malicious code
Common types of malware
1) PUPs (potentially unwanted programs)
2) Ransomware
3) Trojans and RATs
4) Worms
5) Spyware and adware
6) Keyloggers
RATs
Remote access trojans
often part of multi-staged exploits
1) create backdoors
2) establish Command & Control communication with a backend server (we call these “botnets”)
3) some well known RATs include Ghost, Poison Ivy, PlugX, and Sakula
4) Now on mobile devices
PlugX is now a common choice for nation-states that use RATs as their payload
PUPs
Potentially unwanted programs
PUAs
Potentially unwanted apps
Ransomware
encrypts key files and holds them for ransom from the target organization.
usually demands crypto such as Bitcoin or Monero, which are difficult to track
cryptolocker toolkits have exploded since Gpcoder in 2005
average ransom demand has more than doubled
over 30 percent of victims are in the U.S.
newest trend is Ransomware-as-a-Service (RaaS) on the dark net, which is a subset of MaaS (Malware-as-a-Service)
Steps of a ransomware campaign
1) installation: crypto-ransomware installs itself after bootup
2) contacting headquarters: malware contacts a server belonging to an attacker or group
3) handshake and keys: the ransomware client and server “handshake” and the server generates two cryptographic keys
4) encryption: the ransomware starts encrypting every file it finds with common file extensions
5) extortion: a screen displays giving a time limit to pay up before criminals destroy the key to decrypt the files
Trojans
Trojan horses have no replicating abilities like viruses or worms
They are malicious code and programs that masquerade as legitimate applications or are embedded in real programs
Trojan sources
- Games
- Utilities and tools
- Device drivers
- Patches & updates
- Free/shareware
- System upgrades
RATs and C2 (C&C) Servers
1) attacker sets up a C&C server (aka C2)
2) RAT-infected PC acts as a server and sends information back to the attacker’s client via the RAT server program
3) allows the attacker to conduct malicious operations
a) capture webcam
b) keystroke logging
c) install a remote shell (like CMD.exe on a Windows system)
d) Continuously update RAT version to evade anti-virus and anti-malware programs
e) download files
f) upload files
Worms
special form of self-replicating virus (malware) that generally spreads without user action
distribute complete copies (possibly modified copies) of themselves across networks
a worm can consume resources, infiltrate data, or simply cause the CPU on the system to waste cycles resulting in a computer becoming unresponsive
IOCs
Indicators of Compromise: the activity of the worm and the artifacts it leaves behind
Worms behaving as RATs
Because worms typically do not need to attach to a host program or file, they can also tunnel into a system and allow for remote control of the system or service
Classic examples are Sasser, ILOVEYOU, Conficker (four or five variants of this), and Stuxnet (launched against Iranian nuclear facilities)
Worm risk factors
1) shared computers with weak passwords
2) removable devices, such as external hard drives and USB sticks, may get infected with a worm
3) computers without the latest security updates may get infected by the worm
4) computers with open share permissions
5) computers with a proper password policy, current security updates, antivirus or security software, and secured shares are protected from infection
Spyware and Adware
Spyware is software that gathers data about a computer user without the user’s permission or knowledge
Spyware can show advertisements, track information and make modifications to endpoints without user knowledge
Malware, adware, and spyware are often found on P2P networks, download sites, and BitTorrent
Alexa, Echo, and similar “smart” devices can be used as spyware
Keyloggers
Keystroke logging is typically done by malicious code that records keystrokes and sends the data back to a C&C server
Spyware uses keyloggers to capture passwords, credit card information, or other PII
Software keyloggers can also be used to track employees or family members to ensure they adhere to acceptable use
It is also a valuable tool for analyzing human-computer interaction
Keylogger detectors are special mitigation tools
Examples: PAL Keylogger Pro, and KeyGhost
Complex Malware Types
1) Rootkits
2) Backdoors
3) Fileless viruses
4) Botnets
5) Crypto malware
6) Logic bombs
7) Stegomalware
8) Polymorphic packers
9) Multipartite virus
10) Emerging variants (check out sans.org to keep up to date on these, can sign up for email and text bulletins)
Note: most malware attacks are multi-phased, stealthy, and polymorphic
Rootkits
malicious modules that are placed in unauthorized areas to do things like:
1) access data
2) monitor actions
3) escalate privileges
4) modify programs
5) conduct further exploits
term is a combination of “Root,” which represents the root user in a Unix or Linux system (or administrator in a Windows system), and “Kit,” which is a software or malware toolkit
can be difficult to detect because they are often initiated before the operating system is fully loaded into memory or fully “booted”
can target the BIOS or the UEFI, the bootloader or system files
they can install hidden files, hidden processes, they can run processes beneath the surface and can even install hidden user accounts.
because rootkits can be installed in firmware or software, they have the ability to intercept data from network connections, keyboard input or output, and other peripherals
Backdoors
Backdoors are considered Trojan programs
1) Most often masqueraded as some real program such as a game, device driver, or a patch. That is why it’s so important to digitally sign all of your code.
2) Closely related to the results of a botnet attack because it can attack more than one system
3) Typically it generates a covert channel, either to a C&C server or another member of a botnet
4) The remote attacker controls systems
5) Common now on mobile devices
Backdoor exploits
1) collect system and personal data from the system and even attached storage devices.
2) perform DoS attacks on other systems (DDoS and botnet)
3) run and terminate tasks and processes
4) download additional files for multi-phased attack
5) audit the system status; the information gathered can be used to elevate or escalate privileges, or as part of the kill chain in a later, more advanced or persistent threat
6) open remote command line shells on remote Windows and Linux systems
7) modify computer settings like the registry or configuration files and can even shut down or restart systems
Fileless viruses
Fileless malware operates in memory without being stored in a file or installed directly on a machine
Fileless viruses go directly into memory and the malicious content never reaches a hard drive
An evolutionary strain of malicious software
One of the key categories that antivirus and antimalware vendors are dealing with right now, using advanced techniques such as machine learning and AI to discover these fileless viruses
FVs have a tendency to target high value targets like banks, telecoms, and government agencies
Examples: Frodo, Dark Avenger
Bots and Botnets (DDoS)
Bots are the most common form of a Distributed Denial of Service Attack (DDoS) today
The robot network (botnet) consists of zombie computers and a master command and control (C&C) server used to remotely control the victims, many of whom are unaware
The communication often occurs over Internet Relay Chat (IRC), encrypted channels, bot-centric peer-to-peer networks, and even social media like Twitter
Bots can exfiltrate data, log keystrokes, scan memory, force a system to participate in mining cryptocurrency, and more
Crypto Malware
Crypto malware is an advanced and evolving form of ransomware that encrypts a user’s files and demands ransom
Sophisticated cryptomalware uses advanced encryption mechanisms, so files can’t be decrypted without a unique key
What makes crypto malware different from run-of-the-mill ransomware is that it has polymorphic variants that change their behavior during the lifecycle of the kill chain
Cryptolocker Infection Chain
1) User receives spam with a malicious attachment
2) The malicious attachment, usually a UPATRE variant, downloads a ZBOT variant
3) The ZBOT variant exhibits several routines, including downloading CRILOCK variant
4) The CRILOCK variant encrypts files to force users to purchase the private encryption key
Logic bombs
Logic bombs trigger the exploit when a certain event occurs, for example:
1) mouse movements
2) certain file is accessed or a program is run
3) certain date or timestamp
4) program execution
5) number of times certain code is run
6) during a major event such as the Super Bowl or an election day
7) on a holiday
Stegomalware
Based on steganography, broadly defined as anything done by a cracker to hide data in an unexpected channel
A JPEG picture of a dog playing with bubbles may actually contain destructive malware
A dangerous banking RAT has hidden its settings in the icon file of a website (as an alternate example to the above)
Many stegomalware hosting sites are buried deep within Tor
Common tools are Steghide, rSteg, and Crypture
The same tool must be used to reverse the process and expose the hidden malware
Polymorphic Packers
Has the ability to change and move in stages
For example, starting out in RAM and then moving into compressed RAR files deep in the file system
Polymorphism is used in email attacks and drive-by exploits, and also in APTs (Advanced Persistent Threats) once the cracker has a foothold
Polymorphic packers are tools that bundle up different types of malware in a single package (either an email attachment or drive-by malware from a website)
APTs
Advanced Persistent Threats
Multipartite Viruses
Also known as a multipart virus/malware
Often combines file and boot/system infector viruses
Simultaneously attacks the boot sector and executable files
Password Attacks
Repeated attempts to identify a user account, password, or both
Cryptographic Hashing
A one-way mathematical function that takes the password and runs it through a SHA-1 or SHA-2 (pronounced “Shaw”) process. The output is a fixed-length fingerprint or hash, which is what is actually stored in the backend database, Windows server, etc.
Cain
Password attack tool
John/John the Ripper
Password attack tool
Dictionary and word lists
openwall.com has a list of words, misspelled words, and common patterns on the qwerty keyboard
Spraying
Attempts to access many accounts, typically targeting single sign-on (SSO) and cloud-based applications that use federated authentication protocols (such as SAML, Shibboleth, or OpenID Connect).
Attackers use a few commonly used passwords instead of traditional brute-force attacks, which can quickly result in the targeted account getting locked out.
The “low and slow” method involves the threat actor attempting a single frequently used password (such as Password123 or Letmein) against many accounts before moving on to attempt a second password.
Rainbow tables
Used when passwords in a computer system are not stored directly in plaintext but are protected by a cryptographic hash function.
A rainbow table is a precompiled dictionary database of plaintext passwords and their corresponding hash values that can be used to find out what plaintext password produces a certain hash value.
Since a collision can occur (more than one password producing the same hash) it’s not important to know what the original password was, as long as the one selected produces the correct hash.
Using Rainbow Tables
A rainbow table works by performing cryptanalysis very quickly and effectively. It is not like a brute-force attack, which works by calculating the hash function of every candidate string. A rainbow table attack already has a table of precomputed hashes.
Malicious USB Cables
Also known as an “evil” or “lightning” cable.
Attackers have created an exploit using a generic looking USB cable that can get commands from a nearby smartphone and then run them on the PC it’s plugged into.
Some USB-to-Lightning cables are tailored with a Wi-Fi chip inside one of the connectors, so that unsuspecting victims will assume the normal-looking cable is safe to use with their computer.
Unfortunately, the cable is detected by the computer as a Human Interface Device that resembles a keyboard or a mouse.
It can also be connected to a malicious flash drive
Skimming and Card Cloning Overview
The benefits of RFID / NFC for travelers and shoppers are numerous, and the tech is here to stay.
RFID and NFC devices are vulnerable to a variety of physical attacks.
Data stored on RFID chips can be stolen, skimmed, and scammed by anyone with easily obtained RFID readers.
Skimming
Uses devices that overlay an ATM or point-of-sale scanner to steal the information from the victim.
Crackers can also clone credit cards and debit cards by stealing the name, account number, expiration date, and three digit code.
Adversarial Artificial Intelligence
Incorporation of AI, machine learning, and robotic techniques with learning, reasoning and decision making abilities into security analysis, defense and of course, military systems.
Two types of attacks that can compromise unsupervised machine learning algorithms and systems
1) An evasion attack involves an adversary constantly probing classifiers with new inputs, trying to evade detection. These inputs are also called “adversarial inputs” because they are designed to bypass classifiers.
2) “Data poisoning” is when an attacker feeds polluted training data to a classifier. It can blur the boundary between what is classified as good and bad, in favor of the attacker. The most common type of data poisoning is “model stealing”, which basically generates results in the classifier that categorize bad inputs as good ones.
Supply-chain Attacks
Also called a “value chain” or “third-party attack”. The attacker infiltrates a system through an outside partner, vendor, or provider with access to your systems and/or data. It is a form of side channel attack.