BOSTON — A prominent security consultant is urging a rethink of the way businesses handle user education and awareness, warning that the way attackers have latched on to social engineering techniques makes it difficult to cope with hacker attacks.
During a presentation at the SOURCE conference here, SANS incident handler and Savvis consulting manager Lenny Zeltser warned that current approaches user education “has failed” because it’s “too boring” and recommends that security practitioners look closely at the evolution of social engineering attacks.
“The outsider is now on the inside,” Zeltser said while presenting actual cases of social engineering attack techniques that have lured business and consumer end users to land on malicious sites or give up sensitive user credentials.
“Maybe the way we’re going about security awareness training is too boring these
days. We need to train employees and end users on the alternative channels in social engineering … they way they’re [attackers] are using personally relevant messaging, social compliance and the reliance on
“The way things are today, we should assume that social engineering will work. We need to train our users in a different way to understand exactly why these attacks are working. We need security awareness around social engineering to work and measure it via pen testing,” Zeltser added.
Zeltser discussed the way attackers have bypassed technology controls by making use of social engineering techniques such as:
- Starting attacks in the physical world, rather than the virtual Internet. Examples included the use of fliers left on windscreens of cars in parking lot asking people to log into a horribleparking.com web site. Once a user visited the site, they were asked to download a player to view media. The download turned out to be a fake anti-virus (scareware) attack.
- Attack that begin with voice messages on phones, welcoming users to a financial institution and tricking them into confirming account information. “The more uncomfortable you make the target, the more he is likely to click a link or give up information because they want to remove that discomfort.”
- Attackers purchasing advertising campaigns on legitimate Web sites by using information from real advertising agencies. “In one case, the attacker actually engaged the target on the phone over a span of several days, used the ad agency lingo, convinced the target that it was a real campaign,” he explained. It turned out to be a malvertising campaign that served PDF exploits to visitors.
- The Waledac Trojan used personally relevant messaging lures to increase the efficiency of the attacks. The malware used e-mail lures about breaking news of a bomb explosion and wne the user visited the rigged Web site, they saw a fake Reuters news report that used geo-location to determine where the victim was coming from. Based on the location of the target, the message was customized to the specific city.
- E-mail attachments that purport to be UPS invoices and malware purveyors that use live Web chat software to interact with victims in real time.
- Clickjacking on Facebook that lured users into clicking on a “want 2 see something hot?” button to spread a malicious link using invisible iFrame tricks.
“So far, we’ve been failing at educating end users. We must find a better way to do this,” Zeltser said, urging businesses to focus on internal segmentation and the principle of least privilege to limit the damage from attacks.
“We need to focus on what’s going on inside the organisation because an outsider can easily become an insider.”