Category Archives: Scams and Social Engineering

Scams to watch out for or play on your friends

PART 2 “The Attack” – THE SOCIAL MEDIA DECEPTION PROJECT : How We Created Emily Williams To Compromise Our Target

Last year Aamir Lakhani and Joseph Muniz developed a fake identity known as Emily Williams with the purpose of compromising a specific target using social media. We created Emily Williams based on research from Robin Sage, which showcased how a fake identity could obtain sensitive information from social media resources. We wondered if a similar approach could be used for targeted attacks and developed Emily Williams for that purpose. More information on developing Emily Williams via Part 1 of this project can be found HERE.

Emily Williams and Robin Sage

This Part 2 post explains WHY the Emily Williams project is important to understand. Yes, it was humorous watching people endorse a fake person’s technical abilities and receive job offers based on a posted IT background (or possibly just because Emily is attractive); however, those are not the worst outcomes from social media threats. Part 1 concluded with our lovely Emily Williams being friends with multiple parties at our target such as Human Resources, IT Support, Engineering and Executive Leadership. People were sharing information and considering Emily Williams an employee based on the profile we created. The information alone was very valuable; however, that was just the beginning.

Stage 3 focused on obtaining access to host systems through social media. There are many options to do this, such as the very popular Blackhole exploit kit; however, we did not want to use any method that could potentially harm our target’s systems, based on personal ethics. Blackhole is the most prevalent web threat seen today, leveraging a malicious payload that we felt wasn’t safe for our target’s systems. We chose to use The Browser Exploitation Framework (BeEF) based on our feeling that compromising browsers was not as evil as using malware.

Blackhole Exploit Kit Screenshot

Browser Exploitation Framework (BeEF) Screenshot

BeEF leverages browser vulnerabilities to assess the security posture of a target. BeEF “hooks” targets as beachheads for launching direct command modules. Different browsers have different vulnerabilities, which means the more vulnerable a browser is, the more attack vectors become available to the hacker. We installed Backtrack 5R3 on a server and developed a BeEF hooking server that was public facing. We tested systems by accessing our BeEF server, hooking the systems and launching commands such as a screenshot capture. More on building a BeEF system can be found HERE.

The next step was luring employees of the target to our BeEF system. There are many methods hackers use to accomplish this, such as offering free media sites (i.e. downloads of music, movies, etc. … see more on why this is risky behavior HERE), phishing emails and fake URLs designed to look and feel like something else. We decided to post virtual holiday cards on Emily Williams’s social media pages and send direct invites to specific targets. The goal was having a user click the holiday card, wait for the card to pop up and have our system probe the browser for vulnerabilities during the waiting period. Once we hooked the target, we would look for passwords and insider information to gain access to the target agency. We launched three campaigns targeting systems during Thanksgiving, Christmas and New Year’s. We were able to figure out domain credentials to create an inside email address for Emily Williams, VPN passwords to gain internal access and other methods to compromise our target.

Our research demonstrated a few points. First off, people are trusting, and male-dominated industries like IT are even more trusting of women. Second, social media can be used as a means to compromise targets if users are not educated on common attacks and proper use of public-facing network resources. The risk extends beyond data leakage since many people that use social media also use the same systems for internal use while at work. Finally, we demonstrated how easy it is to carry out what many consider an advanced persistent threat (APT), meaning we chose our target and bypassed standard security technology. We believe our methods were not very sophisticated compared to the real threats that target people using today’s public Internet, yet we were very successful with our goal of compromising a specific target. Security is an extremely important investment and needs to include education around proper use of social media (more on this HERE) as well as protection from insider threats.

I hate to drop a plug however I recently took a job at Lancope based on their technologies’ ability to detect insider threats. 


THE SOCIAL MEDIA DECEPTION PROJECT : How We Created Emily Williams To Compromise Our Target

Disclaimer: This post has been modified to exclude specific subjects not approved for public viewing


Emily Williams and Robin Sage

Emily Williams and Robin Sage don’t exist in the real world. They are fake social network accounts designed to obtain sensitive information. Robin Sage was created in late 2009 to obtain information from intelligence and US military personnel. Her story was presented at the Black Hat hacker conference, upsetting many people by exposing the type of sensitive data provided over social networks. Joey Muniz and Aamir Lakhani decided to go one step further and ask the hard question: “what else can happen outside of data being leaked over social networks?” We decided to find out using Emily Williams.

NOTE: The research presented is real. Many people reading this are friends with Emily and probably mad at us. We have informed anybody attacked so if you haven’t heard from us, you are just social network friends with Emily.

 

Emily’s Real Employer

Emily Williams was created in November 2011 for Facebook and LinkedIn. Our goal was to pick a specific target and see how far we could penetrate the target using social networks as the entry point for infiltration. The plan was to build up a social network with key personnel and launch attacks from Facebook and LinkedIn that compromised systems through those social networks. From there, we could gain entry into the network and more or less capture the flag. The research was made public with the goal of educating employees about security around social networks as well as the current potential threats that could target people like you. We had executive approval before conducting the experiment.

Social Network Findings

The first step was creating the Facebook and LinkedIn accounts. We found a non-technical female employee from the restaurant industry (which happened to be a few blocks from our target) to volunteer pictures for Emily’s appearance. We developed a fake social security number, residence and other details that might be searched to make Emily seem real. We gave Emily an IT background from the University of Texas and updated her profile with a matching employment background.

 

Social Engineer Using Facebook Profile Info

User Flags Emily

Step two was building up friends prior to networking with our target audience. We decided to pick on Joey Muniz’s friends, figuring that if they flagged her as fake, they wouldn’t inform anybody from our target audience. Within hours we had over 100 friends using manual adding methods. We found very little resistance to accepting her as a friend; however, one individual not only denied her friend request but also posted a warning about Emily to his friends without actually calling her out. Another funny story was a friend asking “Do I know you?”; by simply replying with information from his social profile, we had him say he remembered her. The lesson learned is to think about what you post, because it could be used against you!

Job Offer Based On Profile Info

Once we had a decent number of friends, we updated her status as a new employee of our target with a technical engineering title. From there, we started adding potential targets, starting with sales and mid-level technical staff as well as our partners with the target. We not only grew her friends from the organizations, we also started receiving job offers, meeting requests and congratulations on the new job with our target. As our target audience friend count grew, we started moving up the ranks, eventually capturing people from Human Resources and Engineering who would be responsible for hiring Emily if she existed. We moved all the way up to executive leadership, and we are happy to say our President denied her friend request after looking for her name in the corporate directory. We have a lot of respect for his diligence.

Can You Trust LinkedIn Endorsing?

At this point we have networked with our target audience and have enough key members linked to perform attacks. Part 2 of this story will feature how we leveraged the social network to obtain access to the network. Consider part 2 the answer to WHY Robin Sage and Emily Williams are a risk for organizations. Stay tuned for part two and again for those involved, don’t worry we didn’t do anything bad to you unless we told you. Oh and thanks for helping us prove our point about the dangers of social networks!

Article written and research conducted by:

Joey Muniz

Blog: www.thesecurityblogger.com

Aamir Lakhani

Blog: www.cloudcentrics.com


Invention Market Scam – Don’t Waste Your Money With Davison.

I discovered a scam while researching methods to develop new ideas. Like many people, I have ideas but am unsure how to make them real products. I found firms offering research, prototype development and marketing services for inventions. I decided to run a few ideas through the top advertised firm on Google, known as Davison Design & Development.

Experience with Davison

Davison presents itself as a successful invention firm. Their website has customer quotes, products they brought to market (see HERE) and videos from popular TV shows like Lifetime’s The Balancing Act (see HERE). If you search Google for Davison customer feedback, you will find endless complaints and lawsuits. I questioned Davison about the negative feedback and was provided rebuttal videos targeting the Better Business Bureau as a means to defuse the bad press (see HERE).

I submitted two ideas under different aliases to put Davison to the test. The first idea is something I believe is great while the other is ridiculous and should be discarded. I filled out an online form for both ideas and eventually spoke with a sales rep. One interesting part of the process is that Davison requires users to accept that they have reviewed Davison’s success rate. As you can see, they are open about how unlikely it is that they can bring your idea to market. My gut tells me this protects Davison from future lawsuits.

Users Must Agree Before Submitting Ideas


How To Educate Your Employees About Social Engineering

A common saying is “Amateurs Hack Systems, Professionals Hack People”. Social engineering is the art of manipulating people into performing actions or divulging confidential information. People fall for social engineering tricks because of their instinct to be helpful and trusting. The typical attacker never comes face-to-face with a victim, instead using deception through email, social networks or over the phone.

Consultants list end-user training as a top measure for defending against social engineering. How should you provide training for your user community? Here are some tips for educating your staff about common social engineering attacks.

Explain Why Policies Exist


It is common to see organizations send out policy reminders without explaining why they exist. The average user will delete a policy email once they realize it’s standard legal language.

Try explaining why users should care. For example, start off with a scenario about an email account being violated and/or company data being compromised. Include details about what social engineering tactic was used, the investment by IT to clean up the issue and ways to avoid the threat. Close with the policy being enforced.

Provide Examples Beyond The Intranet


Organizations typically send warning emails to employees when they discover threats to internal resources. It is rare to see companies extend warnings to phishing or other external attacks. Try periodically sending out examples of different social engineering attacks, highlighting what to look for and where they are common. Examples should include social networks, fake URLs, craigslist scams and threats using shareware. Your end-users can be targeted anywhere, so educate them on all forms of social engineering attacks.


craigslist scam red flags: The story behind the craigslist con

A few months ago I posted about two craigslist scam attempts from ads I listed (go HERE to read). I recently had a few more craigslist scam attempts and noticed a pattern between the different methods used to con me. Here are a few red flags for scams on craigslist or other merchant websites.

Flag 1: Want your item right away

I noticed the scammers never ask any REAL questions about what’s for sale. For example, I recently listed a glass table and received an “I’ll take it, where do I send the check” request regardless of size, weight, looks, etc. The same thing happened when I listed a car. Real buyers ask questions before offering payment.

Flag 2: Location location location?

It seems like con artists believe people don’t have knowledge about the world. I had one guy claim he lived in Canada yet sent me a Utah credit union money order postmarked from Spain. Uh huh … you were on holiday in Spain using money orders from a Utah account you never closed due to great service? The con artist ignored any questions and kept insisting I cash the money order. I recently had one scammer ship me a check without paying the postage. What a cheap con #$#@#$#@! At least have the decency to pay for the shipping so I can see the fake check! Come on!

Flag 3: Overpay for goods

The con is always about overpaying for goods and banking on the victim paying the difference. For larger items such as a car, the extra money is for “shipping”. For smaller items such as a table, the extra payment “was a return” which I’m supposed to wire back as the difference. I’ve noticed the scammers tend to send extra funds without initial notification and later justify things with an excuse to wire money. The most recent one was insane. I listed a table for $800 and received a check for $4,500! Everything looked pretty real except they forgot the watermark. They get a B-.

Flag 4: Engrish … I mean English

Most craigslist con artists seem to use language-converting software to write emails. The first sign is that most emails are one or two long paragraphs, which makes sense if you copy and paste into language-converting software. The second flag is that the spelling and grammatical structure are off, which again is a sign of the use of language-converting software. Scammers also love throwing in things like “god bless you” and capitalizing key phrases such as CASHIERS CHECK and MONEY TRANSFER.

Flag 5: Western Union … the fastest way to steal money

Craigslist con artists always ask to wire money through Western Union (or a similar service). The game is having a fake check or money order look real enough to clear in a bank for a few weeks. This gives the con artist enough time to fool the victim into believing the payment is legit so they wire back funds before things bounce. One easy way to confirm things is to call the bank that issued the check to verify its authenticity. If you mention to the teller that Western Union is involved, they usually will laugh and say it’s fake before running a trace in their system.

DON’T BE FOOLED!
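Taken together, the five red flags above form a checklist that can be scored automatically before you reply to a buyer. The Python script below is an added example, not code from the original post: it scores a buyer reply against each flag (an instant offer with no real questions, more than one location mentioned, a dollar amount above the asking price, machine-translation tells such as capitalized key phrases and “god bless”, and a wire-transfer request). The two sample replies, the asking price and the keyword lists are all constructed assumptions for the example.

```python
import re

# Constructed sample replies to a listing; not real messages from the post.
SCAM_REPLY = (
    "Hello, I'll take it, where do I send the check. God bless you. "
    "I am in Canada but my shipper agent is in Spain. I will send CASHIERS CHECK "
    "of $4,500 and you send the balance to the agent by WESTERN UNION MONEY TRANSFER."
)
LEGIT_REPLY = (
    "Hi, is the table still available? What are the dimensions and does the glass "
    "have any chips? I could pick it up Saturday if that works for you."
)
ASKING_PRICE = 800  # constructed asking price for the table listing

# Flag 1: "take it now" phrases that arrive without a single question about the item.
BUY_NOW_PHRASES = ("i'll take it", "i will take it", "where do i send")
# Flag 2: places that keep turning up in these stories; two or more in one reply is a mismatch.
LOCATIONS = ("canada", "spain", "utah", "united kingdom", "overseas")
# Flag 4: all-caps key phrases (CASHIERS CHECK, MONEY TRANSFER) typical of translated scam mail.
ALL_CAPS_PHRASE = re.compile(r"\b[A-Z]{4,}(?:\s+[A-Z]{4,})+\b")
# Flag 5: payment channels that make the money unrecoverable once sent.
WIRE_SERVICES = ("western union", "moneygram", "money transfer", "wire")


def dollar_amounts(text):
    """Every $ amount in the text as a float, so it can be compared to the asking price."""
    return [float(m.replace(",", "")) for m in re.findall(r"\$\s?([\d,]+(?:\.\d{2})?)", text)]


def score_reply(text, asking_price):
    """Return each red flag as True/False plus a score of one point per raised flag."""
    lower = text.lower()
    flags = {
        "no_real_questions": "?" not in text and any(p in lower for p in BUY_NOW_PHRASES),
        "location_mismatch": len({loc for loc in LOCATIONS if loc in lower}) >= 2,
        "overpayment": any(amount > asking_price for amount in dollar_amounts(text)),
        "translation_signs": "god bless" in lower or bool(ALL_CAPS_PHRASE.search(text)),
        "wire_request": any(w in lower for w in WIRE_SERVICES),
    }
    score = sum(flags.values())
    verdict = "likely scam" if score >= 3 else "no strong signal"
    return {"flags": flags, "score": score, "verdict": verdict}


if __name__ == "__main__":
    for name, reply in (("scam", SCAM_REPLY), ("legit", LEGIT_REPLY)):
        result = score_reply(reply, ASKING_PRICE)
        print(f"{name}: score={result['score']} verdict={result['verdict']}")
        for flag, raised in result["flags"].items():
            print(f"  {flag}: {raised}")
```

The constructed scam reply raises all five flags, while the genuine-looking reply raises none; the threshold of three flags is a judgement call, since a real buyer abroad might legitimately trip the location check on its own.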


Two craigslist Scams: PayPal Email Scam / Cashier’s Check Scam

I personally had two craigslist scams attempted on me last week via a PayPal email scam and a cashier’s check scam. The background story is I just purchased a new car (fist pump!) and attempted to sell my old car on craigslist. I posted it and received two fishy emails, which common sense screamed SCAM; however, I played things out for the sake of education and my blog readers.

Scam 1: I received an email asking about the car. After some basic emails the person said they would take it. I asked about seeing it and got back “I need a favor, I got a message from the pick up agent H/Q in the US that I need to pay a commission of about $900 before the pickup. It’s a private shipper agent, which can only take western union. All I need from you is to include fees and assure me that you can help me wire the agent. There isn’t any western unions around here or I would do it”. I said fine and the person asked for my PayPal email. I told him it’s my gmail and 30 minutes later I got the email below. His Canadian address made me laugh (not shown).

So here is the scam. First off, the email just stinks. PayPal wouldn’t say things like “don’t worry about things just go ahead and WIRE MONEY”. The email address looks legit; however, it is spoofed (I wish I had my IronPort set up to verify the sender’s location). I logged into my PayPal and found zero dollars and no history of the transaction. I called PayPal and confirmed they never deal with Western Union and that my account doesn’t show the transaction. I forwarded the email to spoof@paypal.com and asked the guy “why is PayPal not showing the funds in my account?”. No reply … busted!

To summarize the scam, the target was $900. The scam artist attempted to convince me that I had money held by PayPal that would be released once I wired the commission to a bogus private shipper. The real buyer of my car told me his friend had the exact same scam attempted on him when he posted his iPhone. Email is easy to spoof, so be careful!

SCAM 2: This scam was for more money and more elaborate. The same scenario happened; however, the email used VERY poor English. The person was also from Canada and didn’t need to see the car. This time I’m told the person represents an agent who was already paid by his client $5,000 more than my asking price. He offers to pay via cashier’s check, and I’m asked to wire the difference plus another $900.00 for shipping costs. I say fine, mail me the check, and receive a check 10 days later. The letter was postmarked from Spain and contained a Utah Community Credit Union check. How AWESOME is this? I’m supposed to believe a Canadian went to Utah to get a cashier’s check and, while on vacation in Spain, mailed it to me? Hmmm. I asked about things and was later told the shipping agent is in Spain. Ok, so a Canadian is contracting a Spanish shipping company to pick up my US car? Hmmm?

So the target here is $5,900.00. The scam artist hopes I cash the check and, after it clears, mail him the difference before it bounces. Most likely it would take a week or so to get flagged, which is enough time for the victim to mail out the $5,900.00. I called the Utah Credit Union hotline and confirmed it was fake.

Don’t trust people on craigslist. There are many scam artists fishing for suckers.
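The spoofed “payment held” notice in Scam 1 can be caught from its headers before anyone logs into PayPal to look for the money. The Python script below is an added example and not part of the original post: it parses a constructed notice (the addresses, domains, Authentication-Results line and body text are all made up for the example) and reports whether the Reply-To and Return-Path domains differ from the visible From domain, whether the receiving server’s Authentication-Results header shows SPF and DKIM passing, and whether the body carries wire-transfer instructions. It assumes the receiving mail server stamps an Authentication-Results header on inbound mail, as most do; where that header is absent the SPF and DKIM checks simply report as not passed.

```python
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed spoofed notice modelled on the Scam 1 story; not the real email from the post.
SPOOFED_NOTICE = """\
From: PayPal Service <service@paypal.com>
Reply-To: payments.desk@example.net
Return-Path: <bounce@example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example.net; dkim=none
Subject: Payment of $900.00 is pending release
Content-Type: text/plain; charset=utf-8

Your buyer has paid. Don't worry about anything, just go ahead and WIRE MONEY
to the shipping agent via Western Union and send us the receipt number.
"""

# Constructed notice where every header lines up, for comparison.
CLEAN_NOTICE = """\
From: Orders <orders@example-shop.com>
Return-Path: <bounce@example-shop.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example-shop.com; dkim=pass header.d=example-shop.com
Subject: Your order has shipped
Content-Type: text/plain; charset=utf-8

Your order left the warehouse today. Track it from your account page.
"""

WIRE_TERMS = ("western union", "wire money", "moneygram", "money transfer")


def domain_of(header_value):
    """Domain part of an address header, lower-cased; empty string if there is no address."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_notice(raw):
    """Return True/False findings for the header and body checks on one raw message."""
    msg = message_from_string(raw, policy=default)
    from_domain = domain_of(msg["From"])
    auth = str(msg["Authentication-Results"] or "").lower()
    body = msg.get_body(preferencelist=("plain",)).get_content().lower()
    return {
        # A Reply-To or bounce address on a different domain than the visible sender.
        "reply_to_mismatch": bool(msg["Reply-To"]) and domain_of(msg["Reply-To"]) != from_domain,
        "return_path_mismatch": bool(msg["Return-Path"]) and domain_of(msg["Return-Path"]) != from_domain,
        # The receiving server's verdict on whether this sender may use the From domain.
        "spf_not_passed": "spf=pass" not in auth,
        "dkim_not_passed": "dkim=pass" not in auth,
        # Payment processors do not ask you to wire money to release funds.
        "wire_instructions": any(term in body for term in WIRE_TERMS),
    }


def is_suspicious(raw):
    """True if any finding is raised; a genuine notice should raise none of them."""
    return any(check_notice(raw).values())


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_NOTICE), ("clean", CLEAN_NOTICE)):
        print(name, "suspicious" if is_suspicious(raw) else "ok", check_notice(raw))
```

The header checks are the automated version of what the author did by hand (logging into the real account and calling the company): the visible From line is the one thing a scammer controls completely, so the decision rests on the bounce and reply domains and on the receiving server’s own SPF and DKIM verdict.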
