The talk I gave on social engineering in the Owasp chapter in Doha, Qatar. This covers few of the same points which I talked about in the helpag spotlight event.

1. Social Engineering Trickx
Michael Hendrickx
Doha, Qatar. 23 Nov 2015

2. $ whoami
• Michael Hendrickx
– Security Analyst in HelpAG
– Working in infosec for past decade
– mhendrickx@owasp.org
– Belgian

3. Social Engineering
• You have a firewall, good for you.
– Let’s target the users, not systems
• Human beings are helpful by nature
• Defined as:
“Any act that influences a person to take an action
that may or may not be in their best interest”
Find people Find Info Get access

4. Finding people
• 2 Ways of finding people:
– Phishing (casting a net)
• Quantity over quality
• Very noisy
– Spear phishing (targeted)
• Quality over quantity
• Takes more time, more effort

5. Finding people: phishing
• People haven’t changed much

6. Finding people: phishing
• People haven’t changed much

7. Finding people: phishing
• People haven’t changed much

8. Finding people: phishing
• People haven’t changed much

9. Finding people: phishing
• People haven’t changed much

10. Finding people: phishing
• People haven’t changed much

11. Finding people: phishing
• People haven’t changed much
Recent “Rombertik” malware:
- State of the art malware (evil though)
- 97% of code never called
- sandbox confusion
- browser snooping
- MBR destruction upon debug-detection
- Lame Ineffective distribution

12. Finding people: phishing
• Phishing not always best option
– Very noisy
– ISP / Hosting company may block you
– Too many recipients
• Somebody is bound to report it
Spear phishing is a better option

13. Finding people: spear phishing
• Email from somebody
who “knows you”
– You probably know them too
• Somebody who took
time to research you
• Interested in you
– Rather, what you know
– Who you know
– What you have access to.

14. Finding people
• Target a domain, find its users:
– Maltego, theHarvester, metasploit, recon-ng
Emails are probably:
firstname.lastname@helpag.com

15. Finding people
• Emails are firstname.lastname@helpag.com
Let’s look for more names:
stephan.berner@helpag.com?
angelika.plate@helpag.com?
alexandra.pisetskaya@helpag.com?
nadia.zamouri@helpag.com?
aashish.sharma@helpag.com?
prashant.jani@helpag.com?
…
https://ae.linkedin.com/in/nsolling

16. Finding people
• Emails are firstname.lastname@helpag.com
Let’s look for more names:
stephan.berner@helpag.com?
angelika.plate@helpag.com?
alexandra.pisetskaya@helpag.com?
nadia.zamouri@helpag.com?
aashish.sharma@helpag.com?
prashant.jani@helpag.com?
…
Let’s dig just a bit further….
https://ae.linkedin.com/in/nsolling

17. Study the target: Nicolai Solling

18. Study the target: Nicolai Solling
We know Nicolai’s writing style

19. More target studying
• Examine digital footprint

20. More target studying
• Examine digital footprint
Nicolai’s Digital footprint:
• Full name
• Address
• Interests:
• Porsche 911
• PADI Diver
• Line6 Guitar pod
• Merc GL550
• Trivial Pursuit

21. More target studying
• Examine digital footprint
Nicolai’s Digital footprint:
• Full name
• Address
• Porsche 911
• PADI Diver
• Line6 Guitar pod
• Merc GL55
• Trivial Pursuit

22. So far, what do we know?
• Nicolai’s contact details
– Email address
• Who he knows / might know
– His social network
– School, hobby groups, …
• What he likes
– His interests
• How he writes

23. And what can we do?
• Target Nicolai:
– “Hi, we met at Porsche club, ManAge spa…”
– “Your 2013 Mercedes GL550 service is due, …”
• Or, pretend to be Nicolai
– Target his contacts / colleagues
(firstname.lastname@helpag.com)
– We know his writing style
– Exploit their trust

24. How can we do it?
• Need to trick target to
“believe us”
• Let technology help us
• Abuse 33 year old protocol
– Domain squatting
– Fake email threads
– Fake CC

25. Domain Squatting
• Using “similar” domain for bad purposes
– Homoglyphs, repetition, transposition…
– Use DNSTwist
Original* helpag.com
...
Homoglyph heipag.com
Homoglyph he1pag.com
Homoglyph helpaq.com
...
Transposition heplag.com
...

26. Increase credibility
• Make your email as legit as possible
• Email footer?
– Annoy somebody till they email you back 

27. Fake Email Threads
• SMTP just sends text
to a program.
– “Email threads” have no
connection.
– Unless we have the entire
thread, digitally signed, we
can’t trust it at all
– Modern equivalent of
saying:
“Can I go dad? Mom said I
could go”

28. Fake CC
• CC doesn’t really exist
• It’s just a MIME
header
HELO blah
MAIL FROM: admin@flurk.org
RCPT TO: michael.hendrickx@helpag.com
DATA
From: Michael Hendrickx <michael@flurk.org>
Content-Type: text/plain;
Subject: Very important email
Cc: khaled hawasli <khaled.hawasli@helpag.com>,
barack.obama@whitehouse.gov
To: michael.hendrickx@helpag.com
Hey guys,
As per our conversation, please install the
security update located at
http://evil.com/patch.exe
Well, in fact, this is an email that Khaled and
Obama will never get - but you can never find
that out!
Thank you,
Security Admin
This is for the
SMTP server
This is for the
email client

29. Fake CC
• CC doesn’t really exist
• It’s just a MIME
header
HELO blah
MAIL FROM: admin@flurk.org
RCPT TO: michael.hendrickx@helpag.com
DATA
From: Michael Hendrickx <michael@flurk.org>
Content-Type: text/plain;
Subject: Very important email
Cc: khaled hawasli <khaled.hawasli@helpag.com>,
barack.obama@whitehouse.gov
To: michael.hendrickx@helpag.com
Hey guys,
As per our conversation, please install the
security update located at
http://evil.com/patch.exe
Well, in fact, this is an email that Khaled and
Obama will never get - but you can never find
that out!
Thank you,
Security Admin
This is for the
SMTP server
This is for the
email client

30. Fake CC
• To, CC and BCC does
the same thing
(SMTP wise)
• SMTP sends the
message to every
recipient

31. Putting it all together
Fake email thread
Fake CC
Domain spoofing
Same writing style

32. Get access
• Invite user to visit URL
– New intranet portal, survey, …
– Capture domain credentials
• Through basic auth popup
(many think it’s the proxy)
• Through a webpage
– Make site seem as real as possible (logo, …)
– Show the domain name filled in

33. Get access: phishing site

34. Or, deliver malware
• Choose distribution method:
– Exe, pif, cmd, scr: probably blocked
– PDF, Office macro, .. : probably allowed

35. Lessons learned
• Awareness is key
• Minimize digital footprint
– The more people know about
you, the more they can trick you.
• Use digital signatures
• Don’t trust anything sent to you.

36. Questions?
Thank you!
@ndrix
mhendrickx@owasp.org