Microsoft Office documents offer a convenient way to infect systems through the use of macros. However, the attacker needs to persuade victims to enable macros after opening the booby trapped file. Social engineering is an important aspect of these attack strategies.
The defense mechanism that such malware authors need to bypass is typically the yellow security warning that Microsoft Office applications display to explain that “Macros have been disabled.” How would you persuade the document’s recipient to click the enticingly-named Enable Content?
Misrepresent the Meaning of the Security Warning
One approach attackers have employed to deal with the warning involves convincing victims that the security message indicates that the document has been somehow secured to safeguard its contents. This is a clever way of using the pretext of security, which most users don’t understand, to persuade individuals. Kimberly’s post on the use of macro viruses presents several real-world examples that utilize this approach; these documents “explained” to victims:
As convincing as such text can be for some people, sometimes victims might require additional guidance to the activate macros.
Provide Detailed Instructions for Enabling Macros
Recognizing that some of the victims might not be tech-savvy, adversaries have been known to offer step-by-step instructions for enabling macros. This helps address scenario where the person’s Microsoft Office is globally configured to disable all macros.
For instance, take the real-world malicious Word document described by Dmitry Bestuzhev. The file was called DIAN_caso-5415.doc. When victims opened this file, they saw a nicely-formatted message that the adversary embedded in the document, explaining why the content could not be shown. The text is in Spanish, because this file was sent to recipients in Spanish-speaking countries:
The text advised that to view the document’s contents, the person need to enable macros. The malicious document included step-by-step instructions for accomplishing this. The instructions accommodated multiple versions of Microsoft Word and Excel and include detailed steps and screenshots like this:
If the Approach Works, Keep Using It
According to Dmitry, the document above was sent to victims in Colombia under the guise of a tax fraud notice. Interestingly, another malicious document that incorporated the same macro-enabling instructions was observed a month later by UNAM - CERT in Mexico. In that case, the context was a bank withdrawal notification. The file was called RETIRO-COMPRA_29882.doc.
As I explained in an earlier post about SRP streams, the analysis of SRP streams in both files reinforces the notion that these documents were probably used by the same adversary to pursue victims in multiple Spanish-speaking countries, including Colombia, Mexico and Chile. In each case, the document was crafted to social-engineer the recipient to enable macros and allow the malicious code to infect the system.
If you’re like to take a closer look at these two malicious documents, you can download them from the Malwr repository links I provided above for each file. Just be careful to conduct your examination on a properly-isolated laboratory system.
P.S. For those who like this stuff, let it be know that I’ll be teaching an online malware analysis course at SANS Institute starting July.
"You Have Been Selected for Family Resettlement to Australia," began the email that included the seal of the Embassy of Australia. "You are among the list of nominated for 2014 resettlement visa to Australia." The signature line claimed that the message had been sent by Hon Thomas Smith and came from "Australia Immigration Section <email@example.com>."
This was a scam, of course.
"What do I need to do?" I responded, curious what might come next. Hon Thomas Smith responded within a few hours, this time from firstname.lastname@example.org.
Request for Personal Information
The message attempted to mimic the letterhead of the Australian Department of Immigration and Citizenship and welcomed me “to Australia visa office.” It explained that:
"every year certain number of people are selected through our electronic ballot system for resettlement by Australia Government as part of support to Countries regarded as war zone area."
The miscreant requested that I submit a scanned copy of my travel passport, a recent photo and my phone number. In addition, I was to email a scanned white paper sheet with my fingerprints on it.
The email message included a PDF attachment that claimed to be Visa Form File/10121L-2014, which requested details such as date of birth, mother’s name and address. The PDF file didn’t have an exploit, as far as I can tell, and was merely designed as a place where the scammer’s target could conveniently provide personal information.
The scammer was pursuing this information probably with the goal of performing identity theft. Also, future interactions with the scammer would probably include a request for money to process the bogus application.
Free Sub-Domain Registration
The domain from which the scammer sent the application, immigrationsection.com.au.pn, is considered malicious by some security companies, according to VirusTotal. It redirects webs visitors to www-dot-popnic-dot-com, which some sources consider malicious.
Popnic-dot-com seems to be a front for Unionic-dot-com, which provides free domain registration, email forwarding, web hosting, URL forwarding, etc. under unusual TLDs such as .tc, .mn, .ms and others. More specifically, it offers registration under second-level domains that resemble TLDs assigned to major countries such as .uk.pn, .us.pn, .ca.pn, .au.pn, and others. No wonder it’s attractive to scammers, who want to get a domain that at a first glance seems legitimate.
With the increasing variety of TLDs available, scammers will have an easier job selecting domain names that catch the victims’ attention or evoke trust. Regardless of the domain used by the sender of the email message, if the offer sounds too good to be true and involves supplying sensitive information, it’s probably a scam.
Researching online scams opens a window into the world of deceit, offering a glimpse into human vulnerabilities that scammers exploit to further their interests at the victims’ expense. These social-engineering tactics are fascinating, because sometimes they work even when the person suspects that they are being manipulated.
Here are examples of 7 social engineering principles I’ve seen utilized as part of online scams:
Miscreants know how to exploit weaknesses in human psyche. Potential victims should understand their own vulnerabilities. This way, they might notice when they’re being social-engineered before the scam has a chance to complete itself. If this topic interests you, you might also like the following posts:
After agreeing to purchase the item or service you are selling, the remote buyer offers a check for an amount larger than you requested, with a polite request that you forward the difference to the buyer’s friend or colleague. You deposit the check, wait for it to clear, and send the funds to the designated party. What could possibly go wrong?
This is the gist of the check overpayment scam, which debuted on the Internet around 2002 according to Scopes.com. In 2004, FTC warned about initial variations of the scam, which began with the scammer agreeing to buy the item advertised online by the victim. A modern variation starts as a response to an ad for private lessons, placed on a site such as Craigslist:
"How are you doing today?I want a private lessons for my daughter,Mary. Mary is a 13 year old girl, home schooled and she is ready to learn. I would like the lessons to be in your home/studio. Please I want to know your policy with regard to the fees,cancellations, and make-up lessons."
How might you determine whether the sender has malicious intent? The lack of spaces after some punctuation marks seems strange. Also, a legitimate message would have probably included some details specific to the lessons being requested. The scammer probably excluded such details, because he or she used the same text for multiple victims, who offer different services. The message above didn’t include the recipient on the To: line, supporting the theory that the scammer sent it to multiple people.
If the victim responds to the original email, the scammer continues to weave the web of deceit:
"I’m a single parent who always want the best for my daughter and I would be more than happy if you can handle Mary very well for me. I would have loved to bring Mary for "meet and greet"interviews before the lessons commence, which I think is a normal way to book for lessons but am in Honolulu,Hawaii right now for a new job appointment. So,it will not be possible for me to come for the meeting. Mary will be coming for the lessons from my cousin’s location which is very close to you. Although,Mary and my cousin are currently in the UK and I want to finalize the arrangement for the lessons before they come back to the United States because that was my promise to Mary before they left for the UK."
"As for the payment, I want to pay for the three month lessons upfront which is $780 and I’m paying through a certified cashier’s check.Hope this is okay with you?"
I wouldn’t point to any specific aspect of this message as malicious, but the tone feels a bit off, even for a person who might be a non-native English speaker. The phrase “handle Mary very well for me” is strange. Also, it seems unusual to pay for private lessons using a cashier’s check. In addition, the message has more details about Mary and the sender’s travel than one would expect in this context. The scammer is probably doing this to justify a request that will be presented to the victim later.
If the recipient writes back, the scammer responds:
"My cousin will get in touch with you for the final lessons arrangement immediately they are back from the UK. I will want you to handle Mary very well for me because she is all I have left ever since her mother’s death four years ago. Being a single parent, It’s not easy but I believe God is on my side."
Several aspects of this message might trigger a careful reader’s anomaly detector. Again we see the strange phrase “handle Mary very well.” Also, the sender offers extraneous detail that don’t belong in the context of this email discussion, perhaps attempting to establish an emotional connection on the basis of death in the family and religion. There is more:
"I also want to let you know that the payment will be more than the cost for the three month lessons. So, as soon as you receive the check, I will like you to deduct the money that accrues to the cost of the lessons and you will assist me to send the rest balance to my cousin. This remaining balance is meant for Mary and my cousin’s flight expenses down to the USA, and also to buy the necessary materials needed for the lessons. I think,I should be able to trust you with this money?"
Now we see the classic element of the check overpayment scam. The sender is appealing to the recipient’s honesty and perhaps hopes to build upon the emotional response evoked in the earlier paragraph.
Scopes.com explains that the scam works because FTC “requires banks to make money from cashier’s, certified, or teller’s checks available in one to five days. Consequently, funds from checks that might not be good are often released into payees’ accounts long before the checks have been honored by their issuing banks. High quality forgeries can be bounced back and forth between banks for weeks before anyone catches on to their being worthless.”
Watch out for situations where a buyer is willing to overpay and asks for your help in forwarding the remainder of the funds to someone else. Also, look for anomalies that might indicate malicious intent, such as strange tone, unusual phrases, unnecessary details and uncommon punctuation. If you notice such aspects of the text, research them on the web before deciding whether to continue your correspondence.
Information security professionals need to keep an eye on the always-evolving cyber threat landscape. Accomplishing this involves understanding how changes in people’s use of technology influence the opportunities and techniques pursued by criminals on-line. Below are 5 tech trends that have affected the evolution of threats.
Mainstream adoption of the Internet into daily activities. The Internet has become so interwoven into our lives that we often don’t notice when activities make use of Internet-connected resources. Technology that allows people and businesses to utilize Internet connectivity has become so convenient, that even non-technical people, old and young, are able to harness the power of the web. As the result:
The increase in usefulness and popularity of mobile devices. Powerful pocket-sized computers with always-on Internet connectivity, also known as phones„ have become so common, that we rarely make a distinction between a regular and a “smart” phone. Overall, mobile devices have become as integral to the modern way of life as glasses, wallets and shoes. As the result:
The popularity and acceptance of online social networking. While initially seen as serving the needs of niche groups, websites such as Twitter, Facebook and LinkedIn, have been joined by numerous others to support new ways in which people socialize online. Social networking sites have become the backbone of modern interactions. As the result:
The connectivity between “physical” and “virtual” worlds. Objects, tools and other constructs (e.g., thermostats, industrial control systems, home automation devices) in the “physical” world are increasingly connected to the web, giving rise to the concept of the “Internet of things.” As the result:
The acceptance of cloud computing. The use of external, virtualized and/or outsourced IT resources has gained mainstream adoption for not only personal, but also enterprise applications. The cloud is permeating all aspects of modern life. It is becoming increasingly difficult and unnecessary to make a distinction between traditional and cloud-based technologies. As the result:
Though I’ve broken out technology trends as distinct observations, they are interrelated within a system that comprises the modern way of life, which incorporates phones, social exchanges, interconnectedness and cloud services into its very fabric. Similarly, the trends in attack strategies, targets and rewards are intertwined to create the reality that infosec professionals need to understand and safeguard.
Cormac Herley’s paper Why do Nigerian Scammers Say They are from Nigeria? explains how some purposefully-lame scam emails are advantageous to the attacker. Such messages allow the scammer to avoid victims who will consume valuable time, but will turn out to be too savvy to fall for the scam. Herley explains that by initiating contact using a blatantly fraudulent email “that repels all but the most gullible, the scammer gets the most promising marks to self-select.”
This motivates some scammers to send messages that are easily identified as fraudulent by many people, yet succeed at catching the more gullible portion of the population. An excerpt from one such example:
"We are top officials of the Federal Government Contract Review Panel who are interested in importation of goods into our country with funds which are presently trapped in Nigeria. In order to commence this business we solicit your assistance to enable us RECEIVE the said trapped funds ABROAD."
An article in The Economist on this subject quotes Basil Udotai, a former cybersecurity director of Nigeria’s National Security Adviser: “There are more non-Nigerian scammers claiming [to be] Nigerian than ever reported.” One motive for this might be “Nigeria’s dreadful reputation for corruption that makes the strange tales of dodgy lawyers, sudden death and orphaned fortunes seem plausible in the first place.”
Allowing victims to self-select as being vulnerable might be useful for online attacks and scams that involve social engineering and require human involvement on the attacker’s part. They also seem most appropriate for mass-scale attacks, where a small percentage of gullible people produces a sufficiently large set of likely targets.
Self-selecting victims by using blatantly malicious communications also might be useful for some penetration testing and targeted attack scenarios. A human-powered attack will want to focus on people most likely to assist the attacker. Moreover, the attacker might conceal his true sophistication by purposefully appearing amateurish.
So perhaps the next time you come across a poorly-worded email scam, filled with all-uppercase letters, typos, grandiose titles and financial promises, you won’t laugh at the naive message. The scammer might be so clever, that his apparent incompetence is a charade.
Hand-picked related articles:
Even a professional-looking printed document backed up by a professional-looking website, and endorsed by objective-looking reports talking up the business, might still be a total scam.
When discussing scams and malicious activities that have utilized the linkedin.com website, I alluded to the use of fake of fraudulent LinkedIn profiles. Though it’s hard to confirm the true nature of suspicious-looking profiles, I came across several that were implicated in conducting illegitimate activities; also, several studies have used fake LinkedIn profiles to conduct security-related research.
Initiating Contact Through LinkedIn in a Targeted Attack
Two years ago the LinkedIn profile that claimed to belong to Murray Rubens was being used to establish contact with employees at a well-known technology company. The person investigating the incident pointed out that the alleged scammer’s profile indicated that he worked at the targeted company since 1997; however, the company had no record of this employee. Here’s an example of a message sent by “Murray Rubens”:
I’d like to add you to my professional network on LinkedIn. I just got involved with Linked in and I wanted connect. I really love my job at Redactedand I want to connect to as many of my collegues as possible. I want to get off to a great start. Please connect if you do not wish to connect its OK. - Murray
Such an approach can be used to target the company’s employees with social engineering, malware or other attacks.
Note the apparent inconsistency between “Murray Rubens” claiming to be at the company since 1997, yet expressing the desire to “get off to a great start.” (Thanks to the investigator for allowing me to publish these details.)
Potential Scams That Involved LinkedIn Profiles
The Ripoff Report website documents numerous reports of confirmed and suspected scams. Some of them refer to them reference LinkedIn profiles that alleged scammers used when interacting with the complaining party.
One complaint describes a scam allegedly conducted by “Ana Velasco." According to the report, "Ana Velasco" followed the transcript of a classic bank guarantee scam over the period of 3 months. The alleged scammer is reported to have baited the victim out of $25,000 “by falsifying federal investment documents, wealthy client lists, worldwide contacts (Deutch Bank) falsifying her background in commodity trading and high yield investments.” The report includes a link to the LinkedIn profile of “Ana Velasco,” which is no longer present on the site.
Another write-up on Ripoff Report discusses an individual, who was reportedly “posing as an investor on LinkedIn." The person who filed the complaint explained that this individual contacted him through LinkedIn regarding investing in the person’s company. The report describes a number of red flags that made the person who filed it concerned, including inconsistencies in domain registration details. However, it stops short of presenting clear evidence that the interactions initiated via LinkedIn were part of a scam.
Fake LinkedIn Profiles Set Up by Researchers
A number of studies explored people’s willingness to interact with strangers on social networking sites, potentially revealing sensitive information or otherwise exposing themselves or their employers to scams. For example, Thomas Ryan of Provide Security set up a profile of a fictitious person named Robin Sage on LinkedIn, Facebook and Twitter. The profile used the photo below and described Robin Sage as “a flirtatious 25-year-old woman working as a ‘cyber threat analyst’ at the U.S. Navy’s Network Warfare Command,” according to the Washington Times article about the experiment.
According to the paper Thomas Ryan wrote about the experiment, he used the Robin Sage profile to establish connections with “executives at government entities such as the NSA, DOD and Military Intelligence groups. Other friends came from Global 500 corporations. Throughout the experiment Robin was offered gifts, government and corporate jobs, and options to speak at a variety of security conferences.” Thomas concluded that “the propagation of a false identity via social networking websites can be rampant and viral.”
Another experiment using a fake LinkedIn profile was conducted by Dennis Rand from CSIS Security Group. Seeking to research and demonstrate the potential for information leakage through LinkedIn, Dennis created a profile of a fictitious person named John Smith, after which he sent invitations to connect on LinkedIn:
Dennis provided the text of the invitation in the presentation he created to describe the experiment:
"I found you while I was searching my network on LinkedIn and found you.
In the future I might be interested in contacting you regarding a possible job/business connections, so this is my way to keep a list of interesting people/possible future business partners/connections. …
Hope you will take the time to read my profile and accept my invite : )”
Dennis reported that “in less than 2 weeks I had build up a network of 1300+ connections with email addresses, names and a lot of information about the different large companies.”
Wrapping it Up
The nature of on-line social networking involves establishing connections with people without the opportunity to establish the person’s authenticity and reputation. Making the initial connection requires taking a leap of faith, which can easily exploited by scammers. As we saw, security researchers have demonstrated the ease with which anyone can quickly build a respectable-looking profile on LinkedIn. We also saw that miscreants can rely on LinkedIn profiles as part of a cover story when conducting a scam.
This post is part of a series that explores LinkedIn scams, fraud and information security risks. The other posts are:
Although malicious activities that involve LinkedIn aren’t as popular as those associated with other social networking sites, the service has seen its share of scams and fraud. The majority such incidents occurred outside of the LinkedIn website, and took the form of LinkedIn look-alike email spam. However, there have been cases where the scammers used the linkedin.com website itself to achieve their goals. Let’s take a look at some of them.
Using linkedin.com as a Redirector to Malicious Sites
It’s simple to use linkedin.com as a redirector to other websites at the moment. The URL needs to look like this to redirect you to Google, for instance:
Attackers benefit from “bouncing” users off a website that has a strong reputation, because doing so lends credibility to the link that ultimately will lead to a malicious site. Gerald Dillera at TrendLabs described one such attack that used linkedin.com. The incident involved Facebook wall posts that promised to show “The Video That Just Ended Justin Biebers Career For Good!”
When the potential victim clicked the link, Facebook showed a confirmation that the person is about to leave Facebook.com and be taken to linkedin.com. However, linkedin.com would redirect the person once more to a malicious domain. According to Gerald, “the cybercriminals behind this attack benefit from those who paid to answer the online survey. In addition, this can also pave the way for malware infection and information theft.”
Fraudulent Job Postings on LinkedIn
The LinkedIn Jobs site is designed to pair up job seekers with employers. Perhaps it’s not surprising that this service can act as a venue for distributing fraudulent job postings. The examples I’ve seen involved recruiting money mules, though the creators of these job postings did their best to make them look legitimate.
Consider one such posting, which has been live on LinkedIn for about a month as of this writing and carried the title “*** COME AND WORK WITH US ***”. This work-from-home job promised to pay a weekly salary and a 10% commission for “assisting us in processing the payments from our clients.” The responsibilities were described as follows:
"1. Recieve payment from Customers
2. Cash it at any cashing point or at your banks and you will deduct 10% which will be your percentage/payon Payment processed
3. Forward balance after deduction of percentage/pay to any of the offices you will be contacted to send payment to.(Payment is to forwarded either by Money Gram or Western Union Money Transfer.”
The posting claimed to be recruiting for a legitimate UK company. It was posted by “scott miller” with a mostly empty profile, 1 connection and the location of Nigeria.
The text in the above job posting was very similar to the one that Scott Allen from LinkedIn Intelligence described in 2007. It was titled “REQUEST TO ACT AS PAYMENT REPRESENTATIVE” for H & S International Limited:
Criminals recruit money mules in an effort to get money earned through illegitimate means out of the country. In some cases, dedicated sites are set up for the recruiting effort. In others, traditional job sites, including LinkedIn, help with the hiring process.
Scams Sent to the LinkedIn Inbox
Like many other social networking sites, LinkedIn allows the site’s users to contact each other using an email-like messaging service. This functionality can be used to contact LinkedIn users for fraudulent purposes. LinkedIn users tend to be in a sociable frame of mind when visiting linkedin.com and checking the contents of the site’s Inbox; this might make them more vulnerable to scams.
For instance, some LinkedIn users received in their Inbox a message from Natasha Kone, whose text followed the narrative of a classic 419 scam:
"Before the death of my father on the 12th December 2007,in a private hospital here in Abidjan,he called me secretly to his bed side and told me that he kept a sum of $6.500 000… I am inclined to offer you 15% of the total sum as a way of compensation for your effort after the successful transfer of these fund to your nominated account overseas."
In such advanced fee scams, the target is persuaded to “advance sums of money in the hope of realizing a significantly larger gain” according to Wikipedia. Contacting potential victims using LinkedIn offers the scammer the potential to build a believable social networking profile that could put the target at ease.
Consider another scenario, which demonstrates, at best, questionable use of the LinkedIn website. Joseph Dowdy from MeshMarketer described receiving “an invitation through LinkedIn to become listed in Stanford Who’s Who.” Joseph wrote that because “the invitation was coming from LinkedIn, I thought it must be legit without having to do the footwork to see if it was a scam.”
Joseph later became suspicious of the service after noticing that the sample profile shown on Stanford Who’s Who’s website was using a photo of his friend without her approval. He noticed numerous complaints recorded about the company on the Rip-off Report website, alleging that it deceives people into paying large fees.
Wrapping it Up
As you can see, scammers have been using the LinkedIn website in several ways, including treating linkedin.com as a redirector to malicious sites, posting fraudulent ads and interacting with potential victims using the LinkedIn website. It’s interesting to note that while the platform provides numerous other opportunities for fraud, I haven’t seen many publicly-documented incidents of this nature.
This post is part of a series that explores LinkedIn scams, fraud and information security risks. The other posts are: