Microsoft Office documents offer a convenient way to infect systems through the use of macros. However, the attacker needs to persuade victims to enable macros after opening the booby-trapped file, so social engineering is a central element of these attacks.
The defense mechanism that such malware authors need to bypass is typically the yellow security warning that Microsoft Office applications display to explain that “Macros have been disabled.” How would you persuade the document’s recipient to click the enticingly-named Enable Content?
Misrepresent the Meaning of the Security Warning
One approach attackers have employed to deal with the warning involves convincing victims that the security message indicates that the document has somehow been secured to safeguard its contents. This is a clever use of the pretext of security, which most users don’t understand well, to persuade them to act. Kimberly’s post on the use of macro viruses presents several real-world examples that use this approach; these documents “explained” to victims:
As convincing as such text can be for some people, victims sometimes need additional guidance to activate macros.
Provide Detailed Instructions for Enabling Macros
Recognizing that some victims might not be tech-savvy, adversaries have been known to offer step-by-step instructions for enabling macros. This addresses the scenario where the person’s Microsoft Office installation is configured to disable all macros.
For instance, take the real-world malicious Word document described by Dmitry Bestuzhev. The file was called DIAN_caso-5415.doc. When victims opened this file, they saw a nicely-formatted message that the adversary embedded in the document, explaining why the content could not be shown. The text is in Spanish, because this file was sent to recipients in Spanish-speaking countries:
The text advised that the person needed to enable macros to view the document’s contents, and the document included step-by-step instructions for doing so. The instructions covered multiple versions of Microsoft Word and Excel and included detailed steps and screenshots like this:
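The lure text in these documents follows a recognizable pattern: it presents the yellow bar as “protection,” tells the reader to enable macros, and then walks them through Office’s settings. The following triage script, an added example rather than code from the original post, runs those three checks over extracted document text in both English and Spanish. It assumes you have already dumped the visible text of the suspect document; the strings in SAMPLES are constructed for illustration and are not the text of the real DIAN_caso-5415.doc or RETIRO-COMPRA_29882.doc files.

```python
"""Triage extracted document text for macro-enabling social-engineering lures.

Added example, not code from the original post. Assumes the visible text of a
suspect Office document has already been extracted; SAMPLES are constructed.
"""
import re
import unicodedata

# Lure categories: presenting the security bar as "protection", telling the reader to
# enable macros, and step-by-step instructions through Office's settings. Patterns run
# on normalised text (lowercase, accents stripped), so Spanish words carry no accents.
LURE_PATTERNS = {
    "security_pretext": [
        r"\b(protected|secured|encrypted)\b[^.]*\b(document|file|content)\b",
        r"\b(document|file|content)\b[^.]*\b(protected|secured|encrypted)\b",
        r"\b(documento|archivo|contenido)\b[^.]*\b(protegido|cifrado|seguro)\b",
    ],
    "enable_macros": [
        r"\benable\s+(macros?|content|editing)\b",
        r"\b(habilitar|activar)\s+(las\s+)?(macros?|contenido|edicion)\b",
    ],
    "step_by_step": [
        r"\b(step|paso)\s*\d+\b",
        r"\btrust\s+center\b|\bcentro\s+de\s+confianza\b",
        r"\bmacro\s+settings\b|\bconfiguracion\s+de\s+macros\b",
        r"\b(file|archivo)\b[^.]*\b(options|opciones)\b",
    ],
}

# Constructed sample texts (not taken from the real malicious documents).
SAMPLES = {
    "english_lure": (
        "This document is protected. To view the content, click Enable Content on the "
        "yellow bar. Step 1: click File > Options. Step 2: open Trust Center > Macro Settings."
    ),
    "spanish_lure": (
        "Este documento está protegido. Para ver el contenido debe habilitar macros. "
        "Paso 1: Archivo > Opciones > Centro de confianza."
    ),
    "benign": "Quarterly sales figures are attached; see the spreadsheet for totals.",
}


def normalize(text):
    """Lowercase, strip accents and collapse whitespace so one pattern set covers both languages."""
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return re.sub(r"\s+", " ", stripped.lower())


def find_macro_lures(text):
    """Return {category: [matched snippets]} for every lure category present in the text."""
    norm = normalize(text)
    hits = {}
    for category, patterns in LURE_PATTERNS.items():
        snippets = [m.group(0) for pat in patterns for m in re.finditer(pat, norm)]
        if snippets:
            hits[category] = snippets
    return hits


def is_macro_lure(text, min_categories=2):
    """Flag text that pushes the reader to enable macros and additionally either
    misrepresents the warning or hands out step-by-step instructions."""
    hits = find_macro_lures(text)
    return "enable_macros" in hits and len(hits) >= min_categories


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, is_macro_lure(text), find_macro_lures(text))
```

This is a text heuristic for prioritizing documents, not a substitute for extracting and analyzing the VBA project itself; a document that matches deserves macro extraction in an isolated lab.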
If the Approach Works, Keep Using It
According to Dmitry, the document above was sent to victims in Colombia under the guise of a tax fraud notice. Interestingly, another malicious document that incorporated the same macro-enabling instructions was observed a month later by UNAM - CERT in Mexico. In that case, the context was a bank withdrawal notification. The file was called RETIRO-COMPRA_29882.doc.
As I explained in an earlier post about SRP streams, the analysis of SRP streams in both files reinforces the notion that these documents were probably used by the same adversary to pursue victims in multiple Spanish-speaking countries, including Colombia, Mexico and Chile. In each case, the document was crafted to social-engineer the recipient to enable macros and allow the malicious code to infect the system.
If you’d like to take a closer look at these two malicious documents, you can download them from the Malwr repository links I provided above for each file. Just be careful to conduct your examination on a properly isolated laboratory system.
P.S. For those who like this stuff, let it be known that I’ll be teaching an online malware analysis course at SANS Institute starting July.
Researching online scams opens a window into the world of deceit, offering a glimpse into human vulnerabilities that scammers exploit to further their interests at the victims’ expense. These social-engineering tactics are fascinating, because sometimes they work even when the person suspects that they are being manipulated.
Here are examples of 7 social engineering principles I’ve seen utilized as part of online scams:
Miscreants know how to exploit weaknesses in the human psyche. Potential victims should understand their own vulnerabilities. This way, they might notice that they’re being social-engineered before the scam has a chance to complete. If this topic interests you, you might also like the following posts:
Cormac Herley’s paper Why do Nigerian Scammers Say They are from Nigeria? explains how some purposefully-lame scam emails are advantageous to the attacker. Such messages allow the scammer to avoid victims who will consume valuable time, but will turn out to be too savvy to fall for the scam. Herley explains that by initiating contact using a blatantly fraudulent email “that repels all but the most gullible, the scammer gets the most promising marks to self-select.”
This motivates some scammers to send messages that many people easily identify as fraudulent, yet that still catch the more gullible portion of the population. An excerpt from one such example:
"We are top officials of the Federal Government Contract Review Panel who are interested in importation of goods into our country with funds which are presently trapped in Nigeria. In order to commence this business we solicit your assistance to enable us RECEIVE the said trapped funds ABROAD."
An article in The Economist on this subject quotes Basil Udotai, a former cybersecurity director of Nigeria’s National Security Adviser: “There are more non-Nigerian scammers claiming [to be] Nigerian than ever reported.” One motive for this might be “Nigeria’s dreadful reputation for corruption that makes the strange tales of dodgy lawyers, sudden death and orphaned fortunes seem plausible in the first place.”
Allowing victims to self-select as vulnerable is useful for online attacks and scams that involve social engineering and require human effort on the attacker’s part. Such tactics also seem most appropriate for mass-scale attacks, where a small percentage of gullible people still produces a sufficiently large set of likely targets.
Self-selecting victims by using blatantly malicious communications might also be useful in some penetration testing and targeted attack scenarios. A human-powered attack will want to focus on the people most likely to assist the attacker. Moreover, the attacker might conceal his true sophistication by purposefully appearing amateurish.
So perhaps the next time you come across a poorly-worded email scam, filled with all-uppercase letters, typos, grandiose titles and financial promises, you won’t laugh at the naive message. The scammer might be so clever, that his apparent incompetence is a charade.
Hand-picked related articles:
Phishing—a technique grounded in social engineering—remains an effective way for attackers to trick people into giving up sensitive information. Potential victims can be contacted by email, fax, phone calls and SMS text messages. Below is an example of such a scam sent through SMS—a practice sometimes called smishing.
In this case, the recipient is requested to visit update.vtext02.net to update account information, supposedly so that he or she can continue using Verizon services.
The phone number of the SMS message’s sender was most likely spoofed.
The malicious domain vtext02.net appears to have been shut down by its registrar several hours after the phishing text message was received. When it was still active, the victim visiting the link on the SMS message would have seen the following page that mimicked the Verizon Wireless website:
All elements of this page were unclickable images with the exception of the form that prompted the victim for his or her Verizon account credentials. The “Sign In” button would submit the data to the phisher’s server-side confirm.php script. Here’s an excerpt from the page’s HTML code:
A similar incident was publicly described by another person about a month earlier. In that case, the recipient was being directed to another malicious URL. The phishing SMS message stated “V.erizon.wireless.update. Please click on http:// verizon.vtext-1.com and proceed.” (Don’t go there.)
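The traits described above (a page that is almost entirely static images, a single form collecting credentials, and a submission to a script on the phisher’s own host) are exactly what an analyst checks when triaging a captured phishing page. The script below is an added example, not code from the original post and not the real page’s HTML: the sample markup is constructed to resemble the described lookalike, the page path is made up (only the update.vtext02.net host and the confirm.php script name come from the post), and the list of domains the impersonated brand would legitimately use for sign-in is an analyst-supplied assumption.

```python
"""Inspect a captured HTML page for the traits of a credential-phishing lookalike.

Added example, not code from the original post. SAMPLE_HTML is constructed;
VERIZON_DOMAINS is an assumption about the impersonated brand's real hosts.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Host named in the post; the path is constructed.
SAMPLE_PAGE_URL = "http://update.vtext02.net/update.html"

# Constructed lookalike: flat images for every visual element, one credential form.
SAMPLE_HTML = """<html><body>
<img src="header.png"><img src="navbar.png"><img src="promo.png">
<form method="post" action="confirm.php">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign In">
</form>
<img src="footer.png">
</body></html>"""

# Assumption: domains under which the brand would legitimately host a sign-in page.
VERIZON_DOMAINS = ("verizonwireless.com", "verizon.com")


class PageInventory(HTMLParser):
    """Collect hyperlinks, images and forms (with their input fields) from an HTML page."""

    def __init__(self):
        super().__init__()
        self.links, self.images, self.forms = [], [], []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img":
            self.images.append(a.get("src", ""))
        elif tag == "form":
            self._form = {"action": a.get("action", ""), "inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append((a.get("type", "text").lower(), a.get("name", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def host_under(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def phishing_indicators(html, page_url, brand_domains):
    """Return the indicators a phishing-page triage would report for this page."""
    inv = PageInventory()
    inv.feed(html)
    page_host = urlparse(page_url).hostname or ""
    # Forms that collect a password are the credential-harvesting forms.
    cred_actions = [
        urljoin(page_url, form["action"])
        for form in inv.forms
        if any(kind == "password" for kind, _ in form["inputs"])
    ]
    return {
        "credential_forms": cred_actions,
        "plain_http_submit": any(urlparse(u).scheme == "http" for u in cred_actions),
        "offsite_submit": any((urlparse(u).hostname or "") != page_host for u in cred_actions),
        "brand_domain_mismatch": bool(cred_actions) and not host_under(page_host, brand_domains),
        "static_facade": bool(inv.images) and not inv.links,
        "images": len(inv.images),
        "links": len(inv.links),
    }


def analyze_sample():
    return phishing_indicators(SAMPLE_HTML, SAMPLE_PAGE_URL, VERIZON_DOMAINS)


if __name__ == "__main__":
    for key, value in analyze_sample().items():
        print(f"{key}: {value}")
```

For the constructed page the script reports a credential form posting to confirm.php on the same host, over plain HTTP, from a host outside the brand’s domains, on a page with four images and no hyperlinks; any one of those is a reason to look closer, and all four together describe the page in the post.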
Mobile phone users are especially vulnerable to social engineering scams. One of the reasons for this, as pointed out by ESET’s Randy Abrams, is that “virtually none of the visual indicators that help even a moderately savvy novice computer user make informed decisions are present on mobile devices.”
Russ Klanke documented the steps for reporting a suspicious SMS message to the GSMA Spam Reporting Service by sending a text to short code 7726 (SPAM).
— Lenny Zeltser
Tactics that incorporate social engineering can be highly effective at bypassing security controls. Perhaps we are vulnerable to social engineering because of the traits and behaviors that allow us to quickly make decisions that sometimes turn out to be wrong. It’s important to study and understand such persuasion approaches, so we can adjust defenses appropriately. Yet, such research needs to be conducted in a responsible and ethical manner.
As a society, we’ve been fascinated with the ability of some people to persuade others through language. In the context of scams, such skills have been exhibited by con artists, who are able to persuade victims into taking actions against their own interests. I dislike the term “con artist,” because the reference to art seems to glorify the practice of defrauding people and organizations.
Similarly, social engineering, when employed to someone’s detriment or without permission, is a scam, not an opportunity to show off one’s persuasion prowess. Just because it’s possible to influence someone to give up sensitive data, grant access to a system or otherwise aid the social engineer’s objective doesn’t mean that the social engineer should take advantage of this vulnerability.
We’re all vulnerable to social engineering. Researching such practices in a responsible manner can help strengthen defenses against attacks that target humans through influence and persuasion. Yet, we should be careful not to forgo a sense of ethics when employing social engineering to test defenses. Remember, the difference between any security assessment and a malicious attack often merely amounts to permission.
I can imagine that there are some people out there who will be so intrigued by the illegible message that they will open the archive file and then, out of curiosity, run the .exe file.
Having covered the risks related to on-line social networking on several occasions, I’d like to outline my tips for using these services securely. In compiling this list, I tried to stay away from impractical recommendations, and did my best to base advice on actual occurrences, rather than theoretical threats:
While the tips above were focused on social networking services, standard Internet safety recommendations apply: limit the reuse of passwords across sites; keep up with security patches; disable risky browser plugins that you rarely use (e.g., Java).
Like any of our actions that involve interacting with others, using social networking sites exposes us to risks of being scammed, infected or otherwise attacked. My hope is that the tips above provide practical recommendations that allow people and organizations to derive benefits from these communication mechanisms while keeping the risks at a manageable level.
The most popular method for distributing malware for mobile devices has been grounded in social engineering. We haven’t seen many exploits of vulnerabilities used to infect mobile devices, because it’s simpler and often more reliable to persuade the user to install a malicious program. Let’s take a look at how such attacks have occurred and why they’ve been so effective.
Malicious Apps that Look Legitimate
The most common social engineering approach employed by mobile device malware involves masquerading as a legitimate application. This technique, which spreads malware in the form of trojan programs, has been employed by malicious software on other platforms for a long time.
This has been a major issue on Android, which offers few barriers to listing a program on its various app marketplaces. For instance, in Spring 2011 Google removed over 50 malicious apps from Android Market that turned out to be variants of the DroidDream trojan; they looked like legitimate applications and had names like Super Guitar Solo.
The persuasion mechanism of this approach to distributing malware is simple: create or customize an app that a user might want to download and list it in the app store or marketplace. Then wait for victims to install the malicious program. Examples of trojan mobile apps on other platforms include trojanized games such as Terdial for Windows Mobile and Mosquito for Symbian.
Advice: Don’t install apps from untrusted developers. Relying on the app’s ratings may be insufficient, because many users might be enjoying the app’s features without realizing that it contains hidden functionality.
Illegitimate Sources of Mobile Apps
The efforts to persuade the victim to install GGTracker malware on Android began with an ad displayed within a legitimate app running on the phone. According to Lookout, the ad directed the person to a website that claimed to analyze the phone’s battery.
After clicking OK, the victim would be redirected to a page that looked like Android Market, which attempted to convince the user to install a “Battery Saver” app that turned out to be malicious.
By default, Android disallows the installation of applications that originate from a source other than Android Market. In anticipation of this, the malicious app advised the user that:
"Due to the power savings this application produces, it's only available outside of the Android Marketplace. You might need to unblock the install by updating your Settings."
Since Apple exercises much tighter control over its App Store, it’s harder for an end user to install an app that comes from another source. Moreover, all user-installed apps have to be signed by Apple, which is probably why we haven’t seen such incidents affecting iOS to date. To install an unsigned and untrusted app, the iOS user would have to be running a jailbroken iPhone or iPad. It may be possible for a malware developer to distribute an app outside of the App Store through Ad Hoc distribution to registered devices or through the iOS Developer Enterprise Program; however, Apple still exercises some control over apps distributed in these ways, since it issues the certificates they depend on.
Advice: Don’t enable support for installing apps from sources other than the phone’s manufacturer. If jailbreaking your mobile device, understand the risk involved in installing apps from potentially-untrusted third parties.
Installation Request from the Victim’s PC
In the case of ZeuS malware variants that target mobile devices, persuasion originates from the victim’s PC. When the person visits a banking site from an infected computer, he is prompted to “download an authentication or security component onto their mobile device in order to complete the login process” according to Trusteer. In one case, as reported by Kaspersky Lab, the message attempted to trick the victim into installing a fake version of the Trusteer Rapport app for Android.
Since the victim was under the impression that the request to install the program came from a bank (a trusted entity), and because the request was made in the name of security, the person was likely to drop his or her guard and install the malicious program on the phone.
Advice: Be cautious of requests to install a mobile device app, regardless of the venue through which the request arrives.
Wrapping it Up
As we’ve seen, authors and distributors of mobile device malware have been effective at using social engineering techniques to trick victims into installing malware. Though there are some steps people can take to avoid being manipulated in this manner, the reality is that withstanding well-crafted social engineering campaigns is incredibly hard. This is especially applicable to mobile devices, where visual indicators that may help users understand the context of their actions are often lacking.
We all like knowing what other people are saying about us. That’s why vanity searches (searching the web for mentions of one’s name) are so popular. Companies do it too, by setting up alerts and RSS feeds to see what is being discussed about them on-line. Such “egosurfing” practices can also be used to target an individual or a company with a client-side or a social engineering attack.
The promise of revealing information about the person—offering either gossip or actionable intelligence—can act as a powerful lure. Consider what happens when you see a new mention of your name in Google on some web page or a discussion forum. “Cool,” you think to yourself, “I wonder what they are saying about me.” Then you click the link to go there.
Mass-Scale Vanity Search Attacks
Peter Szor recently described an experience of encountering a fake anti-virus scam (MacDefender) when searching for his name in Google to locate an old photo from a conference. That malicious website aimed to attack as many people as possible, drawing in potential victims with black hat Search Engine Optimization (SEO) techniques. By clicking a link in Google search results, the person visited the website, which attempted to social-engineer him into installing malware.
Targeted Vanity Search Attacks
Knowing that many (most? all?) individuals and organizations conduct vanity web searches allows an attacker to target a particular entity, say the targeted company’s CEO. A commenter outlined this approach in response to my earlier post on Monitoring Social Media for Security References to Your Organization:
"All one would have to do is create the site with the key flags (CEO name, Company name, etc.) and watch the logs until Google does its indexing. Once indexed by Google, post the nastyware on the site and wait for the CEO to follow the alert they get."
By noticing a new reference to the monitored or searched-for name, the person would likely visit the malicious website and be subjected to a client-side attack or a social engineering scam. I bet this technique can be no less effective than emailing the potential victim a malicious link or an attachment. (Why go to them when you can lure them to come to you?)
Should we give up the practice of vanity web searches? I know that won’t happen. But perhaps it’s worth exercising extra caution when visiting the websites that show up the next time you egosurf.