"Top Ten Social Engineering Attacks Users Need to Know About" -- provided by Harbin Antiy Technology Group Co., Ltd.

2018-06-04

"National Cybersecurity Awareness Month" is the perfect time to look into stolen passwords, phishing, malware, and some of the social engineering attacks that ordinary users are not aware of. The Verizon Data Breach Investigations Report shows that 43% of data breaches in the last year were related to social engineering attacks.

Aaron Higbee, CTO of PhishMe, says: "We are seeing a lot of social engineering attacks, with a particular fondness for targeting lonely men at home. The attacker sends him nude photos of a woman, tricks him into sending a nude photo of himself, and then threatens to post it to Facebook to force him to pay a ransom."

Christopher Hadnagy, chief human hacker at Social-Engineer, adds that people should be aware that social engineering attacks such as voice phishing (vishing) are becoming more and more common.

"Criminals buy data on the dark web, then call people and tell them they owed several thousand dollars in federal taxes a few years ago," Hadnagy says. "Even though people know the IRS only notifies them in writing and never calls directly, many still fall for it."

Based on interviews with Higbee, PhishMe chief threat scientist Gary Warner, and Hadnagy, Dark Reading compiled the following ten social engineering attack methods.

1. Vishing (voice phishing)

End users have become fairly wary of fraudulent emails, but many forget that hackers often use low-tech phone scams.

In some of these calls, the scammer claims to be Microsoft technical support and asks the user to provide credentials and/or a credit card number. Never fall for this! Remember, Microsoft will not call out of the blue to ask how your computer is running. The same goes for the IRS. Scammers keep calling and claim, as if it were true, that the taxpayer owes taxes, such as $3,000 in back taxes for 2012. Once again, this will never happen. The IRS will not call you and will not email you. They only communicate with taxpayers in writing. If you receive a fake Microsoft technical support call, report it at https://www.microsoft.com/en-us/reportascam/

2. Scams that exploit SEO (search engine optimization)

Do you have an old printer or scanner that needs a driver? If so, be careful, because for a few dollars an attacker can use marketing tactics to steer search engine traffic to a fake driver that infects your computer.

For example, when you search for help with printing, the results may take you to a site that looks like an official driver site but in fact only serves malware from an infected server. They don't have to spend a lot of money to build the site and buy key search terms to lure unsuspecting victims.

3. Phishing sites can also be HTTPS

Conventional wisdom held that an SSL certificate on an HTTPS site meant the site was safe. Attackers didn't want to pay a high price for a valid SSL certificate. Now they get their wish: sites such as letsencrypt.org provide SSL certificates for free.

Users cannot assume a site is safe just because it is HTTPS. For important banking and other login pages, users should "look for the green bar", which means the site not only uses HTTPS but also an Extended Validation SSL certificate (EV-SSL), which attackers cannot obtain for free.

4. Fake sites that pass for real ones

People browse the web but don't always look carefully. Hackers can register a domain name resembling a legitimate site such as PayPal or eBay, making it look nearly 99% authentic. Clever fraudsters hide malware in these pages and also hide foreign-language characters that are not easily seen by the naked eye.

5. Right-to-left override

Hackers can use the "right-to-left override" to launch malware. A file appears like this: validate.exe.jpg, basically a normal jpg file. But in reality, a Unicode conversion reveals that the file is actually an executable named validate.jpg.exe. The user then unknowingly launches the malware and infects the computer.

Once again, the golden rule: if you receive a file from a stranger, do not open it.

6. Nude-photo extortion and porn site unsubscribe scams

The targets of these scams are usually lonely men. The scammer sends nude photos of a woman to trick the victim into sending a nude photo of himself. If the target takes the bait, the scammer sends a ransom demand threatening to post the photo on Facebook or other social media, forcing them to pay.

These types of crimes are low tech; the scammer doesn't even have to write code or set up a website. All they need is a few nude photos. In another sex scam, users at work receive a message from a porn site saying they are subscribed. To unsubscribe, they are asked to send their work email address and password. As soon as one employee takes the bait, the scammer can break into the corporate network.

7. Low-tech ransomware

As mentioned above, some attackers go low-tech. The attacker emails users claiming to have hacked their files and corporate accounts. Of course, this is a complete bluff, but the hackers usually demand $300 worth of Bitcoin.

A worried user may pay the ransom for peace of mind. In this case, all the hacker needs is an email address to make some quick money.

8. "File too big" phishing emails

Have you ever been told a file was too big when attaching it to an email? People are used to sharing larger documents and videos via Dropbox, Box, or OneDrive. In this scam, the attacker sends the victim an email that looks like it comes from a colleague or supervisor and tells them to take a look at a file. Using this method, the attacker can bypass email security protections and trick the victim into opening malware hosted on a popular file-sharing site.

9. Gaining administrator access

Attackers have many ways of using "lateral movement" to reach their target, but highly privileged users are not always aware that they are being attacked.

Access to HR databases or wire-transfer privileges can be obtained this way. Or a hacker may want an IT helpdesk worker's administrator access. So the attacker gains access to a user's machine, then deliberately breaks something or sends the helpdesk a message saying an application such as Word has been disabled on the machine. When the helpdesk worker logs in, the hacker steals the cached administrator credentials and gains access to the corporate network.

10. Automated tools

Attackers have automated software that checks whether a password contains dictionary words, so using any word or name in a password reduces security. It's not a matter of "guessable or not guessable": users should use letters and numbers that have no meaning and would not be found in any dictionary (or phone book).


Social Engineering Attacks Your End Users Need to Know About


https://www.darkreading.com/attacks-breaches/10-social-engineering-attacks-your-end-users-need-to-know-about--/d/d-id/1330171

10/19/2017
02:30 PM

Steve Zurier


    It's the middle of National Cybersecurity Awareness Month: the perfect time to look beyond the obvious stolen passwords, phishing and malware, and into some of the social engineering attacks less known to the average end user. And here’s something you security professionals might not know: 43 percent of breaches in the last year were related to social engineering attacks, according to the Verizon Data Breach Investigations Report. 


    "We’re seeing a lot of social attacks, especially taking advantage of lonely guys at home," says Aaron Higbee, CTO at PhishMe. "Attackers will entice a person with a nude picture then get him to send a nude picture of himself. Then the attacker will say they will send it to Facebook unless they pay a ransom."

    Christopher Hadnagy, chief human hacker at Social-Engineer adds that people should be aware that social attacks such as phone-based vishing where attackers try to steal money over the phone are becoming more prevalent.

    "Criminals buy data on the Dark Web then call people saying they owe several thousands of dollars in back federal taxes from a few years ago," Hadnagy says. "Even though people may know that the IRS will only notify them in writing and will never call them directly, they still fall for it."

Based on interviews with Higbee, his colleague and chief threat scientist at PhishMe, Gary Warner, and Social-Engineer’s Hadnagy, Dark Reading has developed a list of 10 hacks that might not always be as readily apparent.

1. Vishing


    End users are so focused on looking for fraudulent emails that many forget hackers often prefer to go low-tech with voice, or vishing calls.

    In some of these phone calls, scammers purport to be Microsoft support and ask the user to give them their credentials and/or their credit card. Never do this. Remember that NO ONE from Microsoft will ever call you out of the blue asking how your computer is doing. The same holds true for the IRS, but people fall for it. Scammers call people all the time and tell them they owe a plausible amount, say $3,000 in back taxes for 2012. Once again, this will never happen. The IRS won’t call you and won’t send you an email. For better or worse, they will only communicate with taxpayers about back taxes in writing. If you receive a fake Microsoft Tech Support call, report it: https://www.microsoft.com/en-us/reportascam/.

 

2. Attackers using SEO to scam legit web users

    Do you have an old printer or scanner you need a driver for? Watch out, because for a few dollars attackers can use marketing tactics to drive search engine traffic to a fake driver that infects your computer.

    For example, a search for help with printing may take you to a website that looks like it has official drivers but instead serves malware. The attackers don’t have to spend a lot of money to build a website and purchase key Internet search terms to lure unsuspecting victims.

 

3. Phishing websites can be HTTPS

    The conventional wisdom was that SSL on an HTTPS site is a sign that it’s safe. Attackers didn’t want the headache or expense of obtaining a valid SSL certificate, which made them extremely rare. Not so anymore, thanks to websites like letsencrypt.org, which give away free SSL certs.

    Users cannot assume a site is safe because of HTTPS. For important banking and other log-in pages, they should "look for the green bar" which means the site is not just using HTTPS, but is using an Extended Validation SSL certificate (EV-SSL), which bad guys cannot get for free.

 

4. Phony sites filled with malware that appear like real ones

    People browse the web freely and aren’t always paying close attention. Hackers can register a domain name of a legitimate website such as PayPal or eBay and make them look nearly 99 percent authentic. Clever fraudsters hide malware on these pages and also hide foreign language characters that aren’t readily visible to the naked eye unless the person works as a late night copyeditor.

 

5. Right-to-left override

    While it’s been around for a while, users should also be aware that hackers can use a “right-to-left override” to launch malware. What happens is that a file will look like this: validate.exe.jpg, basically a normal jpg file. But in reality, thanks to a Unicode control character that reverses the display order of the text that follows it, the file is actually an executable named validate.jpg.exe. The user then unknowingly launches the malware, infecting the computer.

    Reiterate the golden rule: If you weren’t expecting the file from that person, don’t open it.
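The right-to-left override trick in item 5 (in both the translated and the original text above) can be detected mechanically: strip the Unicode bidi control characters to recover the name the operating system will actually open, and compare its extension with the one a file manager would display. The following checker is an added example, not code from the article or its sources; the sample filename is constructed, and its display rendering is a simplified model of the bidi algorithm that handles the override and its terminator only.

```python
import os

# Unicode bidirectional control characters that can reorder how a
# filename is displayed without changing the name the OS actually uses.
BIDI_CONTROLS = {
    "\u200e": "LRM", "\u200f": "RLM",
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
RLO, PDF = "\u202e", "\u202c"

def approximate_display(name: str) -> str:
    """Approximate how a file manager renders NAME: text after an RLO is
    shown reversed until a PDF or the end of the string. Simplified model
    of the bidi algorithm, sufficient for the RLO extension trick."""
    out, i = [], 0
    while i < len(name):
        if name[i] == RLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif name[i] in BIDI_CONTROLS:
            i += 1  # other controls render as nothing
        else:
            out.append(name[i])
            i += 1
    return "".join(out)

def analyze_filename(name: str) -> dict:
    """Report the displayed name, the true name the OS opens, its real
    extension, which bidi controls were present, and whether the
    displayed and real extensions disagree."""
    controls = [BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS]
    true_name = "".join(c for c in name if c not in BIDI_CONTROLS)
    true_ext = os.path.splitext(true_name)[1].lower()
    displayed = approximate_display(name)
    displayed_ext = os.path.splitext(displayed)[1].lower()
    return {
        "displayed": displayed,
        "true_name": true_name,
        "true_extension": true_ext,
        "controls": controls,
        "extension_mismatch": displayed_ext != true_ext,
    }

if __name__ == "__main__":
    # Constructed sample: rendered as validate.exe.jpg, opened as an .exe.
    for raw in ("validate.\u202egpj.exe", "holiday.jpg"):
        print(analyze_filename(raw))
```

A mail gateway or endpoint scanner can apply the same test to attachment names and quarantine anything where `controls` is non-empty.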


6. Embarrassing selfie ransoms and porn site unsubscribe scams

    For these lures, the targets are typically lonely men. A fraudster sends a nude picture of a woman enticing the victim to send back a nude picture of himself. If the man takes the bait, the fraudster then sends back a ransom threat, saying they will post the photo on Facebook or other social media unless they pay the ransom.

    These types of crimes are low tech; the fraudster doesn’t even have to write code or set up a website. All they really have to do is have a few .jpgs of nude women. In another sex scam, users at work are sent a message from a porn site telling them they are subscribed. To unsubscribe, they are asked for their work emails and passwords. People take the bait, and all it takes is one weak person to give away the keys to the corporate kingdom.

 

7. Low Tech Ransomware

    As just discussed, some attackers go low-tech. For this lure, the attackers send the user an email that their files were hacked and that the hackers gained access to corporate accounts. Of course, this is a complete bluff, but usually the hackers ask for $300 (USD) worth of Bitcoin.

    A worried end user may pay the ransom just for peace of mind. In this case, all the hacker needs is an email address and they can make some quick money.

 

8. “File Too-Big” phishing emails via DropBox, Box or OneDrive

    Have you ever tried to attach a file to an email but were told the file was too big? People have grown used to sharing larger document files and video via Dropbox, Box or OneDrive. In this lure, the attackers will send the victim an email that looks like it’s from a colleague or a supervisor and tell them to take a look at the document, presumably from an ongoing project. Using this method, the attacker can circumvent email security protections and get the victim to open the malware hosted on a popular file-sharing site.

 

9. Gaining administrative access

    Security professionals know that attackers have many ways of using "lateral movement" to reach their target, but highly privileged end users don't always realize they will be attacked via others in the company.

    Access to HR databases or wire transfer privileges might be obtained this way. Or a hacker may want an IT helpdesk worker's admin access rights. So the attacker may access a user's machine then purposefully break something or send a ticket to the help desk that says an app such as Word has been disabled on their machine. When the help desk person logs in, the hacker then steals the cached administrative credential, giving him access to the corporate network.

 

10. Automated tools that hack through any word

    Attackers have automated software that checks passwords for every word in the dictionary – so using ANY word or name in a password reduces security. It’s not a matter of being “guessable or not guessable” – users need to focus their passwords on letters and numbers that make no sense and wouldn’t be found in any dictionary (or phone book).
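Item 10 (in both the translated and the original text above) describes why bolting digits and symbols onto a dictionary word buys little: cracking tools normalise common substitutions before comparing against a wordlist. The policy check below, an added example that is not code from the article or its sources, applies the same normalisation on the defender's side so such passwords are rejected before they are set; the wordlist is a constructed stand-in for a full dictionary and name list.

```python
# Constructed mini wordlist standing in for the dictionary (and phone book)
# an attacker's tool would iterate over; a real deployment would load a
# full wordlist plus common first and last names.
WORDLIST = {"password", "welcome", "summer", "dragon", "monkey",
            "michael", "jennifer", "letmein", "qwerty", "football"}

# Common character substitutions that dictionary-based crackers try
# automatically, so they add no real security. Real tools try several
# mappings per character (e.g. 1 -> i or l); one is enough to show the idea.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})

def normalize(password: str) -> str:
    """Lower-case and undo leet substitutions, mirroring the rules a
    cracking tool applies before comparing against its wordlist."""
    return password.lower().translate(LEET)

def dictionary_words_in(password: str, wordlist=WORDLIST, min_len: int = 4):
    """Return the dictionary words (of at least MIN_LEN letters) embedded
    in PASSWORD after normalisation, longest first."""
    norm = normalize(password)
    hits = [w for w in wordlist if len(w) >= min_len and w in norm]
    return sorted(hits, key=len, reverse=True)

def check_password(password: str) -> dict:
    """Policy check in the spirit of item 10: reject anything built on a
    dictionary word, even with digits or symbols bolted on."""
    hits = dictionary_words_in(password)
    return {"accepted": not hits, "dictionary_words": hits}

if __name__ == "__main__":
    for pw in ("P@ssw0rd2012", "M0nkey!", "xq7#Lm2vR9zT"):
        print(pw, check_password(pw))
```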



Attachments:

"Social Engineering Attacks Your End Users Need to Know About" -- original (PDF)

"Social Engineering Attacks Your End Users Need to Know About" -- translation (PDF)
