SOCIAL ENGINEERING
Sheree Wright, CFE
Wells Fargo Corporate Investigator, Southern California
Newport Beach Marriott, June 14, 2012
© 2012 Wells Fargo Bank, N.A. All rights reserved. Internal use only.


Page 2

Objectives

At the conclusion of this presentation, attendees should have a better understanding of:

• The principles of social engineering
• Goals of social engineering
• Recognize the signs of social engineering
• Identify ways to protect yourself and your organization from social engineering

Page 3

Social Engineering - Agenda

• Introduction
• Definitions
• Subliminal messaging
• Computer Based Social Engineering
• Human Based Social Engineering
• Case Studies
• Attack Indicators
• Prevention

Page 4

Introduction - Global Cyber Attacks

According to the 2012 Data Breach Investigations Report (DBIR), in 2011 there were:

• 855 incidents
• 174 million compromised records

Page 5

SecurID RSA Cyber Attack

Page 6

RSA Cyber Attack Impact

In March 2011, approximately 40 million records were stolen because:
• Hackers posed as co-workers the employees trusted in order to penetrate the company's network, and
• Emailed a file with an Excel attachment containing malicious software, which the employees opened,
costing over $66 million in remediation.

Page 7

Definition

Social engineering is persuading, tricking or manipulating a target into performing an action or divulging confidential information.

It is the name given to a category of security attacks in which someone manipulates others into revealing information that can be used to steal data and access systems

The goal is to trick someone into providing valuable information or access to that information

Page 8

Social Engineering

• Manipulates the natural human instinct to trust
• Assumes that good will or greed trumps common sense

Page 9

Three Card Monte

Who can explain the objective of this game?

Page 10

Three Card Monte

Three cards and a cardboard table

A confidence game in which a target is tricked into betting a sum of money on the assumption that they can find the money card among three face-down playing cards.

Page 11

AC Transit Three Card Monte Scheme – A personal story

Page 12

Social Engineering in three steps

1. Target
2. Manipulation to compel the target to perform an act
3. End result is a data and/or financial compromise

Page 13

Three Card Monte and Malware Comparison

Three Card Monte
• Target: ability to manipulate three cards and encourage participation
• Goal: to obtain cash or another asset from the target

Malware Attack
• Target: entice to open a program/attachment or provide a security code
• Goal: to compromise the network, financial information, or other sensitive data

Page 14

Social Engineering and Subliminal Messaging

What is your awareness level?

Sometimes information is placed directly in front of us and what seems to be obvious may not be as it appears.

Can you identify the hidden messages in these logos?

Page 15

Page 16

Amazon Logo

Page 17

Baskin and Robbins Logo

Page 18

Page 19

Three Logos

Page 20

Common Types of Social Engineering

• Computer Based – refers to using computer software that attempts to retrieve the desired information

• Human Based – refers to person-to-person interaction to retrieve the desired information/result

The most effective social engineers obtain information without raising suspicion about their actual intentions.

Page 21

Computer Based Social Engineering Methods

• Sending a virus as an email attachment
• Using a false pop-up window asking the user to log in again or sign on with a password
• Leaving a CD around with malicious software on it
• Sending free software or a patch for a victim to install

Page 22

Malware

Malware, short for malicious software, is software designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems.

Page 23

Phishing

Phishing is an email fraud method in which the perpetrator sends out legitimate-looking email in an attempt to gather personal and financial information from recipients. Typically, the messages appear to come from well known and trustworthy Web sites.

Page 24

Malicious Websites

A malicious website presents a security warning to users, asking them to download an update; the download itself is the malware.

Page 25

Malicious Certificate

Malicious websites requesting that the user install a certificate. Once a user installs an attacker-supplied root certificate, the browser trusts anything that certificate signs, so the TLS warnings that would otherwise expose a fake site or an interception proxy never appear.

Page 26

Cyber Attack Sarah Palin

• Yahoo Mail prompted for Palin's birthday. It took only 15 seconds on Wikipedia to answer that question.
• When it prompted for a ZIP code: Wasilla, Alaska, has only two ZIP codes.
• Prompt: "Where did you meet your spouse?" It took several tries, but eventually hit upon the correct answer: Wasilla High.
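The weakness in this case is not the attacker's skill but the recovery design: every "secret" came from a short, publicly researchable list, and the site allowed unlimited tries. The Python below is an added example, not part of the original presentation. It models that recovery flow with constructed names, questions and answer lists (none of the values are the real ones), counts the combined guess space, walks it in order the way the attacker did against an unlimited-attempt verifier, and shows that a lockout after a few wrong rounds stops the same search. Storing answers as per-account HMACs of normalized text is the example's own design choice, not something the slide describes.

```python
import hashlib
import hmac
import itertools
import secrets


class RecoveryFlow:
    """Knowledge-based recovery. max_attempts=None reproduces the unlimited guessing
    the slide describes; a small limit locks the flow after that many wrong rounds."""

    def __init__(self, answers, max_attempts=None):
        self._key = secrets.token_bytes(32)   # per-account key so stored answers are not reusable
        self._digests = {q: self._digest(a) for q, a in answers.items()}
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    @staticmethod
    def normalize(answer):
        """'Wasilla High ' and 'wasilla high' are the same answer to a user."""
        return " ".join(answer.lower().split())

    def _digest(self, answer):
        return hmac.new(self._key, self.normalize(answer).encode(), hashlib.sha256).digest()

    def verify(self, attempt):
        """All questions must be answered correctly in one round; each wrong round
        counts toward the lockout, and a locked flow rejects everything."""
        if self.locked:
            return False
        ok = set(attempt) == set(self._digests) and all(
            hmac.compare_digest(self._digests[q], self._digest(a)) for q, a in attempt.items())
        if not ok:
            self.failures += 1
            if self.max_attempts is not None and self.failures >= self.max_attempts:
                self.locked = True
        return ok


def guess_space(candidates):
    """Combinations an attacker must try when every answer comes from a short public list."""
    total = 1
    for options in candidates.values():
        total *= len(options)
    return total


def attack(flow, candidates):
    """Try every combination of researchable answers in order, as the attacker did.
    Returns the attempt number that succeeded, or None if the flow locked first."""
    questions = list(candidates)
    for n, combo in enumerate(itertools.product(*(candidates[q] for q in questions)), start=1):
        if flow.locked:
            return None
        if flow.verify(dict(zip(questions, combo))):
            return n
    return None


# Constructed data (not the real case): the true answers, and what a stranger can list
# from public sources. The birthday is on a public profile; the home town has two ZIP codes.
TRUE_ANSWERS = {"birthday": "07/04/1960", "zip": "90002", "met_spouse": "Eastside High"}
PUBLIC_CANDIDATES = {
    "birthday": ["07/04/1960"],
    "zip": ["90001", "90002"],
    "met_spouse": ["Central High", "Eastside High", "State College", "Church"],
}

if __name__ == "__main__":
    print("guess space:", guess_space(PUBLIC_CANDIDATES))
    print("unlimited attempts, broken on try:", attack(RecoveryFlow(TRUE_ANSWERS), PUBLIC_CANDIDATES))
    print("lockout after 3 failures:", attack(RecoveryFlow(TRUE_ANSWERS, max_attempts=3), PUBLIC_CANDIDATES))
```

With eight combinations in total the unlimited flow falls on the sixth try; the same search against a flow that locks after three failures never reaches the right answer. The lockout is the cheap control; the better one is not to let public facts stand in for a secret at all.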

Page 27

Phishers using enticing messages

Phishers are good social engineers and recognize that controversial or scintillating headlines convince Internet users to visit a web page or open an email.

• 15 year fixed rate at 3.00%
• FEDEX promotion – free gas card with shipping
• Big settlement for Amazon.com users
• Qualify for free NCAA tickets
• Summer fun with free Baskin and Robbins coupons

Page 28

Personally-relevant messaging

Another variation on this kind of scam involves spoofing messages to look like they come from a trusted source. One common attack uses a delivery company as the scapegoat. The message claims there was a failed attempt to deliver a package, and asks the victim to print out an invoice to take to the center to pick it up.

Print the invoice and it's probably going to be a malicious PDF file.

Page 29

Vishing

Vishing is the voice counterpart to phishing. Instead of being directed by e-mail to a Web site, an e-mail message asks the user to make a telephone call. The call triggers a voice response system that asks for the user's credit card number or some other type of financial information.
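The phishing lures on the preceding slides and the vishing variant share a handful of mechanical tells that a mail gateway or an analyst can check before anyone has to rely on instinct. The Python below is an added example, not from the original presentation; the two sample messages are constructed, and the lure-phrase list and the "last two labels" domain heuristic are the example's own simplifications. It parses a raw message and reports a display name that claims a domain other than the sender's, a Reply-To steered elsewhere, link text that shows one domain while the href points at another, executable or double-extension attachments (the "invoice" of the delivery scam), two or more lure phrases, and a callback phone number in the body.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Lure/urgency phrases: the slides' examples plus a few common ones (assumed list).
LURE_PHRASES = ("free", "promotion", "settlement", "qualify", "coupon", "failed attempt to deliver",
                "print", "invoice", "verify", "suspended", "immediately", "urgent", "within 24 hours", "call us")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".zip")
PHONE_RE = re.compile(r"\b(?:1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")
DOMAIN_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")


def registrable(host):
    """Last two labels as a crude registrable domain; a real check would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs so the two can be compared."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href,  "".join(self._text).strip()))
            self._href = None


def analyze(raw):
    """Return (indicator, detail) tuples for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = registrable(from_addr.rsplit("@", 1)[-1]) if "@" in from_addr else ""
    for claimed in DOMAIN_RE.findall(from_name.lower()):  # display name claims another domain
        if registrable(claimed) != from_domain:
            findings.append(("display_name_mismatch", f"{claimed} vs {from_domain}"))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))  # replies steered elsewhere
    if "@" in reply_addr and registrable(reply_addr.rsplit("@", 1)[-1]) != from_domain:
        findings.append(("reply_to_mismatch", reply_addr))
    body = ""
    for part in msg.walk():  # gather text bodies; flag executable or double-extension attachments
        if part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_content()
        elif part.get_filename():
            name = part.get_filename().lower()
            if name.endswith(RISKY_EXTENSIONS) or name.count(".") > 1:
                findings.append(("risky_attachment", name))
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:  # link text shows one domain, href goes to another
        href_host = urlparse(href).hostname or ""
        shown = DOMAIN_RE.search(text.lower())
        if shown and registrable(shown.group(0)) != registrable(href_host):
            findings.append(("link_mismatch", f"{shown.group(0)} -> {href_host}"))
    lowered = (str(msg.get("Subject", "")) + " " + body).lower()
    hits = [p for p in LURE_PHRASES if p in lowered]
    if len(hits) >= 2:  # two or more lure/urgency phrases across subject and body
        findings.append(("lure_phrases", ", ".join(hits)))
    phone = PHONE_RE.search(body)  # vishing: the reader is pushed to a phone number
    if phone:
        findings.append(("callback_number", phone.group(0)))
    return findings


# Constructed sample: the delivery-notice lure from the slides plus a vishing number.
PHISHING_SAMPLE = """\
From: "support@wellsfargo.com" <alerts@wf-secure-login.example>
Reply-To: recovery@mailbox-helpdesk.example
Subject: Failed attempt to deliver your package - print your invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>We made a failed attempt to deliver your package. Print the invoice below and
bring it to the center within 24 hours. Questions? Call us toll free at 1-800-555-0199.</p>
<p><a href="http://198.51.100.23/track">https://www.fedex.com/track</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Constructed sample: an ordinary internal notice that should raise nothing.
LEGIT_SAMPLE = """\
From: Payroll Team <payroll@example.org>
Subject: Q2 schedule posted
Content-Type: text/plain; charset="utf-8"

The Q2 branch schedule is posted on the intranet: https://intranet.example.org/hr/schedules
"""
```

Run `analyze(PHISHING_SAMPLE)` and all six indicators fire; `analyze(LEGIT_SAMPLE)` returns an empty list. None of these checks proves a message malicious on its own (newsletters legitimately link to other domains, and a real courier does quote a phone number), which is why the output is a list of indicators for a human or a scoring rule rather than a verdict.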

Page 30

Wells Fargo Corporate Investigations

Six US Regions – Northwest/Northern CA, SOCANU, Central, Northeast, Southeast, and Florida.

Responsibilities include Global Investigations

Page 31

Do you think somebody may try to solicit this team member?

Page 32

Has this happened at your financial institution?

Page 33

Who Solicits Team Members ?

• Most often by someone they know personally
• Family Member
• A Friend
• Romantic Acquaintance
• Co-Worker
• Someone introduced by the above

Page 34

Who compromises the security chain?

People are usually the weakest link in the security chain.

Page 35

Catch Me If You Can

Page 36

Common Human Based Social Engineering Methods

• Posing as a fellow employee
• Posing as an employee of a vendor, partner company, or law enforcement
• Posing as someone in authority
• Posing as a new employee requesting help
• Using insider lingo or terminology to gain trust
• Third-party authorization: "Before he left for vacation he said I should call you to get this information."

Page 37

Social Engineering Attack Cycle

Information Gathering

Development of Relationship

Exploitation of Relationship

Execution to Achieve Objective

Page 38

Information gathering

Attackers gather information used as a basis to build a relationship with someone connected to the target, which makes the attack appear more convincing.

• Phone or employee lists
- "I would have called so-and-so but they are not there. Can you open the door for me?"
• Mother's maiden name
• Organizational structures/procedures
• System architecture
• Vacation email auto-responders

Page 39

Information gathering

• Dumpster diving
• Vacation or trip calendars
- May help determine when to call support, pretending to be the absent person
- When to show up with a "package" for them, to gain (unsupervised?) access to their desk and even office computer
• Shoulder surfing

Page 40

Tailgating Scenarios

You wave your FOB key near the detector or unlock a building door and you go in.
- Attacker catches the door before it finishes closing and follows
- You don't challenge or report the attacker and keep going

OR

Attacker says:
- "Please, hold the door, I have my hands full! Thanks!"
- "Oh, no, I forgot my key/badge/token!"
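A badge system never records the person who walked in behind someone else, but it does record the traces tailgating leaves. The Python below is an added example, not part of the original presentation; the event format, reader names and the sample log are constructed assumptions about a typical access-control export. It flags three cues: a door held open well beyond what one person needs after a single grant (the "hands full" scenario), a badge used at an interior reader with no perimeter entry on record (the holder came in behind someone), and a badge that enters the perimeter twice without ever badging out (anti-passback). The last check only makes sense where exits also require a badge read; with free-exit doors it produces noise.

```python
import re
from datetime import datetime

PERIMETER_IN = {"LOBBY-IN"}      # readers that admit people into the building (assumed names)
PERIMETER_OUT = {"LOBBY-OUT"}    # exit readers; the anti-passback check needs these to exist
HELD_OPEN_SECONDS = 10           # longer than one person needs to walk through
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<door>\S+) (?P<kv>.*)$")


def parse(lines):
    """Turn 'timestamp reader key=value ...' lines into event dicts, oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(item.split("=", 1) for item in m.group("kv").split())
        events.append({"ts": datetime.fromisoformat(m.group("ts")), "door": m.group("door"), **fields})
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return (indicator, badge, door, detail) tuples for the tailgating cues badge logs can show."""
    alerts = []
    inside = set()       # badges believed to be inside the perimeter
    opened_at = {}       # door -> time it opened
    last_grant = {}      # door -> badge that most recently unlocked it
    for e in events:
        door, kind = e["door"], e["event"]
        if kind == "GRANT":
            badge = e["badge"]
            last_grant[door] = badge
            if door in PERIMETER_IN:
                if badge in inside:    # entered twice without badging out: card shared, or holder tailgated out
                    alerts.append(("anti_passback", badge, door, e["ts"]))
                inside.add(badge)
            elif door in PERIMETER_OUT:
                inside.discard(badge)
            elif badge not in inside:  # interior door reached with no perimeter read: tailgated in
                alerts.append(("interior_without_perimeter", badge, door, e["ts"]))
        elif kind == "DOOR_OPEN":
            opened_at[door] = e["ts"]
        elif kind == "DOOR_CLOSE" and door in opened_at:
            held = (e["ts"] - opened_at.pop(door)).total_seconds()
            if held > HELD_OPEN_SECONDS:   # "Please, hold the door, I have my hands full!"
                alerts.append(("door_held_open", last_grant.get(door), door, held))
    return alerts


# Constructed sample log: badge 1077 holds the lobby door for 20 s, badge 2301 appears at an
# interior reader without ever entering the lobby, badge 1042 enters twice without leaving.
SAMPLE_LOG = """\
2012-06-14T08:00:01 LOBBY-IN badge=1042 event=GRANT
2012-06-14T08:00:02 LOBBY-IN event=DOOR_OPEN
2012-06-14T08:00:05 LOBBY-IN event=DOOR_CLOSE
2012-06-14T08:02:10 LOBBY-IN badge=1077 event=GRANT
2012-06-14T08:02:11 LOBBY-IN event=DOOR_OPEN
2012-06-14T08:02:31 LOBBY-IN event=DOOR_CLOSE
2012-06-14T08:05:00 VAULT-CORRIDOR badge=2301 event=GRANT
2012-06-14T08:30:00 LOBBY-OUT badge=1077 event=GRANT
2012-06-14T08:40:00 LOBBY-IN badge=1042 event=GRANT
2012-06-14T08:45:00 LOBBY-IN badge=1077 event=GRANT
"""

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG.splitlines())):
        print(alert)
```

On the sample log the three alerts come out in time order: the held door (badge 1077, 20 seconds), the interior read for badge 2301 with no lobby entry, and the repeat lobby entry for badge 1042. Badge 1077's re-entry at 08:45 raises nothing because it badged out at 08:30, which is the state the anti-passback rule depends on.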

Page 41

What do the fraudsters want?

• Gaining access to high-balance customers' accounts

• Gaining customers' identifiers: name, Social Security number, DOB, account numbers, balance information, etc.

Page 42

Personality Traits

• Trust Relationships
• Diffusion of Responsibility
• Chances to earn favor or benefit
• Moral Duty
• Guilt
• Identification
• Desire to Help
• Cooperation

Page 43

Trust Relationships

The social engineer expends time developing a trust relationship with the intended target.

- Usually following a series of small interactions

Page 44

Safe Box – Scenario One

The wife of a customer had no authorization to access her husband's sole-owner safe deposit box. She was very friendly.

Wife told the Lead Teller she had recently opened a safe deposit box with her husband and the Service Manager had helped them out. (Self-service safe box with ATM card access.)

She didn't have her debit card when the box was opened and needed her card added for access.

Wife had the safe deposit box keys (stolen from her husband) and had the Service Manager's business card.

Lead Teller was persuaded to add Wife's debit card for safe box entry without checking the safe box agreement.

Wife stole $15,000.00 cash, confidential documents, and flash drives.

Page 45

Diffusion of responsibility

The target is made to believe that they are not solely responsible for their actions.

- The social engineer creates situations with many factors that dilute personal responsibility for decision making
- The social engineer may name-drop
- May claim someone higher up with authority has made the decision

Disengagement
- Not my job
- Laziness and conformity

Page 46

Safe Box - Scenario Two

Suspect stole safe box keys from a former friend and went to a branch.

Personal Banker A allowed the suspect to sign the log and access the safe box area. Personal Banker A did not compare signatures on the safe box log as required.

On the same day, Personal Banker B allowed the same suspect to access the same safe box again without verifying signatures or ID.

Initial loss was reported at $90,000.00 and revised jewelry loss was $15,050.00.

Suspect located by GPS, arrested and property recovered.

Page 47

Chance to Earn Favor/benefit

The target is led to believe that compliance with the request will enhance their chances of receiving a benefit.

- Gaining advantage over a competitor
- Getting in good with management
- Giving assistance to a sultry-sounding female

Page 48

US Treasury Check Tax Refund Scheme – Scenario Three

• Personal Banker meets an individual who is a tax preparer, and they agree he will open new accounts for her customers to deposit tax refund checks.
• Tax preparer has a prepaid cell phone, and her business (desk) is located in a barber shop.
• Tax preparer provides the banker with customer names and ID information.
• Banker opens accounts, does not meet with or verify the customers, and leaves WF applications with the tax preparer for signatures.
• IRS issues refund checks based on the bogus returns.
• Tax preparer collects the refund checks from her customers and gives them to the banker for deposit into their accounts.
• Banker denied kickbacks and stated he needed sales credit.

Page 49

Moral Duty

Encouraging the target to act out of a sense of moral duty or moral outrage.

- Requires the social engineer to gather information on the target and the organization

- Tries to get the target to believe that there will be a wrong that compliance will mitigate

Page 50

ID Theft Ring – State of Illinois ID Theft Task Force – Scenario Four


• ID Theft Ring compromised a Charles Schwab database with intent to divert $50,000.00 from several customer accounts.
• Charles Schwab detected the data breach before funds were moved. Meanwhile, the fraudsters needed somewhere to funnel assets and looked for bankers to open new accounts.
• A WF BBS was introduced by a CPA to the suspect, who used the banker to open accounts with fraudulent IDs that he never verified. Banker denied kickbacks and admitted to sales credit.
• Suspect arrested and extradited to Illinois. Banker's phone number was in the suspect's phone.
• Search warrant on the banker's personal email discovered the suspect was emailing IDs and unsigned Social Security cards to the banker.

Page 51

Guilt

Most individuals attempt to avoid guilt feelings if possible.

Social engineer creates situations designed to:
- Tug at the heartstrings
- Manipulate empathy
- Create sympathy

If granting the request will lead to avoidance of guilt, the target is more likely to comply.

Believing that not granting the request will lead to significant problems for the requestor is often enough to weigh in favor of compliance with the request.

Page 52

System Access / Fee Reversals – Scenario Five

• Service Manager was aware of policy and procedures regarding fee reversals.
• Asst. Manager was aware it was against policy to request a subordinate to reverse fees.
• Service Manager reversed fees upon the request of the Asst. Manager. Said she made her feel guilty and it was easier to comply than do what was right.
• Both were terminated.

Page 53

Identification

The social engineer tries to get the target to identify with them.

- The social engineer tries to build a connection with the target based on the information gathered.

- Social engineers excel at creating an environment of informality.

Page 54

Desire to help

Social engineers rely on people’s desire to be helpful.

- Holding the door
- Logging on to an account
- Lack of assertiveness or refusal skills

Helpful employees and “team players”
- “So-and-so is not here, but I’ll find the document(s) he promised you.”

Friendliness
- Conflict avoidance: “Should I say something?”

Page 55

Cooperation

The less conflict with the target the better.
- Voice of reason
- Logic
- Patience
- Stresses the positive but can refer back to the threat process.

Page 56

Parole Search at Team Member’s Residence

• TM participated in the work-from-home program.
• Gang member boyfriend released from jail and listed her address as his residence.
• He was arrested for attempted murder, and police conducted a parole search at her residence.
• They linked her to gang activity in personal photos, along with jail and DOC inmate numbers she had adjacent to WF customer information.
• Only computer in the residence belonged to WF.
• She denied providing customer information to inmates.

Page 57

Cognitive Biases that Help Social Engineering

Halo Effect
- Attractive, well-dressed, well-spoken people are more believable

In-Group Bias
- Preferential treatment given to members of own group. “I’m doing my job (just like you)”

Page 58

Social Engineering Theater

Authority / Specific Knowledge
- “I’m here to pick up server #WC-1050 for repairs.”

Begging
- “Just this time, only for five minutes.”
- “I need to go to the bathroom! Now, please, it’s urgent!”

Appearance
- Clipboard, uniform, suit

Page 59

Wachovia Study 2007

• “I was promised a reward for the information” – car, jewelry, vacation
• “I was paid for the information”
• “I was threatened with bodily harm”
• “I traded the information for services” – rides to work, tax prep, repairs
• “I shared the information for a marketing venture broker” – for a return % on earnings
• “I provided customer referrals in exchange for broker training” (Hollywood Case)
• “I gave away the information to help start a new business” – consultation

Page 60

Employee Responses

• “Didn’t realize how wrong it was”
• “Didn’t know it was a felony”
• “Thought I couldn’t get caught”
• “Help ease financial pressures”
• “Deserved the extra perks”
• “Have an addiction/vice”
• “Didn’t realize that EAC could help me”

Page 61

Indicators – You May be Under Attack

Recognize the key signs that indicate you may be a target of a social engineering attack:

• Refusal to give contact information
• Intimidation
• Small mistakes
• Requesting forbidden information
• You know you shouldn’t be doing this
- But you feel compelled to do it anyway
• It feels weird, uncomfortable
• Out of the ordinary requests

Page 62

Indicators – You may be under attack

• You’re in a situation where you can’t ask the appropriate person for confirmation
- Or made to think so
• You are being rushed
• Names and titles are being used (“name dropping”)
• Stresses urgency
• “I cannot be contacted”
• The number you were given is a “call out only” number
• You’re afraid to offend or delay

Page 63

Preventing Social Engineering Attacks

What you can do

Page 64

Clean Desk Policy

Page 65

There were 20 clean desk security concerns

Page 66

Prevention

• Verify the identity of the person making the request
• Verify whether the person is authorized
• Become familiar with the techniques used
• Refrain from downloading or opening unsolicited messages
• Trust your instincts; trust but verify
• Secure sensitive data
• Participate in awareness training
• Be aware of a team member’s change in behavior or routines; these may be warning signs of potential involvement in wrongdoing

Page 67

Sources

Karremans, J.; Stroebe, W.; Claus, J. (2006). "Beyond Vicary’s fantasies: the impact of subliminal priming and brand choice."

Mitnick, K.; Simon, W. The Art of Deception.

Guenther, M. (2001). Social Engineering.

Green, T. (2012). Network World.

Verizon (2012). Data Breach Investigations Report (DBIR).
