Social Engineering

The year of social engineering

Developed and propagated by criminal networks that can match the expertise and scale of the legitimate economy, Sudipta Dev comments on why 2008 should be called the year of social malware

Social engineering has a basic premise, which is to appeal to your emotions, build on your trust and then extract information for financial gains. It exploits simple human vulnerabilities and makes unsuspecting people its targets. The medium is devoid of any sophisticated technology and just needs human intervention—the click of a mouse in response to an e-mail message or a free software download, and you are a victim.

Gartner calls it the consumerization of IT—the inevitable spillover of social networks, Google apps, iPhones, and other mainstream technology tools into the enterprise. With it comes a whole new generation of threats and this next generation threat is coming from someone whom you trust. Gartner defines social engineering as ‘the manipulation of people, rather than machines, to successfully breach the security systems of an enterprise or a consumer’. This involves criminals persuading a user to click on a link or open an attachment that they probably would not if they thought long and hard about it.

Simply put, it is where an attacker would exploit the trust of a social networking user by posing as a ‘friend’ for example, while launching a malware attack or stealing credentials. Analysts agreed that although many businesses today shun Facebook, MySpace, YouTube, and Twitter at the office, that will soon change as the next generation of employees expects to have access to these tools in the workplace. For example, we used to trust e-mail addresses, so the viruses and worms took advantage of that and invaded out networks... Now people trust their ‘friends’ list and it could spell doom for everybody. The goal is to get users to unwittingly carry that malware back into their enterprises and provide an opening for the attacker there, for example. Criminals are using social engineering either to steal somebody’s identity for profit, or to gather further information on an enterprise. This is not only a violation of the business, but of someone’s personal privacy.

In fact, an almost invisible criminal empire generating hundreds of millions of dollars in revenues is being run using social engineering techniques. Attacks come disguised as innocuous e-mails or e-cards, give links to (Phishing) Web sites to ensnare victims. Social networking sites are common hunting ground of these malware authors who use this as a platform to launch their attacks. For instance, soccer fans would be easy targets for any news related to their favorite club or as it was found in November 2007, MySpace profiles of Alicia Keys and other artists were found to be serving up malicious code to fans.

Watch that link

The methods of attack vary; it could be either a direct attack or an enticement. While the first delivers the malicious code through an e-mail attachment (for instance, the original Storm worm or the Sobig e-mail worm); the second lures you to visit a malicious Web site and you land up downloading a Trojan all the while thinking that you are actually downloading a music video. The links come through e-mail, messages sent through social networking sites or chat programs.

Then there is the ‘drive by’ attack, wherein merely visiting a Web site, even a legitimate one, can result in your computer coming under attack through your Web browser. “In the past couple of years, we have seen a dramatic number of researchers publishing exploit code for browser-based vulnerabilities, and a large increase in the amount of malware these sites deliver. This is rapidly becoming the dominant mechanism to infect systems with malcode,” explained Sam Sathyajith, Country Manager-India & SAARC, Arbor Networks.

Hard to detect

Social engineering or malware is difficult to detect because of the simplicity of the modus operandi, and because as typical of most malware attacks there are no obvious indications; for instance data on the compromised computer is not corrupted. The malware buries itself deep in the innards of the operating system making it difficult for an anti-spyware solution to locate it. Botnets operate in silence, are well coordinated and form relatively small networks that link to form larger ones.

“They are targeted at human psyche and not at technology or anything tangible,” asserted Manjula Sridhar, Co-founder &CTO, Aujas Networks. Technologically, some of the new malware comes in the form of a distributed botnet and uses peer-to-peer technology and hence it is difficult to pinpoint patterns and origins.

Additionally, cyber criminals have become adept at localizing malware to suit the country, language and culture of targeted recipients, which makes it almost impossible to find the original source. “They are not skilled solely in computer programming; they are also well versed in psychology and linguistics,” pointed out Amuleek Bijral, Country Manager, India & SAARC, RSA, the Security Division of EMC. Storm, which was detected in January 2007 wreaked havoc worldwide and is perhaps the best example of social malware employing as it did a combination of e-mail messages and Web sites to infect computers. It sent spam with news related headers, holiday e-cards and other convincing subject headers compelling the receiver to open links in e-mail messages.

Another factor that makes tracking social engineering malware so difficult is the fact that even with advanced heuristic engines anti-malware products find it difficult to detect custom-written code. “In most cases users choose to ignore the warning given by the detection software and continue to install the malware in any case. In some instances the malware is sophisticated enough to trap warnings raised by the detection software and replace these ‘warnings’ with seemingly benign messages,” added Raghu Raman, CEO, Mahindra Special Services Group. Many sophisticated viruses are also self-morphing and keep changing their signatures all the time.

On any given day there are hundreds of variants of the same virus, it is an almost impossible task for security companies to develop a distinctive anecdote for each variant.

Using social networking to enter corporate networks

What makes social networking sites so vulnerable to malware attacks is the fact that people disclose a lot of information about themselves and their employers. For enterprises, in particular, professional networking sites can pose a serious threat with employees disclosing sensitive information in their blogs, which could be misused by criminals.

Disclosure of personal information makes individuals easy targets. Based on the information, an attacker can profile his victim and then design the malware accordingly. “For instance, a criminal could go to any chat rooms frequented by code developers and upload a cool error trapping tool. Or he could go to a site frequented by system administrators appearing for certification exams and offer to give exam simulation software,” pointed out Raman. The chances of such malware finding instance acceptance are much higher these days.

“These Web sites rely on the trust factor, i.e. if I trust you and you trust someone, these sites would allow me to contact you and in some cases allow me to see details not available to non-trusted users. They could use the trusted networks in tricking victims to share sensitive information or download malware like Trojans and worms,” stated Bijral.

Most social networking Websites allow the users to add their own plugins, mashups or applications on a user’s networking page. These applications increase the surface attack area for hackers. Most people on the network run these applications on their desktops without thinking twice. Malicious code could also be added to advertisements and banners.

Use of P2P technology

As most P2P searches are for pirated copies of music, movies applications and games, malware authors focus on the most sought after software to trap potential victims—by attaching a malware program (usually a Trojan horse) with the host application. They wait for their victims to download the application. Raman added that as soon as the victim installs the application, the Trojan horse gets installed as well and signals to the ‘home-base’ that it is now active and ready to provide access into the target computer.

Malware authors make effective use of P2P technology via the User Datagram Protocol (UDP) to talk to other computers infected with malware and working collaboratively. “Most of the new malware

are self-propagating due to the P2P (botnet) concepts as well as technological advances. They look at the contact list of a victim and send automated Phishing mails,” stated Sridhar.

Self-defending malware

Storm is known to have launched an attack on the security agencies studying it, but are other pieces of social malware software self-defending? “Yes, they use the same security principles to protect ‘their’ assets. Firewall rules, operating system lockdown, etc.,” said Ambarish Deshpande, Regional Director-India and SAARC, IronPort Systems.

Sathyajith mentioned that Storm appeared to be the only one that launched automated DDoS attacks against researchers, but there have been a handful of external tools that have launched attacks against researchers. More common is for the malcode to block access by known researchers, or to disable their systems.

Rather than attack, camouflage is the key characteristic of malware and it is adept at hiding itself amongst the multitude of applications running on a host machine.

It is organized crime

Organized crime has spread its tentacles in cyberspace with the lure of easy money driving these criminals online. The modus operandi of making money from malware is constantly evolving. Criminals now specialize in different activities or as per location, and form a network to meet a common objective, which is to steal credit card or bank account details.

“This network works in concert to utilize the account: thieves, people who can make physical credit cards using the information, those who can drain the account, money launderers, or people who can convert it into stolen goods, etc. Stolen software, pirated movies and music, etc., are also usable by this economy,” disclosed Sathyajith. It turns out that game credentials are also a popular target in some circles for massive online games like WoW.

Indirect financial gain from malcode has grown in complexity and popularity in recent years with the introduction of ‘crimeware-as-a-service’. Not very different from software-as-a-service of the legitimate economy, criminals are being paid to install malware as a pay-per-install service. “This malcode can include specific bots or zombies, spam tools, [key-loggers], or other software that someone wants to pay to install on selected boxes,” disclosed Sathyajith. All make money through their field of operation—spammers from spam campaigns; the installer as a commission and per installation; and scammers directly or indirectly from infected boxes. This actually mirrors the service-based economy and outsourcing in the legitimate economy.

Social engineering is one of the key mechanisms for making illegal millions. Sales of data or accounts all come with a price tag varying from $4 to $100 based on whether it is a gaming password being sold or an online banking account login and password or even an Internet Explorer vulnerability. “Many new ones are also being used to divert a user into buying things like an anti-virus package, hijacking and ransom and illegal pharmaceuticals and other artifacts,” added Sridhar. The Storm botnet is supposed to have generated revenues to the tune of $150 million for the people running it.

The last five years have seen organized crime spread its tentacles far and wide into cyberspace. There are no international treaties to prevent the prosecution of such criminals, who are based out of one country and commit offenses in another. “Criminals and hackers have come together and social networking sites are easy targets. Security companies have a difficult task ahead of them with big criminal gangs getting into the picture. They will come up with more innovative ideas and malware will be used extensively,” stated Surendra Singh, Regional Director, SAARC & India, Websense.

Creating awareness

The problem is too large in magnitude for an easy solution. Awareness and education are the simplest and safest measures of prevention.

While companies cannot place a blanket ban on social networking sites they need to formulate blogging policies for their employees so that critical information about the organization is not given out; not even inadvertently. “A more effective approach would be to make sure that the enterprise implements a holistic security solution, which encompasses all aspects of security. If the enterprise can govern the access of information only to the right employees, loss of data by the attackers getting into the network could be minimized,” said Bijral. He believed that the anti-spyware software available is not effective for sophisticated malware as it can only clean 1% at a time and it is totally dependent on the consumers regularly updating the anti-spyware solution.

Sathyajith suggests a layered approach to combat these attacks. “It will require application-aware tools for the network and servers together with aggressive anti-virus on the end hosts and for screening content as it comes into a network.” In short, with more avenues for content to come in and out (chat, web, mail, etc.) increasing visibility will be key.

RSA Command Central, a 24x7 online fraud detection center continuously tracks new threats and such botnets to raise an alert and implement protective measures against their infection mechanisms. “The new kind of social malware which was discovered in 2007 (Storm) is continuing to grow and increase in sophistication,” stated Bijral. The new, widespread malware botnets share characteristics with Storm include Srizbi, Bobax, Kracken etc.

Pointing out that malware has been already used extensively in corporate espionage, Raghu Raman asserted, “This is and will remain one of the most potent tools in cyber warfare and cyber terrorism.”

With expertise moving over to the dark side and the scale of malware operations growing as large as the legitimate industry, any organization or an individual with an e-mail account and Web browser is at risk.

sudipta.dev@expressindia.com