Guide | How To Social engineering and user-intervention

The associated guide may contain user-generated or external content.
W

Wave

Thread author
Previous thread: Why UAC should be taken seriously

Hello everyone at MalwareTips! :)

Today I would like to discuss user-intervention and social engineering, both heavily involved in a user becoming infected. It’s very common, it’s a massive threat and the worst thing about it is that security software cannot protect us from the thoughts in our mind, social engineering is very powerful and works by altering your thoughts to persuade you to do something (user-intervention).

What is social engineering?
Social engineering is a technique used to manipulate someone using various techniques to alter their behaviour and thoughts and perform a certain action. Think of it like a method of injecting thoughts and instructions into the targets brain, thus making them do what you want. Social engineering techniques are often used throughout the security industry by hackers with the intent of performing an illegal operation, such as infecting the targets system which may be a personal home user or an enterprise. Depending on the infection depends on the purpose, for example, the purpose for infection could be based on the intent of the attacker committing the crime of identity theft or fraud (although it could be anything malicious).

As an example to explain what the term “social engineering” means, let’s pretend I am a bank manager for a company called “FastGo Banking” called “Burt” and I have access to a PC which is linked to the enterprise server, under an account running with administrative privileges. I am doing my work as a bank manager, however I am interrupted by a new incoming email from someone under the title “Tim” (where Tim is the attacker). The e-mail looks legitimate and contains social engineering techniques to make me fall for the trap and accidentally leave the enterprise infected without me being aware. For this example, let’s pretend the contents of the e-mail were the following:

------------------------------------------------------------------------------------------------------------------------------
Dear FastGo Banking,

My name is Tim, I work at a company called [name of a famous security company] and have more than 21 years of experience with security programming, malware analysis and networking. I work with my team, and we go out to companies on the market and attempt to provide tips on how they can secure their network against malware propagation and how they can identify targeted attacks from hackers towards their company.

My team consists of 317 employees; each employee actively works for more than 27 hours a week. After their shift, they switch round with another employee. The reason they only work for 27 hours a week (and take different shift timings) is to ensure that they get the rest they need, as well as providing them with regular breaks throughout the day to aid with their health at preventing them from health related damages, such as eye strain due to prolonged timings with the computer screen.

We would like to help you at your company, which would be done by providing tips and to help you secure your network against attackers, no matter how experienced they are. Nothing is full-proof until you speak to us, we can guarantee the safety of your systems against malware propagation completely.

Below I have attached a document which outlines the details of our expertise. I recommend you take a look at it, you may be interesting in it.

Best Regards,
Tim.

[ATTACHED DOCUMENT]
------------------------------------------------------------------------------------------------------------------------------

While my example is not the best, and others will be able to create far better examples, hopefully it was good enough to explain this. The intent of this email is to trick the reader into handing over trust to the sender of the email, resulting in the download the attachment, then then the execution of it.

In this case, let’s say the attached document is actually malicious and has been specifically designed for Microsoft Word. When you run the attachment, it will exploit a vulnerability in Microsoft Word 2013 and 2016 and execute the attackers code on the system, which can be used to download malware in-the-background (such as a zero-day rootkit, ransomware, worms, or other malicious software). However, the bank manager, Burt, would not be aware of this occurring in the background. We would run the document on his administrator privileged account with access to the enterprise server, and he would see the document in-front of him. He would read the document, maybe leave it open in the background. Then he would close the document, the Microsoft Word process would terminate (the function ExitProcess would be called to terminate the process). But by then it’s too late, by the time the document is closed, it is most likely too late.

Why would it most likely be too late?
Malware typically incorporates (especially high-end malware where the malware was targeted for a specific enterprise) many propagation techniques, specifically designed to make sure it can continue execution even if the average user terminates one process or closes the office document (in the case of it being an exploit).

To make an example out of the above, let’s say for arguments sake that the code executed which the attacker wrote after exploiting the vulnerability he had found in Microsoft Word was used to inject code into a running process, for example csrss.exe (Client Server Runtime Sub System). Then, even if you found suspicious processes running and terminated them or closed the document after the exploit had been used, you would be unaware of the code written by the attacker executing on a thread in the process it targeted for injection. The reason I specifically used code injection for this example is because it won’t require for example, a DLL to inject, like with DLL injection. I also believe DLL injection is detected easily compared to code injection. For example, it can be as simple as attempting to do something such as view the loaded modules in the process (assuming it wasn’t unlinked due to manual mapping).

The injected code could do anything from use APIs to download malware onto the system (and the loader for loading the malware correctly) to successfully continue the process of compromising the system.

The point of this thread is to make sure you all learn an important lesson for the future: ignore the dodgy emails, don’t click the suspicious link, don’t run the untrusted program… Don’t be that one who gets socially engineered by an attacker!

I apologise for this being a short thread, but hopefully someone found it useful.

Stay safe and never let your guard down,
Wave. ;)
 
W

Wave

Thread author
when will you write a book? xD
Thank you for your kind words, and I'm currently writing a few books, the next one should be posted by Christmas hopefully. ;)

Thanks for your post :)

Will you, one day, make one post that is useless ?!

Keep your great work, really like to read all of them :)

(Is the famous tim, @tim one ? :D)
Yeah, I was referencing @tim one! :) Hahah, his social engineering skills are just so over-powering, I cannot resist the temptation to click his link and download (then run) his malware so he can steal my banking credentials and become a millionaire. ;)o_O
 

Dirk41

Level 17
Verified
Top Poster
Well-known
Mar 17, 2016
797
thank you for sharing your knowledge :)

I saw/read that some attachment could be a zip with the malicious file inside.
some files could have double extension to pretend to be pdf for example ( pdf.exe )

so i was wondering..

1)could the attacker create a fake .zip (so the icon would be like winrar for example ) that is zip.exe ? so that it tricks you into thinking that as far as you don't click on the file into the zip you are ok?

2)or even more: could the attacker create a fake .zip that can be run with just one click?

thank you fo reading :)
 
W

Wave

Thread author
thank you for sharing your knowledge :)
No problem, glad you liked it. :)

1)could the attacker create a fake .zip (so the icon would be like winrar for example ) that is zip.exe ? so that it tricks you into thinking that as far as you don't click on the file into the zip you are ok?
Yes, an attacker can definitely do this and this has been done many times in the past, this technique is very effective for the attacker to use in many situations... Sadly many people do not check the extensions properly.

@Exterminator posted a thread yesterday regarding a new decryption tool developed by ESET for the CrySiS ransomware, which used the double extensions technique to social engineer the readers of the e-mail into believing the attachment wasn't really an executable (causing them to trust it and run it - and then they quickly learnt they had made a very big mistake). You can read the thread here: Crysis Averted: Eset Releases Free Ransomware Decryptor

Therefore the above is evidence in itself that these things really do happen, and double extension tricks are more common than you'd think.

2)or even more: could the attacker create a fake .zip that can be run with just one click?
Well this question is much trickier to answer since it really depends on numerous factors (e.g. are you using a web-client or software-client for reading your e-mails) and may also depend on your Windows settings (e.g. the attacker may find a way to exploit the e-mail client into auto-running (upon opening the e-mail) the attachment or having it executed with one-click, and on Windows there are settings for one-click execution).

Generally, the answer to this question is no, since you need to actually download the attachment and this download routine is separate to the execution of it. You can have malware stored on your system but just leave it inactive (non-executed), and unless it becomes active then you will not be infected. However, malware is evolving all the time and therefore I think it is safe to say that these things can definitely happen one way or another, at least somehow... It is not impossible. Unless in the case of an e-mail client exploit, I doubt this has happened (especially whilst using an web-client for e-mail like Google Mail, they have very good security) so far, but we're probably not far off before attackers can evolve to doing something like this commonly (the same way as double extensions is now a common method and has been for a long time).

With all that being said, never handle attachments unless you really trust the e-mail sender. Attackers can also spoof the sender e-mail address through modification of the e-mail header which is another technique regularly and commonly abused by hackers/spammers... Depending on the circumstances, the e-mail may end up in the spam/junk folder due to identification from the e-mail provider that the e-mail header had been suspiciously altered (e.g. Google may flag it as potentially unsafe in some circumstances). As well as this, don't bother opening up suspicious/unexpected-looking e-mails... Once you open that suspicious e-mail you will naturally start to read the contents and this will buy the attacker a chance to social engineer you depending on what was written in the e-mail.
 

Dirk41

Level 17
Verified
Top Poster
Well-known
Mar 17, 2016
797
thank you !

as far as point 2 is concerned , I meant one click after download (so the zip already on your pc) and without that option of windows that let you run files with one click enabled(I know there is that option in windows) . sorry I forgot to specify
 
W

Wave

Thread author
as far as point 2 is concerned , I meant one click after download (so the zip already on your pc) and without that option of windows that let you run files with one click (I know there is that option in windows) . sorry I forgot to specify
Generally no, unless an exploit has been executed (and usually in this case the system can already result in becoming further compromised without any further user-interaction - so in this situation the attacker shouldn't need the victim to even bother handling the attachments to become infected). For example, the attacker may find a way to embed code (e.g. JavaScript) into their e-mail which will become executed once the e-mail has been read and exploit the system... Causing remote code execution, or something similar.

However without usage of things like exploits, no, just downloading the attachment should not result in infection. However, this is still a very risky thing to do, since you could accidentally mess up by running it or another program may accidentally access the downloaded attachment and cause it to execute (I know it sounds a bit ridiculous but this is all possible). If you are dealing with unknown attachments from an unknown sender, I recommend you handle them from within a Virtual Machine (also remember that data theft and the such can still occur from within a Virtual Machine, so should the VM become compromised, there are still benefits to the attacker unless things are done properly).

It is also good practise to make sure you scan all e-mail attachments at services like VirusTotal (and maybe even an online automated malware analysis service like Reverse.it or Malwr).
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
With all that being said, never handle attachments unless you really trust the e-mail sender. Attackers can also spoof the sender e-mail address through modification of the e-mail header which is another technique regularly and commonly abused by hackers/spammers...

Yes, beware. I have received e-mails that I thought were from from people I know and trust but were not. One policy I follow now is to check the sender's e-mail address against what I have for the person before I look at anything in the message. The one thing that a hacker can't do, as far as I am aware, is actually send an e-mail from another person's account. The quote does cause me to wonder if it's possible for a hacker to appear to have sent the message from a known source of mine. :eek:

For example, the attacker may find a way to embed code (e.g. JavaScript) into their e-mail which will become executed once the e-mail has been read and exploit the system

I use online mail, and scripting in messages is by default blocked. I leave the e-mails this way. Normally, I would say I do this unless I trust the sender, but I have received so many spoofed Paypal e-mails, that I don't even open Paypal e-mails anymore. Definitely e-mail is a serious risk for malware infection and potentially big trouble...the biggest. Gmail sounds like they are working to secure mail at Google, so that's good. I use Outlook online, and I don't know where MS is with this, but I do feel some confidence that it's not an easy thing for a hack to slip through. This is the hugest of concerns for those who actually download e-mail messages. I wouldn't do this today, although I did up until about 4 years ago.

Be careful of e-mails from people you know, especially with attachments. If a hacker knows this is your contact, they will add a loaded picture that is of something funny or anything that can carry their script and not alarm you or tip you off. I don't know how they get lists of contacts, but I have received e-mail that looked like it was from a person I know. This is very upsetting for sure.
 

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
Thank you so much @Wave for this brilliant post!! :) And thanks also for having mentioned me (the honeypot letter is so well made that for a moment even I believed in that one :D)

Well, there are no patches for human stupidity, a system can be 100% secure, but as long as it will be managed by a human, someone else can work around by targeting the person.

“The weak link in the chain of security is the user”: on this point, a large part of social engineering is based.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top