Social Engineering: The Tainted PDF and a Sales Call

Thursday, January 12, 2012

Infosec Island Admin

7fef78c47060974e0b8392e305f0daf0

 

Hello sir, I Just Sent You A PDF... Can You Open It and Tell Me How Many Pages There Are?

As Overheard From Two Bearded *NIX Masters

This morning I happened to overhear a conversation and a phone call that spurred it that, once all was said and done, had me thinking “WTF?” The phone call came in to a *NIX admin who, was asked to verify the number of pages within a pdf file that had been sent to them by the salesman on the phone.

*blink*

Uhh Say what? The admin did not go for it and was not willing to give out much information to the caller, but, after they had hung up I asked some pertinent questions about the call and just what they wanted from the admin. His response was that this had happened before on a few occasions and that he was just not interested in doing the dance with the sales rep at this time….

I was amazed at a few things in this exchange and immediately went into attack mode thinking as to what I had just witnessed and heard.

Uhhh Say WHAT? Sounds Like You Were Being Socially Engineered!

I informed the *NIX admin that this was really sounding like a social engineering exploit and asked just how many times and when (recently?) had this trend begun. He came back with a statement that then took me aback again;

“Yeah, well I really don’t care so much because I am running Linux on this box... So the exploit would not work”

*blink blink —>head—desk*

“Sure, you are running Linux but that does not preclude the exploit being something else that would work on a *NIX system” was what was screaming through my head here. This guy is no slouch and neither is the other admin, but both pretty much had the same blasé attitude about it. Though, they did admit after I told them that it sounded like a new script for an old SE attack, they still seemed un-phased.

My response to all of this was to immediately dash off a communiqué to the C levels explaining the potential exploit and that I had wondered just how many other people in the company were potentially being asked to open .pdf files on their Windows systems with Adobe and compromising themselves! Needless to say, this was going to have to be a learning experience from more than a few levels and actions would have to be taken to alert the masses and gently remind them about the problems of SE in the wild.

…Even for the likes of the *NIX admins who think they are immune to such puny attacks.. PFFT Windows *said like it was a social disease*

Situational Awareness

This is a teaching moment and I think that this is something that many companies need to pay attention to today. After all, how many systems have been breached of late and thousands upon thousands of email addresses released to the masses? How many of those have in fact fallen into the hands of the phishers out there? What’s more, how many of those addresses of late have been for military or military/government affiliated people that are high value targets for APT activities?

Generally, people just aren’t thinking all that much when they get these calls. Sure, we tell them that people should never be asking them for their passwords and some of the low hanging fruit attacks of old, but now this..

Open this file would you? Tell me how many pages it has to verify that you got it would you?

Wow, how many people are falling for this one? Even if it is just a sales rep, this is clearly a SE attack in the hands of a sales person to keep the mark on the phone right? What has the world come to now that the sales teams are blatantly using SE tactics on the phone? What’s more, in this day and age of all the hacking going on and worries about industrial espionage just how many workers are just falling for it?

Never mind them just opening up the files willy nilly when they get them anyway right?

Situational awareness should be a KEY part to any companies security program and should be something that is ever present if you really mean to protect your assets. Of course some could make this out to sound like a police state kind of feel to corporate environments that want to be all touchy feely today (being the best places to work kind of thing) So, being so dialled in to security issues like SE attacks, might be seen as more big brother and paranoid than really a boon. I think that there is a median to tread on this and any program for security should be cognisant of this issue as well as proactive in teaching the employees how not to be so easily manipulated.

Though, as a rule today, I think we as a society are not so “situation-ally aware” as we should be.. But that is for another day…

As They Say... “There Is No Patch For Human Stupidity”

There is a bumper sticker that I have seen at the con’s that makes the statement “There is no patch for human stupidity” I would like to change that to “There is no patch for human nature” What some see as stupidity is just human nature. I have written a few times in the past about my pov on this. People are no longer living on the savannah and have to worry about the lion in the grass. So, we as a species, have lost our ability to really sense danger and to listen to the little voice that we all have…

We instead might think we are just being paranoid… Well, there’s another phrase that you should be acquainted wit;

“Just because I am paranoid doesn’t mean that they aren’t out to get me”

People generally want to be helpful and can empathize with others. This is a main characteristic in our make up and something that can be lauded. However, it can also be used to the extreme by those who have more  “moral flexibility” than others lets say. So this will always be a problem and it should take a solid place in your security program… It’s just getting the C levels to understand and react..

That’s the key.

Anyway, pay attention folks. This SE exploit may be coming to you soon.. Or already is.

Happy Buffer Overflows!

Now, I have to write some more tutorials and re-program some *NIX beardy types…

K.

Cross-posted from Krypt3ia

Possibly Related Articles:
15599
General
Information Security
Phishing Enterprise Security Social Engineering Windows Linux Advanced Persistent Threats Exploits PDF Situational Awareness
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.