By distilling thousands of pages of theory into a simple form the SEVER project hopes to:

1. Provide the fastest means of training novices about complex social engineering concepts.
2. Provide penetration testers with a methodology that minimizes their effort while increasing their chance of success.

You will begin by defining requirements, then brainstorm solutions, and then refine your solutions through multiple phases. Each phase increases in detail, allowing you to identify ‘show stoppers’ as soon as possible. This will help you avoid wasting time working on a plan that is not going to succeed. If an idea makes it through the entire process and you still feel good about it then you should have a very high chance of success.

The best format for this content would be an electronic form with a lot of context-sensitive notes. But since there is currently no effective, portable way of accomplishing that I decided to split the content into two PDF files – the SEVER Worksheet and the SEVER Instructions. Go through these instructions while you fill out the form until you have a thorough understanding of how the form works. If you cheat and try to do one before the other (or skip the instructions altogether) you will miss things which will make failure far more likely.

You can download both papers here:

- SEVER_Instructions_Final.pdf
- SEVER_Worksheet_Final.pdf

Or read more here.

As much as it may well have a use in law enforcement, I’m sorry but I don’t want any single organization, corporation or entity to have the power to take out domains.

It’s just plain wrong, and well the UK has already started tabling something like this back in September.

VeriSign, which manages the database of all .com internet addresses, wants powers to shut down “non-legitimate” domain names when asked to by law enforcement.

The company said today it wants to be able to enforce the “denial, cancellation or transfer of any registration” in any of a laundry list of scenarios where a domain is deemed to be “abusive”.

VeriSign should be able to shut down a .com or .net domain, and therefore its associated website and email, “to comply with any applicable court orders, laws, government rules or requirements, requests of law enforcement or other governmental or quasi-governmental agency, or any dispute resolution process”, according to a document it filed today with domain name industry overseer ICANN.

The company has already helped law enforcement agencies in the US, such as the Immigration and Customs Enforcement agency, seize domains that were allegedly being used to sell counterfeit goods or facilitate online piracy, when the agency first obtained a court order.

That seizure process has come under fire because, in at least one fringe case, a seized .com domain’s website had already been ruled legal by a court in its native Spain.

Senior ICE agents are on record saying that they believe all .com addresses fall under US jurisdiction.

But the new powers would be international and, according to VeriSign’s filing, could enable it to shut down a domain also when it receives “requests from law enforcement”, without a court order.

Yes VeriSign do manage all the .com and .net domains, but they aren’t technically ruled under the US jurisdiction – there are plenty of .com domains that are hosted outside of the US, including the DNS infrastructure.

What I’m especially interested in, is how they plan to handle the fact that lots of things are illegal in some countries and perfectly legal in others. The part that scares me is they will be able to take down a domain without a court order, just on ‘request’ from a law enforcement agency.

To me, that opens it up to abuse – if you are going to do something like this, at least institute a due process to manage it properly.

“Various law enforcement personnel, around the globe, have asked us to mitigate domain name abuse, and have validated our approach to rapid suspension of malicious domain names,” VeriSign told ICANN, describing its system as “an integrated response to criminal activities that utilize Verisign-managed [top-level domains] and DNS infrastructure”.

The company said it has already cooperated with US law enforcement, including the FBI, to craft the suspension policies, and that it intends to also work with police in Europe and elsewhere.

It’s not yet clear how VeriSign would handle a request to suspend a .com domain that was hosting content legal in the US and Europe but illegal in, for example, Saudi Arabia or Uganda.

VeriSign made the request in a Registry Services Evaluation Process (RSEP) document filed today with ICANN. The RSEP is currently the primary mechanism that registries employ when they want to make significant changes to their contracts with ICANN.

The request also separately asks for permission to launch a “malware scanning service”, not dissimilar to the one recently introduced by ICM Registry, manager of the new .xxx extension.

That service would enable VeriSign to scan all .com websites once per quarter for malware and then provide a free “informational only” security report to the registrar responsible for the domain, which would then be able to take re-mediation action. It would be a voluntary service.

Scary thoughts really. However the malware scanning service sounds like something that would help the Internet clean up all the nasty stuff, but then again – do the registrars really care, and would they respond?

Either way, I don’t like the fact that these draconian control laws may be placed on the Internet as we know – that basically allow US law enforcement agencies to take down domains as they please.

What I’m guessing, if this is implemented, it may well become a major target for Social Engineering efforts. What’s more effective than a traditional DDoS attack? Having the domain completely killed by VeriSign – that’s what.

Source: The Register

SET is a menu driven based attack system, which is fairly unique when it comes to hacker tools. The decision not to make it command line was made because of how social-engineer attacks occur; it requires multiple scenarios, options, and customizations. If the tool had been command line based it would have really limited the effectiveness of the attacks and the inability to fully customize it based on your target. Let’s dive into the menu and do a brief walkthrough of each attack vector.

This is an extremely complete and advanced toolkit, which also harnessed the power of Metasploit and Ettercap and it provides following attack vectors:

• Spear-Phishing Attack Vector
• Java Applet Attack Vector
• Metasploit Browser Exploit Method
• Credential Harvester Attack Method
• Tabnabbing Attack Method
• Man Left in the Middle Attack Method
• Web Jacking Attack Method
• Multi-Attack Web Vector
• Infectious Media Generator
• Teensy USB HID Attack Vector

You can find some tutorials and videos on how to get up and running and use SET here:

Social Engineering Resources

You can download SET using SVN.

svn co http://svn.secmaniac.com/social_engineering_toolkit set/

Or read more here.

I’m sure all the Firefox users reading have at some point or another been faced with the warning screen that tells you a site is not safe to visit, the red page which states in big white letters “Reported Attack Page!”.

Hackers have subverted warnings generated by Firefox about dangerous sites to punt fake anti-virus portals.

Surfers straying onto a web page offering the “Security Tool” rogue anti-virus are offered a warning page that convincingly mimics the genuine Firefox block page. The site offers supposed updates for Mozilla’s technology that are actually scareware packages.

If Windows users apply these updates they will be falsely warned that their system is infected and continuously nagged into buying worthless scareware packages that serve only to line the pockets of cyber-scammers.

The rogue application will automatically attempt to install itself on the machines of prospective marks in cases where scripts are enabled, net security firm F-Secure warns.

Personally I’d say this attack would be pretty effective, my only question would be – how would the user land on that site in the first place? I guess through the normal channels (e-mail spam, facebook wall worms and so on).

After landing the user would realize they’ve been spammed/scammed and see the Firefox warning…then download the ‘security update’ and install it – unknowingly pwning themselves in the process.

Firefox’s genuine attack warning technology is all server-side and never requests that users download updates. The attack relies, in part, on the ignorance of the majority of potential victims on this point.

The attack is a rare but not unprecedented attempt by malware slingers to use Firefox features to push their wares. Previous attacks by the same gang have involved tricking users into downloading scareware in the guise of a supposed Firefox/Flash update.

The malware is offered from a page designed to trick Firefox users into thinking their browser software has just been updated but that they still need to apply a Flash Player patch, which is actually a rogue anti-virus installation utility. The sneaky tactic, first spotted back in July, is explained in more detail in a blog post by F-Secure.

It just goes to show the bad guys are pretty creative when it comes to new ways to trick people into installing their malware, I wonder what we’ll see next?

The full entry by F-Secure can be seen here:

Reported Attack Site! – Security Tool’s Latest Trick

Source: The Register

Well it was inevitable really, I’ve noticed in the last couple of years Phishing e-mails have started to use targeted lists especially for banking sites and the next up of course is trojans developed for specific regions.

A security company Trusteer (who makes Rapport) has done some research on this matter which has pin-pointed certain malware which is specifically targeted at UK banking sites and their users. And they actually appear to be using the rather successful Zeus trojan, with 2 botnets targeting the UK.

I would guess that targeting on a per-country basis increases the chances of success hugely as there only limited banks in each country and especially in the small countries like UK there aren’t that many popular ones, especially with all the mergers that took place.

Cybercrooks have developed regionally-targeted banking Trojans that are more likely to slip under the radar of anti-virus defences.

Detection rates for regional malware vary between zero and 20 per cent, according to a study by transaction security firm Trusteer. This company markets browser security add-ons to banks, which offer them to consumers as a way of reducing the risk of malware on PCs resulting in banking fraud.

Trusteer cites two pieces of regional malware targeted at UK banking consumers. Silon.var2, crops up on one in every 500 computers in the UK compared to one in 20,000 in the US. Another strain of malware, dubbed Agent-DBJP, was found on one in 5,000 computers in the UK compared to one in 60,000 in the US.

The Zeus Trojan is the most common agent of financial fraud worldwide. The cybercrime toolkit is highly customisable and widely available through underground carder and cybercrime forums. Trusteer has identified two UK-specific Zeus botnets, designed to infect only UK-based Windows and harvest login credentials of only British banks from these compromised systems.

It seems like a sensible shift in the paradigm for the bot-herders and malware pushers, rather than spraying their malware everywhere they can geolocate the IP addresses they are attacking and send out specific versions of their malware for clients from different countries.

Rather than in the early days when phishing and trojans only targeted the very largest US banking organizations (Citibank, Bank of America etc.).

Plus the fact more and more people are using online banking, micro-payment systems and sharing all kinds of sensitive data with the World online and stored on their computers. This makes it a much richer field for the would-be fraudster.

Trusteer reckons the crooks behind the attack are using UK-centric spam lists and compromised websites to spread the malware while staying under the radar of security firms. It compares this process to the shift from mass assaults to targeted strikes in corporate espionage-motivated attacks such as Operation Aurora, which struck Google and other hit-tech firms last year.

“Unlike known malware kits such as Zeus, Torpig, and Ambler which simultaneously target hundreds of banks and enterprises around the world and are on the radar of all security vendors, regional financial malware such as Silon.var2 and Agent.DBJP are highly targeted,” said Mickey Boodaei, Trusteer’s chief exec.

“In the UK, each campaign would usually focus on three to seven banks and target them for a period of six to nine months and then morph and change the list of targets, using a new more advanced version of the malware.”

Regionally-targeted malware has also cropped up in South Africa and Germany over recent months. A strain of malware called Yaludle, almost unseen outside Germany, has been used to target the online banking credentials of German surfers. Trusteer is urging banks to share information on targeted attacks locally as well as working with regulators and local law enforcement agencies to shut down command and control servers associated with regionally-targeted malware. The firm, naturally enough, also wants to persuade more banks to use its Rapport secure browsing software as a way of providing an extra defence against fraud.

As the report states, it’s started to appear in other countries too such as Germany and South Africa. If you live in a non-major country, I’d imagine it’ll be coming to your shores soon enough. I already started seeing regionally targeted phishing e-mails here last year, I’d expect the location aware trojans to hit soon too.

The trojans were actually identified by Trusteer’s Flashlight service, which is a kind of forensics software for banking. It allows banks to diagnose whether a client’s PC has been infected with malware following incidents of suspected fraud.

Anyway interesting stuff, if you work in the financial sector give those upstairs a heads-up about this, if you have a big user-base – please warn your users too.

Source: The Register

It seems to be a trend now, whenever someone famous dies some kind of malware or phishing scam will pop up playing on their death with the usual social engineering aspect.

The most memorable one recently of course was the passing of The King of Pop – Michael Jackson

The latest one is Brittany Murphy who passed away last Sunday, search results lead users to fake anti-virus products labeled as ‘scareware’ tactics.

Actress Brittany Murphy’s sudden death, just like Michael Jackson’s untimely demise before her, has quickly been exploited by scareware scammers.

A spike in searches on Murphy’s death has been taken as a theme for Black Hat SEO attacks, designed to push sites that have been hacked to redirect surfers to scareware portals into prominence in search engine results.

Windows users who click on links to poisoned search results get exposed to a fake anti-virus scan, designed to frighten users into buying rogue security software of little or no utility.

They have to act fast of course to get their results ranking at the top during the aftermath of a celebrity death.

For most tech-savvy users I don’t think it would be much of an issue, but for the average joe it seems they are fairly gullible when it comes to promises of anti-viral solutions.

Net security firm F-Secure, which has a full write-up of the attack here, detects the strain of scareware involved in the attack as Fakevimes-T. More detail on how search results were poisoned can be found in a blog posting be WebSense here.

Murphy, who starred in movies including 8 Mile, Sin City and Spun died on Sunday, 20 December after collapsing at her LA home. She was only 32. The precise cause of death is yet to be determined but an autopsy is planned. ®

It’s a sad event nevertheless and I hope the news doesn’t come out that yet another celebrity died from a drug overdose.

It has been rumoured that Brittany Murphy used drugs due to intense Hollywood pressure to maintain her slim stature.

Oh well, Merry Christmas indeed!

Source: The Register

Facebook has had a fair share of problems, being a large community of course it’s going to be a ripe target for spammers, scammers and malware distributors.

The latest to hit is a spam e-mail claiming to be from the Facebook team that actually spreads a nasty piece of malware called Bredolab. It’s also been observed the trojan will connect to additional servers to install more malware.

The ultimate goal as usual is to make the victims part of a botnet.

Researchers at several security firms have uncovered a spam campaign targeting Facebook users. The e-mails, which pose as communications from Facebook about password resets, contain a nasty downloader that ultimately makes users part of a notorious botnet.

Researchers at several security firms have tied the Bredolab Trojan to a spam campaign targeting Facebook users.

The malware is being blasted out by spammers in e-mails claiming to come from “The Facebook Team.” Inside the e-mails is a message that the recipient’s Facebook password has been changed. In order to get the new one, recipients are told to open the accompanying attachment containing the malware.

Researchers at Websense told eWEEK Oct. 27 that they have observed more than 350,000 of the messages. On the company’s blog, researchers explained that the malware connects to two servers to download additional malicious files. Among them is Pushdo, also known as Cutwail.

This spam campaign seems to be generating some fairly high levels of traffic meaning whoever is behind it is pretty serious and committed to this vector for disseminating malware.

Social engineering isn’t a new method for propagating malware as always the weakest link is never the technological barriers but is always the stupidity/greed/gullibility of humans.

You can ALWAYS hack the wetware.

“One of the first things we saw this Trojan horse download was the Pushdo bot which began spamming out more of these Facebook password reset emails,” according to M86 Security.

MX Logic noted that Bredolab bypasses firewalls by injecting its own code into the legitimate process svchost.exe and explorer.exe. It also contains anti-sandbox code to thwart researchers, and creates the following files: %AppData%\wiaservg.log, %Windir%\temp\wpv861256600826.exe and %Programs%\Startup\isqsys32.exe. Bredolab also creates the processes isqsys32.exe and svchost.exe.

Sophos is detecting the malware as Troj/BredoZp-M or Mal/Bredo-A.

“Don’t make life easy for the hackers hell-bent on infecting your computer, stealing your identity and emptying your bank account – exercise caution when you receive unsolicited emails and protect your computer with up-to-date security software,” Graham Cluley, senior technology consultant at Sophos, advised in a blog post.

It looks like a pretty advanced piece of malware code which evades firewall measures and even tries to thwart analysis by AV companies.

Anti sandbox code and process injection, these bad guys are getting smart.

That does not bode well for the average citizen.

Source: eWeek

For people of my age and generation and I’d guess for most readers of Darknet, Michael Jackson would have had a great influence on our lives.

The biggest news last week was most certainly his death, as usual the bad guys were extremely quick to capitalize on this and were sending out spam within hours of the announcement.

It was suspected malware would follow shortly after, and it did according to F-secure.

Within hours of the death of pop star Michael Jackson, spam trading on his demise hit inboxes, a security firm said today as it warned that more was in the offing.

Just eight hours after news broke about Jackson, U.K.-based Sophos started tracking the first wave of Jackson spam, which used a subject head of “Confidential — Michael Jackson.” The spam wasn’t pitching a product or leading users to a phishing or malware Web site, but instead was trying to dupe users into replying to the message in order to collect e-mail addresses and verify them as legitimate.

“The body of the spam message does not contain any call-to-action link such as a URL, e-mail or phone number,” said Sophos in its company’s blog today. “But the spammer can harvest receivers’ e-mail addresses via a free live e-mail address if the spam message is replied to.”

The original versions were just plain old spam to harvest addresses, but later malware laden versions followed which dropped IRC bots and backdoors detected as “Trojan.Win32.Buzus.bjyo”.

It’s sad to see such things happening, but social engineering attacks to spread malware are always expected when some big news like this breaks.

Nothing is sacred to the dark side of the Internet.

The timing of that campaign was not coincidental: It followed Jackson’s acquittal on all charges in child sexual abuse. “The news of his suicide attempt was believable,” said Cluley, who noted that scammers and hackers often trade on tragedies to get people to click links. In that case, users were hit with a hacker toolkit that tried several exploits against Internet Explorer.

“I wouldn’t be surprised to see hackers claiming that they have top-secret footage from the hospital, perhaps [allegedly] taken by the ambulance people, that then asks you to install a video codec,” said Cluley, talking about a common malware ploy. Users who click on the supposed codec update link are, in fact, then infected with attack code, often a bot that hijacks their computer.

So do warn people, if someone e-mails them pictures or videos claiming to be secret or exclusive footage surrounding the death of Michael Jackson – it’s most likely an infection vector.

Common sense prevails, but is sadly not common.

RIP Michael.

Source: Network World

We’ve mentioned Twitter a few times lately as it has become a larger and larger part of the social web and the premier ‘micro-blogging’ platform.

There was a recent Phishing issue on Twitter and before that Twitter Jacking and a CSRF bug that allowed auto-following.

Due to the large update of Twitter, the amount of datable available on the site and it’s easily searchable nature it has become a great platform for data-mining and information gathering (the first and sometimes most important parts of any pen test/vuln ass or security test).

Twitter is fun. It’s also a powerful research tool. People increasingly use Twitter to share advice, opinions, news, moods, concerns, facts, rumors, and everything else imaginable. Much of that data is public and available for mining.

Here’s how to use Twitter to gather useful information about topics, companies, and individuals. I’ll cover native Twitter features, as well as third-party tools with catchy names, such as 5and2fish, Twitter Venn, TwitterFriends, PeopleBrowsr , Twitturly, Twitter Spectrum, and others.

Most of the techniques mentioned here don’t require you to be a registered Twitter user. If you use Twitter, consider what data tidbits you release there, and whether you need to be more careful.

People don’t tend to be so careful or post in such a considered manner when using Twitter as the tidbits posted are so short and off-the-cuff.

This leads to an interesting source of information for people like us doing research about an individual or organization. You can really get a good gauge on the publics feelings for a certain topic too by searching Twitter for relevant keywords.

For example if you search Twitter for ‘Darknet‘ you can see some people mentioning our posts and one guy pretty consistently re-syndicating our content onto the micro-blogging platform.

As you gather information on Twitter, be mindful of others attempting to manipulate you into arriving at their conclusions by feeding you misinformation. Cross-check data and understand its sources. For more on this, see Is Twitter A Market Manipulator’s Dream on the TwiTip blog. If the topic of reputational attacks interests you, also look at the SpinHunters blog.

If using Twitter to share information and stay in touch with your friends, be mindful of how others might misuse what you reveal about yourself, others, or your company. In the words of Wired magazine’s Steven Levy, “No matter how innocuous your individual tweets, the aggregate ends up being the foundation of a scary-deep self-portrait. It’s like a psychographic version of strip poker–I’m disrobing, 140 characters at a time.”

It’s an article well worth reading if you are a Twitter user or not, if you are an infosec professional it gives you another source to search when you are doing information gathering or data-mining tasks.

The Internet is always evolving along with the way people use it, as it becomes a more social platform – more information is bound to be ‘exposed‘ online – for us to find..

Source: SANS ISC

It seems like ‘vishing‘ (basically Phishing – but utilising VoIP call services) as it’s known is getting bigger, especially since the scammers have been using a flaw in Asterisk systems that allows them to hijack the VoIP exchange.

Older versions of Asterisk do have quite a number of serious flaws and it looks like scammers and phishing crews have been exploiting these to make thousands of outbound calls. The traditional way they did this was to setup the exchange themselves so they can receive calls that follow-up to their phishing e-mails.

Criminals are taking advantage of a bug in the Asterisk Internet telephony system that lets them pump out thousands of scam phone calls in an hour, the U.S. Federal Bureau of Investigation warned Friday.

The FBI didn’t say which versions of Asterisk were vulnerable to the bug, but it advised users to upgrade to the latest version of the software. Asterisk is an open-source product that lets users turn a Linux computer into a VoIP (Voice over Internet Protocol) telephone exchange.

In so-called vishing attacks, scammers usually use a VoIP system to set up a phony call center and then use phishing e-mails to trick victims into calling the center. Once there, they are prompted to give private information. But in the scam described by the FBI, they apparently are taking over legitimate Asterisk systems in order to directly dial victims.

So if you are running any kind of Asterisk exchange or derivative (even a hardware based VoIP device based on Asterisk) please make sure you’ve updated to the latest version (this includes firmware for hardware devices).

If not you might find yourself with a very large phone bill that’s hard to explain.

“Early versions of the Asterisk software are known to have a vulnerability,” the FBI said in an advisory posted Friday to the Internet Crime Complaint Center. “The vulnerability can be exploited by cyber criminals to use the system as an auto dialer, generating thousands of vishing telephone calls to consumers within one hour.”

The software, developed by Digium, has been available for nearly a decade, and a number of critical flaws have been found in the software. In March, researchers at Mu Security reported a bug that could allow an attacker to take control of an Asterisk system.

With the digital nature of Asterisk it’s very easy to dial out then play back a mp3 or wav file that was pre-recorded by the phisher.

They don’t need to take a lot of effort to do this, I imagine they just write a script that auto-generates the phone numbers to dial – then away it goes. Whatever the victim needs to do will be contained within the voice message.

I can’t believe people still fall for these things, but well they do.

Source: Network World