
From Alarming to Familiar: Different Social Engineering Techniques

  • Posted on:February 22, 2013 at 12:30 pm
  • Posted in:Bad Sites, Targeted Attacks
  • Author:
    JM Hipolito (Technical Communications)

In the course of our threat research, we’ve encountered different types of social engineering lures that aim to trigger different emotions, such as fear and happiness. These lures are often effective, as we’ve seen in several incidents in the past. However, they are also easily recognizable, as they often use a common theme, be it a recent event or an ongoing season.

There are also other techniques that use a different, more sober approach. These techniques do not aim to trigger alarm, but instead try to avoid it. They try to blend into their intended victims’ normal behavior, or use their interests, in order to draw them into schemes. And though these techniques are far less alarming in terms of the message they carry, they are harder to detect, and often more sinister.

An example of this is the watering hole technique, which was used recently in an attack that ended up affecting companies such as Facebook and Apple. Because a mobile developer forum was chosen as the watering hole, the lure was almost passive: it did not need any means to get the victims to visit the site. The site was strategically chosen because visiting it was already known to be a part of the victims’ normal routine.

Earlier this week, we also saw reports of an attack wherein the name of the report recently released by Mandiant is used as the lure. The message related to the attack comes as a recommendation from the sender to read the article, along with a PDF file which is supposedly the report itself (of course, in reality the file is malicious: a PDF exploit we detect as TROJ_PIDIEF.EVF). We were also alerted to news regarding another threat using the Mandiant report, which supposedly targeted journalists. Detected as TROJ_PIDIEF.EVE, this malware drops the non-malicious .PDF file Mandiant_APT2_Report.pdf and a backdoor detected as BKDR_POISON.EVE.

Figure 1. Screenshot of the dropped .PDF file

Figure 2. TROJ_PIDIEF.EVE drops this non-malicious .PDF file

This is a sad irony, because recipients who open the file in order to learn more about a targeted attack will end up being the victim of one. Another case with a similar turn of events is the Java 0-day, wherein we found malware posing as the update Oracle issued to address the vulnerability.

In our entry, The Trends in Targeted Attacks of 2012, senior threat researcher Nart Villeneuve tackled how cybercriminals employed research analysis by security researchers as a ploy to deliver malware. This trend was also seen in 2011 in the Nitro campaign, which abused the Symantec report.

Initial attack vector aside, what we need to remember is that the social engineering lures of today are no longer limited to things that are new or alarming, and that attacks can start even from the most familiar places. As Martin Roesler explained before, attackers have the upper hand, and they will form an attack based on what they know about their intended victim. We must be alert at all times, and train ourselves to have the mindset that we can be a target.

With additional insights from senior threat researcher Nart Villeneuve 

Update as of Feb. 22, 2:38 PM PST

TROJ_PIDIEF.EVE has been renamed to TROJ_PIDIEF.VEV.
