What happens after a social engineering attack?
When responding to a social engineering attack against a networked target, you may encounter several kinds of endpoint. The victim may have been compromised in a browser session, in a cloud-only (SaaS) account, on a workstation or other end-user system, or on a mobile device.
This article describes what happens on the victim's computer when a popular browser and email client are used on a Windows system, and examines the artifacts that are left behind.
According to one widely cited Q3 2016 phishing report, 97% of phishing emails in that quarter delivered ransomware.
Email continues to be used as an attack vector in corporate networks, and that study and many others show the trend is not slowing down. Many corporations deploy multiple endpoint detection and response (EDR) solutions as well as email security controls at several layers, and there are many options for keeping malicious email out of a target environment.
Even with all of these measures in place, malicious attackers still reach end users' inboxes. The controls above make it much harder to deliver malicious content, but an attacker can still bypass them. Unless your environment accepts email only from known senders, the way email works today means these cases will continue to exist.
EDR solutions make it easier to correlate the chain of events that leads to a system compromise: from the email client, to the document parser that ends up running attacker-supplied code (for example a Word macro), to the changes on the system that indicate a compromise. They combine machine learning with threat intelligence and indicators of compromise to match system and software activity against known attacker behavior. Let's look at an example email that enters a corporate environment and executes attacker-supplied code.
Imagine you receive an email with the subject "Invoice" that looks very similar to the one shown below. You would not normally open such an email, so suppose the attacker used a combination of tactics to get it to you. To increase the likelihood that you open it, they could have used a side channel, such as an SMS, to build anticipation. The attachment is a password-protected ZIP file; because the archive is encrypted, a mail gateway cannot inspect its contents. Here is how the attack unfolds:
1. The user receives an email containing a ZIP file. The ZIP password arrives through another channel, such as SMS.
2. The user is told to save the attachment to their desktop. When the Word document inside is opened, Word warns about the file's origin (Protected View) and asks the user to enable content before the macro inside can run.
3. The user saves the archive to the desktop, enters the password and extracts it to a folder. Let's look at each file's zone identifier using Streams.exe from Sysinternals. The invoice.zip attachment came directly from the internet, so it carries a Zone.Identifier alternate data stream with ZoneId=3 (Internet zone), and Windows' built-in extraction propagates that marking to the files it extracts.
When you open the attachment from Outlook or Word, you are prompted with additional security warnings. This is because the file's Zone.Identifier stream marks it as coming from an untrusted source, so it is not treated as a trusted document.
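The zone-identifier check in step 3 can also be done from PowerShell instead of Streams.exe. The script below is an added example and is not part of the original article: it creates a constructed sample file in a temporary folder, writes a Zone.Identifier stream to it the way a browser or mail client would (the URLs are made-up), and then reads the stream back for every file in that folder, reporting which files carry Mark-of-the-Web and which do not. The folder path and file names are assumptions; point `$AttachmentDir` at the real extraction folder to inspect actual artifacts.

```powershell
# Added example, not from the original article. Inspects the Zone.Identifier
# alternate data stream (Mark-of-the-Web) on files in a folder.
# Requires Windows (NTFS alternate data streams).

$AttachmentDir = Join-Path $env:TEMP 'motw-demo'   # assumed folder; replace with the real extraction folder
New-Item -ItemType Directory -Path $AttachmentDir -Force | Out-Null

# Constructed sample: simulate a file downloaded from the internet (ZoneId=3) and a
# file created locally (no stream). The URLs below are placeholders, not real hosts.
$downloaded = Join-Path $AttachmentDir 'invoice.zip'
$local      = Join-Path $AttachmentDir 'notes.txt'
Set-Content -LiteralPath $downloaded -Value 'placeholder zip bytes'
Set-Content -LiteralPath $downloaded -Stream Zone.Identifier -Value @(
    '[ZoneTransfer]',
    'ZoneId=3',
    'ReferrerUrl=https://webmail.example.invalid/inbox',
    'HostUrl=https://webmail.example.invalid/attachment/invoice.zip'
)
Set-Content -LiteralPath $local -Value 'created locally, no Mark-of-the-Web'

function Get-ZoneIdentifier {
    param([Parameter(Mandatory)][string]$Path)
    # Files without the stream (created locally, or extracted by an archiver that
    # drops the stream) return $null; everything else is parsed into an object.
    $raw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $raw) { return $null }
    $info = [ordered]@{ Path = $Path; ZoneId = $null; ReferrerUrl = $null; HostUrl = $null }
    foreach ($line in $raw) {
        if ($line -match '^(ZoneId|ReferrerUrl|HostUrl)=(.*)$') { $info[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]$info
}

# URLMON security zone numbers as they appear in the ZoneId line.
$zoneNames = @{ 0 = 'LocalMachine'; 1 = 'LocalIntranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

Get-ChildItem -LiteralPath $AttachmentDir -Recurse -File | ForEach-Object {
    $z = Get-ZoneIdentifier -Path $_.FullName
    if ($z -and $null -ne $z.ZoneId) {
        [pscustomobject]@{
            File     = $_.Name
            Zone     = $zoneNames[[int]$z.ZoneId]
            Referrer = $z.ReferrerUrl
            HostUrl  = $z.HostUrl
        }
    } else {
        [pscustomobject]@{ File = $_.Name; Zone = '(no Zone.Identifier)'; Referrer = $null; HostUrl = $null }
    }
} | Format-Table -AutoSize
```

In the constructed sample, invoice.zip reports the Internet zone with its referrer and host URLs, while notes.txt reports no Zone.Identifier. On a real case the ReferrerUrl and HostUrl values, when present, tell you where the attachment was fetched from. Two caveats when interpreting the result: some third-party archivers do not propagate the stream to extracted files, so a missing stream on an extracted document does not prove it was created locally; and if a ZIP was extracted with Windows Explorer, the extracted files inherit the archive's ZoneId, which is what triggers Protected View when the document is opened.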
Example of social engineering attack