Dual-pronged social media attack vector discovered

News by Steve Gold

Symantec researchers have spotted a dual-pronged social media engineering attack.

According to Lionel Payet, the firm's threat intelligence officer, the first iteration of the attack was seen in May of last year and involved businesses receiving direct phone calls and spear phishing emails impersonating a telecoms supplier, in a bid to install malware on the user's machine. 

This latest version, he says, has been seen targeting French language users and uses a more advanced version of the malware, with the attackers distributing a new payload from a number of freshly compromised domains, resulting in a sudden increase in infection numbers. 

However, he says in his analysis, the payload is different from that used previously (Blackshade), although the attackers are still using the same command-and-control server. The payload, he adds, has been named Trojan.Rokamal and is obfuscated with a DotNet packer.

Tim Keanini, CTO with Lancope, said the dual-pronged attack vector comes down to exploiting human trust, something that is older than the Internet because most humans by default are trusting. 

"We have to work hard at being suspicious and most cultures consider this to be rude. Before the Internet, this all worked out because you were physically invested in the community and when you got up the next day, you would have to deal with your deeds of the day prior, these days, you can be a part of someone's life several time zones away," he explained. 

Back at Symantec, Payet said the most interesting aspect of the malware is that it supports a number of actions, including downloading and executing potentially malicious files, staging distributed denial-of-service (DDoS) attacks, stealing information and even mining crypto currency.

"French speakers are concentrated not just in France, but also in wide areas of Africa, nearby European countries, Canada, and various islands around the world. As such, French speakers present a large pool of potential victims who may not have been targeted as heavily as English speakers," says Payet. 

Mike McLaughlin, technical team lead with pen-testing specialist First Base Technologies, said that the dual-pronged strategy has been used by cyber-criminals for some time, although the use of social media is an interesting new channel. 

"I've heard of users being sent new job information and then receiving another email five minutes later with an attachment or a link," he said, adding that the first email establishes credibility - and the second feeds the user the malware.

The problem, says McLaughlin, is that these attacks are usually tailored, giving them a greater chance of success. Coupled with the fact that many companies are not spending enough on staff awareness of threats like this, he adds that - without training - the attacks will succeed.

"The [training requirement] issue is slowly filtering through to C-level executives, and people are becoming more aware of the human element involved in these types of attacks," he said.

Sarb Sembhi, director of client services with Incoming Thought, the business and research analysis house, said that dual-pronged attacks are often seen against people working in the accounts departments of major companies, as they are used to opening attached invoices - even from people they have not dealt with before. 

"And if you follow up the email with a phone call requesting payment of the attached invoice, you can persuade people to click on the attachment," he explained. 

Sembhi, who is a leading light in ISACA, the not-for-profit IT security association, went on to say the attackers are now using a dual-prong approach as a business model, and are also taking their time to understand their targets and their businesses. 

"The attackers are clearly playing a numbers game with their targets. It's probably not worth their while to use a zero-day attack, as the numbers don't stack up - it's simply a sign of the ways that cyberattacks are going to progress in the future," he explained. 

Mark Teolis, general manager with DOSarrest, said that dual-pronged attacks allow the botnet masters to now have a concentrated group of zombies - in this case all of them are in French-speaking countries, with the majority being in France.

"Should this botnet be used later in a DDoS attack on, say, an English retailer or German school, these organisations that know the origin of their customer base can just block out any IPs coming from France very easily," he said.

"But if it is used to attack a French newspaper based in Paris and it's a slow and low type of layer seven attack, it will be very hard to tell the difference between friend and foe. If you want to rent a botnet for a DDoS attack and your victim is based in France, then this particular botnet is your weapon of choice," he added. 

ForeScout's chief marketing officer, Scott Gordon, meanwhile says that advanced cyber threats - and especially those that leverage social engineering - highlight the value of both security awareness training and the use of continuous monitoring technology. 

"The attackers may gain entry by leveraging a user's credentials, but then perform 'land and expand' techniques to pinpoint and compromise more worthy systems," he said, adding that security platforms which afford interoperability to leverage an enterprise's layered defence infrastructure - including anti-malware, email and Internet filtering, SIEM and NAC technologies - serve to better identify, pre-empt and contain these exposures.
