Cb Connect 2018 | Power of You | Register Now


How to Thwart a Social Engineering Attack Using Trusted Icon Recognition

How to Thwart a Social Engineering Attack Using Trusted Icon Recognition
April 17, 2015 / Mark Gilbert

One of the most popular attack techniques used today is social engineering, most often via emails that convince a user to run an executable. For attackers, there are two critical components to making social engineering successful:

  1. The situation described convinces the user to click the attached executable
  2. The executable’s icon matches what the user expects

With Carbon Black v5.1, you now will detect the second component by using patent-pending image classification algorithms on the extracted icon. The more likely a user is to trust the icon, the easier it will be to detect it as a trusted icon. The more an attacker changes the icon to defeat image recognition, the less likely the user is to trust the resulting icon. This gives you another tool to detect malware, independent of signatures—even “zero days.”

For example, here’s an email received by Bit9 + Carbon Black:


The linked form was purported to be a PDF to be downloaded and completed:


While the icon makes it look like a PDF, it’s actually the Dyre malware.

In this style of social engineering, user psychology is critical to the attacker’s success: the user recognizes and trusts the icon. Unlike traditional malware detection that must decide if any arbitrary executable is malicious, the dependency on user trust lets us make a simpler decision: is an executable from the application the icon claims to be?

With Carbon Black v5.1, we are introducing a new feed to our Threat Intelligence Cloud: the icon matching feed. If you participate in the CB Alliance, share binaries with Bit9 and enable this feed, the CB Alliance image processing servers will use patent-pending technology to:

  • Extract the icon from all binaries executed across your enterprise
  • Apply image classification algorithms to categorize the expected application based on the icon.
  • Validate the binary is from that application using the Threat Intelligence Cloud’s Software Reputation Service, which provides the foundation of the Bit9 Security Platform’s whitelisting capability.

If the icon comes from a widely trusted source but the associated binary does not match that source, the binary will be tagged and your administrators notified. It does not matter if your antivirus vendor (or any other security vendor) has a signature developed for it yet.


Of course, as with any technology, the devil is in the details. There are a number of factors that complicate analysis, including attackers fighting image recognition with discoloration, blur, lighting, or etching to complicate automated image recognition.

For example, here’s a sampling of the icons from malware our classifier recognizes as Windows Media Player:


Soon, we’ll publish a second blog post describing the icon classification process and these challenges in more detail.

Our ongoing mission is to enable you to detect more and respond faster. Carbon Black’s continuous recording gives you a dataset to analyze that no one—enterprise organization or technology vendor—has had before.

Many Carbon Black customers are using the API to perform this type of custom analytics themselves. And the Bit9 + Carbon Black threat research team is working on advanced analytics, like this new feed, to provide you with groundbreaking detection and analysis capabilities.

We’re excited to hear your feedback, and look forward to what comes next!

TAGS: bit9 / Carbon Black / executable / icon recognition / new version Carbon Black / social engineering attack