id="info"

Software

Cheat Sheet: Social engineering

The tricks of the virus writing trade...

Social engineering? I'm thinking community projects - building irrigation systems perhaps?
Then you couldn't be more wrong. This has nothing to do with that kind of engineering and 'social' certainly doesn't refer to anything which benefits society - quite the opposite.

Go on...
'Social engineering' refers to the practice of exploiting trends or developments within society to trick people into carrying out a task which is generally to their detriment - most commonly the tricks used by virus writers and spammers to encourage recipients to open emails, launch attachments or visit links.

What kind of tricks are we talking about? And what are these 'trends within society'?
We are talking about creating specific subject lines or attachment names which will tempt a user to click - even if they think they shouldn't. Often this will involve a promise of a sensational file attachment - such candid shots of female celebrities.

Shameful...
But effective. To date celebs such as Britney Spears, Shakira, Jennifer Lopez and Catherine Zeta Jones have all been the subject of such ploys. An email arrives which promises smutty pictures of one of the aforementioned and although they know they shouldn't there are still enough gullible recipients who are tempted to click on the file. Of course they don't get any pictures - they simply launch a virus.

So we shouldn't click on any smutty pics?
Social engineering to one side that is probably a wise rule - at least in the workplace. But it's not just a promise of smutty pics which identifies social engineering. It relies upon anything which is a hot topic. The war in Iraq brought a series of emails offering 'behind enemy lines' footage which was another ploy to get users to click on emails. George W Bush, Osama Bin Laden, Michael Jackson and even Harry Potter have also been used to lure users into clicking on attachments.

If something become a burning issue or a matter of massive public interest there is a good chance it will crop up as the hook on an email virus or spam message at some point soon.

In a perverse kind of way it is almost confirmation, for stars at least, that they have 'arrived' - a less welcome alternative to being given a star on Hollywood Boulevard.

So what works best?
As any salesman will tell you 'sex sells'. The candid shots of female celebs have always been a mainstay of the social engineers arsenal. But the example cited by many in the AV industry as the purest example of social engineering was the Love Bug virus and its 'I Love You' subject line.

Launched in 2001 the subject line and attachment name played upon individuals' naivety and most people's need to be loved. Even many those who may instantly have thought something wasn't quite right were tricked into opening it by their snooping suspicion it was a wrongly-addressed confession.

Since then we have perhaps wised up, but of its time it was a simple yet powerful ploy.

But eventually we'll cotton on and ignore such emails, right?
But sadly nobody innovates like a virus writer or a spammer. They are constantly thinking of new ways of getting users to open emails or fall for their scams. Just look at the phenomenon of the phishing emails which rely upon similar means and the scams purporting to be from the 'Dutch National Lottery' or Nigerian bankers which play on peoples' naivety and greed.

The nature of social engineering is that it's only obvious if you know it's a trick - and too often people are finding out the hard way.

So what else are these tricksters doing?
In recent times we have seen emails which purport to be from Microsoft or users' own IT departments asking them to remove files from their systems or download 'patches' which either way create or install vulnerabilities. We've also seen simple questions deployed such as 'Is this your picture?' - which has tricked recipients into wondering who may have pictures of them and subsequently made them click on the attachment.

The innovation and the simplicity of the right approach poses such a risk that Gartner recently declared social engineering as the greatest threat on the security landscape.

So what can we do?
Fortunately the prevention is as simple as the ploy. Just don't let them trick you. If you weren't expecting a file attachment then don't click on it. If you don't recognise the sender or haven't directly solicited the email then don't click on it. If you think there is anything strange about the email at all, be very wary. Ask yourself whether the email is likely to contain what it says it contains. If it comes from a friend and is an attachment you would want to see then check with the friend.

The absolute bottom line is 'don't be an idiot' - and don't be the gullible fool the creator is preying on. No matter how much you think you want to see those candid pictures of Britney Spears (which most likely won't exist) ask yourself whether it's a risk worth taking.

Having to go to your boss and admit you launched a virus in an attempt to look at smut at work is not a conversation you will enjoy.

No, indeed.

Editor's Picks