Security

Support pros vs. social engineering attacks

Developers should always work to make software secure, but it is up to support techs and trainers to inform users how they can keep themselves safe online.

Of note this week for many chat users was a phishing scam directing visitors to a fake online video service called Viddyho. I found out about the con when an unexpected chat message from an old work acquaintance appeared in my Gmail window. It consisted of a line of text — "hey, check out this video" — and a link. The link sent me to the Viddyho Web page, which asked for my Google user name and password. I thought "Umm, no," and then started doing some research.

An evolution of the old "send us your login info" password phishing attack, the Viddyho scam has been taking people in because of savvy social engineering. The Viddyho messages pretend to be from people we know, and the payload is well suited to the delivery medium. I mean, most people are used to getting "hey check out this link" messages from the folks they chat with. The message doesn't set off the same alarm bells as a phishing e-mail purporting to be from a bank I've never used.

That's all well and good, but the Viddyho phish has to get your password at some point, and that can happen only if you hand it over. How do people keep falling for things like this? The simple answer is that human beings aren't perfect. Software can be patched, virus definitions can be updated, but humans have to learn things the old-fashioned way. Usually, that's either from experience...or from being taught by an expert. So, developers and security researchers can keep tightening their systems. (They've already taken care of Viddyho; that site's been taken down.) It's up to those of us who interact with users to try to prepare them for the next time someone tries to fool them. Get the message out. Help your users protect themselves by making sure they live by the rules...

  • Use security software and scan your computers regularly for viruses and spyware.
  • Check hyperlinks to make sure their destination is legitimate before you click.
  • Use software only from legitimate and trusted sources.
  • Use your security software to scan any files you download from the Internet or receive as e-mail attachments.
  • Never give out your passwords or private information online. To anyone. For any reason.
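For trainers who want to show what "check the destination" means in practice, here is an added example (not part of the original article) that decides whether a link is a place where a Google password may be typed. The trusted-domain list, the function name and the sample links are assumptions made for illustration; `viddyho.example` is a placeholder host, not the scam's real address.

```python
from urllib.parse import urlsplit

# Assumption: the only domain where this user should ever type a Google password.
TRUSTED_LOGIN_DOMAINS = {"google.com"}


def check_login_link(url, trusted=TRUSTED_LOGIN_DOMAINS):
    """Return (ok, reason) for a link that leads to a password prompt."""
    if "\\" in url:
        return False, "backslash in URL (clients parse it inconsistently)"
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # the real host: ignores any 'user@' prefix and the port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not https"
    if not host:
        return False, "no host"
    host = host.rstrip(".").lower()
    if parts.username is not None:
        # Everything before '@' is login info, not the site being visited.
        return False, f"text before '@' is a decoy; real host is {host}"
    for domain in trusted:
        # Match the domain itself or a true subdomain, never a mere substring.
        if host == domain or host.endswith("." + domain):
            return True, f"{host} belongs to {domain}"
    return False, f"{host} is not a trusted login domain"


# Constructed sample links for a training session.
SAMPLES = [
    "https://accounts.google.com/ServiceLogin",
    "https://accounts.google.com@viddyho.example/",
    "https://accounts.google.com.viddyho.example/signin",
    "http://accounts.google.com/",
    "https://notgoogle.com/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        ok, reason = check_login_link(url)
        print("OK    " if ok else "REJECT", url, "->", reason)
```

Only the first sample passes; the others show the usual disguises: a trusted name placed before an `@`, a trusted name used as a subdomain of another site, plain HTTP, and a lookalike domain.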

These seem obvious to us, the tech-savvy folks, but there are smart people — and dumb ones — who haven't yet gotten the message. Twice I've had legitimate organizations ask me to send my credit card information to them via e-mail (once it was a charity; the second time was my lawyer's assistant). Experienced techs will read that and roll their eyes, but these were cases of smart people who didn't know better because they'd never been taught. Correcting mistakes like these and teaching people how they can safely use technology are responsibilities of support pros everywhere.
