Support pros vs. social engineering attacks

Developers should always work to make software secure, but it is up to support techs and trainers to inform users how they can keep themselves safe online.

---------------------------------------------------------------------------------------------------------------

Of note this week for many chat users was a phishing scam directing visitors to a fake online video service called Viddyho. I found out about the con when an unexpected chat message from an old work acquaintance appeared in my Gmail window. It consisted of a line of text — "hey, check out this video" — and a link. The link sent me to the Viddyho Web page, which asked for my Google user name and password. I thought "Umm, no," and then started doing some research.

An evolution of the old "send us your login info" password phishing attack, the Viddyho scam has been taking people in because of savvy social engineering. The messages arrive from the accounts of people we know, because each victim's account is used to send the lure on to that person's contacts, and the payload is well suited to the delivery medium: most people are used to getting "hey, check out this link" messages from the folks they chat with. The message doesn't set off the same alarm bells as a phishing e-mail purporting to be from a bank I've never used. The tell is the landing page: a video site has no business asking for a Google password, and the page asking for it isn't Google's.

That's all well and good, but the Viddyho phish has to get your password at some point, and that can happen only if you hand it over. How do people keep falling for things like this? The simple answer is that human beings aren't perfect. Software can be patched and virus definitions can be updated, but humans have to learn things the old-fashioned way: from experience, or from being taught by an expert. So developers and security researchers can keep tightening their systems. (They've already taken care of Viddyho; that site's been taken down.) It's up to those of us who interact with users to prepare them for the next time someone tries to fool them. Get the message out. Help your users protect themselves by making sure they live by the rules:

  • Use security software and scan your computers regularly for viruses and spyware.
  • Check hyperlinks to make sure their destination is legitimate before you click.
  • Use software only from legitimate and trusted sources.
  • Use your security software to scan any files you download from the Internet or receive as e-mail attachments.
  • Never give out your passwords or private information online. To anyone. For any reason.
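
The second rule is the one that would have stopped the Viddyho lure cold, so here is what "check the destination before you click" looks like when a support tech automates it. This is an added example, not code from the original post: the chat message, the hostnames ending in .example and the "trusted" domain list are constructed stand-ins, and the domain-splitting helper is a deliberate simplification (a real tool would consult the Public Suffix List).

```python
"""Inspect the links in a chat message the way rule 2 tells users to.

Added example, not code from the original post.  All sample messages,
hostnames and the TRUSTED set below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed: the domains a user believes they are logging in to.
TRUSTED = {"google.com", "gmail.com"}


def registered_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    Simplification: good enough for .com-style names.  A production tool
    would use the Public Suffix List so that e.g. example.co.uk works.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_link(url: str, trusted=TRUSTED) -> dict:
    """Report where a URL really goes and why a user should be suspicious."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # already lower-cased, port stripped
    findings = []

    # "https://google.com@evil.example/" - the text before @ is userinfo,
    # not the host; the browser connects to evil.example.
    if parts.username is not None:
        findings.append("userinfo before @ hides the real host")

    # Internationalised labels are sent as xn--...; a look-alike brand
    # name built from non-Latin letters shows up this way.
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode host (possible homograph)")

    reg = registered_domain(host)
    if reg not in trusted:
        # "accounts.google.com.login-example.net": the brand is only a
        # subdomain; whoever owns login-example.net receives the password.
        if any(t in host and host != t and not host.endswith("." + t) for t in trusted):
            findings.append("trusted name used as subdomain of " + reg)
        else:
            findings.append("registered domain is " + reg + ", not a trusted one")

    if parts.scheme.lower() != "https":
        findings.append("not https")

    return {
        "url": url,
        "host": host,
        "registered_domain": reg,
        "trusted": reg in trusted,
        "findings": findings,
    }


def links_in_message(text: str) -> list:
    """Pull every URL out of a chat line and inspect each one."""
    return [inspect_link(u) for u in URL_RE.findall(text)]


if __name__ == "__main__":
    # Constructed sample in the shape of the lure described in the post.
    msg = "hey, check out this video http://viddyho.example/watch?v=1"
    for hit in links_in_message(msg):
        print(hit["host"], "->", "; ".join(hit["findings"]) or "looks fine")
```

Run against the constructed message, the link is flagged because its registered domain is not one the user has an account with. The same function catches the three tricks that most often defeat a human eyeball: a trusted brand name planted as a subdomain of somebody else's domain, a `user@host` prefix that makes the familiar name appear first in the address bar, and punycode look-alike hosts. Teaching users to look for the registered domain, rather than for a familiar word anywhere in the link, is the habit that generalises.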

These seem obvious to us, the tech-savvy folks, but there are smart people — and dumb ones — who haven't yet gotten the message. Twice I've had legitimate organizations ask me to send my credit card information to them via e-mail (once it was a charity; the second time was my lawyer's assistant). Experienced techs will read that and roll their eyes, but these were cases of smart people who didn't know better because they'd never been taught. Correcting mistakes like these and teaching people how they can safely use technology are responsibilities of support pros everywhere.

13 comments
jmbrasfield

In this day and age, why are intelligent people so stupid? If you are so dumb as to give out your username or password over the internet, or any personal information at all, then you deserve what you get. Call me; for $150 per hour I'll be happy to come by and clean your computer. Stolen identities are your fault and your problem. Never give out your usernames, passwords or private information online, to anyone, for any reason, ever.

Dyalect

Security and training are the fundamentals of preventing social engineering attacks. Most notably, locking down machines is pivotal to preventing spam and viruses and protecting users from their own curiosity. If they want to donate to a Nigerian prince, they can do it at home on their own computer and on their own time.

marrow

The quick answer is: not in a million years. Most of my colleagues are torn between the professional "oath" to deliver the best possible service to their customers (users) and a certain resentment, disdain even, for the users' ineptitude and plain ignorance. Most users I work with in my new place are the exact opposite of "solid", so I really have my work cut out here. Scary!

williamjones

In my post for this week I relate my encounter with the Viddyho phishing attack. The con spreads using chat networks, so you know exactly who on your buddy list fell for the scam. I was surprised that the individual whose account sent me one of the spam messages was actually someone I used to support at an earlier job. I thought I'd actually done a good job of making sure that my users were well versed in safe online behavior. I was a little dismayed to see one of my folks taken in. Have any of your users been taken in by online scams? What do you do to try and keep them safe?

lordazoth

You realise that a crowd is only as smart as its dumbest person. Let's face it, in an organisation you will get the types of people that refuse to take to heart warnings like "Caution: hot glass, do not touch", yet insist on seeing how long they can hold their hand there. It is a case of risk minimisation. Some people know and take care to observe safe surfing practices, but others couldn't give a rip about them. To sum it up: some people just never learn, no matter how you try.

HaXsAw

I feel your pain there. I think it's a generational thing, and social engineering will be a problem until the entire workforce is composed of people who have grown up with technology and understand it. That being said, people still fall for well-known scams like the illegitimate telephone donation calls to "XYZ Charity", so this problem will probably never completely go away, and probably no amount of education will make it go away.

Roc Riz

...I inform them. The problem is that there are still, in the 21st century, many uninformed users. It's much easier to herd cats than to inform the vast number of people who barely have a grasp of how to run Windoze, let alone how it, the network, or the Internet work. There is the occasional user who has some knowledge and is willing to take the extra steps. I still get the "I'm not a computer person" line, but I think I have a rebuttal for it, FINALLY. I think that the next person who uses this line will get it. Here it goes: "I am not a doctor, but I know how to take care of my body, eat healthy, and generally stay in good shape." Perhaps if this is used gently, it will make people see that though they may not be 'experts,' they can learn how to be stellar users with just a teeny bit of non-technical reading.

d50041

Sorry, it's the younger users who are most ignorant and unwilling to consider their online decisions. Oh yeah, I'm over 60.

darpoke

...to an otherwise thoughtless phrase that I've come across, far more effective and constructive than my usual inward groans of anguish. It perfectly articulates the sentiment that you needn't be a qualified professional to take a sensible interest in an activity that may in a very tangible way risk the health of your network/machine, not to mention compromise the security of your personal information. Surely people who respond with this wouldn't dream of showing the same thoughtlessness in other daily activities such as crossing the road or driving their car? Yet for some reason it's condoned when using a computer. These same people who complain about identity theft. Sometimes I despair, I really do...

ginmemphis

I will try this rebuttal in some form or another, soon I'm sure. Managing a church network, I get that people here are not tech savvy. But someone who uses a computer everyday should not brag about being able to cut and paste--that's like bragging about finding the radio on your car. Saying that, it is human nature to ignore what can be ignored. A friend's car just ran out of oil because she'd done nothing about a burning smell for six months. I keep the network fairly secure, send regular "tip o' the day" emails, and occasionally threaten them.

grrltechie

Some of the most "helpless" users where I work are ones that are 15 or more years younger than me and I'm only 39! These are the kids that grew up with IM and email and computers and yet some of these people don't understand the difference between the monitor and the computer, much less the difference between their network and application passwords!

gibsonrd

And wisdom, not intelligence, provides protection from the social networking scams. Unfortunately, some people refuse to learn from experience, so these will always exist!

csmith.kaze

It's all of them. The older ones don't know anything and the younger ones only think they know anything (but they really don't), and I'm only 20 and I see that :)