McAfee‘s (NYSE: MFE) fall 2008 Security Journal warns the world’s leading security threat is social engineering – the art of persuasion.
Improved sociological techniques are tricking users into sending their personal data directly to cybercriminals by appealing to human vulnerabilities, such as greed or fear.
Dave Marcus, director of security and communications for McAfee and Avert Labs, said the human element makes social engineering the most difficult threat to combat. And the financial payout involved with these scams means it’s growing. The goal of cybercrime is changing, he said. “Everything is financially-driven now, malware wasn’t written to make money four to five years ago.”
Customers at Nordea Bank in Sweden know how successful social engineering tactics can be, Marcus said. Customers at the bank lost US$1.1 million when they received a fake e-mail from the bank telling them to download anti-spam software. The anti-spam software was actually a Trojan that collected customer’s personal information and passwords – allowing criminals access to their bank accounts.
Cybercriminals are opportunistic, Marcus said. They will use fear and the headlines to play into human weakness and get people to send passwords or get people to open links they shouldn’t. A prime target for social engineering malware was this year’s Beijing Olympics, Marcus said. “Whatever is popular – will be abused.”
The added bonus of the free Tibet protest allowed cybercriminals to target both sports fans and political activists from around the world. Many e-mails sent during that time appeared to come from valid sources, but actually contained malware in the attachment, he said. Legitimate websites supporting Tibet were also hacked to embed a Trojan that downloads itself to visitors who frequent the site.
Often media attention around one particular event can accelerate malware on websites related to it, Marcus said. The most groundbreaking article to come out of McAfee’s fifth issue discusses the vulnerability of the stock market, he said.
The article examines Patch Tuesday, the second Tuesday of every month when Microsoft (NYSE: MSFT) releases security updates for Windows. The article hypothesizes that there is a downward pressure on the price of the stock every Tuesday due to negative reactions from news articles and a corresponding increase on Wednesday.
The most recent example of this effect involves Apple; (Nasdaq: AAPL); whose stock took a nosedive last week after fake information about Steve Job’s health was circulated on the Internet. The effect can lead cybercriminals to fraudulently exploit the stock market by posting stories about a company, knowing stockholders will fearfully react.
The current worldwide financial crisis is not leading to an increase in social engineering tactics, Marcus said. “There’s so darn much of it out there already. But cybercriminals will continue to use the headlines,” he said.
“Whatever is popular – that’s why Facebook and MySpace continue to be abused – people are already going there, so criminals just need to devise strategies to use that to their advantage.”
Users have a fake sense of security with popular websites, Marcus said. Yet many applications for these sites, such as Facebook, are not reviewed before they are accessible to the public.
And cybercriminals will exploit human error, as well, by using “typosquatting” on profitable pages. For instance, if a user spells their bank’s name wrong, a fake site might be set up to mirror the original page and with a Trojan that will copy all of your personal information.
McAffee ssid they have found more than 80,000 domains typosquatting on the top 2,000 websites alone.
The only way people can do things safely is to be sure the websites they are reading are legitimate to avoid reacting to false information or phishing, Marcus said, and users should all understand what a good link and bad link look like. “The long-term solution is education and awareness. Not knowing what you’re clicking on is a recipe for disaster.”