Saturday, December 29, 2007

The Worst Malware Threat: Social Engineering

by Joe Fryer, Whizzo Technologies CTO

“Critical System Error!” “Spyware Infection Detected!” “Danger: possible spyware infection!” “Click here to scan your computer for free!”

Sound familiar? Those are the alerts of rogue Anti-Virus or Anti-Spyware programs, constantly nagging and prompting you to buy their software. Claims of massive spyware infections and messages that mimic Windows alerts fool thousands of people into buying their software. I can’t tell you how many times a customer would call and tell me that they had spyware on their computer. So I would say, “How do you know that you have spyware on your computer?” and they would usually reply with, “Well, there is this little icon in the corner of my computer that keeps popping up telling me I am infected!” This always produced a chuckle from me and then I would tell them to bring their computer in and I would clean the infection from their computer.

Of course, after I was done cleaning up the computer the customer always asked, and I mean always, every single time, without fail, “How do I keep this from happening again?” “Stop looking at porn!” I think to myself, or worse, “Tell your kids to stop looking at porn!” There’s a conversation most parents would like to skip! But of course I don’t say that out loud. Plus, that’s not the only way people get infected, but it does account for quite a bit. No, instead I just talk about how they need to be careful which websites they visit, tell them to use an alternative browser instead of Internet Explorer, and recommend a good security suite – like this one here! Shameless plug, I know, but hey, like Garth Brooks, I’m shameless. Anyway, lately I have been quoting Star Trek lines to some of my customers, something like, “Well, you just need to re-route auxiliary power to the port nacelle and that should stop your computer from getting infected.” This always elicits a blank stare and sometimes I get a, “How do I do that?” which always makes me smile, and then I tell them I’m just kidding and explain how they may have been infected and how to avoid it in the future.

After having this same type of scenario play out again and again, I can see the massive impact that these malware companies are having on customers, essentially tricking them into buying their software. These malware programs incorporate messages and graphics that look surprisingly similar to common Windows alerts. This is an example of how social engineering is spilling into the malware market.

Social engineering is a set of techniques for manipulating people into revealing sensitive information or taking actions (giving up a password, installing a program, running a command) that compromise security. The techniques play on human weaknesses, above all the general trait of wanting to help others, and the attacker then uses what he obtains to breach security. Social engineering has been used for decades in over-the-phone scams, and now that the Internet is so widely used it is just as common in email and on spoofed websites. Here are some methods social engineers use to trick people:

  • The attacker pretends to be a legitimate end-user who is new to the system or is simply not very good with computers. The attacker may call systems administrators or other end-users for help. This "user" may have lost his password, or simply can't get logged into the system and needs to access the system urgently. The attacker may sound really lost so as to make the systems administrator feel that he is, for example, helping a damsel in distress. This often makes people go way out of their way to help.

  • The attacker pretends to be a VIP in the company, screaming at administrators to get what he wants. In such cases, the administrator (or it could be an end-user) may feel threatened by the caller's authority and give in to the demands.

  • The attacker takes advantage of a system problem that has come to his attention, such as a recently publicized security vulnerability in new software. The attacker gains the user's trust by posing as a system administrator or maintenance technician offering help. Most computer users are under the mistaken impression that it is okay to reveal their password to computer technicians.

  • The attacker posing as a system administrator or maintenance technician can sometimes persuade a computer user to type in computer commands that the user does not understand. Such commands may damage the system or create a hole in the security system that allows the attacker to enter the system at a later time.*
* (Erik Guttman, Lorna Forey, & G. Malkin)


These types of attacks are generally used by hackers to get access to a company or agency they want to attack. What is interesting to me is how the same methods are now being used by so-called anti-malware companies to fool people into buying their products: the rogue program plays the part of the helpful “technician” who has spotted a problem on your system, and the look-alike Windows alert supplies the authority that makes you do what it says.


Recently I ran across a rogue anti-spyware program called Ultimate Cleaner, and they had this fantastic security window that just made my day. Here is what the window looks like:

[Screenshot: the Ultimate Cleaner “security” window]

I love how much this looks like Windows Security Center:

[Screenshot: comparison with Windows Security Center]

So what the heck is the point of all this, you ask? Well, my point is this. If you’re a computer tech, make sure to tell people about social engineering so at least they are aware of it. I know the temptation is strong to just make some smart-ass comment and be done with it, but people need our help and advice, so give it to them in terms they can understand. Show them this blog if you must, so they can at least see a picture of what social engineering looks like in the real computing world. And if you are an end user, well, stop looking at porn! Just teasing; instead, be wary when you see a system alert. Familiarize yourself with Windows enough that you know what a real alert looks like: a real Windows alert does not ask you to buy anything, and it does not come from a program you never installed. If you have any doubt about a particular alert, run your anti-virus/anti-spyware software, then contact a tech shop with computer guys you trust and they can tell you whether the message is fake or not.
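Here is the kind of check a tech can run to find out where an alert is actually coming from. This is an added example, not part of the original post, and it assumes a Windows machine with PowerShell 3 or later: it lists every running process whose executable is unsigned, has a broken signature, or is signed by a publisher other than Microsoft. A genuine Windows Security Center alert is produced by a Microsoft-signed binary under C:\Windows, while a rogue “scanner” usually runs from a user-profile or Program Files folder and is unsigned or carries an unknown publisher’s certificate.

```powershell
# Added example (not from the original post). Lists running processes whose
# executable is unsigned, has a bad signature, or is signed by someone other
# than Microsoft. A real Windows Security Center alert comes from a
# Microsoft-signed binary under C:\Windows; a rogue "scanner" is usually
# unsigned and runs from a user-profile or Program Files folder.
# Run from an elevated PowerShell prompt so every process path is readable.

$suspects = Get-Process |
    Where-Object { $_.Path } |                 # skip processes we are not allowed to open
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.Path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        [pscustomobject]@{
            Process = $_.ProcessName
            Pid     = $_.Id
            Path    = $_.Path
            Status  = $sig.Status              # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer  = $signer
        }
    } |
    Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation' }

# Anything listed here is a candidate for "who is really showing me this alert?"
$suspects | Sort-Object Status, Process | Format-Table Process, Pid, Status, Signer, Path -AutoSize
```

Legitimately signed third-party programs will show up in this list too, so read the Path column: the question is whether the process putting up the “Windows” alert is a Windows component or something sitting in your profile folder. Two caveats: some Windows system files are signed only through a catalog file rather than an embedded signature and can report NotSigned on older PowerShell versions, which is why the path matters as much as the status; and without an elevated prompt the Path of processes belonging to other users comes back empty and those processes are silently skipped.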

Now, the reality check. Some people might consider the following a pessimistic view, and to them I say just drink your half-empty glass of happy juice and enjoy getting infected with malware! Anyway, I meet a lot of people who think malware will stop with the next operating system release. I meet a lot of people who say this particular software or that particular software will put an end to the madness that is spyware. I meet a lot of people who say education is the key; we just need to teach people how to use their computers. But the real, totally lame truth is that malware will continue to persist because of social engineering. There really isn’t a cure that stops people from getting taken advantage of. That doesn’t mean that we shouldn’t try; it just means that we need to accept the fact that thousands of people will enter their bank account information into an email that looks like it came from US Bank. Thousands of people will click on an alert to install software just because it tells them to. Thousands of people will give money to some guy in Africa because he is the executor of some dead guy’s estate, but he needs to funnel the money through a U.S. partner. Hey, maybe you could be that lucky! If you liked this blog please send one dollar to me to help fight against social engineering!


References: Erik Guttman, Lorna Forey, & G. Malkin, Users' Security Handbook, Internet Engineering Task Force, July 1998 draft. http://www.ntc.doe.gov/cita/CI_Awareness_Guide/V1comput/Social.htm

AVSystemCare (WinAntivirus Pro)

For the past few years we have seen a strong rise in the number of rogue anti-spyware and rogue anti-virus programs. WinAntiVirus Pro and WinAntiSpyware were among the most notorious. Now we are seeing a new rise in AVSystemCare, which is a WinAntiVirus knockoff. This program does not appear to be as difficult to remove as WinAntiVirus Pro; however, it installs itself through exactly the same spyware channels. Although this program looks legitimate, it most definitely is a rogue application.

A quick look at their website reveals some false information about their company:

"The Company has a team of highly experienced staff including programmers, analysts, programmers, testers, engineers, support, and call center representatives who have a vast experience in providing the first-class services. Our company is oriented on satisfying needs of customers and we are constantly studying your preferences to develop and implement innovative features and techniques which would make your work with our product easier and effective."

The bad English, along with the lack of any such call center for customer support, indicates that this company is not telling you exactly what is going on with its software or its business. These red flags are an early warning to stay far away.

Whizzo CleanSuite Ultra which includes SpyJacker safely removes this rogue program from your computer.