Social Engineering for Success
Online criminals increasingly take advantage of human nature to distribute malware, send spam, and acquire sensitive information by posing as a trusted source (phishing): they persuade victims to open an email, visit a website, or give up information. They use sophisticated social engineering techniques, and they hijack the reputations of trusted websites and email senders to get their message or malware into your system.
For example, they appear to offer useful Web 2.0 tools, cool games, or interesting news content. When you click the link in the email and visit the site, the site often appears normal. However, in the background it's probing your machine, searching for a vulnerability that lets it install malware on your computer.
Other attacks try to look like a legitimate bank or commerce site in the hope of capturing your username and password—phishing for your information. Still other malicious sites try to get you to "buy" something from the site, handing the criminals your credit card information.
In Figure 8-1, we contrast an image of the legitimate ticketing website for the Beijing 2008 Summer Olympics with a scam ticketing website. Oddly enough, the scam site was much better looking and more user-intuitive than the real ticketing site, with better graphics and navigation—which meant visitors to the fake site were lulled into a sense of comfort. Unfortunately, people who entered orders on the fake site received no tickets but had their credit card numbers stolen.
Figure 8-1 Fake Sites Can Look Better Than the Real Thing
Some malware is still distributed as email attachments, but the more successful of these campaigns also depend heavily on social engineering to make the emails appear trustworthy so that you'll open them. (And the more sophisticated malware payloads available today can avoid being filtered out by antimalware solutions for a longer period, also increasing the email-borne malware's chance of getting through.) Recent successful email-borne malware campaigns include
- Emails with attachments pretending to be "shipping department profit and loss statement" spreadsheets, which are highly personalized and sent to specific company executives.
- Emails with attachments that pretend to be delivery confirmation requests from major shipping services, such as UPS or FedEx.
- Emails that are highly personalized and pretend to be from tax authorities or consumer information bureaus, asking company executives to fill out the attached form in response to a tax concern or business complaint.
The social engineering involved in the preceding attacks often is irresistible to end users. How many of us wouldn't open an email from FedEx saying the package we sent on a certain date couldn't be delivered, especially if we had sent off a few packages that same week?
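The three campaigns listed above share two mechanical tells a mail gateway can check before a user ever sees the lure: the display name or subject invokes a brand (FedEx, UPS) that the sending domain does not belong to, and a document or archive attachment arrives from outside the organization. The same near-miss test applies to the look-alike storefront from Figure 8-1 when its link appears in a message. The following Python triage script is an added example, not code from the book; the brand-to-domain table, the sample messages, the `internal` flag, and the 0.8 similarity threshold are all constructed assumptions for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed brand table for this example: a keyword the lure uses in the
# display name or subject, mapped to the domains that brand legitimately
# sends from. A real deployment would maintain its own list.
BRAND_DOMAINS = {
    "fedex": {"fedex.com"},
    "ups": {"ups.com"},
}

# Attachment types the campaigns described above relied on.
RISKY_EXT = {".xls", ".xlsx", ".xlsm", ".doc", ".docm", ".zip", ".exe"}

ADDR_RE = re.compile(
    r'^\s*(?:"?(?P<name>[^"<]*)"?\s*)?<?(?P<addr>[^<>\s]+@[^<>\s]+)>?\s*$')


def parse_from(header):
    """Split a From: header into (display name, address)."""
    m = ADDR_RE.match(header)
    if not m:
        return "", ""
    return (m.group("name") or "").strip(), m.group("addr").lower()


def registered_domain(host):
    """Last two labels of a host; crude, but enough for the samples here."""
    return ".".join(host.lower().split(".")[-2:])


def looks_like(domain, legit):
    """True when domain is a near miss of legit (typo or brand-in-label)."""
    if domain == legit:
        return False
    brand = legit.split(".")[0]
    if brand in re.split(r"[.-]", domain):
        return True
    return SequenceMatcher(None, domain, legit).ratio() >= 0.8


def score_message(msg):
    """Return (score, reasons) for a parsed message dict."""
    reasons = []
    name, addr = parse_from(msg["from"])
    sender_dom = registered_domain(addr.rsplit("@", 1)[-1])
    text = (name + " " + msg.get("subject", "")).lower()

    # Brand named in the display name or subject, but sent from elsewhere.
    for brand, legit in BRAND_DOMAINS.items():
        if re.search(r"\b%s\b" % brand, text) and sender_dom not in legit:
            reasons.append("claims %s but sent from %s" % (brand, sender_dom))

    # Link hosts that merely resemble a legitimate brand domain.
    for url in msg.get("urls", []):
        host = re.sub(r"^https?://", "", url).split("/")[0]
        host_dom = registered_domain(host)
        for legit in BRAND_DOMAINS.values():
            for real in legit:
                if looks_like(host_dom, real):
                    reasons.append("link host %s resembles %s" % (host, real))

    # Document or archive attachments arriving from outside the organization.
    if not msg.get("internal", False):
        for att in msg.get("attachments", []):
            ext = "." + att.rsplit(".", 1)[-1].lower() if "." in att else ""
            if ext in RISKY_EXT:
                reasons.append("external message with %s attachment" % att)
    return len(reasons), reasons


# Constructed sample messages (not real traffic).
SAMPLES = [
    {"from": "FedEx <noreply@fedex.com>",
     "subject": "Delivery confirmation", "attachments": [], "urls": []},
    {"from": '"FedEx Shipping" <tracking@fedex-delivery.net>',
     "subject": "Your package could not be delivered",
     "attachments": ["delivery_confirmation.zip"],
     "urls": ["http://www.fedx.com/track"]},
    {"from": "CFO <cfo@corp.example>",
     "subject": "shipping department profit and loss statement",
     "attachments": ["pl.xlsx"], "urls": [], "internal": True},
]


def triage(samples=SAMPLES):
    """Score every sample; returns a list of (score, reasons)."""
    return [score_message(m) for m in samples]


if __name__ == "__main__":
    for msg, (score, reasons) in zip(SAMPLES, triage()):
        print(score, msg["from"], reasons)
```

The second sample trips all three checks (brand mismatch, look-alike link host, external archive attachment), while the genuine FedEx notice and the internal spreadsheet score zero. The `internal` flag is what keeps a real finance spreadsheet from being flagged; the personalized "profit and loss statement" lure in the list above would only pass that test if the attacker could also spoof an internal sender, which is why sender authentication (SPF, DKIM, DMARC) belongs in front of a heuristic like this rather than behind it.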
Advanced social engineering techniques usually involve additional information to personalize the attack and make it seem closer to legitimate traffic. To support this next wave of personalized attacks, criminals mine social networking sites for personal information that they can later use to personalize phishing messages sent to you, or to your colleagues, friends, or family.