We all know the benefits of the World Wide Web, and most of us gain from it on a daily basis. With the effortlessness of e-mail, social networking sites, and mobile technologies in allowing us to stay connected with one another, along with a boom in web content that continues to draw us to our PCs, we spend more and more time online.
But we also know the dangers that lurk on the Internet are growing increasingly sophisticated and personal. As more people make their way online and try new web technologies, one thing is certain: cyber scammers will be setting their aims on launching targeted attacks to nab greater profits.
At Lavasoft, it’s our goal to make sure you have clear, detailed information on real-life threats to your security, so you can stay a step ahead of the game. Educate yourself on the latest online tricks with this month’s articles on social engineering tactics, social networking-based attacks, phishing scams, and mobile threats.
If you want to comment on an article you see in LN or have an idea for a story, write to firstname.lastname@example.org.
Social Engineering: Good Triggers and Bad Triggers
Where’s the Party? Hackers Found in Social
Online Threats Get Personal
Smartphones Open the Door to New Mobile Threats
Study Quantifies UK Cyber Crime Garlick
New Targets in Detection (October 2007)
Join the Lavasoft Team!
Social Engineering: Good Triggers and Bad Triggers
Call them shortcuts. Call them rules of thumb. Call them heuristics. Herein I will call them triggers.
We all have these triggers, we all use them, and, in fact, we all need them to survive in today’s world. Robert Cialdini gives an excellent description of these triggers in his book “Influence: Science and Practice.” He writes:
“You and I exist in an extraordinarily complicated environment, easily the most rapidly moving and complex that has ever existed on this planet. To deal with it we need shortcuts. We can't be expected to recognize and analyze all the aspects in each person, event, and situation we encounter in even one day. We haven't the time, energy, or capacity for it. Instead we must very often use our stereotypes, our rules of thumb, to classify things according to a few key features and then to respond to them without thinking when one or another of these features is present.”¹
The above description involves good triggers; the ones we need to survive and thrive in today’s world. However, when these automatic responses are exploited against us, they become bad triggers.
The “science” of exploiting triggers is called social engineering; though it has many other names: influence, persuasion, deception, propaganda, marketing, advertising, etc. Cialdini contrasts good triggers and bad triggers:
“Most individuals in our culture have developed a set of trigger features for compliance, that is, a set of specific pieces of information that normally tell us when compliance with a request is likely to be correct and beneficial. Each of these trigger features for compliance can be used like a weapon (of influence) to stimulate people to agree to requests.”²
But if we’re dependent on automatically responding to triggers, how can we effectively recognize and counter bad triggers?
While there are other ways to counter bad triggers, I will describe one example method, which I developed. It involves adding a new, good trigger based on skepticism.
For some years now, I’ve been experimenting on my family. When watching television, I point out examples of social engineering in advertising.
Take, for example, the common phrase “no product is better.” While people often take this to mean the advertised product is “best,” my son now immediately points out that it means the competing products are all equal. “If their product is the best, they’d say it’s the best.” He also triggers on specific words in claims, as in “Emerging science suggests that Zap-o-Zit may reduce acne.” He often spots the phrases “results may vary” and “results not typical” in advertising’s fine print.
Such simple recognition based on skepticism has, for my family, mapped directly to our daily computer-based routines. Claims that trigger skepticism are now automatically suspect, both on television and online.
Of course the key does not lie in this or any other specific method. It lies in knowing these bad triggers exist, in understanding how they work, and in methodically treating all claims with a modicum of healthy skepticism.
Where’s the Party? Hackers Found in Social Networking Sites
Engage with a social networking site such as MySpace or Facebook, and you will undoubtedly change the way you spend your time online. Every time you visit and interact, you will leave a trace behind. You will expand your digital footprint. As you do this, you will acquire an online identity. Your digital profile will be born.
However unassuming or grand your digital profile is, however private or public, you can be certain of one thing: Your nuggets of information can be turned against you by hackers with malicious motives.
The tables have turned. 2006 was the year that cyber criminals shifted their attention from e-mail to web traffic. In that year, the ScanSafe Annual Global Threat Report noted an increase in spyware of 254 percent. The motives shifted as well. Over 65 percent of web virus attacks in 2006 aimed at gaining a financial benefit from unsuspecting users. Displaying technical prowess or causing online chaos was no longer the main driving factor for attacks.
It is little wonder that social networking sites, with attention grabbing headlines that by turns praise and condemn the social changes they are helping bring about, are gaining the attention of hackers looking to spread their malware.
The so-called Web 2.0 provides a grand platform from which to launch attacks. Social network sites, wikis, blogs, chat, RSS feeds, and instant messaging are, by their open nature, fertile ground for the distribution of malware. The more freely users interact and contribute content, the more information hackers have that can be used against them.
To limit your exposure and avoid being a target, it is wise to refrain from posting information that could make you vulnerable. This includes what others may be posting about you as well. Examples include hobbies, addresses, memberships, routines, schedules, finances, employment – the possibilities are extensive. Only post information that you feel comfortable with anyone seeing, since once you do so, you will not be able to fully retract it. Even if you remove it from a site, saved or cached versions may still exist elsewhere in the digital universe.
Just as it is important to be critical about what you post, it is also important to be critical about what you consume. Since much of Web 2.0 content is updatable by the public, it is possible for a hacker to embed links that send users to corrupt sites where they can be tricked into other scams. By blending with the crowd of users, hackers and cyber criminals can work underground.
Just how widespread is malware in the open Web? The ScanSafe Threat Center has found that up to one in every 600 social networking pages hosts malware. As the number of pages continues to rise exponentially, so does the potential for malware to spread.
Dan Nadir of ScanSafe told E-Commerce Times in a recent article that many traditional security solutions are not sufficiently capable in the dynamic Web 2.0 environment. What is required is a proactive solution, a type of real-time Web URL check.
Web pages that appear to be legitimate can introduce malware and spyware into a network. The challenge is to tell the legitimate from the corrupt, and it’s not always easy. Often there’s no way to know one from another. According to Paul Henry of Secure Computing, in some cases hackers are corrupting legitimate technologies for their own gain. For example, even HTTPS connections, which are meant to be encrypted and secure, can be used by hackers to transmit malware.
Social networking sites pose special challenges for corporations seeking to protect sensitive data and intellectual property. According to the Reuters news agency, a July poll commissioned by Britain’s Evening Standard newspaper showed that more than two-thirds of London businesses have banned or limited employee access to Facebook and MySpace. The clampdown comes as the sites have begun catering to professionals. But while some believe that the sites are distracting and don’t belong in a work environment, others see them as powerful networking tools that can help the business.
Online Threats Get Personal
“We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below and confirm your identity.”
An e-mail communication that reads like this has probably appeared in your inbox recently. Sounds official, doesn’t it? Judging from the header on the e-mail, a trusted source has sent it – a government agency, your bank, your Internet service provider.
What will you do?
Anytime you receive an online request for personal information, you should treat it with a healthy dose of suspicion. What appears to be a trusted source may, in fact, not be what it claims to be. Chances are high that you have become a target of a highly individualized and persuasive attempt to steal your personal information for malicious purposes. Phishing, as this type of attack is called, has become increasingly common.
A phishing attack can originate when personal data is stolen. Not much is required. Bits of data can be simple enough, such as your e-mail address, telephone number and birthday. But those bits hold the potential for creating a profile of you that can be easily expanded through access to other sources of online information.
Resumes and CVs are a reservoir of useful data. As recently as August of this year, resumes and CVs were the target of an attack on Monster, a popular employment website. The attack, which began with stolen login credentials, enabled hackers to gain access to the Monster site and gather the personal information of over a million of its users. According to news agency Reuters, Monster responded by shutting the server that was used to access the information, and contacting the affected users.
But the Monster security breach was only the start of the phishing attack.
Phishing e-mails can be tailored to exploit the information at hand. For example, a Monster user could receive an e-mail that claims to be from a recruiter. Upon clicking a link in the e-mail, the user could be directed to a fraudulent website that looks legitimate. From there the possibilities for acquiring additional data are limitless.
Some phishing e-mails contain software that can harm your computer or others, or track your activities on the Internet without your knowledge.
How can you avoid being the victim of a phishing scam? The U.S. government, through its OnGuardOnline.gov website and National Cyber Alert System, has some practical tips to keep you safe online.
Responding to E-mail – If you are not sure whether an e-mail is legitimate, try to verify its identity. Contact the source directly by using any previously obtained information – telephone number or type in the correct web address – instead of using the information provided in the suspicious e-mail.
Providing Information – Do not provide personal or financial information in an e-mail, or by clicking on a link included in an e-mail. E-mail is not a secure form of communication and legitimate companies do not ask for information in that way. Also, do not send sensitive information over the Internet before checking a website’s security policy or looking for evidence that your information is being encrypted.
To help identify a malicious website, take note of its URL and see if it uses a variation in spelling or domain (such as .com versus .net).
Checking your Records – Review your bank and credit card statements as soon as you receive them and check for unauthorized charges. Since victims of phishing can also become victims of identity theft, check your credit report periodically to see if any new accounts have been opened in your name.
Reporting Phishing Scams – Report these by sending an e-mail to email@example.com. The Anti-Phishing Working Group, a consortium of security vendors, financial institutions and law enforcement agencies, uses that information in their fight against phishing.
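The URL check described in the tips above (a variation in spelling or in domain, such as .com versus .net) can be automated. The sketch below is an added example, not part of the original newsletter; the trusted sites listed are hypothetical placeholders under reserved example domains, and the two-character spelling threshold is an assumption.

```python
from urllib.parse import urlsplit

# Hypothetical sites the reader really uses (reserved example domains).
TRUSTED = ("mybank.example.com", "mail.example.com")

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def check_url(url, trusted=TRUSTED, max_typos=2):
    """Return (verdict, trusted_name) for the host named in a link."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    for good in trusted:
        if host == good or host.endswith("." + good):
            return ("trusted", good)
    for good in trusted:
        # Compare only as many trailing labels as the trusted name has.
        tail = ".".join(host.split(".")[-(good.count(".") + 1):])
        name, _, tld = good.rpartition(".")
        tail_name, _, tail_tld = tail.rpartition(".")
        if tail_name == name and tail_tld != tld:
            return ("domain variation", good)          # e.g. .com versus .net
        if 0 < edit_distance(tail, good) <= max_typos:
            return ("spelling variation", good)        # e.g. a swapped letter
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample links.
    for link in ("https://mybank.example.com/login",
                 "http://mybank.example.net/login",
                 "http://mybonk.example.com/confirm",
                 "https://news.example.org/"):
        print(link, "->", check_url(link))
```

A "domain variation" or "spelling variation" verdict means the link resembles a trusted site without being it, which is the case the tip warns about.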
Smartphones Open the Door to New Mobile Threats
They are sleek, they are powerful, and they are a wish list standard. Smartphones, like iPhone and BlackBerry, are creating a collective buzz that can be heard worldwide.
The hype is well deserved. Mobile devices have matured and with their coming of age we now have capabilities that seemed far-fetched only a few years ago. For employees and executives the world over, smartphones make corporate data and applications available anytime, anywhere.
But just as a smartphone is now capable of downloading data and applications wirelessly, so can it download viruses, spyware, even pornographic content, without a user’s consent. The use of flash memory cards on some phones opens yet another door for malware to spread to these devices.
The threat is real and growing. A recent PC World article reports that malware writers are ramping up their activity in the mobile arena, learning from proof-of-concept threats and fine-tuning the amount of user interaction required to propagate the damage.
According to SMobile Systems, a company that specializes in mobile security, there are over 400 wireless threats currently, and more are predicted to arise by year’s end. The threats can take many forms. Among the attacks are those that attempt to delete data, those that record a user’s phone calls, and those that send SMS text messages with links to malicious web sites.
It is a simple equation: greater use equals greater exposure. The explosion in smartphone use and the productivity gains that come with it have increased the security risks for corporations. Given their functionality, smartphones should be treated as an extension of the computing network system, just as desktops and laptops are.
Until recently, enterprises were wary of pushing business applications onto mobile devices. Security concerns were also a primary focus for corporate users given the potential consequences and cost of exposing sensitive data. But strong demand has begun to turn the tide. In this endeavor, it is critical that IT organizations address security issues early on.
Different types of suppliers are working to deliver solutions – smartphone manufacturers, mobile networks, and security vendors – and increasingly finding that by coming together they have a better chance to prevent security issues from compromising the uptake of mobile technologies.
Matt Hines from InfoWorld recently spoke with several security executives. From Kara Hayes, a senior product manager at Nokia, he reports that encryption is one solution that is generating great interest. And from Scott Totzke of Research in Motion, the maker of the BlackBerry, he reports that customers are increasingly demanding ways of protecting data. The InfoWorld article quotes Totzke on customers’ needs: “They want tools to kill information or lock it down when a handheld is lost, they want to encrypt sensitive data in transit and at rest, and there are growing concerns about compliance.”
Providers of security solutions are extending their reach by working directly with mobile operators. One of them, Finnish company F-Secure offers security bundles through mobile operators, such as T-Mobile and Swisscom, and mobile handset manufacturers such as Nokia.
Time will tell if mobile threats escalate as it is assumed they will. But following security best practices should be an equally wise move, whether using a smartphone or any other type of computing device.
Hacked GOP Site Infects Visitors with Malware
Germany Arrests 10 in Global Internet Scam Raids
Great Firewall of China More Like Chain-Link Fence
Financially Motivated Malware Thrives
When it comes to using the Web, nothing is quite like content. Internet users spend more time online viewing news or entertainment content than on sending e-mail, shopping or searching for information. A study conducted by Nielsen/NetRatings logged a 37 percent rise in the amount of time spent viewing online videos and news. Overall, nearly half of time spent online in 2007, 47 percent, is made up of viewing content. The study cites the explosion of web content, like social networking sites, along with an increase in online speeds as factors in the increase.
Term of the Month
The Hosts File is a file stored on your computer that is used to look up the Internet Protocol (IP) address of a device connected to a computer network. Some spyware changes your Hosts File in order to redirect you from a site you intended to visit to sites that the spyware company wants you to see.
Source: Anti-Spyware Coalition Glossary
You already know the paid versions of Lavasoft’s anti-spyware software have vital real-time protection to relieve the burden of constant malware attacks. But Ad-Aware 2007 Plus and Pro versions also include built-in privacy and security tools, for example, the Hosts File Editor. You can use the Hosts File Editor to take control of your Web navigation by blocking advertisement sites, reversing browser hijack entries, assisting with parental controls, and creating navigation shortcuts. To use the Hosts File Editor in Ad-Aware 2007, from the “Tools and Plug-ins” tab, select “Tools” and then click “Hosts File Editor.” New users can find more specific directions in the Ad-Aware 2007 Product Manual.
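To see what a hijack entry in the Hosts File looks like next to an ordinary blocking entry, the following added example (not Lavasoft's code and unrelated to the Hosts File Editor's internals) parses hosts-file text and sorts each mapping into blocked, suspect or review. The sample file, the watched domain and the verdict names are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file; every name and address is a placeholder.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1      localhost
::1            localhost
0.0.0.0        ads.example.net
127.0.0.1      tracker.example.org   # blocked by the user
203.0.113.45   www.bank.example login.bank.example
192.168.1.20   printer.home
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()      # drop comments, split on whitespace
        if len(fields) < 2:
            continue                               # blank, comment-only or incomplete
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # not a valid IP address
        for name in fields[1:]:                    # one line may map several names
            yield line_no, address, name.lower().rstrip(".")

def audit_hosts(text, watched=()):
    """Return (line_no, hostname, address, verdict) for each non-default mapping."""
    findings = []
    for line_no, address, name in parse_hosts(text):
        if address.is_loopback and name in LOCAL_NAMES:
            continue                               # the normal loopback entries
        if address.is_loopback or address.is_unspecified:
            verdict = "blocked"                    # name resolves to this machine or nowhere
        elif any(name == d or name.endswith("." + d) for d in watched):
            verdict = "suspect"                    # a site you rely on is pinned elsewhere
        else:
            verdict = "review"                     # pinned to another machine; confirm it is yours
        findings.append((line_no, name, str(address), verdict))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, watched=("bank.example",)):
        print(*finding)
```

To audit a real machine, pass the contents of its hosts file (`/etc/hosts` on Linux and macOS, `C:\Windows\System32\drivers\etc\hosts` on Windows) in place of the sample, with the sites you care about in `watched`.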
Creating strong online passwords is one piece of the security equation. If you are wondering just how secure that password you have created really is, Lavasoft News has come across a website you can use to rate passwords, to help you learn how to create better ones. Try out the “Password Strength Meter” on Securitystats.com. Remember, even though the site will not store the passwords you enter, test a password similar to one you might use (not your real password), as the site advises.