Last week, I touched on the subject of Social Engineering, as it was brought to my attention in Kasperky’s monthly online scanner as a prevalent and successful avenue of infection for attackers. Social Engineering is basically a method in which some ill purposed entity tries to convince company officials, or simply individuals, to divulge certain information. For example, bank account information, social security numbers, birthdays, etc. This technique can be done either on the phone or over the Internet and both methods are wildly successful.
Now that we have an understanding of Social Engineering, let’s take a look at a couple of online threats that use Social Engineering to infiltrate unsuspecting end users. One method that seems to be coming into action is attacking people through blogs. Blogs, if you are not familiar with them, are like little personal Web sites where the creator posts different topics or articles and the readers of it can usually comment on the content. They have grown in popularity substantially since their inception with more people by the day finding out about them. It’s a highly used new online resource. Well, since hacking is a numbers game and blogging is becoming exponentially more popular, it almost seems natural that this would become a major focus for hackers. And it has.
Hackers are now creating their own blogs and with any other sort of attack, everything appears normal. But, behind the scenes, the blog contains viral code waiting to infect your system. After putting together their online trap, the attackers will usually try to get the address out to the public in a number of ways, such as spam, chat rooms and instant messaging. In all actuality, the attacker could even put a link in one of his/her comments on someone else’s blog or message board post. After that, all it takes is for someone to click on the link and bam, they’re infected.
We also see that Social Engineering attacks are becoming common on Web sites like Facebook and MySpace. As a matter of fact, a recent study from CA / NATIONAL CYBER SECURITY ALLIANCE shows that 87 percent of people that engage in these social Web sites are leaving their systems vulnerable to attacks. Some of the other stats from the study are just as alarming:
- Although 57 percent of people who use social networking sites admit to worrying about becoming a victim of cyber crime, they are still divulging information that may put them at risk. For example, 74 percent have given out some sort of personal information, such as their e-mail address, name and birthday.
- 83 percent of adult’s social networking are downloading unknown files from other people’s profiles, potentially opening up their PCs to attacks.
- 51 percent of parents aware of their children’s social networking do not restrict their children’s profiles so only friends can view, leaving their child’s profiles unrestricted to potential predators.
- Furthermore, 36 percent of these parents surveyed do not monitor their children on social networking sites at all.
Once you’re infected potentially, all the information you type in your system from there on out is recorded and transported to the mothership. This is bad and if done in an environment, such as a home or business network, these infections can reap some serious benefits for its master.
This is really an interesting time in the evolution of cyber attacks. There is almost a shift in how people are getting attacked anymore and article after article that I read lately points to the same conclusion. The end users are the weak link. I’m not trying to be insulting or belittling at all. On the contrary really, but the situation is more like this.
Almost everyone has gotten themselves an antivirus protection program, your ISP, more than likely, has put an antivirus program on their servers, people have firewalls, antispyware software, identity theft protection, etc. You name it and we’ve got it, but with Social Engineering, none of this matters. If you invite code into you system by selecting an active link, you are putting yourself at risk. Between that and whatever the new exploit or vulnerability is at the time, can make the whole experience like walking in a minefield.
Okay, Chad, thanks for the “good news.” Now, what can we do to protect ourselves?
Of course, I have to give the traditional, yet fundamentally, sound advice of making sure you have an antivirus utility on your computer and that it’s up to date. Also, make sure you have a firewall in place and scan all the systems on your network regularly. It is equally important that you help protect your system by not clicking on any links from unknown sources. It’s also a good idea to severely scrutinize links from known entities to verify the user and the link before you open them. This includes e-mails, blogs, instant messages, etc. Any and all of these communication methods are being used for these insidious attacks, so be careful with everything!
Antivirus vendors are currently working on counter measures to protect users from these sorts of attacks. Hopefully, these preventive measures will become available to the public soon.
Until next week, stay safe out there.
~ Chad Stelnicki