New Breed of Malware Preys on Human Sympathy
Computer attacks may once have been solely the domain of the techy dorm room deviant, but a new breed of hacker is taking cues from Psych 101 as much as Comp. Sci.
It's called social engineering, and it's a method of using psychological manipulation to convince people to divulge sensitive information such as passwords and bank codes, or to lead people to corrupted sites. As the name implies, social engineering predators add a layer to the hacker's usual bag of technological tricks by preying on shared human feelings (insecurity, fear, gullibility, sympathy) as an entry point to a digital attack.
Because it goes after the user as well as his computer, security experts warn, social engineering gives hackers a unique method of exploiting the common computer user.
On antivirus maker Symantec's Security Response Blog, researcher Parveen Vashishtha outlined how some hackers are able to create fake alerts that (falsely) notify the user that he is about to encounter a page containing malicious software. The pop-up message will often say "Download Updates!!" as a way of scaring the user into protecting his system, and will keep appearing even when clicked off.
But it's a false warning: the browser has been corrupted, and downloading the supposed security update only leads the user further into trouble. If the download is chosen, Vashishtha explained, the user is directed to SecurityTool, a misleading application the user is convinced he must purchase to protect his system. In the security world such a malicious program is known as scareware.
"Malware authors are employing innovative social engineering tricks to fool users; it's as simple as that," Vashishtha wrote.
In another Symantec blog, researcher Sujit Magar references a fake Microsoft Security Essentials pop-up as a means of explaining how the everyday computer user is susceptible to manipulative efforts that pander to his sense of fear and insecurity.
The user sees the official-looking warning, Magar explained, and because all the scareware sites and links seem legitimate, and he is being told in this "official" warning that he is in danger, he agrees to do what the computer is telling him to. Eventually, following directions results in the user downloading the scareware and then being charged for the removal of fake viruses "found" by it.
"The process by which this fraudulent software walks the user along, step by step, is interesting and really is a convincing act," wrote Magar.
Social engineering attacks are of particular concern to those on the front lines of computer security because of their effectiveness and their ability to appear not only real but also to come from a trusted source such as a friend or family member.
"These attacks have become more convincing, more anonymous, more international and more professionally done," explained Kurt Baumgartner, Senior Malware Researcher with antivirus maker Kaspersky. "The 'send me money to save your friend that I am writing on behalf of' schemes are a big focus because unfortunately they are a big money maker."
Baumgartner said social engineering scams are often camouflaged to look like a Facebook message from a friend, or timed to coincide with the release of a popular movie: an innocent-looking blog post with legitimate-looking links offering a promise of unseen movie content. Because of this, he said, this type of scam will play an inevitable role in the future security landscape.
And defending against such attacks is not easy, Baumgartner said, for the very same reasons that they work in the first place: they play into human emotions and sensitivity.
He told TechNewsDaily, "It seems that people that are going to fall for scareware delivered via specially crafted web pages are just going to fall for it every time, regardless of how many times we repeat ourselves."