The United States may be falling perilously behind on science and engineering education, but that’s nothing compared to how poorly we’re doing on social engineering education.
Social engineering (known as “lying” in the real world) is perhaps the oldest attack technique on the Internet. It’s been in wide use since long before the Web was in existence and attackers have changed and adapted as time has gone by, morphing their tactics to stay up with what the kids are doing. The emails promising racy pictures of Anna Kournikova or Monica Lewinsky (!) have given way to Twitter messages about Tiger Woods’ alleged indiscretions and poisoned search results with links to news stories about…Tiger Woods’ alleged indiscretions.
But what hasn’t changed over the years is the effectiveness of these techniques. This week brings news of new scams playing on the current fear of H1N1 infections, as well as reports of another major company falling victim to a phishing and money-mule scam. The H1N1 phishing campaign is similar to past scams in that it uses current events to lure users into visiting a malicious Web site.
The emails appear to come from the Centers for Disease Control and Prevention, saying that the recipient must register with the CDC and fill in a vaccination profile in order to get access to the H1N1 vaccine. The link, of course, leads to a malicious site that installs a Trojan and a remote backdoor on the user’s machine.The emails, which have the typically miserable grammar and spelling endemic to all phishers, have been flooding millions of inboxes this week, and researchers have found several different versions of the scam floating around.
The more worrisome and potentially damaging scam is the one that claimed a large Washington construction company as a victim. As Brian Krebs of The Washington Post reports, the president of Parkinson Construction received an email that looked like it was from the Social Security Administration and warned him that there might be problems with his Social Security statement. So he clicked on the link in the email, and you can guess the rest.
Parkinson fell for the ruse and ended up downloading a copy of the Zeus Trojan,
a prolific family of malicious software that criminal gangs have used
to great effect to steal tens of millions of dollars from victimized
businesses so far this year.
Zeus is primarily a password-stealing Trojan, and in short order the
thieves had stolen the credentials Parkinson uses to administer his
construction firm’s bank account online. From there, the hackers sent
$92,000 of Parkinson’s cash to nine different money mules,
accomplices hired through work-at-home job schemes who are instructed
to withdraw the money and wire it overseas (typically minus an eight
What these attacks have in common is both their simplicity and their familiarity. Anyone who has been using the Web for more than a week has seen any number of these scams. But despite their ubiquity and the warnings from security experts over the last 10 years, people continue to fall for these phishing schemes. The easy, and common, reaction is to blame the victim for being gullible, greedy or both. Do you really think Bill Gates is handing out money for forwarding an email?
Certainly the users should bear some portion of the blame in these scenarios for not paying attention to the sites they visit or being too free with their personal information. But the security community as a whole needs to play a larger role in educating users about the common dangers they face online. Many enterprise IT organizations have security awareness training programs, which are fine as far as they go. But they often focus on keeping laptops safe when traveling and not disclosing confidential company information via email or IM.
Few organizations take the extra step of showing users examples of the sophisticated, targeted phishing scams in use today or give them advice on how to protect their personal information online. IT departments don’t see this as their responsibility, but the reality is that many employees use their company-issued laptops at home for personal business, email, online banking and whatever else they do online. That makes their behavior the concern of IT.
User education clearly won’t solve the entire problem. It’s been tried and failed any number of times over the years, and it can be expensive and difficult to implement. And phishing and malware are pervasive, they’re big business and they’re not going away. But, greater end-user awareness of these problems can only help reduce their effectiveness and make the Web a bit safer for everyone. And we need any incremental improvement we can get.