Let’s get this straight right off the bat. I am not against love. In fact, I’m all for it. Been in love myself a few times. The thing is, love is such a strong emotion and such a basic need for people (Maslow put it right in the middle of his hierarchy of needs) that seeking out love can make us do some things we really shouldn’t.
And it’s not just that time in the eighth grade when you got caught passing that love note and the teacher read it to the whole class. Malicious code writers know about Maslow and they use love as a tool of social engineering. And, it’s effective. In searching for love we get fooled, and when malware fools us, it gives new meaning to the phrase “love hurts.” In honor of these dishonorable lovers and in the spirit of Valentine’s Day, below is a short history on the use of love as a social engineering trick.
The place to start is of course LoveLetter. This is the one that introduced love as a social engineering tool to the masses. It was simple and perfect social engineering for a more innocent time. On May 4, 2000, hundreds of thousands of people received an email with the subject line: “ILOVEYOU.” Inside the email was one sentence that said: “kindly check the attached LOVELETTER coming from me.”
Who could resist? Not many could, or did. Once you clicked on the attachment (a VBS executable masquerading as a text file), it wasn’t your heart that was owned, it was your computer.
The success of the social engineering utilized in LoveLetter soon led to widespread imitation. Malicious code writers knew a good thing when they saw it, and they soon upped the ante. In February 2002 the Walcard worm came complete with multiple expressions of love. At that time, mass mailer worms added variable subject lines to help evade detection. Walcard victims would have seen one of the following subject lines:
"Somebody Loves You"
"Romance from Afar"
"Love at first sight"
"...when sleepers wake and yet still dream..."
"Be Mine ?!"
"From Me To You"
"Thy eternal summer shall not fade"
"I can express no kinder sign of love, than this kind kiss"
"Poetry is an echo, asking a shadow to dance"
"O, beauty, till now I never knew thee!"
Throw in a bad poem signed by the person the email appeared to come from, and you might have started swooning, which meant you were sure to click on the ValentineCard.exe attachment. And that’s when the bad guys had you.
Even Mydoom, not a name that inspires romance, went the love route with a variant in 2005. Though grammatically challenged, it was effective. A sample subject line: “Honey, our love do.” Sadly, some of us were desperate enough for love to fall for that one.
Love eventually turned to lust as the bad guys began to use the lure of pictures of naked celebrities such as Anna Kournikova. But, let’s stick to the subject of love.
Over time, mass mailer attacks became spam attacks and text became graphics. But still, love remained. Nobody used love as often or as successfully as the Storm (Peacomm) Trojan. Storm first arrived on the scene in January 2007. Its social engineering was topical, leveraging news of a storm that at the time was hitting Europe. However, the following month was February and Valentine’s Day soon became Storm’s preferred topic.
It must have worked. Storm returned to using love in April of 2007 and was back strong for Valentine’s Day in 2008. Symantec’s Silas Barnes wrote about it here.
So what’s happening for this Valentine’s Day? Do the bad guys think we’ve learned our lesson and can’t be fooled again? Nope. They realize that we are still fools for love. Dylan Morss has written about the increase in Valentine’s Day-related subject lines we are seeing in spam—take a look at his blog articles here, and also here. Peter Coogan has pointed out in this article that Waledac is using social engineering this Valentine’s Day season that is almost identical to what Storm has done in the past.
Human nature can’t change, and the bad guys know it. So, be careful out there this Valentine’s Day. You could get more than a broken heart.