Yes, it’s a cheap trick and not even close to original. But the lesson here is that even obvious social engineering tricks can get people to click on a link. We can’t help ourselves. We love to click. Clicking on links and attachments that are accompanied by just the slightest bit of social engineering appears to be a basic human need. I expect it to show up in a revision of Maslow’s Hierarchy of Human Needs any day now—behind love, but certainly ahead of safety.
I do have a point to all this. Two actually. As we compiled the Security Trends to Watch in 2010, what occurred to me is that the people who most needed to read this information never will. At least not without some social engineering on my part. And since social engineering plays such a prominent role in future trends, it seemed appropriate. So I’ve decided to use this little trick to get people to...
The Security Response team has compiled the top security trends of 2009. We pulled data from the Global Intelligence Network and the experiences of the thousands of analysts and security experts at Symantec to come up with the top trends for the year. While none of these trends will be a surprise to anyone even casually following the threat landscape, when compiled and summarized, it is clear that the breadth of security problems in the past year was pretty stunning.
For example:
• Toolkits and threat recycling have made malware easier to create than ever
• Polymorphic technology is being applied to make threats harder to catch
• Botnets, large and small, are used as the foundation of attacks making most attacks complex
• All major news events are used for social engineering
• Major brands are being appropriated by cybercriminals...
Many years ago I worked in the network router business. Back then, as a product manager, I wrote datasheets. Yeah, exciting stuff, but you have to start somewhere. There were these datasheets—the backs of them always contained what we called the "speeds and feeds," which included the different types of connections the router supported, the different protocols, and the performance numbers. If you knew nothing about routers and networking protocols it must have looked like just a bunch of incomprehensible numbers.
When I look through some versions of the Symantec Internet Security Threat Report I can’t help but think of those speeds and feeds I use to write. You could look at the data in the ISTR as just a bunch of numbers. Although, one of the things I like about the ISTR is how easy to read and accessible it is. So, my speeds and feeds analogy breaks down here. I think it is likely that some people do look at the report as a bunch of numbers and find it...
Computer viruses got their name because they spread just like biological viruses. There are other parallels as well; for instance, best practices. In the medical world they are called preventative measures, but really they are best practices. For instance, you should wash your hands in soap and water often. In the computer world, the equivalent is keeping your security software up to date and keeping your patches current. For computer users, if you follow this one best practice, your computer will stay healthy.
We wrote earlier about how the spammers are taking advantage of public concern about the swine flu. Now the malware writers have entered the game, too. Potential victims are going to get an email with a PDF attachment that promises to answer all questions about the much talked about swine flu. The attachment is named “Swine influenza frequently asked questions.pdf.” It is a real PDF file, and when opened it will show something like this:
Don’t you remember the group of mean girls that had it out for the Prom Queen? The only reason they were so mean to her was because she was popular. If she had been the runner-up, they never would have played all those mean tricks on her. Facebook is the same way. It’s currently the Prom Queen and all the mean girls are after her. Take the recent Koobface attack, for example. Yet another new variant of this threat has shown up on the site. That’s right—mean girls again. Don’t worry, if you’re a Symantec customer you’re protected. And Facebook will get things under control quickly.
Here another way the mean girls are out to get Facebook. Phishing attacks. We’ve been warning users about this since the Symantec Internet Security Threat Report, Vol. XIII. The...
Let’s get this straight right off the bat. I am not against love. In fact, I’m all for it. Been in love myself a few times. The thing is, love is such a strong emotion and such a basic need for people, (Maslow put it right in the middle of his hierarchy of needs) that seeking out love can make us do some things we really shouldn’t.
And it’s not just that time in the eighth grade when you got caught passing that love note and the teacher read it to the whole class. Malicious code writers know about Maslow and they use love as a tool of social engineering. And, it’s effective. In searching for love we get fooled, and when malware fools us, it gives new meaning to the phrase “love hurts.” In honor of these dishonorable lovers and in the spirit of Valentine’s Day, below is a short history on the use of love as a social engineering trick.
The place to start is of course LoveLetter. This is the one that introduced love as a...
