Years ago, at a company I used to work for, a large group of employees, myself included, were the target of a spam email that had been deliberately sent through the corporate network and encouraged us to click on a link within the email.
The following day, we received another email with details of the spam ‘test mail’. The IT department had sent the email around as bait to see if those working for a security company – and supposedly aware of what is happening in the security world – would fall victim to the scam email and click on the link.
Although few people took the bait, it was still interesting – actually unnerving – to realize that working in the security industry does not really mean one “knows all, avoids all”. In reality, even those of us who have extensive knowledge of security and the threat landscape can fall victim to malicious social engineering schemes.
“Know Thy Enemy”
To be able to protect ourselves from similar scams, we need to be familiar with the various types of social engineering tactics that the bad guys use. Here are a few of the most common:
- Holiday / Love eCards. This is a classic type of spam sent out to random recipients in an effort to infect systems with malware.
- Delivery Notifications / Receipt. This type of spam email appears to come from your service provider. The email may have a receipt of a delivered item attached – usually a malicious file – or notice of a purchased item and a request for personal information, such as name, address and home phone number.
- The New Friend / Invitation. These invitations, including email notifications from social networking sites you may or may not be a member of, generally have links to phishing pages that imitate legitimate websites.
- IM Spam. Instant Messengers (IMs) have evolved from a stand-alone executables to web-based platforms. Meebo and Facebook’s IM are two examples. The ease with which communication is made possible through social networking sites makes IMs a target for scammers who infect messages from someone on your contact list or an outsider with links to malicious sites or infected pages.
- The “Viral Video”. A lot of video clips on YouTube and other online streaming sites are great entertainment material and can go viral within hours. Scammers take advantage of this by creating URLs that purportedly point to these ‘viral videos’ but actually redirect the user to a malware download site or expose their social network profile to spammers.
We are all at risk and, in turn, we can be a risk to others. We can only do so much to protect ourselves from others. The key, however, to protecting ourselves from our own actions is to have a better understanding of what the threats are, what tactics are used, and how to be vigilant. Education is important and even people with little technology or security knowledge should learn the basics and heed experts’ advice. As always, using a solid antivirus solution and a firewall is a must, too.