By

Social Networks & Social Engineering – What a Pair

When we started this service we knew that one of our main goals was to “get the word out” on how websites have been in the line of fire for cybercriminals. We published a report, “How Cybercriminals Use Your Website to Distribute their Malware”, but found not many people were interested in what we had to say. We blamed on it “head in the sand” mentality.

We looked to the Internet Marketing world to see how they do it. Some of them have actually sold thousands of e-books for as much as $27 a piece. They must know some secret that we didn’t.

Our studying introduced us to the works of some big name Internet Marketers (IMers). Names like Frank Kern, Jeff Walker, Brian Clark, Yanik Silver and many others all seemed to resonate one key strategy – build community. On of their favorite strategies is using social networks to build this community of loyal followers.

I shouldn’t say it’s one of their strategies, it’s one of their tactics. Their strategy is to always provide something of value. The social networks is just one way they suggest you use to distribute your valuable message.

Using social networks seemed like a great idea so I set out to explore this value distribution tactic. I did this with my ever present security guard on – that’s how I roll.

My exploration included sites like: Twitter, MySpace, Facebook, LinkedIn and FastPitch.

Over the next few weeks I’ll be revealing my findings and then suggest ways (tactics) you can protect your informational assets while taking advantage of social networks.

I titled this posting “Social Networks & Social Engineering – What a Pair” because many of the tactics of cybercriminals revolve around social engineering which is the art of deceiving others into clicking on a link that you think is safe.

As I write this, I’ve been bombarded with emails about people who received errors while trying to view your profile on Facebook. What happens is when someone clicks on your profile they get an error saying that they could find out the problem by installing the “Error Check System”. You’ll get notifications that “X” number of people have been getting errors while viewing your profile and this “application” will help you determine the cause.

If you Google “Error Check System” Facebook, at least one of the links takes you to an infectious website that will display a message telling you you’re infected with a virus and offers to scan your system. Of course, this is a social engineering attempt. If you agree to the scan, you’ll be downloading a virus. This has been a very popular tactic of cybercriminals lately. They have even started creating websites that offer reviews of anti-virus software – more social engineering, to earn your trust.

I thought the timing of this Facebook “Error Check System” scam was perfect for me to start this series.

Come on back and read the follow-ups.

If you’ve had any experiences with one of the social networking sites, post a comment and let us know.

By

Is the Internet worth it?

I know I’ll be accused of FUD (Fear, Uncertainty, Doubt) with this post but here goes.
The whole world knows the Internet is used for building businesses. Some businesses rely solely on the Internet – they simply wouldn’t exist without it.
However, with all the security threats, at some point you have to ask: Is it worth it?

On November 12, 2008 the 63rd Session of the International Telecommunications Union (ITU) Council met and discussed the current state of cybersecurity. The event concluded with the declaration that cyber-security is one of the most important challenges of our time. The ITU Secretary-General, Dr. Hamadoun Toure stated: “The costs associated with cyber threats and cyber-attacks are real and significant — not only in terms of lost revenue, breaches of sensitive data, cyber-attacks and network outages but also in terms of lives ruined by identity theft, debts run up on plundered credit cards or the online exploitation of children.”

While I might not totally agree with the severity he states, I do agree that the situation is bleak – and apparently only getting worse.

Hackers use any method available to achieve their goal – total domination of the Internet. Okay, that’s really extreme.

Think of your own specific situation. You undoubtedly have at least one anti-virus (AV) program installed on your working computers, right? (many of you have 3-4 different security programs installed)

How many times has it actually caught a virus? If your AV is set to scan once a day, how often has it detected a virus/worm/trojan during it’s scan? If ever, you have to

During the course of the past 2 months we’ve seen the following security issues:

  • Malware delivered by infectious Adobe Acrobat files (pdf)
  • “Common” websites delivering malware (i.e., www.mlb.com, www.businessweek.com, www.cbs.com)
  • 85% of malware being delivered by infectious websites
  • Numerous content management systems (CMS) and forums having various vulnerabilities
  • “Hacking” used in a multitude of political wars (website defacements, etc)
  • More intelligent malware (blocking of AV updates, disabling security software)

In addition to the above list, more malware has been delivered via social engineering. Social engineering is the “art” of using deception to get a user to intentionally install something which turns out to be malware (definition of trojan).

Back in October we saw the keyword “costumes” being abused by cybercriminals to get people to visit malicious websites promising to offer fantastic ideas on Halloween attire. Then in November we saw numerous emails be circulated that offered various food recipes for Thanksgiving many of which resulted in webpages that contained more than recipes. They offered recipes for infection (you can use that if you want).

Along with the holiday themed malware strategies, here in the US we were also going through a Presidential election which brought about an abundance of election themed malware attacks. Then we had the year-end holidays and New Year’s each with their own malware messages and accompanying websites.

Now with the Presidential Inauguration just completed we’ve seen numerous messages “flying” around the internet touting “Obama refuses to take oath”. When any of these links are followed, they lead the unsuspecting inquisitive reader to a website that delivers more than the message they were seeking. It also attempts to infect their computer with little pieces of code that are just the beginning of taking control of the infected PC.

All of this is actual, real world reality. I didn’t make this “stuff” up. I didn’t write these viruses/worms/trojans like some of you think.

Cyber crime is something we all have to deal with.

You’re in business to solve some real world problem. Whether you’re a plumber or a rocket scientist, you solve someone’s problem otherwise you wouldn’t be in business.

I selected computer security as my profession and I believe I do it well. I try to solve real world computer security problems. If you find my work offensive, you’re free to ignore it.

I don’t work in FUD. I just merely try to educate you so you know what you’re facing being online.

Please leave me your comments on this posting.

Thank you.