According to the recently released Microsoft Security Intelligence Report (2H2008), social engineering is taking the lead as the preferred method of network and end-user device malware infection. Since operating system vulnerabilities are slowly disappearing and more organizations are implementing basic network controls, the easiest way to a target system is via the end-user.
Fear, Trust, and Desire (FTD)
According to the Microsoft SIR, users fall prey to social engineering attacks because of three common modes of human behavior: fear, trust, and desire. As depicted in Figure 1, each of these behaviors is targeted by specially crafted attacks.
Fear is always a strong emotion, one often fed by media spin on Internet security, causing the average user to believe the end of civilization as we know it is at hand. So it’s easy to understand why some panic when malware-induced messages appear on their desktops, telling them their machines are infected. And the best—or only—way to remove the virus or worm, asserts the alert message, is by immediate purchase and download of the recommended AV software. An example is shown in Figure 2. Note the malware listed does not necessarily reside on the target system. It’s just for effect.
Another method to lure a user is the promise of a trial version of a for-fee product. These pages look authentic, as shown in Figure 3. However, the result is the same. The trial version displays a long list of bad stuff and prompts the user to purchase the full version to remove them. So not only is a Trojan or some other malware loaded, but the user actually pays for the honor of hosting it.
Playing on the fears of users seems to be working very well. Microsoft reports rogue security software is quickly becoming the Internet users’ biggest threat. Table 1 lists the Top 25 malware loaded in this way.
In the midst of fear and uncertainty, users are continuously looking for a safe haven. Thus the element of Trust. Without the belief there is safety on the Web, no one except hard core techies would ever use it. However, users often take trust too far, relying simply on the appearance of authenticity. So when a page comes up which looks like their bank’s site, assumptions are made, passwords entered, and transactions executed. In many cases, however, there is also the stealing of passwords, hi-jacking of sessions, or other revenue generating activity managed and controlled by an attacker.
Microsoft breaks trust down into different types. I’m focusing on two: trust in institutions and trust in employer networks. Again, bank sites seem to catalyze immediate trust. This is a user behavior characteristic is actively exploited by cybercriminals. Figure 3 is an example of a bogus bank site. Routing victims to sites like this is typically done via phishing or DNS redirection.
In some cases, redirection isn’t necessary. A Trojan installed on a user’s system can pop up a data entry window when an actual bank or other financial site is visited. As shown in Figure 4, the pop up is used to collect information of value to revenue-centric attackers.
In addition to trusting external sites, users tend to believe their employer’s networks are secure. After all, most organizations are at least talking-the-talk when it comes to protecting information assets. This often lulls employees into that proverbial false sense of security. So what not click on that link? My company will protect me…
Finally, there is what I call the I-want-what-I-want syndrome. Microsoft calls it Desire, but it means the same thing. When a user wants something bad enough, whether business related or not, he or she is going to download and install it. It doesn’t matter how much awareness training your organization has conducted. Attackers understand this, using various media to lure users and hook them, especially “free” music, videos, and software with something extra added to make it worth the attacker’s time and effort. Like a little rootkit with your free copy of X-Men?
What to do
The most important control has nothing to do with technology. Rather it is you understanding these issues exist when you design your control framework. It is understanding that human behavior is what it is. It is taking steps to reduce human behavior’s impact by implementing technical controls which help mitigate or eliminate organizational or individual breach opportunities caused by user “mistakes.”
For more information about building user behavior mitigation controls, take a look at the following:
- Indirect malware detection: Probability verses Certainty
- Human behavior is what it is
- Preventing data breaches isn’t just about stopping stuff coming in
- Free Web content filtering puts safer browsing within reach for everyone
- Improve Data Protection Processes with Content Discovery, Monitoring and Filtering