May 17 2012

Social Viruses Can Snag Tech Types Who Should Know Better

Malware thrives on social engineering, not just computer engineering.

When the average person thinks of a technology writer, worker, analyst or consultant, they assume that the person is an all-knowing authority on all things tech-related — from knowing how to get the printer working again to setting up the wireless router to being an expert at avoiding computer viruses.

This assumption — that only nontechnical people fall for malware scams — is dead wrong, of course.

Cisco’s Jason Lackey noted the potency of social engineering in malware schemes, writing in the company’s blog:

Social engineering is the practice of using guile, deception and misdirection to cause a victim to take action to help facilitate or enable an exploit, and is thus the only hacking technique that predates information technology. It is also one of the biggest threats we face in the industry today.

Mark P. McDonald, an analyst for Gartner, proved the validity of Lackey’s statement when he recently shared how he fell victim to a social media malware scheme.

The day before yesterday (May 8, 2012) 55,000 Twitter account information was hacked and a social virus was launched. It was a simple direct twitter message sent randomly from one of the people who I follow on Twitter:

Hey some person is saying horrible things about you… tinyurl.com/#######

Naturally, this piqued my interest. I wanted to find out what others were saying. I followed the link and it kicked into a dead end. Then, I was asked to log into Twitter again. That should have sent off warning lights, as I was already logged into Twitter, and the log-in screen I was taken to was a different color than the traditional Twitter blue.

In the desire to find out what others were saying, I barreled ahead and proved that I was really a bit of a twit [UK term for less than intelligent person]. The hook was set, the virus spread, and I was there, dangling at the end of the line.

The observation is that, if this were a traditional technically-oriented virus, I probably would have caught on much sooner. You know, the type of virus that copies your director and then sends out phishing emails to all your friends. That type of brut force virus would have caused a lot of people to take quick notice, including me who would have received a barrage of emails from my associates who were infected earlier.

But this was a social virus, one that was engineered to be driven, not by technology; but by our basic human and social behaviors.

The important thing to learn from this is that malware can hit anyone, anywhere. And the big, bad wolf often comes dressed in sheep’s clothing. IT folks, don’t assume that you’re immune just because you know the difference between a gigabit and a gigabyte.

Have you had a nasty bout with socially engineered malware in the past?