The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [48]
Much has been written about vandals and their viruses; books, software programs, and entire companies have been created to offer protection, and we won’t deal here with the defenses against their technical attacks. Our interest at the moment is less in the destructive acts of the vandal than in the more targeted efforts of his distant cousin, the social engineer.
It Came in the Email
You probably receive unsolicited emails every day that carry advertising messages or offer a free something-or-other that you neither need nor want. You know the kind. They promise investment advice, discounts on computers, televisions, cameras, vitamins, or travel, offers for credit cards you don’t need, a device that will let you receive pay television channels free, ways to improve your health or your sex life, and on and on.
But every once in a while an offer pops up in your electronic mailbox for something that catches your eye. Maybe it’s a free game, an offer of photos of your favorite star, a free calendar program, or inexpensive shareware that will protect your computer against viruses. Whatever the offer, the email directs you to download the file with the goodies that the message has convinced you to try.
Or maybe you receive a message with a subject line that reads “Don, I miss you,” or “Anna, why haven’t you written me,” or “Hi, Tim, here’s the sexy photo I promised you.” This couldn’t be junk advertising mail, you think, because it has your own name on it and sounds so personal. So you open the attachment to see the photo or read the message.
All of these actions—downloading software you learned about from an advertising email, clicking on a link that takes you to a site you haven’t heard of before, opening an attachment from someone you don’t really know—are invitations to trouble. Sure, most of the time what you get is exactly what you expected, or at worst something disappointing or offensive, but harmless. But sometimes what you get is the handiwork of a vandal.
Sending malicious code to your computer is only a small part of the attack. The attacker needs to persuade you to download the attachment for the attack to succeed.
The most damaging forms of malicious code—worms with names like Love Letter, SirCam, and Anna Kournikova, to name a few—have all relied on social engineering techniques of deception and taking advantage of our desire to get something for nothing in order to be spread. The worm arrives as an attachment to an email that offers something tempting, such as confidential information, free pornography, or—a very clever ruse—a message saying that the attachment is the receipt for some expensive item you supposedly ordered. This last ploy leads you to open the attachment for fear your credit card has been charged for an item you didn’t order.
Note
One type of program known in the computer underground as a RAT, or Remote Access Trojan, gives the attacker full access to your computer, just as if he were sitting at your keyboard!
It’s astounding how many people fall for these tricks; even after being told and told again about the dangers of opening email attachments, awareness of the danger fades over time, leaving each of us vulnerable.
Spotting Malicious Software
Another kind of malware—short for malicious software—puts a program onto your computer that operates without your knowledge or consent, or performs a task without your awareness. Malware may look innocent enough, may even be a Word document or PowerPoint presentation, or any program that has macro functionality, but it