Social-engineering Hacking, a new tool for Hackers
You have every right to smell something fishy the next time you are asked to download new software in order to fix a problem or watch a film.
In a post published on May 17 on its MSDN blog, Microsoft revealed that one in fourteen programs downloaded to your computer “is later confirmed as malware.” This is happening in spite of a robust Internet Explorer which, according to the same post, blocks between two and five million attacks a day for IE8 and IE9 alone. The main reason for such a high proportion of malware among downloaded software is said to be user apathy; around five percent of users do not heed IE warnings and end up downloading malicious programs.
The situation today is hugely different from the conditions that defined the internet landscape a few years ago. Back then, it was relatively easy for hackers to infect your computer with bugs, and because most people didn’t know how to patch up a problem of this kind, the bugs stayed on their machines. This was possible because internet browsers of the time weren’t as secure as they are today; most popular browsers can now identify and clear your system of many bugs automatically.
In the current scenario, only a few hackers would be able to take on the security system of a major browser. For this reason, hackers have devised a new strategy – break the weakest link in the chain, that is, ‘humans’. Instead of attacking browsers, hackers today concentrate on hacking people because they “have figured out that it’s not that hard to get users to download Trojans,” according to Alex Stamos, a founding partner of iSEC Partners.
This technique of fooling users into downloading malicious programs is called ‘social engineering’, and the spread of the Koobface virus on Facebook is a typical case of how the trick works. In the case of Koobface, a Facebook user gets a message from a friend about a new video. The interested user often clicks on a link in the message, which takes him/her to a website where they are asked to download software in order to watch the video. More often than not, a gullible user downloads the software, unaware that it is actually a malicious program.
This is one of the most popular techniques used by social-engineering hackers, but it isn’t the only one. Another technique involves popping up fake warnings, which appear to have originated from your OS, when you visit a website. You are then tricked into downloading new software to clean your system of the virus that, you are made to believe, has just contaminated your computer. Unsuspecting users often end up downloading Trojans. A particular feature of websites using this technique is that they often attract visitors by promising interesting material about celebrities or the latest trend.
According to Joshua Talbot, a manager at Symantec Security Response, “the attackers are very opportunistic, and they latch onto any event that might be used to lure people.” His company has found that about 56 percent of all malicious attacks involve Trojans. The company came to this conclusion after following the fifty most popular malicious programmes over the course of a whole year.
Another technique that is becoming increasingly popular is called spearphishing. Spearphishing involves first identifying your target and then creating a malicious program specifically for that target, which he/she is very likely to open.
Aware of all these techniques, Microsoft has introduced a new firewall called the SmartScreen Filter Application Reputation (SFAR) in its latest version of IE. The SFAR acts as the first line of defence against Trojans.
The new IE9 warns users whenever they are about to enter a website of questionable reputation. According to the programme manager for SmartScreen, Jeb Haber, SFAR has blocked over 1.5 billion web and download attacks in the past two years. Haber also agrees that more secure browsers have forced hackers to concentrate on social-engineering hacking, which is harder to rein in. He says, “You’re just seeing an explosion in direct attacks on users with social engineering. We were really surprised by the volumes. The volumes have been crazy.”
Haber also says that when SFAR warns users about a potentially harmful programme, which happens only a couple of times a year for a typical user, they should beware, because there is a 25 – 70 percent probability that the programme is malicious.