Newsletter 11/11/2023

Beware the Insidious Invite, Part 2:
Social Engineering 101


In a totally integrated ecosystem, which the Internet has become, nothing occurs in a vacuum.  I have to assume that the attack described in the previous post is happening far and wide.

1.  There must be hundreds of thousands of religious, civic, and cultural groups in this country.  It is a good guess, too, that these groups communicate, both within and outside the organization, via email.  Furthermore, it is only logical that one or more members of these groups maintain those email lists on their computers.  If the computers on which these email lists are kept are compromised, then so are the email lists.  That, I assume, was the first step in the attack previously described.

2.  It is also only logical to assume that these groups here in the US will be engaged in a variety of social events between Thanksgiving and New Years.  This fact is key to the success of the attack.  In security circles, the exploitation of a common fact or facts relevant to the attack victims is known as "social engineering."  A good definition of social engineering comes from the security vendor Imperva:

Social engineering is the term used for a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.

3.  What I advise clients to do in order to avoid being duped into opening spam emails apparently sent from a known source is to ask themselves this: "Is it usual and customary for the sender to have sent the suspicious email?"  The answer here might well be yes.  The sender's email address in the attack discussed herein was a legitimate email address, although I suppose that the sender's email address could have been spoofed.  Nonetheless, this is an insidious and clever example of social engineering.

4.  My client whose experience brought all this to my attention, and who did open the spam email and click the object within the email, had no immediate signs of infection.  Malware doesn't slow things down anymore.  She has a new computer and high speed Internet.  Everything seemed to work fine.  Malware today is, however, very stealthy, and more often than not, deletes itself after doing whatever it is that it does.  For the Consumer, there is very little defense against such an attack. 

5.  With web based email applications, simply opening the email can activate a script, a small program embedded within the email itself, that can set off a destructive chain reaction.  The advice CISA gives is this:

If your email client allows scripting, then it is possible to get a virus by simply opening a message. It's best to limit what HTML is available in your email messages. The safest way to view email messages is in plain text.

6.  Gmail, AOL, Yahoo, indeed all email that is opened and read within Google Chrome, Microsoft Bing, or any other web browser, is HTML.  That web email is not easily read as plain text.  More to the point here is that an interactive email, like an invitation from punchbowl[.]com or some other web based entity, must be read as HTML email to have its effect.  All of the pretty pictures and other multimedia content must be displayed within the browser to get the complete experience.  In the case of text only emails, any content that is not simply text will arrive as one or more attachments to the text based email.  To get the content of the e-invite when received within a text based email, each of those attachments must be opened.

7.  I suppose if one receives an e-invite in the coming weeks, one could simply call the sender and ask if the invitation is real.  My guess here is that no matter whether it is or is not a legitimate e-invite, few members will take the time to make that call.  Also, I assume that the person or persons who manage the email list will not be happy to be inundated with phone calls from dozens of members.  All in all, this is a pretty darn craftily built bit of social engineering.

8.  When I peruse the IT security news these days, the overall outlook is pretty bleak.  I stopped reporting on things like the attack on defense contractor Boeing because people cannot relate to the kind of national security fiasco that an attack on Boeing could represent.  Your flight might be delayed, however, because your airline cannot get needed parts for its aging fleet of Boeing 737s.  And about antimalware software: Don't you think Boeing had all the security hardware and software money can buy?

9.  Lastly, use a little common sense.  If you think that I have way overblown this issue, and have made a mountain out of a molehill, then ask yourself this.
Do you really think the crooks who registered punchbowl[.]ru did so simply to harass one little old lady from South LA County?
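As an added illustration, not code from this newsletter, here is a small Python triage routine that applies the advice above to a constructed e-invite: it prefers the text/plain part when one exists, flags messages that arrive as HTML only, flags embedded script blocks, and flags links whose host imitates a known e-invite service under a different registered domain. The sample message and its example-club addresses are constructed, and punchbowl.com is assumed to be the legitimate service the lookalike imitates.

```python
import re
from email import message_from_string, policy

# Constructed sample (not a real message): an HTML-only e-invite whose RSVP link
# points at a lookalike domain of the service it imitates.
RAW_INVITE = """\
From: Club Secretary <secretary@example-club.invalid>
To: member@example.invalid
Subject: You're invited: Holiday Party!
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Join us for the holiday party!</p>
<a href="http://punchbowl.ru/rsvp?id=123">View your invitation</a>
<script>/* active content would run here in a scripting-enabled client */</script>
</body></html>
"""

SCRIPT_RE = re.compile(r"<script\b.*?</script>", re.IGNORECASE | re.DOTALL)
HREF_RE = re.compile(r'href=["\']?(?:https?://)?([^/"\'\s>]+)', re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")

def triage_invite(raw, expected_domains=("punchbowl.com",)):
    """Return findings plus a plain-text rendering of the message body."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    plain = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    if plain is None and html is not None:
        findings.append("html_only")          # no text/plain alternative to read safely
    text_view = plain.get_content() if plain is not None else ""
    if html is not None:
        body = html.get_content()
        if SCRIPT_RE.search(body):
            findings.append("script_tag")     # active content embedded in the mail
        for host in HREF_RE.findall(body):
            host = host.lower()
            # Same leading label as a known service, but a different registered domain.
            if host not in expected_domains and any(
                    host.split(".")[0] == d.split(".")[0] for d in expected_domains):
                findings.append("lookalike_domain:" + host)
        if not text_view:
            # Plain-text fallback: drop script blocks, then strip the remaining tags.
            text_view = TAG_RE.sub(" ", SCRIPT_RE.sub("", body))
    return {"findings": findings, "text_view": " ".join(text_view.split())}

if __name__ == "__main__":
    result = triage_invite(RAW_INVITE)
    print(result["findings"])
    print(result["text_view"])
```

The text view is what a plain-text reader would show; the findings are the reasons to make that phone call before clicking anything.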

There are so many times I wish I could simply unknow what it is that I know.  I would probably be happier.  But I don't engage in those kinds of substances.  Besides, someone must be standing by with the fire hose when the blaze begins to burn.  And my reward for this diligent service is best described by that great Philosopher King, Groucho Marx.
"I worked my way up from nothing to a state of extreme poverty."

The freakin government should hire me. But the government is too busy with issues of malware, hacking, and national security to worry about Consumers.  But I think they do read my posts from time to time.

To be forewarned is to be forearmed.

¯\_(ツ)_/¯
Gerald Reiff