Proactive Security

Effective social engineering scares

Introduction

Malicious programs increasingly rely on social engineering techniques in order to propagate and execute successfully. Gone are the days when a tempting file name in an email sufficed. In this security article we examine variants of one of the more successful social engineering schemes.

A scareware example

A typical example of scareware is the malicious program which Norman detects by the name W32/DotTorrent.

This uses a social engineering technique that exploits the fact that many uses of the BitTorrent technology are seen as dubious or even illegal.

A computer infected by DotTorrent will display a message like:

[Image: warning window displayed by DotTorrent]

Some elements of the message are clickable and show more information about the alleged illegal actions that the user has performed.

In the image above the "Files detected" listing is empty, as there were no BitTorrent files present on the computer where the malware was executed. If such files had been present, they would have been listed, making the warning seem even more legitimate.

When exiting the warning window, another warning is displayed:

[Image: second warning window displayed by DotTorrent]

To solve this matter outside the courts, the user is encouraged to pay a "small" fee...

This is not meant as an analysis of the malware in question. It is only meant to point out a type of scam intended to trick users into paying money for nothing.

The social engineering scheme

A long time ago (in computer years) it was sufficient to send an email with an attachment named LOVE-LETTER-FOR-YOU.TXT.vbs (the VBS/LoveLetter.A virus) to trick an enormous number of users into opening the attachment, with subsequent infection.
As computer users have become more educated (and used to malware distributed as email attachments), more clever techniques are required in order to trick them into performing actions which result in infection.

Common to several of these techniques is the use of personalization. Spear phishing - the term used for phishing attempts aimed at targeted individuals - is another example.

The example above, however, does not require any particular investigation of potential targets. It relies on the fact that many users participate in BitTorrent networks to download and exchange (multi)media content. Much attention has been focused on the legality of these networks and downloads. Warnings like the one shown in the example will therefore most likely trick many - BitTorrent users and others - into performing the actions the malware writer wants.

A similar example is malware that exploits many people's fear that certain behavior will be made public. Scareware that threatens to publish information about visits to pornographic web sites illustrates this.
Scaring people about the presence of child pornography on their computer is another example. Possessing child pornography is illegal in many countries, and even though a person knows that he did not download such material, there is always a potential danger that someone else used his computer (for example by hacking into it remotely) and placed illegal material there.

The technique used by the malware creators can be summed up in the three words Fear, Uncertainty, Doubt (FUD).

Whenever a person gets "hit" by something that causes FUD, he may stop thinking clearly and instead react instinctively by trying to protect himself. This is exactly what the creator of the malware intended.

What to do?

The counter-measures against this are quite simple: Take a breath, stop and think!

Investigate the claims that the malware makes, like:

  • Are the alleged files actually present on your computer? If so, are they really illegal?
  • Is it likely that the copyright owner would use software to get in touch with those who infringe their rights?
  • Do the authorities in your country use this type of software to investigate criminal activity?

In short: Use common sense and do not let fear (unjustified or not) trick you into being a victim of malware.