By Jordy Berson, Group product manager, ZoneAlarm products
Social engineering is a cruel hacking technique that plays on our naivete, behavioral patterns, curiosity and general humanness. A few examples:
HACKER SENDS US: An e-mail on Valentine's Day with the subject, "Someone wants to kiss you!"
WE: Must know who. The woman I spilled my cinnamon dolce latte on at Starbucks? The guy at 7-Eleven who bought M&Ms while I bought Reese's Pieces?
RESULT: Click the Web link from the e-mail, go to the Web site, malware secretly downloads to our PC to spy on us.
HACKER CONTACTS US: Our lost uncle from Britain whom we never knew died (sad) and left us $50,000 (sadness fading a bit). We just need to send in $1000 for handling to get the money.
WE: Send in the $1000 and wait by the mailbox like Linus in the pumpkin patch.
RESULT: The $50,000 (and The Great Pumpkin) never arrives.
These scams piss me off more than any other because they take people's dignity along with the prize they're after. What pisses me off even more is that hackers around the world are bringing in comfortable six-figure incomes purely by plundering us workers! (See the related article that my buddy Frank sent around the office: http://voices.washingtonpost.com/securityfix/2009/03/obscene_profits_fuel_rogue_ant.html?wprss=securityfix)
The best way to protect yourself from these online parasites, may they all be caught and jailed, is to use the same street smarts online that you use in the real world. Be suspicious! Don't respond to offers that are too good to be true or seem weird in the least without checking them out first. Never click a Web link from a strange e-mail. Use updated security software to protect yourself. Keep all of your computer programs, browser plug-ins, and your operating system up to date at all times.
But it's not always easy! Even the best of us can be tricked, because hackers make use of the same processes we've come to use and trust online in order to trap us. I was talking with my fellow blogger James this week about this because a journalist had asked us to consider: What if hackers took advantage of e-mail viral marketing to attack us and our friends? Web sites such as Yelp and LinkedIn, among many others, will go into our address book to invite our friends to participate in their services (with our permission). For example:
TRUSTED WEB SITE: Offers to e-mail our address book of friends on our behalf and invite them to use Yelp, Facebook, etc.
WE: Trust them.
RESULT: No harm done. We and our friends have special moments together online through our increased connectedness.
Now we've been trained to trust this technique. So it's ripe for the taking as far as hackers are concerned. A hacker could attack the legitimate Web site we trust; could spoof the Web site we trust (we think it's the legitimate site, but it's a malicious site made to look just like the legitimate site); or could create a brand-new site from scratch. In any case, this same technique could e-mail our friends on our behalf. Our friends get an e-mail from us so they trust it (social engineering), follow the Web link, and KABLAM! Spyware downloads to our friends' computers.
This puts extra stress on our relationships.
Then James brought up a similar scenario that's even more dangerous.
TAX PREP SOFTWARE: Offers to automatically gather our tax info from Fidelity, eTrade, etc. We just need to give it our username and password to each financial site.
WE: Hate taxes, and will do anything to make them go faster and easier.
RESULT: We are sad (if we owe), happy (if we get a refund), but no harm done.
But it's easy to see how the above could have an unhappy ending. I have no doubt the tax prep companies such as TurboTax do a great job of ensuring security. And I've yet to hear of any vulnerabilities in this area. But the fact that hackers are highly motivated by their six-figure incomes, and the fact that no security is 100% secure, make me think things could go very wrong here. Imagine just handing over the keys to your financial information to a hacker because they've stepped in between you and a trusted Web site or have spoofed a Web site you trust.
The lesson: Think before you give away the keys to any of your information. Consider the cost/benefit of these types of automated features. Certainly make sure the entity you're trusting is deserving of your trust and is who it says it is. This is not to say you should abstain from these automated features. As of now, and as far as I know, the risk of getting hacked in this way is small to nil. We'll see what the future brings.