When malware creators use social engineering techniques, they can lure an unwary user into launching an infected file or opening a link to an infected website. Many email worms and other types of malware use these methods.
The cybercriminal will aim to attract the user’s attention to the link or infected file – and then get the user to click on it. Examples of this type of attack include:
The LoveLetter worm that overloaded many companies’ email servers in 2000. Victims received an email that invited them to open the attached love letter. When they opened the attached file, the worm copied itself to all of the contacts in the victim’s address book. This worm is still regarded as one of the most devastating – in terms of the financial damage that it inflicted.
The Mydoom email worm – which appeared on the Internet in January 2004 – used texts that imitated technical messages issued by the mail server.
The Swen worm passed itself off as a message that had been sent from Microsoft. It claimed that the attachment was a patch that would remove Windows vulnerabilities. It’s hardly surprising that many people took the claim seriously and tried to install the bogus ‘patch’ – even though it was really a worm.
Malware link delivery channels
Links to infected sites can be sent via email, ICQ, and other IM systems – or even via IRC Internet chat rooms. Mobile viruses are often delivered by SMS message.
Whichever delivery method is used, the message will usually contain eye-catching or intriguing words that encourage the unsuspecting user to click on the link. This method of penetrating a system can allow the malware to bypass the mail server’s antivirus filters.
Peer-to-Peer (P2P) network attacks
P2P networks are also used to distribute malware. A worm or a Trojan virus will appear on the P2P network, but will be named in a way that’s likely to attract attention and get users to download and launch the file – for example:
AIM & AOL Password Hacker.exe
Microsoft CD Key Generator.exe
Play Station emulator crack.exe
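A defender-side check for the naming pattern described above, as an added example that is not part of the original article: it flags executable files whose names use lure wording like the three names listed. The keyword patterns, the extension sets and the extra decoy-extension check (which goes beyond what the article covers) are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Extensions Windows runs directly or hands to a script host (assumed, non-exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Harmless-looking extensions sometimes placed before the real one (assumed list).
DECOY_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".mp3", ".avi"}
# Lure wording modelled on the file names listed above; tune for your environment.
LURES = {
    "password-hacker": re.compile(r"\bpassword\s+hack(er|ing)?\b"),
    "key-generator": re.compile(r"\bkey\s*gen(erator)?\b"),
    "crack": re.compile(r"\bcrack(ed|s)?\b"),
}


def assess(filename):
    """Return the reasons a file name looks like a lure (empty list if none)."""
    path = PureWindowsPath(filename)
    suffixes = [s.lower() for s in path.suffixes]
    # Only names that would execute when opened are in scope for this check.
    if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
        return []
    reasons = []
    # "photo.jpg.exe": the visible decoy extension hides the executable one.
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
        reasons.append("decoy-extension")
    # Treat dots, underscores and hyphens as spaces so "key_gen" matches too.
    words = re.sub(r"[._\-]+", " ", path.stem.lower())
    reasons += [tag for tag, rx in LURES.items() if rx.search(words)]
    return reasons


# Constructed sample: the three names from the article plus benign controls.
SAMPLES = [
    "AIM & AOL Password Hacker.exe",
    "Microsoft CD Key Generator.exe",
    "Play Station emulator crack.exe",
    "holiday_photo.jpg.exe",
    "setup.exe",
    "quarterly_report.pdf",
]

if __name__ == "__main__":
    for name in SAMPLES:
        hits = assess(name)
        print(f"{'FLAG' if hits else 'ok  '}  {name}  {hits}")
```

A name-based check like this is a triage signal for download or attachment logs, not a verdict on the file's contents.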
Ensuring victims don’t report the malware infection
In some cases, the malware creators and distributors take steps that reduce the likelihood of victims reporting an infection:
Victims may respond to a fake offer of a free utility or a guide that promises:
Free Internet or mobile communications access
The chance to download a credit card number generator
A method to increase the victim’s online account balance… or other illegal benefits
In these cases, when the download turns out to be a Trojan virus, the victim will be keen to avoid disclosing their own illegal intentions. Hence, the victim will probably not report the infection to any law enforcement agencies.
Another example of this technique was the Trojan virus that was sent to email addresses that were taken from a recruitment website. People who had registered on the site received fake job offers – but the offers included a Trojan virus. The attack mainly targeted corporate email addresses – and the cybercriminals knew that the staff who received the Trojan would not want to tell their employers that they had been infected while they were looking for alternative employment.
Unusual social engineering methods
In some cases, cybercriminals have used complex methods to complete their cyberattacks, including:
When one bank’s customers received a fake email that claimed to be from the bank – asking the customer to confirm their access codes – the method of confirmation was not via the usual email / Internet routes. Instead, the customer was asked to print out the form in the email, then fill in their details and fax the form to the cybercriminal’s telephone number.
In Japan, cybercriminals used a home-delivery service to distribute CDs that were infected with Trojan spyware. The disks were delivered to the clients of a Japanese bank. The clients’ addresses had previously been stolen from the bank’s database.