Understanding Social Engineering

Each month in Lavasoft News, we bring you updates on the latest specific threats to your online security, so that you know what they are and how to stay safe. At the heart of many of these malicious ploys is one underlying concept: social engineering. Deceptive social engineering tactics are interwoven throughout the Web, as you shop, bank, and socialize online. Keep reading to learn how to recognize these attacks and avoid them.

What is Social Engineering?

You may have heard the phrase ‘social engineering’ before, but what exactly is it? Social engineering is when a scammer - rather than using technical hacking techniques - manipulates, tricks or deceives people into performing certain actions or divulging personal information.[1]

Social engineers take advantage of human behavior to pull off their scams, with the aim of infecting a user with malware and stealing personal information or money.

Social engineering attacks are becoming more complex and increasingly prevalent, according to security experts. “The nature of malware infections has changed during the past years. A long time ago, malware and viruses were spread in much less sophisticated ways. Now, malware authors constantly invent new intellectual ways to manipulate people and compromise their machines,” says Albin Bodahl, a malware analyst at the Malware Labs at Lavasoft.

And these types of attacks are on the rise. “Lavasoft Malware Labs has seen a major increase in obfuscated downloads which make use of social engineering tricks. The target has moved from the actual computer to full focus on users,” Bodahl says.

What Methods Do Attackers Use?

Social engineering attacks aimed at home computer users often take advantage of basic human emotions to manipulate and persuade people to fall for their ploys – including curiosity, fear, and empathy. Let’s take a look at some common methods of exploitation based on these emotions:

  • Curiosity. Exploiting a person’s curiosity might involve sending an e-mail that purportedly contains a link to watch a video about the latest sensational news story. The link, however, will lead to a malicious site aimed at installing malware or stealing private information.
  • Fear. One tactic cyber thieves use to instill fear and persuade a person to act in a certain way is by sending phishing e-mails, supposedly from a victim’s bank. Using the claim that his or her account has been breached, the message will push the user to click a certain link to validate the account. Again, the link will lead to a malicious site aimed at compromising the person’s computer, or stealing sensitive information.
  • Empathy. To take advantage of a person’s empathetic feelings towards others, hackers have been known to impersonate victims’ friends on networking sites, claiming to urgently need money. In another prime example, recent social engineering scams have also been seen in the wake of the earthquakes in Haiti, with con artists attempting to profit from the feeling of good will that follows such events to target users with donation scams.

While the above tactics are common ploys, it’s important to keep in mind that there are many other methods used by scammers; we can expect almost limitless variations on tried and true attacks that have been found to be successful in the past.

All of these tactics, however, involve an interactive choice by the computer user, meaning that, armed with the right knowledge, you can effectively choose not to be the victim.

What Can You Do To Avoid Becoming A Victim?

Protecting your PC with trusted security software is an effective first step to help keep you safe from social engineering attacks. But you also need to be aware of social engineering tactics and employ a healthy dose of skepticism when online.

“The most important thing for users to do is to use common sense while surfing the web,” Bodahl says.

For more information, the United States Computer Emergency Readiness Team (US-CERT) has compiled additional helpful guidelines to avoid being a victim in its Cyber Security Tip on social engineering attacks.

[1] http://en.wikipedia.org/wiki/Social_engineering_%28security%29

BY THE NUMBERS
Phishing attacks – a type of social engineering – continue to climb. Unique phishing reports submitted to the Anti-Phishing Working Group in the third quarter of 2009 reached an all-time high of 40,621.
Source: Anti-Phishing Working Group

Copyright © 2009 Lavasoft AB. All rights reserved.