Q: How do you get infected with malware? A: Social engineering

by Andy on October 19th, 2011 in Security Tips.

As the malware landscape evolves, it's helpful to understand how malware gets onto your machine. Knowing the bad guys' strategies gives you the edge while on-line and puts you in a stronger position to defend your data and PC against compromising threats.

We all know that we should install anti-malware software, keep it up to date and run regular scans, apply Windows and application security patches when they become available, use a firewall... well, I won't bore you - you know what to do. But what kind of attacks can we expect and where are they coming from?

It's good to have defences in place to keep your PC secure in the event of an attempted malware infection, but having advance warning of the enemy's tactics can help you avoid getting into tricky situations in the first place.

The most common way malware gets onto your system is via the biggest security risk on any computer system - between the chair and the keyboard. According to Microsoft's recently published Security Intelligence Report, almost 45% of infections stem from the malware writer using various social engineering tactics to persuade the user to take some kind of action that results in the user running a malicious file, thereby infecting their own machine.

This means that the malware writer doesn't have to spend time thinking of complex and ingenious ways to infiltrate your machine – they just have to present you with a credible reason to install and run their program.

Compare this idea to a street crime: imagine if someone said they were conducting a survey called “Are Modern Wallets Too Heavy?” and asked to check how much your wallet weighs. Instead of seeing it for the risk that it is, you give them your wallet, PIN number and, for good measure, your mobile phone, then punch yourself in the face and hail a taxi for them to make a getaway.

That's a pretty extreme illustration but the point is that you would recognise this as a potential threat and walk away. Most people are unlikely to intentionally install malware on their machine, but if the malware employs a social engineering technique to make it appear credible, you could find yourself in trouble.

A common technique is to prey upon users' fear. People can be easily persuaded if you frighten them. The media frequently reports on cyber-crime and, as we mentioned before, we're all aware of the need for an anti-malware program. Bad guys have taken full advantage of this and unleashed hundreds of legitimate-looking security applications that scan your machine, present you with a lot of scary, non-existent infections, and then try to trick you into buying the software to remove them. The best way to avoid this is to use a reputable anti-malware application like Ad-Aware.

Another common tactic is to lure the user into installing an application that will allow them to watch a video, but predictably that application turns out to be malware. Big surprise, no? To a lot of people, it is.

If you are in doubt about an application you have downloaded, you can scan it with Ad-Aware, but a cool trick is to upload the file to VirusTotal, which will show you which anti-malware companies detect the file. If you see a lot of hits, it's more than likely malware and you should delete it.
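A sketch of that VirusTotal check, added here as an example and not part of the original post: it hashes the download so the file can be looked up by its SHA-256, then counts detections in a report. The sample report is constructed and laid out like a VirusTotal API v3 file report, the engine names are made up, and the threshold of 5 engines for "a lot of hits" is an assumption.

```python
import hashlib

def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large downloads are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def summarise_report(report, threshold=5):
    """Count detections in a v3-style file report and return a rough verdict."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    hits = stats.get("malicious", 0) + stats.get("suspicious", 0)
    # Only engines that returned an opinion count; timeouts and
    # unsupported file types are left out of the denominator.
    scanned = hits + stats.get("undetected", 0) + stats.get("harmless", 0)
    engines = sorted(
        name for name, res in attrs.get("last_analysis_results", {}).items()
        if res.get("category") in ("malicious", "suspicious")
    )
    if scanned == 0:
        verdict = "no-data"
    elif hits >= threshold:  # assumed cut-off for "a lot of hits"
        verdict = "likely-malware"
    elif hits > 0:
        verdict = "needs-review"
    else:
        # Not proof of safety: brand-new malware is often undetected at first.
        verdict = "no-detections"
    return {"hits": hits, "scanned": scanned, "verdict": verdict, "engines": engines}

# Constructed sample report (engine names and results are made up).
SAMPLE_REPORT = {"data": {"attributes": {
    "last_analysis_stats": {"malicious": 6, "suspicious": 1, "undetected": 50,
                            "harmless": 0, "timeout": 2, "type-unsupported": 3},
    "last_analysis_results": {
        "EngineA": {"category": "malicious", "result": "FakeAV.Gen"},
        "EngineB": {"category": "suspicious", "result": "Heur.Susp"},
        "EngineC": {"category": "undetected", "result": None},
    },
}}}

if __name__ == "__main__":
    print(summarise_report(SAMPLE_REPORT))
```
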

For more information, check the United States Computer Emergency Readiness Team (US-CERT) guide for avoiding social engineering attacks.