Cormac Herley’s paper Why do Nigerian Scammers Say They are from Nigeria? explains how some purposefully-lame scam emails are advantageous to the attacker. Such messages allow the scammer to avoid victims who will consume valuable time, but will turn out to be too savvy to fall for the scam. Herley explains that by initiating contact using a blatantly fraudulent email “that repels all but the most gullible, the scammer gets the most promising marks to self-select.”
This motivates some scammers to send messages that are easily identified as fraudulent by many people, yet succeed at catching the more gullible portion of the population. An excerpt from one such example:
“We are top officials of the Federal Government Contract Review Panel who are interested in importation of goods into our country with funds which are presently trapped in Nigeria. In order to commence this business we solicit your assistance to enable us RECEIVE the said trapped funds ABROAD.”
An article in The Economist on this subject quotes Basil Udotai, a former cybersecurity director of Nigeria’s National Security Adviser: “There are more non-Nigerian scammers claiming [to be] Nigerian than ever reported.” One motive for this might be “Nigeria’s dreadful reputation for corruption that makes the strange tales of dodgy lawyers, sudden death and orphaned fortunes seem plausible in the first place.”
Allowing victims to self-select as being vulnerable might be useful for online attacks and scams that involve social engineering and require human involvement on the attacker’s part. They also seem most appropriate for mass-scale attacks, where a small percentage of gullible people produces a sufficiently large set of likely targets.
Self-selecting victims by using blatantly malicious communications also might be useful for some penetration testing and targeted attack scenarios. A human-powered attack will want to focus on people most likely to assist the attacker. Moreover, the attacker might conceal his true sophistication by purposefully appearing amateurish.
So perhaps the next time you come across a poorly-worded email scam, filled with all-uppercase letters, typos, grandiose titles and financial promises, you won’t laugh at the naive message. The scammer might be so clever that his apparent incompetence is a charade.
Phishing—a technique grounded in social engineering—remains an effective way for attackers to trick people into giving up sensitive information. Potential victims can be contacted by email, fax, phone calls and SMS text messages. Below is an example of such a scam sent through SMS—a practice sometimes called smishing.
In this case, the recipient is requested to visit update.vtext02.net to update account information, supposedly so that he or she can continue using Verizon services.
The phone number of the SMS message’s sender was most likely spoofed.
The malicious domain vtext02.net appears to have been shut down by its registrar several hours after the phishing text message was received. When it was still active, the victim visiting the link on the SMS message would have seen the following page that mimicked the Verizon Wireless website:
All elements of this page were unclickable images with the exception of the form that prompted the victim for his or her Verizon account credentials. The “Sign In” button would submit the data to the phisher’s server-side confirm.php script. Here’s an excerpt from the page’s HTML code:
A similar incident was publicly described by another person about a month earlier. In that case, the recipient was being directed to another malicious URL. The phishing SMS message stated “V.erizon.wireless.update. Please click on http:// verizon.vtext-1.com and proceed.” (Don’t go there.)
Mobile phone users are especially vulnerable to social engineering scams. One of the reasons for this, as pointed out by ESET’s Randy Abrams, is that “virtually none of the visual indicators that help even a moderately savvy novice computer user make [an] informed decision are present on mobile devices.”
Russ Klanke documented the steps for reporting a suspicious SMS message to the GSMA Spam Reporting Service by sending a text to short code 7726 (SPAM).
— Lenny Zeltser
Tactics that incorporate social engineering can be highly effective at bypassing security controls. Perhaps we are vulnerable to social engineering because of the traits and behaviors that allow us to quickly make decisions that sometimes turn out to be wrong. It’s important to study and understand such persuasion approaches, so we can adjust defenses appropriately. Yet, such research needs to be conducted in a responsible and ethical manner.
As a society, we’ve been fascinated with the ability of some people to persuade others through language. In the context of scams, such skills have been exhibited by con artists, who are able to persuade victims into taking actions against their own interests. I dislike the term “con artist,” because the reference to art seems to glorify the practice of defrauding people and organizations.
Similarly, social engineering, when employed to someone’s detriment or without permission, is a scam—not an opportunity to show off one’s persuasion prowess. Just because it’s possible to influence someone to give up sensitive data, grant access to a system or otherwise aid the social engineer’s objective doesn’t mean that the social engineer should take advantage of this vulnerability.
We’re all vulnerable to social engineering. Researching such practices in a responsible manner can help strengthen defenses against attacks that target humans through influence and persuasion. Yet, we should be careful not to forgo a sense of ethics when employing social engineering to test defenses. Remember, the difference between any security assessment and a malicious attack often merely amounts to permission.
I can imagine that there are some people out there who will be so intrigued by the illegible message that they will open the archive file and then, out of curiosity, run the .exe file.
Having covered the risks related to on-line social networking on several occasions, I’d like to outline my tips for using these services securely. In compiling this list, I tried to stay away from impractical recommendations, and did my best to base advice on actual occurrences, rather than theoretical threats:
While the tips above were focused on social networking services, standard Internet safety recommendations apply: Limit the reuse of passwords across sites; keep up with security practices; disable risky browser plugins that you rarely use (e.g., Java).
Like any of our actions that involve interacting with others, using social networking sites exposes us to risks of being scammed, infected or otherwise attacked. My hope is that the tips above provide practical recommendations that allow people and organizations to derive benefits from these communication mechanisms while keeping the risks at a manageable level.
The most popular method for distributing malware for mobile devices has been grounded in social engineering. We haven’t seen many exploits pursuing vulnerabilities to infect mobile devices because it’s simpler and often more reliable to persuade the user to install a malicious program. Let’s take a look at how such attacks have occurred and why they’ve been so effective.
Malicious Apps that Look Legitimate
The most common social engineering approach employed by mobile device malware involves masquerading as a legitimate application. This technique, which spreads malware in the form of trojan programs, has been employed by malicious software on other platforms for a long time.
This has been a major issue on Android, which offers few barriers to listing a program on its various app marketplaces. For instance, in Spring 2011 Google removed over 50 malicious apps from Android Market that turned out to be variants of the DroidDream trojan, but looked like legitimate applications and had names like Super Guitar Solo.
The persuasion mechanism of this approach to distributing malware is simple: Create or customize an app that a user might want to download and list it in the app store/marketplace. Then wait for victims to install the malicious program. Examples of trojan mobile apps on other platforms include Terdial for Windows Mobile and Mosquito for Symbian, both malicious versions of games.
Advice: Don’t install apps from untrusted developers. Relying on the app’s ratings may be insufficient, because many users might be enjoying the app’s features without realizing that it contains hidden functionality.
Illegitimate Sources of Mobile Apps
The efforts to persuade the victim to install GGTracker malware on Android began with an ad displayed within a legitimate app running on the phone. According to Lookout, the ad directed the person to a website that claimed to analyze the phone’s battery.
After clicking OK, the victim would be redirected to a page that looked like Android Market, which attempted to convince the user to install a “Battery Saver” app that turned out to be malicious.
By default, Android disallows the installation of applications that originate from a source other than Android Market. In anticipation of this, the malicious app advised the user that:
“Due to the power savings this application produces, it’s only available outside of the Android Marketplace. You might need to unblock the install by updating your Settings.”
Since Apple exercises much tighter control over its App Store, it’s harder for the end-user to install an app that comes from another source. Moreover, all user-installed apps have to be signed by Apple. This is probably why we haven’t seen such incidents affecting iOS to date. To install an unsigned and untrusted app, the iOS user would have to be running a jailbroken iPhone or iPad device. It may be possible for a malware developer to distribute an app outside of the App Store using the iOS Developer Enterprise Program; however, Apple still exercises some control over the apps distributed in this “Ad-Hoc” manner.
Advice: Don’t enable support for installing apps from sources other than the phone’s manufacturer. If jailbreaking your mobile device, understand the risk involved in installing apps from potentially-untrusted third parties.
Installation Request from the Victim’s PC
In the case of ZeuS malware variants that target mobile devices, persuasion originates from the victim’s PC. When the person visits a banking site from an infected computer, he is prompted to “download an authentication or security component onto their mobile device in order to complete the login process” according to Trusteer. In one case, as reported by Kaspersky Lab, the message attempted to trick the victim into installing a fake version of the Trusteer Rapport app for Android.
Since the victim was under the impression that the request to install the program came from a bank (a trusted entity) and because the request was made in the name of security, the person was likely to drop his guard and install the malicious program on the phone.
Advice: Be cautious of requests to install a mobile device app, regardless of the venue through which the request arrives.
Wrapping it Up
As we’ve seen, authors and distributors of mobile device malware have been effective at using social engineering techniques to trick victims into installing malware. Though there are some steps people can take to avoid being manipulated in this manner, the reality is that withstanding well-crafted social engineering campaigns is incredibly hard. This is especially applicable to mobile devices, where visual indicators that may help users understand the context of their actions are often lacking.
We all like knowing what other people are saying about us. That’s why vanity searches—searching the web for mentions of one’s name—are so popular. Companies do it too by setting up alerts and RSS feeds to see what is being discussed about them on-line. Such “egosurfing” practices can also be used to target the individual or the company with a client-side or a social engineering attack.
The promise of revealing information about the person—offering either gossip or actionable intelligence—can act as a powerful lure. Consider what happens when you see a new mention of your name in Google on some web page or a discussion forum. “Cool,” you think to yourself, “I wonder what they are saying about me.” Then you click the link to go there.
Mass-Scale Vanity Search Attacks
Peter Szor recently described an experience of encountering a fake anti-virus scam (MacDefender) when searching for his name in Google to locate an old photo from a conference. That malicious website aimed to attack as many people as possible, drawing in potential victims with black hat Search Engine Optimization (SEO) techniques. By clicking a link in Google search results, the person visited the website, which attempted to social-engineer him into installing malware.
Targeted Vanity Search Attacks
Knowing that many (most? all?) individuals and organizations conduct vanity web searches allows an attacker to target a particular entity, say the targeted company’s CEO. A commenter outlined this approach in response to my earlier post on Monitoring Social Media for Security References to Your Organization:
“All one would have to do is create the site with the key flags (CEO name, Company name, etc.) and watch the logs until Google does its indexing. Once indexed by Google, post the nastyware on the site and wait for the CEO to follow the alert they get.”
By noticing a new reference to the monitored or searched-for name, the person would likely visit the malicious website and be subjected to a client-side attack or a social engineering scam. I bet this technique can be no less effective than emailing the potential victim a malicious link or an attachment. (Why go to them when you can lure them to come to you?)
Should we give up the practice of vanity web searches? I know that won’t happen. But perhaps it’s worth exercising extra caution when visiting the websites that show up the next time you egosurf.
I read about Formspring in the New York Times, which described the site as a “fast-growing social network that lets people ask each other personal questions and then has others answer them.” Doesn’t this sound like a goldmine of information for attackers? Having briefly toured the Formspring site, I’ve come to appreciate the changing norms of Internet privacy and confirmed that we’re headed for troubled waters.
Teens and Privacy on the Internet
What personal details are considered private on the Internet is rapidly changing. We increasingly reveal information about our jobs, families and interests on social networking sites, photo galleries, blogs, and so on. This means that on-line scammers have an increasing wealth of information to use for social engineering and password-reset attacks.
The group that’s truly influencing societal norms regarding privacy on the Internet is teenagers. They are using various public forums to exchange uncensored free-form banter without considering the long-term repercussions of having their conversations archived and searchable forever. As these teens grow up and take on professional personae, more personal information will be available about them than about the current generations of professionals on the web.
Formspring’s Questions and Answers
Unlike professionally-focused Q&A sites, such as Quora, Formspring encourages its users to ask and answer deeply personal questions. When a new user signs up, he is presented with a list of questions to “seed” his profile, such as:
By default, the answers the person provides are public. The user can change the privacy settings, but I suspect many people don’t even think about this.
Formspring users can search the site for other people using the “Find Friends” feature, which supports searching by username, email and name.
According to The New York Times, “20 million people have signed up for the site and nearly two billion answers to questions have been posted through the Web site.” As far as I could tell by randomly sampling a few public profiles and reading the Q&A streams, many—if not most—of the users are teens.
How Formspring Data Could Be Misused
An attacker can use the “Find Friends” feature to locate profiles of targeted individuals, or might create a script to mine data in bulk. Furthermore, the attacker doesn’t need to be a registered Formspring user to view public profiles, if he knows the victim’s Formspring username.
The collected details could be used to target people using social engineering techniques. Moreover, many of the questions answered by users of Formspring are similar to those used for resetting forgotten passwords. Here are a few examples from various public profiles:
Implications for Information Security
When designing security systems, we make assumptions about personal details and related data that are supposedly known only to the user. For instance, many applications provide a secondary login mechanism by asking the person for “private” details, such as his favorite color, flower or restaurant. However, privacy norms are changing rapidly. What was once private will soon be public. We need to anticipate this change and adjust our security mechanisms for the increased transparency of people’s once-personal information.
On-line scammers use various venues to social-engineer their victims into compliance. Email has been the most popular platform for such interactions. Scammers have also been known to chat with their victims using “traditional” instant messaging networks, such as Yahoo! Messenger and Google Talk. As people increasingly turn to social networking sites for their interactions, so do the scammers.
How might scammers use automated chat bots to social engineer users on social networking sites? How might we prepare to deal with smart chat bots?
Non-Automated Scam Chats on Social Networks
With low-cost labor available throughout the world, scammers can employ humans for chatting with victims while keeping their costs relatively low. One example of this was documented by Rakesh Agrawal, who described the classic “I’m stuck in London” scam that was conducted via Facebook chat. The scammer used a compromised Facebook account in an attempt to solicit emergency funds from the victim’s friend. Here’s an excerpt from the chat transcript:
Matt: hi. whats up?
Rakesh: Hi Matt. Everything OK?
Matt: well,im really stuck here in london. i had to visit a resort here in london and i got robbed at the hotel im staying
The scammer was using Matt’s Facebook account and, as far as I can tell, was a human being. However, such interactions could have easily been automated using a chat bot.
Automating Scam Interactions Using Chat Bots
The idea of chat bots is an old one, dating back to early implementations of ELIZA. According to Wikipedia, its most famous implementation was DOCTOR, which simulated human-like interactions with a psychotherapist. A scammer could use similar software to automate the bot’s chat interactions with victims. Though I haven’t witnessed an elaborate level of engagement by bots on social networking sites, attackers are starting to automate some aspects of Facebook chats.
For instance, a SANS Internet Storm Center reader reported receiving a Facebook chat message from a friend that started with “Hey [Name] you got a second?”. When the person responded, the bot replied with “I can’t score higher than 600 on the quiz, do you think you can?” and provided a link to a suspicious site. (Update: For a transcript of a similar chat and more thoughts on chat bots, take a look at Chat Bots, Rise of the Cyborgs by Rik Ferguson.)
Along these lines, Chester Wisniewski outlined a network worm that was spreading on Facebook by using chat to distribute malicious links.
Perhaps more interestingly, here’s an example of an AOL Instant Messenger bot that is a bit more advanced in its chatting abilities. This was reported on a discussion forum:
friend: what ya up to
victim: not much
victim: i got minecraft!
friend: you have to see this best buy is giving away giftcards still for a couple of days
victim: i live in germany
friend: if you hurry you can still get one i just signed up for mine its awesome look at this hxxp://bestuygiveaway.co.tv
The bot seems to be using a compromised AOL Instant Messenger account of the victim’s friend to social-engineer the person into visiting bestuygiveaway.co.tv.
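As an added example (not from the original post or from any of the incidents it describes), here is a small Python detector written from the defender’s side for the SMS lures discussed earlier (update.vtext02.net, verizon.vtext-1.com) and the chat lure above: it pulls links out of a message, works out the registrable domain, and flags hosts whose labels imitate a brand name but do not sit under a domain that brand actually uses. The brand allowlist, brand tokens and the tiny public-suffix table are assumptions constructed for the example, and the sample messages are constructed to resemble the ones quoted on this page.

```python
import re

# Constructed allowlist (an assumption): registrable domains each brand really uses.
BRAND_DOMAINS = {
    "verizon": {"verizon.com", "verizonwireless.com", "vtext.com"},
    "bestbuy": {"bestbuy.com"},
}
# Tokens whose presence in a hostname label suggests the brand is being imitated.
BRAND_TOKENS = {"verizon": ("verizon", "vtext"), "bestbuy": ("bestbuy",)}
MULTI_LABEL_SUFFIXES = {"co.tv", "co.uk"}  # tiny stand-in for the public suffix list
# http/https and defanged hxxp links; tolerates a stray space after "://".
URL_RE = re.compile(r"(?i)\b(?:hxxps?|https?)://\s?([a-z0-9.-]+)")

def extract_hosts(text):
    """Lower-cased hostnames of every link found in a message."""
    return [h.lower().strip(".") for h in URL_RE.findall(text)]

def registrable_domain(host):
    """The domain a registrant actually controls, e.g. 'vtext-1.com' or 'x.co.tv'."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def levenshtein(a, b):
    """Edit distance, used to catch one-character typo-squats such as 'bestuy'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def imitated_brand(host):
    """Brand that some label of the host imitates (exact or one edit away), else None."""
    for label in host.split("."):
        for brand, tokens in BRAND_TOKENS.items():
            for tok in tokens:
                for width in (len(tok) - 1, len(tok), len(tok) + 1):
                    for i in range(max(1, len(label) - width + 1)):
                        if levenshtein(label[i:i + width], tok) <= 1:
                            return brand
    return None

def suspicious_links(text):
    """(host, brand) pairs for links that imitate a brand outside that brand's domains."""
    findings = []
    for host in extract_hosts(text):
        brand = imitated_brand(host)
        if brand and registrable_domain(host) not in BRAND_DOMAINS[brand]:
            findings.append((host, brand))
    return findings

# Constructed sample messages modelled on the SMS and chat lures quoted on this page.
SAMPLES = [
    "Verizon alert: visit http://update.vtext02.net to update your account information.",
    "V.erizon.wireless.update. Please click on http:// verizon.vtext-1.com and proceed.",
    "you have to see this, best buy is giving away giftcards hxxp://bestuygiveaway.co.tv",
    "Your Verizon bill is ready at https://www.verizon.com/myverizon",
]

if __name__ == "__main__":  # demo run: the first three samples are flagged, the last is clean
    print([suspicious_links(m) for m in SAMPLES])
```

The one-edit window match is what catches “bestuy” standing in for “bestbuy”; widen the allowlist rather than the tokens when a legitimate brand domain trips the check.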
It’s relatively easy to create a chat bot that is much more intelligent than the examples I’ve shown here. One of many ways to accomplish this is to use Pandorabots, which is an experimental (non-malicious) free chat bot hosting service.
A bot can easily tap into the Facebook chat platform, because Facebook supports the commonly used Jabber/XMPP protocol. To see how quickly someone can create a simple Facebook chat bot, take a look at the instructions published by Abhinav Singh.
How to Prepare for Dealing with Smarter Chat Bots
Though I haven’t seen particularly smart chat bots trolling social networks yet, I think it’s only a matter of time before scammers invest in more intelligent bots that are hard to distinguish from humans. With this in mind, it might be worth educating end-users that attackers may be able to use compromised social network accounts for malicious chats. Also, perhaps some day we will have tools that:
Intelligent chat bots on social networks aren’t an issue at the moment, as far as I know. However, I will be surprised if attackers don’t move in this direction as we spend more time chatting with friends on social networking sites.
This note is part of a 4-post series that reflects on malware-related activities on on-line social networks and considers their implications. Other posts are: