Virus Propagation via Social Engineering

Malware will always be a security issue, no matter how much effort security engineers put into building better protection models. There will always be security vulnerabilities to exploit because code is written by humans. But above all, it is the humans who use that code that open it up to the biggest flaws. Not only do people find it hard to follow security practices such as keeping their operating system and anti-malware patched to the latest version, they are also very vulnerable to exploits aimed at the human rather than the machine, many of which lead directly to compromise.

Malware propagators have found an ultimate tool to spread their malicious code by hacking the human operating system. Social engineering techniques are used to deceive people to download a piece of malware by influencing their cognitive behavior.

In this article, I will be discussing three social engineering techniques used by malware propagators which I’ve observed for the past two years – deceit by curiosity, deceit by fear and deceit by trust.

Deceit by Curiosity

Malware propagators use topical issues that the general population around the world is interested in (e.g. the World Cup, the death of Michael Jackson, secrets of MJ's Neverland, the death of Steve Jobs, etc.) to lure them into downloading a piece of malware onto their computer. Using SEO (Search Engine Optimization) techniques, they push their rogue web sites to the top of the search results, seducing users into visiting. These sites usually host drive-by download malware that is downloaded to visitors' computers simply by visiting the site.

A very effective medium used by virus propagators to infect the unwary is email. The emails promise the latest news on these events, but embedded in their hyperlinks or file attachments is the malware that exploits the victim's computer.

Deceit by Fear

Similar to deceit by the emotion of curiosity, deceit by fear leverages a more specific type of event: one that triggers the emotion of fear, such as the end of the world in the year 2012, a huge asteroid on its way to destroy Earth, or the memorable Y2K worm that could possibly throw mankind back to the Stone Age. Even if you are tech savvy, you will be curious and fearful about the outbreak of the Conficker worm, Stuxnet (probably the first politically driven malware) and the current Duqu. In addition to its entertainment value, the emotion of fear gives users an incentive to learn more about the event. That fear can cause someone to take an action that leads to their exploitation and infection.

Deceit by Trust

In addition to either of the emotions discussed, which the virus propagator is manipulating, users are more vulnerable if the lure appears to come from someone they trust (e.g. family and friends). Going back to the decade-old ILOVEYOU email worm, which sent a love letter containing a computer worm to all the friends of the victimized user: the recipient, curious about what a friend (a trusted person) has sent them, is more likely to fall into the trap set by the malware propagator.

This malware usually contains a payload that continues the cycle by performing the same action to its victim’s web-of-trust.

This technique has passed the test of time. Hyperlinks to rogue web sites and file attachments that contain malware are still seen to spread not only via emails and instant messaging, but also in the social network sites (e.g. Facebook, Twitter, MySpace, etc).

If malware propagators combine deceiving users through their web-of-trust with either of the other two techniques discussed above, the likelihood of success increases.

Aside from infecting visitors' computers with malware, these rogue sites are a perfect platform for malicious actors to phish credit card information from their victims. What better time to get emotional users to buy a limited edition Michael Jackson music CD or an Apple product from a non-official web site?

Playing on these emotions, infecting their computer then following up with an “offer” that furthers the attack makes these especially malicious forms of social engineering.

Conclusion / Prevention

Again, these techniques appear to be very successful even over a long period of time. It is difficult to find a patch for this vulnerability since it involves so much of the human OS. Malware propagators simply have to tweak their methods a little, shifting their medium (e.g. from email to social networks), or simply find a whole new event of interest, and people are vulnerable all over again.

Still the general rules of prevention are…

  • Only get your source from trusted web sites – even then it is important to verify your sources as even major news and media sites have been compromised in the last year.
  • Always investigate where you are hyperlinking to – normally hovering over a hyperlink will tell you where you will be going if you click.
  • Doubt whatever is on the Internet
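The second rule above, checking where a link really goes before clicking, can be applied automatically to an email or a web page before it reaches a user. The following is an added example and not code from the original article: it parses the anchors in a constructed HTML message and flags links whose visible text names one site while the href points at another (including the lookalike subdomain trick), links to raw IP addresses, and links using non-web schemes. The function and sample names are assumptions made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Visible anchor text that looks like a URL or host name, e.g. "www.bbc.co.uk/news".
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#].*)?$", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class _AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _same_site(shown, actual):
    """True if the real host is the shown host or a subdomain of it.
    'bbc.co.uk.example.net' shown as 'bbc.co.uk' is NOT the same site."""
    shown = shown.lower().removeprefix("www.")
    actual = actual.lower().removeprefix("www.")
    return actual == shown or actual.endswith("." + shown)


def flag_deceptive_links(html):
    """Return (text, href, reason) for every link a user should not trust on sight."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        target = urlparse(href)
        host = (target.hostname or "").lower()
        if target.scheme and target.scheme not in ("http", "https"):
            findings.append((text, href, "non-web scheme"))
        elif IPV4_RE.fullmatch(host):
            findings.append((text, href, "raw IP address"))
        elif (m := HOST_RE.match(text)) and not _same_site(m.group(1), host):
            findings.append((text, href, "shown host differs from real host"))
    return findings


# Constructed sample message (not a real email) mixing honest and deceptive links.
SAMPLE_EMAIL = """
<p>Breaking news: <a href="http://news.example.com/mj">news.example.com/mj</a></p>
<p>Watch now: <a href="http://update-required.example.net/login">www.bbc.co.uk/news</a></p>
<p>Click <a href="http://192.0.2.10/setup.exe">here</a> to see the video</p>
<p>Official: <a href="https://www.example.org/">Example site</a></p>
"""

if __name__ == "__main__":
    for text, href, reason in flag_deceptive_links(SAMPLE_EMAIL):
        print(f"{reason}: '{text}' -> {href}")
```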

Written by: Emil Tan, Team Lead, Edgis