Sutton University:Computers/Technical

Virus attacks exploit human nature with ‘social engineering’

Before we get started with this issue, we want to acknowledge that in the previous issue of tech tips we had planned on showing you more ways to increase the effectiveness of your website. However, as we have had a number of questions recently sent to the support desk about viruses, we thought we would sneak in this article out of sequence in order to help our members stay informed and protected. We promise to return to our discussion on websites in our next issue.

Social Engineering

Many of today’s computer viruses are using psychology to help them infect your computer. Regularly updating your anti-virus software is still an important part of helping keep you safe while computing, but a good dose of common sense can be even more beneficial. As example take a look at the 3 email messages below:

Bank Example:

“Dear Bank of Montreal member, we were informed that your card was used by another person or may possibly have been stolen. It may have happened if you had been shopping on-line, and someone gained access to your 'billing information' including your card number. To avoid and prevent any billing mistakes and to refund your credit card, it is strongly recommended to proceed by filling in the secure form on our site and applying for our Zero Liability program. This program is free and it will help us to investigate this accident."

Hot Gossip Example:

“In a startling turn of events, this season’s winner of American Idol appears to be in danger of losing her title. Senior producers of the idol series spoke with CNN’s Paula Zhon, saying “…all contestants have signed contractual agreements regarding their full disclosure of any criminal records… and this type of behavior definitely qualifies as a significant breach of contract…” To get the full story, please click here.”

Computer Support Example:

“Dear Sutton member, your email account has been temporarily suspended because of improper use. If you wish to restore your account, please access and return the attached file to support@sutton.com.”

Each of these actual messages had a seemingly legitimate email address (all of which were faked), and some even had the corresponding company logo and colors incorporated into the message formatting. However, each of these messages were not from the proclaimed senders and were in fact efforts to transmit viruses!

What each of these messages has in common is their use of ‘social engineering’ – they are constructed to look and sound authentic, and to either create concern or pique curiosity in the reader in order to prompt a reader to take a course of action that they shouldn’t. In the examples listed above, by clicking on the ‘secure form’, visiting the ‘company website’ or

Sutton University:Computers/Technical

opening up the attached file what the reader has just done is exposed their computer to a virus!

How to protect yourself from each example:

With the bank example – Whenever you get email requests for account information from your bank, credit card company, PayPal or other similar source you should always seek confirmation from the company that the email is in fact authentic. In this example, the email is using fear to get you to act, combined with an authentic sounding ‘protection plan’ in an effort to bolster the believability of the message. But no matter how believable a message may sound, an unsolicited request for this type of personal information should always be verified before responding to.

With the ‘hot gossip’ example – Whether it’s getting the latest details on a reality TV scandal or promised nude celebrity pictures, hot topics have always been a staple tool that virus creators have used for tempting people to visit a malicious site or open an infected attachment. As tempting as it may be to get the latest scoop, whenever you get these sorts of messages you should always ask yourself, “Is the promised payoff of opening this message really worth the risk of having to go to the manager and explain that you accidentally infected the office network while trying to have a peek at pictures of Brad Pitt’s bare backside?”

With the Sutton Support example - Internet or email service providers rarely request a password change via e-mail. And we will never ask you to send us any password information via e-mail or attached form. If you are being requested to confirm or change information, never use the link provided in the message.

These links are easy to fake – they may appear to be directing you to an authentic site, but may actually direct you somewhere else that may compromise your computer. Always request confirmation, especially before opening up an unexpected attachment.

In Summary:

Unless you are absolutely sure of a sender’s identity, never give out your personal information like your credit card details, usernames or passwords. If you have any doubts at all about the authenticity of the email then request confirmation. If you are not sure about the sender of a strange attachment then you should avoid opening these sorts of unsolicited email attachments. More likely than not they are infected with a virus.

Whenever in doubt, seek confirmation. The small amount of extra effort will save you a lot of headaches down the road.