Tuesday, June 12, 2012

Social Engineering Tricks to Hijack Your Account

Social engineering is the malicious art of turning a person's normal behavior patterns against them, to trick them into clicking on a link or taking some other damaging action. These patterns are cognitive biases, human "bugs": the things people normally do without much thought.

One of the most famous examples of social engineering was the "I love you" worm, which spread by email attachment in May 2000. An email with the subject line "I LOVE YOU" carried an attachment titled "LOVE-LETTER-FOR-YOU.TXT.vbs"; because Windows hid the final extension of known file types by default, many recipients saw only what looked like a harmless text file.

The email appeared to come from an acquaintance because the worm mailed itself from each infected machine to every address in that user's Outlook contacts. When people opened the attachment, the script overwrote files on their computers and network shares with copies of itself and sent itself on to their contacts.

Here's the psychological attack vector: Everybody wants to be loved. Love seems so innocent and pure. People like love letters. Why not open this one and start feeling loved? Ah.....OOOPS.

Social engineering attacks often share a form, a common psychology, that signals something is wrong to the savvy computer user.

That form is along the lines of "Look who's been viewing your Facebook profile" or "OMG this is sickening, check out this weird video" or "LOL This photo of you is really funny" -- then there is a link for the unwary to click.

Social engineering attacks generally focus on something that is claimed to be insulting to you, or that appeals to your vanity, your sense of security, or your dignity.

Today I saw I had a Direct Message (DM) on Twitter from a former friend, Jeff, whom I no longer feel friendly toward. So the fact that "he" sent me a DM was suspicious. The message sounded like the typical social engineering phrase: "Hey this user is saying very bad rumors about you...[URL shortener link]."

Notice the bad sentence construction. Note also how it's perfectly normal to feel resentment or concern about somebody spreading false stories, or "rumors", about yourself. This is the "cognitive bias" or "normal behavior pattern" that is being exploited.

Whoever is behind this attack is hoping I'll be angry and click on the link to see what's being said about me. The attacker has hijacked Jeff's Twitter account and is sending this message out to all his followers.

Instead of clicking on the link contained in the message, I just Googled the phrase "Hey this user is saying very bad rumors about you" and discovered that this is indeed a phishing exploit that takes you to a page that asks you to type in your Twitter password and user name, so they can hijack (hack) your account.

See Techie Buzz on "Hey User is Saying Very Bad Rumors About You".
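The common form described above (a claim about you, a shock or laugh interjection, and a link whose destination is hidden behind a URL shortener) can be turned into a simple triage heuristic. The following Python is an added example written for this page, not code from the original post: the lure phrases and the list of shortener hosts are illustrative assumptions, the scoring weights are arbitrary, and the sample DMs are constructed to match the wording quoted in the post.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Lure phrases taken from the wording quoted in the post, plus close variants.
# Assumption: an illustrative list, not a vetted threat-intelligence feed.
LURE_PATTERNS = [
    (r"\brumou?rs?\b.{0,40}\babout you\b", "claims someone is spreading rumors about you"),
    (r"\bviewing your (facebook |twitter )?profile\b", "who-viewed-your-profile bait"),
    (r"\b(this|that) (photo|pic|picture|video) of you\b", "photo/video-of-you bait"),
    (r"\b(omg|lol|wtf)\b", "shock/humor interjection"),
    (r"\bcheck (this |it )?out\b", "check-this-out prompt"),
]

# Shorteners hide the real destination, so a shortened link in an unsolicited
# message is itself a signal. Assumption: short, illustrative list of hosts.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd", "j.mp"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class LureReport:
    score: int
    reasons: list
    verdict: str


def extract_urls(text: str) -> list:
    """Return every http(s) URL in the message, trailing punctuation stripped."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def is_shortened(url: str) -> bool:
    """True if the link's host is a known URL shortener (www. prefix ignored)."""
    host = (urlparse(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host in SHORTENER_HOSTS


def score_message(text: str, sender_unexpected: bool = False) -> LureReport:
    """Score one DM for the 'something about you + hidden link' form.

    Each matching lure phrase and each shortened link adds 2 points; a sender
    who would not normally write to you (the post's own first clue) adds 1.
    """
    low = text.lower()
    score, reasons = 0, []
    for pattern, label in LURE_PATTERNS:
        if re.search(pattern, low):
            score += 2
            reasons.append(label)
    for url in extract_urls(text):
        if is_shortened(url):
            score += 2
            reasons.append("shortened link hides destination: " + url)
    if sender_unexpected:
        score += 1
        reasons.append("unexpected sender")
    if score >= 4:
        verdict = "likely lure"
    elif score > 0:
        verdict = "review"
    else:
        verdict = "ok"
    return LureReport(score, reasons, verdict)


# Constructed sample DMs (not real captures): the post's examples plus two benign ones.
SAMPLE_DMS = [
    ("Hey this user is saying very bad rumors about you... http://bit.ly/2Xy", True),
    ("OMG this is sickening, check out this weird video http://t.co/abc", False),
    ("LOL This photo of you is really funny http://bit.ly/photo", False),
    ("Look who's been viewing your Facebook profile https://bit.ly/prof", False),
    ("Are we still on for lunch Thursday at noon?", False),
    ("Here's the slide deck from today's talk: https://example.com/talk.pdf", False),
]


def triage(messages=SAMPLE_DMS) -> list:
    """Score every (text, sender_unexpected) pair and return the reports in order."""
    return [score_message(text, unexpected) for text, unexpected in messages]


if __name__ == "__main__":
    for (text, _), report in zip(SAMPLE_DMS, triage()):
        print(f"[{report.verdict:>11}] score={report.score} {text!r}")
        for reason in report.reasons:
            print("    -", reason)
```

The score is only a triage aid: a message that matches nothing can still be a lure, and the decisive check is the one the post recommends, namely never entering a password on whatever page a DM link lands on. The hostname shown in the address bar of a page asking for your Twitter credentials should be Twitter's own; a shortener such as bit.ly also shows a preview page of the destination when you append "+" to the link, which lets you see where it goes without visiting it.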

If you want to be a safe and smart web user, take a few moments to learn about Social Engineering, the easy way for bad people to attack innocent victims online.
