Even the best of us fall prey!

Even the best of us fall prey!

The guile and the deceit of malware hit home recently! In separate incidents spaced by a couple of days, two of my self-ordained “security savvy” friends fell prey !

In the first instance, my friend got an e-mail at her work address (first red flag) from LinkedIn with an innocuous looking link that tempted her to click it to see what three of her contacts had been up to – the guile here being that the perpetrators were using a mechanism that LinkedIn users are accustomed to – periodic opt-in emails about their contacts whereabouts. Except that in this case the e-mail was not from LinkedIn but was a phishing attack. A click was all it took for the malware to install itself – likely through ActiveX or Javascript – and it mined all of my friend’s contacts in Facebook, Gmail, and [Outlook?] Address Book and sent individual invitations to the tune of 600 folks – including roofing contractors, maid services, hospital administrators … on LinkedIn inviting them to join her network. To top it all, she did not even realize that this had transpired for well over a week; it was only when she started getting random folks accepting her “invitations” that she surmised there was something spooky going on. Checking her “sent invitations” did not yield any results. She had to delve into her “Trash” to see the spate of invitations purportedly from her to all and sundry. The malware had conveniently remembered to delete all the sent invitations so that it would be harder to find unless the user went into the trash folder – talk about not leaving any loose ends!

Apart from the obvious violation of privacy and sense of outrage that she felt, her aura of impregnability built by years in the steeped security business took a drubbing too! The lesson here is that even for the best of us, the sophistication and evolution of malware needs to be treated with respect and we need to be on guard all the time – as the saying goes “guilty until proven innocent” and we need to apply this to every facet of our online world.

Next time I will delve into the specifics of the second incident!

Everyone's Tags:

Labels:

security

Comments

by on

Hey what's up Ashwin!! =]

I got a similar story to share. Recently I posted my car for sale on Craigslist. What was I thinking, I know. But was it really this bad?

I immediately got one email which had the name different from the email address. The reply-to was also different and had 2 names as well, one name, one the email in parentheses. Anyways, I knew this was bad immediately so of course skipped it. But the next day's email came as quite a surprise. A new person with a good story. They want it really bad and are willing to meet me downtown in a public place, but first they need to check their insurance. Their computer isn't working and all they have is their smartphone. So they can't get a insurance quote, so would I be so kind to click on this link to get an insurance quote for them, LMAO!! Yeah, right, AS IF!! =P

Anyways, malware is becoming more and more like social engineering these days. VERY scary times indeed... Junos Pulse FTW!! </shameless plug> =D