Fighting ID Fraud

In today's fast paced world of IT where messaging systems are all about real-time information sharing and less about handwriting a letter to be sent via the post, many of us are looking to the internet for our relationships. The success of online dating sites is testament to people's modern day approach to falling in love. This Valentine's Day should be approached with caution especially when it comes to e-cards and other love related emails, tweets or private messages.

How many of you remember the chaos caused by the ILOVEYOU worm that spread in 2000? The basic premise of the attack was pretty simple, the payload of the virus was an active VBScript that had a number of functions. It was spread by an email with the words "ILOVEYOU" in the subject line and an attachment that was spoofed to look like a simple text file. I am sure for most, it was simple curiosity that caused them to open the email and then the attachment but the consequences were very telling in the context of social engineering.

By opening the attachement the VBScript, which ran on the user's machine, sent a copy of itself to all email addressess in the user's Windows Address Book. Strangely this worm was released in May of 2000, but I reckon the spread and damage could have been far greater if the organiser of the attack had chosen Valentine's Day (Feb 14th) when love was truly in the air. Having said that however the spread was huge with a reported 50 million infections within the first 10 days in the wild. Governments and corporations spent in the region of five and a half billion dollars cleaning up the clogged mail systems and rectifying the changes the worm made to the host systems. In all of the mayhem, there were a number of technical vulnerabilities that helped but there was one critical factor that assisted the worm's spread reach the numbers it did: Social Engineering!

Recent news about a spate of "romance" based social engineering scams has highlighted to me just how vulnerable some people are to this form of attack. True, it may not involve your identity being compromised, but some victims have handed over thousands in payments to these fraudsters claiming to be somebody that they are not. So here are some things to remember this Valentine's Day...

1) Be wary of any emails with suspicious attachments even if they are from a "friend"

2) Just like phishing, do NOT follow strange links in emails or messages

3) Don't be too quick to trust strangers online although social engineering fraudsters know their attacks may take time to get the full return

4) Never send money to someone you have never met, anybody can say they are anybody on the internet, a profile picture does not prove their identity

For more information on social engineering have a look at some of these resources...

The Art of Human Hacking

Social Engineering: The Basics - CSO Online

Manipulating the Source - SANS

A Means to Violate a Computer System - SANS