07 February 2012

Social Engineering Yourself A BotNet

Not too long ago the announcement about an Internet Sponsorship Law, SOPA, basically caused the Internet to blow up with people voting, supporting, and showing how much they disliked this proposed bill. The way the “Internet Community” came together is a lesson in mass influence itself, but we are going to focus on a different aspect of this drama.

The hacktivist group Anonymous reared its head in this debate to show its disdain for any law that would censor or prohibit the use of the Internet, and they did so using a form of social engineering.
One of the less influence-based forms of social engineering involves drawing people to a website that is either loaded with malicious software/code or has downloads that are dangerous or infected. Apparently, Anonymous used this form of social engineering to create, in essence, one of the world’s largest botnets full of unsuspecting participants.

How?
Anonymous used its legions of faithful supporters to spread shortened links that drew interested parties to certain URLs. Since a user can’t possibly know what to expect when they load a shortened URL, Anonymous capitalized on this to create its botnet.

As users went to the listed URLs, their browsers were hijacked and some code was executed. Once executed, it caused the user’s browser to make a massive number of requests to the target’s websites (in this case DOJ and FBI). When hundreds or thousands or even more people hit these malicious URLs, so much traffic is sent that it DDoSes the sites in question.

What are the implications of this type of attack? This form of social engineering is pretty malicious. Even simple curiosity can make the site visitor an unwilling participant in an act that could be considered terrorism. This, of course, is a very serious matter as traffic from home or work users becomes inundated with this malicious traffic.

In the age of shortened URLs, this kind of story just makes it ever more clear that the user needs to take responsibility before clicking a link. These types of attacks are how people’s computers get hacked and how accounts are compromised. Now, it’s how massive botnets are created.
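For a network defender, a browser pulled into this kind of flood stands out in web proxy logs: one client sends a burst of requests to a single host, all referred by a page on a different site. The sketch below is an added example, not code from the original post; the log format, host names, addresses, window and threshold are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit

WINDOW = timedelta(seconds=10)  # assumed sliding window
THRESHOLD = 20                  # assumed ceiling for cross-site requests per window


def parse(line):
    """Split one constructed log line: ISO time, client IP, URL, Referer ('-' if none)."""
    ts, client, url, referer = line.split()
    return (datetime.fromisoformat(ts), client,
            urlsplit(url).hostname, urlsplit(referer).hostname)


def find_floods(lines, window=WINDOW, threshold=THRESHOLD):
    """Return (client, requested host, referring host) triples that exceed the threshold."""
    recent = defaultdict(deque)
    flagged = set()
    for line in lines:
        ts, client, host, ref = parse(line)
        if ref is None or ref == host:
            continue  # no Referer or same-site request: not this pattern
        hits = recent[(client, host, ref)]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()
        if len(hits) > threshold:
            flagged.add((client, host, ref))
    return flagged


def sample_log():
    """Constructed data: one hijacked browser, one user browsing normally."""
    start = datetime(2012, 2, 1, 14, 0, 0)
    lines = [f"{start.isoformat()} 10.0.0.5 http://landing.example/p -"]
    for i in range(40):  # 40 script-driven requests in 4 seconds
        t = (start + timedelta(milliseconds=100 * (i + 1))).isoformat()
        lines.append(f"{t} 10.0.0.5 http://target.example/ http://landing.example/p")
    for i in range(5):   # ordinary page load pulling a few images
        t = (start + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} 10.0.0.9 http://cdn.example/img{i}.png http://news.example/")
    return lines


if __name__ == "__main__":
    for client, host, ref in sorted(find_floods(sample_log())):
        print(f"{client}: flood to {host} driven by page on {ref}")
```

The threshold needs tuning against normal traffic, since busy pages legitimately load many resources from a CDN in a short time.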

06 February 2012

Be on the Lookout for Phishing Emails

Posted on: February 2, 2012 in Industry Issues by Chris Williams

If you keep up with tech news, you might have seen the story recently about a new technology standard developed by Microsoft, Yahoo, Google, and Facebook to cut down on spam emails and phishing attempts. It’s an exciting new technology that will help protect users by increasing checks and reporting on sent emails.

However, even with stricter standards for spam filtering, the occasional phishing email might still find its way to your inbox. Phishing emails are standard emails from people trying to convince you to give them information like passwords, usernames, credit card numbers, social security numbers, or other secure data. Every email user needs to know how to spot phishing emails so they can be deleted.

Here are five easy things to look for that you can use to spot phishing emails before you respond with sensitive information.

1. Emails from companies or people asking for information they should already have, such as accounts and passwords – a company will never ask you for your password.

2. Emails asking for personal identity information – your date of birth, bank account information, social security number, or other personal information. There’s no reason to ever give personal information via email.

3. Emails with weird formatting, spelling mistakes, or bad grammar – most phishing attempts come from overseas, so they often contain mistakes a native English speaker wouldn’t make. Others are hurriedly prepared, so they may contain mistakes as well.

4. Links or attachments you didn’t request – never click on a link in an email, or open an attachment, if you didn’t request for a link or attachment to be sent to you.

5. Unknown senders or strange domain names – if the domain name of the sender looks strange, or the sender is unknown to you, learn more about the sender or company before you take action. If it looks strange, delete or report the email.

Here’s an example of a phishing email:
For more information on spotting a phishing email, check Microsoft’s support page. If you’re a Google user and receive phishing emails, you can learn how to report them to Google here.

Remember the first step is staying vigilant. Don’t provide personal or sensitive information through email if you can avoid it, especially to people you don’t know.


03 February 2012

9 Reasons to Enforce Web Security within the Organization

Considering the wide range of malicious content threatening your users, implementing strong web security within the organization is a crucial part of any defense-in-depth strategy. Web security doesn’t have to mean blocking your users’ access to the Internet, but it does mean protecting them from the types of threats they will encounter every day. Here’s a rundown of the top nine threats to help you understand the importance of strong web security. Some of these are threats to your users; others are threats to their productivity. All are things web security can help you protect against.

1. Compromised sites hosting malware
Every day you can read about sites that have been compromised by attackers. Hacked sites hosting malware are a common way to spread the damage to hundreds or thousands of others very quickly. Strong web security can protect your users by blocking access to compromised sites, and by scanning any downloads for malware.

2. Cross-site scripting attacks
Cross-site scripting can steal credentials, direct users to sites specifically hosting malware, and worse. Web security can detect when an XSS is attempted and protect users from the effects.

3. Typo-squatters
It’s common for people to register domains that are either misspelled, or simple one-offs from other sites to try to get traffic from users’ typos. Sometimes these sites simply have aggressive sales content; other times they are set up to look like the real site to fool users. Either way, web security can prevent this all too common mistake from doing damage.

4. Phishing sites
Phishing emails almost always include links to sites, where the real damage can be done. Web security can block access to these phishing sites.

5. Adult content
The last thing you need is an HR issue to deal with because someone clicked the wrong link in some search results. Web security can enforce the acceptable use policy, preventing both the intentional and accidental violations from occurring.

6. Controversial content
Adult content is not the only risk; political and religious sites may not be appropriate for users to access while at work and web security can ensure that Internet access is business appropriate.

7. Time sinks
If you have ever surfed the web, you have probably experienced the time loss that comes from a planned 30 second check-in that becomes a 30 minute catch up with what else is going on. “Just one more click…” can cost your company hours of lost productivity. Web security doesn’t have to block all personal Internet access; it can permit that within reasonable time limits.

8. Bandwidth hogs
One Internet audio stream may seem like it uses an insignificant amount of bandwidth, but with everyone streaming music, your pipe can quickly become clogged. Web security can monitor and identify the major bandwidth users, or block access to streaming media completely to save that bandwidth for important things, like customer orders.

9. Copyright violations
If a user downloads a pirated movie from your network, you could face liability. Web security can block access to these download sites, and block torrents and peer-to-peer sharing so you don’t worry about C&D letters or lawsuits.

With strong web security protection technology in place, you protect your users, your infrastructure, your data and, ultimately, your company. Look at web security as a critical component of your information security strategy.

This post was provided by Casper Manes on behalf of GFI Software Ltd.