A person may be using a genuine operating system, applications and of course a world class antivirus software – all of them purchased for few thousands of rupees or hundreds of dollars and nothing for free. But still he is not 100% safe in the wild west of Internet today. Because it is not just virus, trojan or any such malware – it is social engineering.

With the robust and genuine software and hardware security applications the cost of computing is going too high. The vendors are no more struck in pleasing their consumers with just the usability features. They have tightened the technology and even releasing numerous updates though they seem overwhelming to their customers. In this kind of situation, finding out new vulnerabilities in software and them trying to exploit them with viruses and trojans are not viable for the hackers. It is here where they figured a new strategy – exploiting the weakest link of a sturdy technical security system. Guess who? The human of course… It can be the administrator of the PC or a corporate network. Even luring a small employee of a corporate network into downloading something infects the network.

Kevin Metnick, a security consultant, mentions in his CSEPS Course Workbook that it is much easier to trick someone into giving a password for a system than to spend the effort to crack into the system.

Social engineering explained
The concept of Social Engineering is to directly trick the user of the computer to download malware or to reveal sensitive information under the auspice that they are doing something perfectly innocent. The task is too simple and many fall out for it for the lack of awareness on the scams being played on.

With a world class antivirus that gets 1st rank in all AV-tests and a best team releasing realtime AV definitions everyday or a robust firewall from the industry leader, is simply not helping the administrator of the computer. Because it is himself who is infecting the PC. The job of the attacker is to simply lure him to do it. However, it may not be downloading malware that the attacker wants every time. He may just lure the user into giving away some sensitive information. It ranges from SSN to credit card number.

The hacker hijacks a genuine domain or creates a genuine-looking one by himself. It is a part of website spoofing. Once the user enters the domain they are either lured into providing their personal details or download something. Selling scareware is also a part of social engineering. In fact Google reported that 90% of all domains involved in distributing fake antivirus software used social engineering techniques.

Why your antivirus can’t keep up?
Each hacker holds a number of domains under him. If one is identified and taken down, the other goes up. The malware mutation used here is also rapid. Though you have the latest version of antivirus called Internet security suite, it may be too late before the vendor identifies and releases a fresh virus definition. Microsoft has gathered information about few billions of downloads over the past two years, and roughly 1 out of every 14 program downloads are later identified as malware. In few cases, just clicking on the background of the malicious site will initiate a download.

Anti social engineering: Should it be from your computer and AV or You?
You computer security is only as robust as your security awareness. Any computer, be it running on Windows XP, Vista or Windows 7, the software will not allow any data to enter your system unless you permit it by initiating its download. And if somebody tries upload any corruptive data to your system, it wouldn’t work because you never initiated it in the first place.

The popular browsers today are designed not to download blindly anything, even if it is initiated by the user himself. The browser does its job perfectly by alerting the user with details of the initiated download. (You might remember the classic pop up of the browser with a OK and Cancel options on it.)

But the hacker is clever enough to give a set of instructions including a message saying “You will receive a warning about this control. Ignore the warning and click OK”. The user unaware of the situation clicks OK and downloads the malware. The PC is now infected under the full authorization of its administrator.

In other situation, the user might get an email saying its from his bank (email spoofing from the hacker) informing that he has withdrew a huge amount from his account and a link to site what looks like his banking website. The scared user is now tricked into typing his account details and the password. In the next few hours, the account gets emptied by the hacker.

Most of the social engineering techniques run in the same way. Agreed that genuine antivirus is required to protect your PC, but it is not designed to tackle situations like this.

Here are few tips that help you help from preventing social engineering to some extent:

  • The awareness of the user is the key here. Keep yourself updated on the online scams.
  • Avoid using administrator privileged account for PC, unless for updating the security patches.
  • Beware of unknown websites and emails that prompt you for personal information.

Most of the people fall victim for social engineering tactics either out of stupidity or greed. And unfortunately, we don’t have patches or hot-fixes for either of them. The person should also have a proper mindset to deal with social engineering tactics. A mature person is less likely to get enticed and fall for online scams.