Computers, Networks and Theft
by Yury Mashevsky - Virus Analyst, Kaspersky Lab - Friday, 20 October 2006.
Spy programs arrive on victim machines in a number of ways: when the user visits a malicious website, via email, via online chat, via message boards, via instant messaging programs, etc. In most cases, social engineering methods are used in addition to malicious programs so that users behave as cyber criminals want them to. One example is a variant of Trojan-PSW.Win32.LdPinch, a common Trojan that steals passwords to instant messaging applications, mailboxes, FTP resources and other information. After making its way onto the computer, the malicious program sends messages such as:

"Take a look at this

< link to malicious program >

Great stuff :-)"

Most recipients click on the link and launch the Trojan. This is due to the fact that most people trust messages sent by ICQ, and don't doubt that the link was sent by a friend. And this is how the Trojan spreads - after infecting your friend's computer, the Trojan will send itself on to all addresses in your friend's contact list, and at the same time will be delivering stolen data to its author.

One particular cause for concern is that nowadays even inexperienced virus writers can write such programs and use them in combination with social engineering methods. Below is an example: a program written by someone who is not very proficient in English - Trojan-Spy.Win32.Agent.ih. When launched, the Trojan causes the dialogue window shown below to be displayed.

Figure 2. Dialog window displayed by Trojan-Spy.Win32.Agent.ih

The user is asked to pay just $1 for Internet services - a classic case of social engineering:
  • the user is given no time to consider the matter; payment must be made the day the user sees the message;
  • the user is asked to pay a very small sum (in this case $1). This significantly increases the number of people who will pay. Few people will make the effort to try and get additional information if they are only asked for one dollar;
  • deception is used to motivate the user to pay: in this case, the user is told that Internet access will be cut off unless payment is made;
  • in order to minimize suspicion, the message appears to come from the ISP's administrators. The user is expected to think that it is the administrators who have written a program via which payment can be made in order to save users time and effort. Additionally, it would be logical for the ISP to know the user's email address.

The first thing that the program does is leave the user with no choice but to enter his/her credit card data. As no other option is available, an obedient user will click on "Pay credit card". The dialog box shown below in Figure 3 will then be displayed:

Figure 3. Credit card information dialog displayed by Trojan-Spy.Win32.Agent.ih

Of course, even when the user fills in all the fields and clicks on "Pay 1$" no money will be deducted. Instead, the credit card information is sent via email to the cybercriminals.

Social engineering methods are also often used independently of malicious programs, especially in phishing attacks (i.e. attacks targeting customers of banks that offer online banking services). Users receive emails supposedly sent by the bank. Such messages state that the customer's account has been blocked (this is, of course, untrue) and that the customer should follow the link in the message and enter his/her account details in order to unblock the account. The link is specially designed to look exactly like the Internet address of the bank's website. In reality, the link leads to a cyber criminal's website. If account details are entered, the cyber criminal will then have access to the account.
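The mismatch the paragraph describes, a link whose visible text looks like the bank's address while its real destination is a criminal's site, is something a mail filter or security-awareness tool can check mechanically. The following example is added here and is not part of the original article or of any Kaspersky tool: it extracts every link from an HTML email body and flags those whose displayed URL names the trusted domain but whose href resolves elsewhere, plus hrefs that merely embed the bank's name inside a foreign host. The email body, the `example-bank.com` domain and the helper names are all constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not from the article): the first link shows the
# bank's URL as text but points to a foreign host, the second is genuine, and the
# third hides the bank's name inside an unrelated domain.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your account has been blocked.</p>
<p>Please sign in at <a href="http://login.example-bank.com.verify-account.example/unlock">https://www.example-bank.com/online</a> to unblock it.</p>
<p>Questions? Visit <a href="https://www.example-bank.com/help">our help page</a>.</p>
<p>Or use <a href="http://example-bank-secure.example/login">this secure form</a>.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently being read, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Approximate the registrable domain by the last two DNS labels.
    Sufficient for the demo; production code should consult a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def suspicious_links(html, trusted_domain):
    """Return a list of findings for links that impersonate trusted_domain.

    Two patterns are checked: the visible text is a URL on the trusted domain
    while the href goes to another registrable domain, or the href host is
    foreign but contains the trusted brand label (e.g. 'example-bank')."""
    parser = LinkExtractor()
    parser.feed(html)
    brand = trusted_domain.split(".")[0]
    findings = []
    for href, text in parser.links:
        actual_host = urlparse(href).hostname or ""
        href_domain = registered_domain(actual_host)
        if href_domain == trusted_domain:
            continue  # destination really is the bank; nothing to flag
        m = URL_IN_TEXT.search(text)
        shown_domain = registered_domain(urlparse(m.group(0)).hostname or "") if m else None
        if shown_domain == trusted_domain:
            reason = "displayed URL and destination differ"
        elif brand in actual_host:
            reason = "trusted name embedded in a foreign host"
        else:
            continue
        findings.append({"shown": text, "actual_host": actual_host, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL_HTML, "example-bank.com"):
        print(f"{finding['reason']}: '{finding['shown']}' -> {finding['actual_host']}")
```

Run against the constructed body, the function reports the first and third links and leaves the genuine help-page link alone. The last-two-labels heuristic is the weak point: hosts under multi-label public suffixes (such as co.uk) would need a real public-suffix list before this logic is trusted in a production filter.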
