- the user is given no time to consider the matter; payment must be made the day the user sees the message.
- the user is asked to pay a very small sum (in this case $1). This significantly increases the number of people who will pay. Few people will make the effort to try and get additional information if they are only asked for one dollar;
- deception is used to motivate the user to pay: in this case, the user is told that Internet access will be cut off unless payment is made;
- in order to minimize suspicion, the message appears to come from the ISP's administrators. The user is expected to think that it is the administrators who have written a program through which payment can be made in order to save users time and effort. Additionally, it would be logical for the ISP to know the user’s email address.
Figure 3. Credit card information dialog displayed by Trojan-Spy.Win32.Agent.ih
Of course, even when the user fills in all the fields and clicks on “Pay 1$”, no money will be deducted. Instead, the credit card information is sent via email to the cybercriminals.
Social engineering methods are also often used independently of malicious programs, especially in phishing attacks (i.e. attacks targeting customers of banks that offer online banking services). Users receive emails supposedly sent by the bank. Such messages state that the customer's account has been blocked (this is, of course, untrue) and that the customer should follow the link in the message and enter his/her account details in order to unblock the account. The link is specially designed to look exactly like the Internet address of the bank’s website. In reality, the link leads to a cyber criminal’s website. If account details are entered, the cyber criminal will then have access to the account.
However, cyber criminals aren’t only interested in credit card information. They are also interested in the email addresses which victim machines contain. How are these addresses stolen? Here, a crucial role is played by malicious programs which Kaspersky Lab classifies as SpamTools. These programs scan victim machines for email addresses, and the addresses harvested can be instantly filtered according to predefined criteria, e.g. the program can be configured to ignore addresses which clearly belong to antivirus companies. The harvested addresses are then sent to the author/user of the malicious program.
There are other ways of planting Trojans on user computers, some of which are extremely brazen. There are cases where cyber criminals offered to pay website owners for loading malicious programs onto the machines of users who visited their websites. One example of this is the iframeDOLLARS.biz website: it offered webmasters a “partner program” that involved putting exploits on their websites so that malicious programs would be downloaded to the machines of those who viewed the sites. (Of course, this was done without the users’ knowledge.) These “partners” were offered $61 per 1,000 infections.
Dealing in Stolen Goods