Mitnick K.D., Simon V.L. - The Art of Deception (2003)(en)

relied on social engineering techniques of deception and taking advantage of our desire to get something for nothing in order to be spread. The worm arrives as an attachment to an email that offers something tempting, such as confidential information, free pornography, or - a very clever ruse - a message saying that the attachment is the receipt for some expensive item you supposedly ordered. This last ploy leads you to open the attachment for fear your credit card has been charged for an item you didn't order.

It's astounding how many people fall for these tricks; even after being told and told again about the dangers of opening email attachments, awareness of the danger fades over time, leaving each of us vulnerable.

Spotting Malicious Software

Another kind of malware - short for malicious software - puts a program onto your computer that operates without your knowledge or consent, or performs a task without your awareness. Malware may look innocent enough, may even be a Word document or PowerPoint presentation, or any program that has macro functionality, but it will secretly install an unauthorized program. For example, malware may be a version of the Trojan Horse talked about in Chapter 6. Once this software is installed on your machine, it can feed every keystroke you type back to the attacker, including all your passwords and credit card numbers.

There are two other types of malicious software you may find shocking. One can feed the attacker every word you speak within range of your computer microphone, even when you think the microphone is turned off. Worse, if you have a Web cam attached to your computer, an attacker using a variation of this technique may be able to capture everything that takes place in front of your terminal, even when you think the camera is off, day or night.

LINGO

MALWARE Slang for malicious software, a computer program, such as a virus, worm, or Trojan Horse, that performs damaging tasks.

MITNICK MESSAGE

Beware of geeks bearing gifts, otherwise your company might endure the same fate as the city of Troy. When in doubt, to avoid an infection, use protection.

A hacker with a malicious sense of humor might try to plant a little program designed to be wickedly annoying on your computer. For example, it might make your CD drive tray keep popping open, or the file you're working on keep minimizing. Or it might cause an audio file to play a scream at full volume in the middle of the night. None of these is much fun when you're trying to get sleep or get work done... but at least they don't do any lasting damage.

MESSAGE FROM A FRIEND

The scenarios can get even worse, despite your precautions. Imagine: You've decided not to take any chances. You will no longer download any files except from secure sites that you know and trust, such as SecurityFocus.com or Amazon.com. You no longer click on links in email from unknown sources. You no longer open attachments in any email that you were not expecting. And you check your browser page to make sure there is a secure site symbol on every site you visit for e-commerce transactions or to exchange confidential information.

And then one day you get an email from a friend or business associate that carries an attachment. Couldn't be anything malicious if it comes from someone you know well, right? Especially since you would know who to blame if your computer data were damaged.

You open the attachment, and... BOOM! You just got hit with a worm or Trojan Horse. Why would someone you know do this to you? Because some things are not as they appear. You've read about this: the worm that gets onto someone's computer, and then emails itself to everyone in that person's address book. Each of those people gets an email from someone he knows and trusts, and each of those trusted emails contains the worm, which propagates itself like the ripples from a stone thrown into a still pond.

The reason this technique is so effective is that it follows the theory of killing two birds with one stone: The ability to propagate to other unsuspecting victims, and the appearance that it originated from a trusted person.

MITNICK MESSAGE

Man has invented many wonderful things that have changed the world and our way of life. But for every good use of technology, whether a computer, telephone, or the Internet, someone will always find a way to abuse it for his or her own purposes.

It's a sad fact of life in the current state of technology that you may get an email from someone close to you and still have to wonder if it's safe to open.

VARIATIONS ON A THEME

In this era of the Internet, there is a kind of fraud that involves misdirecting you to a Web site that is not what you expected. This happens regularly, and it takes a variety of forms. This example, which is based on an actual scam perpetrated on the Internet, is representative.

Merry Christmas. . .

A retired insurance salesman named Edgar received an email one day from PayPal, a company that offers a fast and convenient way of making online payments. This kind of service is especially handy when a person in one part of the country (or the world, for that matter) is buying an item from an individual he doesn't know. PayPal charges the purchaser's credit card and transfers the money directly to the seller's account.

As a collector of antique glass jars Edgar did a lot of business through the on-line auction company eBay. He used PayPal often, sometimes several times a week. So Edgar was interested when he received an email in the holiday season of 2001 that seemed to be from PayPal, offering him a reward for updating his PayPal account. The message read:

Season's Greetings Valued PayPal Customer;

As the New Year approaches and as we all get ready to move a year ahead, PayPal would like to give you a $5 credit to your account!

All you have to do to claim your $5 gift from us is update your information on our secure Pay Pal site by January 1st, 2002. A year brings a lot of changes, by updating your information with us you will allow for us to continue providing you and our valued customer service with excellent service and in the meantime, keep our records straight!

To update your information now and to receive $5 in your PayPal account instantly, click this link:

http://www.paypal-secure.com/cgi-bin

Thank you for using PayPal.com and helping us grow to be the largest of our kind!

Sincerely wishing you a very "Merry Christmas and Happy New Year," PayPal Team

A Note about E-commerce Web Sites

You probably know people who are reluctant to buy goods on line, even from brand-name companies such as Amazon and eBay, or the Web sites of Old Navy, Target, or Nike. In a way, they're right to be suspicious. If your browser uses today's standard of 128-bit encryption, the information you send to any secure site goes out from your computer encrypted. This data could be decrypted with a lot of effort, but probably is not breakable in a reasonable amount of time, except perhaps by the National Security Agency (and the NSA, so far as we know, has not shown any interest in stealing credit card numbers of American citizens or trying to find out who is ordering sexy videotapes or kinky underwear).

These encrypted files could actually be broken by anyone with the time and resources. But really, what fool would go to all that effort to steal one credit card number when many e-commerce companies make the mistake of storing all their customer financial information unencrypted in their databases? Worse, a number of e-commerce companies that use a particular SQL database software badly compound the problem: They have never changed the default system administrator password for the program. When they took the software out of the box, the password was "null," and it's still "null" today. So the contents of the database are available to anyone on the Internet who decides to try to connect to the database server. These sites are under attack all the time and information does get stolen, without anyone being the wiser.

On the other hand, the same people who won't buy on the Internet because they're afraid of having their credit card information stolen have no problem buying with that same credit card in a brick-and-mortar store, or paying for lunch, dinner, or drinks with the card even in a back-street bar or restaurant they wouldn't take their mother to. Credit card receipts get stolen from these places all the time, or fished out of trash bins in the back alley. And any unscrupulous clerk or waiter can jot down your name and card info, or use a gadget readily available on the Internet, a card-swiping device that stores data from any credit card passed through it, for later retrieval.

There are some hazards to shopping on line, but it's probably as safe as shopping in a bricks-and-mortar store. And the credit card companies offer you the same protection when using your card on line--if any fraudulent charges get made to the account, you're only responsible for the first $50.

So in my opinion, fear of shopping online is just another misplaced worry.

Edgar didn't notice any of the several tell-tale signs that something was wrong with this email (for example, the semicolon after the greeting line, and the garbled text about "our valued customer service with excellent service"). He clicked on the link, entered the information requested - name, address, phone number, and credit card information - and sat back to wait for the five-dollar credit to show up on his next credit-card bill. What showed up instead was a list of charges for items he never purchased.

Analyzing the Con

Edgar had been taken in by a commonplace Internet scam. It's a scam that comes in a variety of forms. One of them (detailed in Chapter 9) involves a decoy login screen created by the attacker that looks identical to the real thing. The difference is that the phony screen doesn't give access to the computer system that the user is trying to reach, but instead feeds his username and password to the hacker.

Edgar had been taken in by a scam in which the crooks had registered a Web site with the name "paypal-secure.com" - which sounds as if it should have been a secure page on the legitimate PayPal site, but it isn't. When he entered information on that site, the attackers got just what they wanted.

MITNICK MESSAGE

While not foolproof (no security is), whenever visiting a site that requests information you consider private, always ensure that the connection is authenticated and encrypted. And even more important, do not automatically click Yes in any dialog box that may indicate a security issue, such as an invalid, expired, or revoked digital certificate.

VARIATIONS ON THE VARIATION

How many other ways are there to deceive computer users into going to a bogus Web site where they provide confidential information? I don't suppose anyone has a valid, accurate answer, but "lots and lots" will serve the purpose.

The Missing Link

One trick pops up regularly: Sending out an email that offers a tempting reason to visit a site, and provides a link for going directly to it. Except that the link doesn't take you to the site you think you're going to, because the link actually only resembles a link for that site. Here's another example that has actually been used on the Internet, again involving misuse of the name PayPal:

www.PayPai.com

At a quick glance, this looks as if it says PayPal. Even if the victim notices, he may think it's just a slight defect in the text that makes the "l" of Pal look like an "i." And who would notice at a glance that:

www.PayPa1.com

uses the number 1 instead of a lowercase letter L? There are enough people who accept misspellings and other misdirection to make this gambit continually popular with credit card bandits. When people go to the phony site, it looks like the site they expected to go to, and they blithely enter their credit card information. To set up one of these scams, an attacker only needs to register the phony domain name, send out his emails, and wait for suckers to show up, ready to be cheated.

In mid-2002, I received an email, apparently part of a mass mailing that was marked as being from "Ebay@ebay.com." The message is shown in Figure 8.1.

Figure 8.1. The link in this or any other email should be used with caution.

-----------------------------------------------------------------------------------------

msg: Dear eBay User,

It has become very noticeable that another party has been corrupting your eBay account and has violated our User Agreement policy listed:

4. Bidding and Buying

You are obligated to complete the transaction with the seller if you purchase an item through one of our fixed price formats or are the highest bidder as described below. If you are the highest bidder at the end of an auction (meeting the applicable minimum bid or reserve requirements) and your bid is accepted by the seller, you are obligated to complete the transaction with the seller, or the transaction is prohibited by law or by this Agreement.

You received this notice from eBay because it has come to our attention that your current account has caused interruptions with other eBay members and eBay requires immediate verification for your account. Please verify your account or the account may become disabled. Click Here To Verify Your Account - http://error ebay.tripod.com

Designated trademarks and brands are the property of their respective owners, eBay and the eBay logo are trademarks of eBay Inc.

-----------------------------------------------------------------------------------------

Victims who clicked on the link went to a Web page that looked very much like an eBay page. In fact, the page was well designed, with an authentic eBay logo, and "Browse," "Sell" and other navigation links that, if clicked, took the visitor to the actual eBay site. There was also a security logo in the bottom right corner. To deter the savvy victim, the designer had even used HTML encryption to mask where the user-provided information was being sent.
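The three link tricks this chapter walks through - a brand name buried inside an unrelated registrable domain (paypal-secure.com), lookalike spellings that swap one glyph for another (PayPai, PayPa1), and a notice whose link points at a host that has nothing to do with the claimed sender (the Figure 8.1 message) - can all be caught by the same kind of mechanical check a mail gateway or user-awareness tool would run. The following Python is an added example, not code from the book or from PayPal or eBay; the confusable-glyph table, the brand list, the two-label "registrable domain" rule and the sample messages are all constructed assumptions for illustration (tripod.com as the free-hosting domain comes from the text; the rest of that sample host is made up).

```python
import re
from urllib.parse import urlparse

# Glyph pairs that read alike at a glance. Constructed, abridged table for this
# example; a production tool would use the Unicode confusables data (UTS #39).
# Multi-character sequences come first so they collapse before single glyphs.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"),
    ("1", "l"), ("i", "l"), ("|", "l"),
    ("0", "o"), ("5", "s"),
]

# Brands a phisher might imitate (assumption for the example: each owns <brand>.com).
KNOWN_BRANDS = {"paypal", "ebay"}


def skeleton(label: str) -> str:
    """Collapse a domain label to the string a hurried reader 'sees'."""
    s = label.lower()
    for seq, canon in CONFUSABLES:
        s = s.replace(seq, canon)
    return s


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. Adequate for .com; real code should
    consult the Public Suffix List to handle multi-label suffixes."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str, brands=KNOWN_BRANDS) -> str:
    """Return one of: legitimate, lookalike, brand-in-name, unrelated."""
    label = registrable_domain(host).split(".")[0]
    if label in brands:
        return "legitimate"          # paypal.com, ebay.com
    if skeleton(label) in brands:
        return "lookalike"           # PayPai.com, PayPa1.com
    if any(b in label for b in brands):
        return "brand-in-name"       # paypal-secure.com
    return "unrelated"               # something.tripod.com


LINK_RE = re.compile(r"https?://[^\s\"'<>]+|www\.[^\s\"'<>]+", re.IGNORECASE)


def extract_hosts(text: str) -> list:
    """Pull every host name out of the URLs in a plain-text message body."""
    hosts = []
    for raw in LINK_RE.findall(text):
        url = raw if raw.lower().startswith("http") else "http://" + raw
        host = urlparse(url).hostname   # urlparse lower-cases the host
        if host:
            hosts.append(host)
    return hosts


def audit_message(sender: str, body: str, brands=KNOWN_BRANDS) -> list:
    """Flag every link whose registrable domain is not the sender's own, or
    whose name imitates a known brand. Returns (host, verdict) pairs."""
    sender_domain = registrable_domain(sender.split("@")[-1])
    findings = []
    for host in extract_hosts(body):
        verdict = classify_host(host, brands)
        if registrable_domain(host) != sender_domain or verdict != "legitimate":
            findings.append((host, verdict))
    return findings


# Constructed sample messages modelled on the scams described in the text.
SAMPLE_MESSAGES = [
    ("service@paypal.com",
     "click this link: http://www.paypal-secure.com/cgi-bin to receive $5"),
    ("Ebay@ebay.com",   # host below is made up; only tripod.com is from the text
     "Click Here To Verify Your Account - http://account-check.tripod.com"),
    ("service@paypal.com",
     "Log in at www.PayPai.com or www.PayPa1.com to update your details"),
    ("service@paypal.com",
     "Visit https://www.paypal.com/help for details."),
]


def audit_samples() -> list:
    """Run the audit over the constructed samples; one findings list per message."""
    return [audit_message(sender, body) for sender, body in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for (sender, body), findings in zip(SAMPLE_MESSAGES, audit_samples()):
        print(f"from {sender}: {findings or 'no suspicious links'}")
```

Only the last sample comes back clean: the first trips the brand-in-name rule, the second the sender/link domain mismatch, and the third the confusable-glyph skeleton. The skeleton step is what a visual comparison by the victim is supposed to do and routinely fails to; doing it in code before the mail reaches a mailbox is the cheap defensive counterpart to the attacker's cheap domain registration.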