Malware Bait, Will We EVER Learn!

Social engineering is by far the most common form of malware delivery and the sad truth is, despite untold warnings, people continue to fall for even the simplest of lures to click on that malicious link or open that malicious attachment.

Delivering malware via social engineering is popular among cyber-criminals because it’s simple, inexpensive, and effective. However, the success of social engineering attacks also relies on one major factor – they can NOT work without some sort of user interaction. So, the end result is entirely in the potential victim’s own hands.

I’m revisiting this topic because I just read through a report from researchers at the University of Cambridge and Southern Methodist University which goes into great detail about how a specific malware (worm) campaign was delivered via Instant Messaging utilizing a variety of lures, and the strategies used to achieve maximum infection rates. However, I’m not going to relate the minutiae here, just present a damning summary of the researchers’ findings:

  • Over 14 million distinct users clicked on all these lures over a two-year period
  • 95% of users who clicked on the lures became infected with malware even though they were required to press OK on a Windows security warning pop-up in order to get infected.

*Check out the full paper here: Which Malware Lures Work Best? (PDF)

This particular malware propagated by compromising its victims’ instant messaging application and forwarding more lures (malicious links) to everyone in the list of contacts – and so on, and so on – quickly spreading the infection far and wide.

So, this type of careless clicking can result in serious consequences, not only affecting the user’s own system but potentially also those of friends, family, and acquaintances.

How do we protect users from themselves?

I honestly don’t know the answer. Myself and everyone here at DCT, as well as dozens of similar tech sites, are consistently and regularly warning users about the dangers of clicking on suspect links or opening attachments from unknown or unreliable sources, yet the practice apparently continues unabated.

The obvious answer is “education” but that just as obviously can’t be effectively achieved by tech sites alone. A big part of the problem is that novice and inexperienced users are most vulnerable yet are not the sort who typically visit tech blogs and the like. How do we reach these people?

I wish I knew!

 

2 thoughts on “Malware Bait, Will We EVER Learn!”

  1. Hy.

    Sorry for being a newbie, but can you explain how to recognize malicious links, pages, … ?

    Thanks ?

    1. The problem is that it is now becoming very difficult to know who to trust ….many previously trustworthy sites now bundle malware with their downloads ..example: download.com owned by a major USA company, CBC.
      Shame upon them ,,but they are far from the only ones.
      Even AVG has got into bed with the purveyors of unwanted software(malware) by changing search and adding their own tool bars.
      I only download from a few trusted sites that have still not been “paid off” to include bundled malware.
      If unsure, use a sandbox ..slightly technical for a newbie but watch a youtube vid. This will at least protect you until you find a few trusted download sites.
      I used sandboxie as my main protection ….http://www.sandboxie.com/
      I only use the free version ..it does have a buy ‘nag’ screen after one month of free use..but will still work normally.
