Social engineering is by far the most common form of malware delivery and the sad truth is, despite untold warnings, people continue to fall for even the simplest of lures to click on that malicious link or open that malicious attachment.
Delivering malware via social engineering is popular among cyber-criminals because it’s simple, inexpensive, and effective. However, the success of social engineering attacks also relies on one major factor – they can NOT work without some sort of user interaction. So, the end result is entirely in the potential victim’s own hands.
I’m revisiting this topic because I just read through a report from researchers at the University of Cambridge and Southern Methodist University which goes into great detail about how a specific malware (worm) campaign was delivered via Instant Messaging utilizing a variety of lures, and the strategies used to achieve maximum infection rates. However, I’m not going to relate the minutiae here, just present a damning summary of the researchers’ findings:
- Over 14 million distinct users clicked on all these lures over a two year period
- 95% of users who clicked on the lures became infected with malware even though they were required to press OK on a Windows security warning pop-up in order to get infected.
*Check out the full paper here: Which Malware Lures Work Best? (PDF)
This particular malware propagated by compromising its victims’ instant messaging application and forwarding more lures (malicious links) to everyone in the list of contacts – and so on, and so on – quickly spreading the infection far and wide.
So, this type of careless clicking can result in serious consequences, not only affecting the user’s own system but potentially also those of friends, family, and acquaintances.
How do we protect users from themselves?
I honestly don’t know the answer. Everyone here at DCT, myself included, as well as dozens of similar tech sites, are consistently and regularly warning users about the dangers of clicking on suspect links or opening attachments from unknown or unreliable sources, yet the practice apparently continues unabated.
The obvious answer is “education” but that just as obviously can’t be effectively achieved by tech sites alone. A big part of the problem is that novice and inexperienced users are the most vulnerable, yet they are not the sort who typically visit tech blogs and the like. How do we reach these people?
I wish I knew!