Now, why don’t you believe me? If I sent it to 5 million people in an email message many of them would believe it. Pierre-Marc wrote a blog entry this morning http://eset.com/threat-center/blog/?p=69 in which he described one of the latest scams going around. For those of us who work around security, we saw this abuse of e-greetings coming the first time we saw an e-greeting. There was never any question about it. Taxes are far less certain than e-greeting abuse. E-Greetings are the ultimate social engineering tool. Each time we send one we teach people to fall for social engineering attacks. I won’t open one without a sandbox or a virtual machine. I know the intent of the legitimate people sending them is good, but for most users it’s like teaching a kid to cross the street without looking. You can run across the street blindly and get away with it almost every time in a city with a population of 12 or so, but on the information super-highway you are going to become pavement.
I’m quite certain I won’t be able to talk all of you out of using e-greetings, but perhaps I can get you to think a bit more before opening them.
First off, if the greeting doesn’t say explicitly who it is from do not open it. If it isn’t it isn’t worth finding out. It’s like lighting a stick of dynamite while holding it in your hand. Maybe there’s only a fuse, but what are the odds that there’s no explosive? No exceptions. Period. End of story. It is too risky to allow exceptions.
Second, if the greeting says who it is from, it is best to check with that person and make sure they actually sent it to you. If it is a birthday greeting, but it is not your birthday… it is almost certainly a scam. Even if it is your birthday, we will almost certainly see targeted attacks that use names and related birthdays. With the amount of personal information lost by banks, schools, government bodies, and a variety of businesses, it is only a matter of time before the databases are compiled ad sold so as to enable highly targeted and automated attacks.
Always think before you click. Let me share the thought processes I used a few days ago when I received an e-greeting…
The message came in… “Your FluevOgram from Carol” was the subject. I know several people named Carol. One is my wife. I don’t know what a FluevOgram is. So, let’s Google it! Very few hits… and 2 of three relate to “Fluevog Shoes”. Guess what? Earlier that day I was talking to Carol about some shoes she wanted to buy. Now, this puts things in context. I opened the FluevOgram after establishing that there was a very high probability that it really came from who it claimed to and that there it was relevant. It also helped that the email announcing the FluevOgram had the text of the greeting, which mentioned two cats who I knew played a prominent role in the purchase of said shoes.
Thinking is the number one defensive security measure you can take!
Director of Technical Education
Author ESET Research, We Live Security