
ICG Risk Blog - [ Malware, phishing, cracking, and social engineering all point to increasing criminal profit ]

Malware, phishing, cracking, and social engineering all point to increasing criminal profit


Malware (malicious software), phishing, cracking, and social engineering, individually and in concert, increasingly point to criminal profit as the goal, displacing ego and bragging rights. Where the target once experienced mere inconvenience and indirect loss, the target now suffers direct loss -- and a lot of it -- along with the indirect loss and inconvenience. The better attacks marry two or more of the approaches:

Trojan horses can be used to dupe computer users into running a bot program, which in turn can help launch denial of service attacks for financial gain.

The [Sobig] virus would load software onto users' computers in order to provide a means for bulk e-mailers to use the zombie machines to send out unsolicited messages without detection.

The target is often an avid partner in his or her own demise:

The major issue in Netsky's consistent prevalence is the fact that it rides on the seemingly irremediable human penchant for opening attachments in e-mail messages, even from unknown sources.

People, by nature, are unpredictable and susceptible to manipulation and persuasion. Studies show that humans have certain behavioral tendencies that can be exploited with careful manipulation. Many of the most damaging security penetrations are, and will continue to be, due to social engineering, not electronic hacking or cracking.

Analysts have been watching an unremitting shift "from the traditional goal of claiming fame and notoriety to the pursuit of profit and monetary rewards." Gartner believes that social engineering is a greater problem than hacking:

Criminals are using social engineering to take the identity of someone either for profit, or to gather further information on an enterprise. This is not only a violation of the business, but of someone's personal privacy.

Criminals are zeroing in on the nexus of need, hope and loneliness where the target is most vulnerable, be it targeting the unemployed with "an e-mail that purported to come from Credit Suisse bank advertising a job opportunity" or an updated mail-order bride scam in which a fictitious attractive Russian woman, Ms. Medvedeva, fleeces the lovelorn, literally leaving some waiting at the airport with roses.

One wonders if the scams are so good or the victims so obtuse. One may wonder about the victims when one reads that:

  • 70 percent of consumers will share information, such as their name, address, postal code, phone number, account number or give the answer to a security question to an unsolicited call or email.
  • 61 percent of consumers do not want to be forced to change passwords, a common procedure mandated to enhance security.
  • 57 percent of consumers do not want their accounts locked down after three failed attempts to provide identification verification information.

One can only imagine the collision of these targets with thoughtful spammers who have no intent to sell anything:

All they want is to "phish" your credit card number. Messages now zip around the Internet purporting to come from trusted companies and asking you to "verify your account." The victim is taken to a Web site that looks genuine but is run by a fraud ring.

Clearly the weak links are both the users who willingly make one click too many, or surrender information that they should not, and the software vendors that produce faulty code that can be exploited for Trojan, spam and other attacks.

Human nature will be slow to fix. One can only hope that the software takes less time.

Virus report points to profit-hungry hackers
By Dawn Kawamoto
November 3, 2004

Russian Gal Seeking Comrade? No, It's an Internet Scam
New York Times
November 3, 2004

Old scams pose the 'greatest security risk'
By Munir Kotadia
ZDNet Australia
November 1, 2004

Consumers, not technology, biggest cybersecurity problem
By Dan Farber
Oct 27, 2004

The new face of cybercrime
By Phillip Hallam-Baker
Special to ZDNet
July 20, 2004

Gordon Housworth
