Virus attacks exploit human nature with social engineering
1. Sutton University:
Computers/Technical
Before we get started with this issue, we want to acknowledge that in the previous issue of
tech tips we had planned on showing you more ways to increase the effectiveness of your
website. However, as we have had a number of questions recently sent to the support desk
about viruses, we thought we would sneak in this article out of sequence in order to help our
members stay informed and protected. We promise to return to our discussion on websites
in our next issue.
Social Engineering
Many of today’s computer viruses use psychology to help them infect your computer.
Regularly updating your anti-virus software is still an important part of keeping you safe
while computing, but a good dose of common sense can be even more beneficial. As an
example, take a look at the 3 email messages below:
Bank Example:
“Dear Bank of Montreal member, we were informed that your card was used by
another person or may possibly have been stolen. It may have happened if you had
been shopping on-line, and someone gained access to your 'billing information'
including your card number. To avoid and prevent any billing mistakes and to refund
your credit card, it is strongly recommended to proceed by filling in the secure form
on our site and applying for our Zero Liability program. This program is free and it
will help us to investigate this accident.”
Hot Gossip Example:
“In a startling turn of events, this season’s winner of American Idol appears to be in
danger of losing her title. Senior producers of the idol series spoke with CNN’s Paula
Zhon, saying “…all contestants have signed contractual agreements regarding their
full disclosure of any criminal records… and this type of behavior definitely qualifies
as a significant breach of contract…” To get the full story, please click here.”
Computer Support Example:
“Dear Sutton member, your email account has been temporarily suspended because
of improper use. If you wish to restore your account, please access and return the
attached file to support@sutton.com.”
Each of these actual messages had a seemingly legitimate email address (all of which were
faked), and some even had the corresponding company logo and colors incorporated into
the message formatting. However, none of these messages came from its proclaimed
sender; each was in fact an effort to transmit a virus!
What these messages have in common is their use of ‘social engineering’ – they are
constructed to look and sound authentic, and to either create concern or pique curiosity in
order to prompt the reader to take a course of action that they shouldn’t. In the
examples listed above, by clicking on the ‘secure form’, visiting the ‘company website’ or
opening the attached file, the reader has just exposed their computer to a
virus!
How to protect yourself from each example:
With the bank example – Whenever you get email requests for account information from
your bank, credit card company, PayPal or other similar source, you should always seek
confirmation from the company that the email is in fact authentic. In this example, the email
is using fear to get you to act, combined with an authentic-sounding ‘protection plan’ in an
effort to bolster the believability of the message. But no matter how believable a message
may sound, an unsolicited request for this type of personal information should always be
verified before you respond.
With the ‘hot gossip’ example – Whether it’s getting the latest details on a reality TV
scandal or promised nude celebrity pictures, hot topics have always been a staple tool that
virus creators have used for tempting people to visit a malicious site or open an infected
attachment.
As tempting as it may be to get the latest scoop, whenever you get these sorts of messages
you should always ask yourself, “Is the promised payoff of opening this message really
worth the risk of having to go to the manager and explain that you accidentally infected the
office network while trying to have a peek at pictures of Brad Pitt’s bare backside?”
With the Sutton Support example – Internet or email service providers rarely request a
password change via e-mail. And we will never ask you to send us any password
information via e-mail or attached form. If you are being requested to confirm or change
information, never use the link provided in the message.
These links are easy to fake – they may appear to be directing you to an authentic site, but
may actually direct you somewhere else that may compromise your computer. Always
request confirmation, especially before opening up an unexpected attachment.
In Summary:
Unless you are absolutely sure of a sender’s identity, never give out your personal
information like your credit card details, usernames or passwords. If you have any doubts at
all about the authenticity of the email, then request confirmation.
If you are not sure about the sender of a strange attachment, then you should avoid opening
these sorts of unsolicited email attachments. More likely than not, they are infected with a
virus.
Whenever in doubt, seek confirmation. The small amount of extra effort will save you a lot of
headaches down the road.