MyDoom: Don't do the right thing

2/7/2004

The MyDoom computer virus, which hit Jan. 26, made history partly because it relied on “social engineering.”

MyDoom spread faster than any other virus in Internet history, and at one point had infected 1 in every 12 pieces of email. Several other recent viruses have relied on social engineering tactics. More and more spam e-mails, unsolicited junk mail, are doing the same.

Social engineering is the term virus makers use for a bag of tricks that exploit common social instincts - like the desire to be safe and do the right thing. The virus's spread depends on the actions of the computer user.

MyDoom spread in e-mail attachments, some of which carried social engineering subject lines like “Server Report” or “Mail Delivery System.” Computer users naturally conclude that an e-mail has bounced or some other problem has occurred. Their response: “Better open that attachment and get the details.”

Those who did got MyDoom, and allowed their computers to become unwitting accomplices in spreading the virus.

Some virus makers send spam that purports to be from Microsoft or a well-known maker of antivirus software. They copy the company's logo and web site graphics, so that everything looks legitimate. The message encourages you to click on a link to download the latest security patches or anti-virus tools.

Others offer links to software to speed downloads of big music files or improve a computer's performance. One of the oldest social engineering ploys is a fake link to download free pornography.

Instead, of course, you download trouble, such as a program that takes over your computer and enlists it in an attack intended to overload some company's computer system.

Con artists also use social engineering in identity-theft scams.

One common scheme involves a message supposedly sent by your bank, credit card company, or the company that provides your Internet access. It asks for updated personal information, and offers fill-in-the-blanks spaces. You're supposed to keyboard in stuff like your name, address, phone number, credit card number, Social Security number, and maybe bank account numbers.

Click send, and the information goes straight to the crooks, who will start charging things to your card.

People on a computer network might get an e-mail from the System Administrator. It asks you to e-mail your password and user ID for some critical repairs on the network servers. In reality, the e-mail goes to a hacker, who will use the information to break into the computer network - and maybe send forged e-mails from your account.

One fact often is lost in all the hullabaloo as a new computer virus spreads, or an e-mail scam unfolds:

You are the first line of defense against computer viruses and spam e-mail con games.

Be wary about opening e-mail files, unless you expect them. If you're not sure, ask the sender. Just say no to all email requests for passwords, user IDs, credit card numbers, and other personal information until you can verify the request.