Social engineering is a strategy for obtaining information people wouldn’t normally divulge, or prompting an action people normally wouldn’t perform, by preying on their natural curiosity and/or willingness to trust. Perpetrators of scams and other malicious individuals combine social engineering with email in a number of ways.
Phishing emails are crafted to look as if they’ve been sent from a legitimate organization. These emails attempt to fool you into visiting a bogus web site to either download malware (viruses and other software intended to compromise your computer) or reveal sensitive personal information. The perpetrators of phishing scams carefully craft the bogus web site to look like the real thing.
For instance, an email can be crafted to look like it is from a major bank. It might have an alarming subject line, such as “Problem with Your Account.” The body of the message will claim there is a problem with your bank account and that, in order to validate your account, you must click a link included in the email and complete an online form. The email is sent as spam to tens of thousands of recipients. Some, perhaps many, recipients are customers of the institution. Believing the email to be real, some of these recipients will click the link in the email without noticing that it takes them to a web address that only resembles the address of the real institution. If the email is sent and viewed as HTML, the visible link may be the URL of the institution, but the actual link information coded in the HTML will take the user to the bogus site. For example, a link that appears to point to yourbank.com/accounts/ may actually lead to itcare.co.kr/data/yourbank/index.html.
The bogus site will look astonishingly like the real thing, and will present an online form asking for information like your account number, your address, and your online banking username and password: all the information an attacker needs to steal your identity and raid your bank account.
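The gap between a link’s visible text and its real destination, described above, is something a mail filter or a careful reader can check mechanically rather than by eye. The Python script below is an added example and is not part of the original article. It parses an HTML message body with the standard library, collects each anchor’s visible text and href, and reports anchors whose visible text names one host while the href points to another. The sample HTML body is constructed for the example and reuses the two addresses from the text; treating www.yourbank.com as the same site as yourbank.com is an assumption of the example, not a rule from the article.

```python
"""Flag HTML e-mail links whose visible text disagrees with the real href.

Added example, not part of the original article. Standard library only;
the sample HTML body below is constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style HTML body: the link text shows the
# bank's address, but the href points somewhere else entirely.
SAMPLE_HTML = """
<p>Problem with Your Account. Please validate your account:</p>
<a href="http://itcare.co.kr/data/yourbank/index.html">yourbank.com/accounts/</a>
<p>Or contact <a href="https://www.yourbank.com/help">our help desk</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the anchor currently open, if any
        self._text = []      # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_like):
    """Lowercase hostname of a URL; a scheme is prepended when the text has none
    (visible link text is usually written without one)."""
    if "://" not in url_like:
        url_like = "http://" + url_like
    return (urlparse(url_like).hostname or "").lower()


def looks_like_url(text):
    """Heuristic: visible text with no spaces that contains a dotted host name."""
    host = host_of(text)
    return " " not in text and "." in host.strip(".")


def same_site(visible_host, real_host):
    """True when the real host is the visible host or one of its subdomains
    (assumption of this example; no public-suffix list is consulted)."""
    return real_host == visible_host or real_host.endswith("." + visible_host)


def find_mismatched_links(html):
    """Return [(visible_text, real_href)] for anchors whose visible text names a
    host other than the one the href actually points to."""
    parser = LinkCollector()
    parser.feed(html)
    mismatches = []
    for href, text in parser.links:
        if looks_like_url(text) and not same_site(host_of(text), host_of(href)):
            mismatches.append((text, href))
    return mismatches


if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_HTML):
        print(f"visible: {text!r} -> actual: {href!r}")
```

Anchors whose visible text is ordinary prose (“our help desk”) are left alone; only text that itself reads like an address is compared, since that is the case where a reader is being shown one destination and sent to another.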
Awareness and what to look for
Bogus communications purporting to be from banks, credit card companies, and other financial institutions have been widely employed in phishing scams, as have emails from online auction and retail services. Carefully examine any email from your banks and other financial institutions.
Most have instituted policies against asking for personal or account information in emails, so you should regard any email making such a request with extreme skepticism.
Phishing emails have also been disguised in a number of other ways. Some of the most common phishing emails include the following:
- Fake communications from online payment and auction services, or from internet service providers. These emails claim there is a “problem” with your account and request that you access a (bogus) web page to provide personal and account information.
- Fake accusation of violating the Patriot Act. This email purports to be from the Federal Deposit Insurance Corporation (FDIC). It says that the FDIC is refusing to insure your account because of “suspected violations of the USA Patriot Act.” It requests that you provide information through an online form to “verify your identity.” It’s really an attempt to steal your identity.
- Fake communications from an IT department. These emails attempt to ferret out passwords and other information phishers can use to penetrate your organization’s networks and computers.
Trojan Horse Email
Trojan horse email offers the promise of something you might be interested in: an attachment containing a joke, a photograph, or a patch for a software vulnerability. When opened, however, the attachment may do any or all of the following:
- create a security vulnerability on your computer
- open a secret “backdoor” to allow an attacker future access to your computer
- install software that logs your keystrokes and sends the logs to an attacker, allowing the attacker to ferret out your passwords and other important information
- install software that monitors your online transactions and activities
- provide an attacker access to your files
- turn your computer into a “bot” an attacker can use to send spam, launch denial-of-service attacks, or spread the virus to other computers
Awareness and what to look for
Trojan horse emails have come in a variety of packages over the years. One of the most notorious was the “Love Bug” virus, attached to an email with the subject line “I Love You” that asked the recipient to view the attached “love letter.”
Other Trojan horse emails have included the following:
- email posing as a virtual postcard
- email masquerading as a security bulletin from a software vendor requesting that the recipient apply an attached “patch”
- email with the subject line “funny” encouraging the recipient to view the attached “joke”
- email claiming to be from an antivirus vendor encouraging the recipient to install the attached “virus sweeper” free of charge
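The attachments named in this section (a “joke”, a “photograph”, a vendor “patch”, a free “virus sweeper”) share a pattern a mail gateway can triage before a user ever sees them: the file claims to be one thing and is another. The Python script below is an added example, not part of the original article. It builds a constructed sample message with the standard email library and flags attachments that carry an executable extension, hide an executable extension behind an innocent one, or whose leading bytes disagree with the declared content type. The extension list and the magic-byte table are short, assumed lists written for this example, not a complete filtering policy.

```python
"""Triage e-mail attachments the way a mail gateway's first filter would.

Added example, not part of the original article. Builds a constructed sample
message and flags attachments whose name or content does not match what the
message claims they are.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows will run when double-clicked (assumed list, not exhaustive).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd",
                         "vbs", "js", "jse", "wsf", "hta"}

# Leading bytes of a few common formats (short table constructed for this example).
MAGIC = {
    b"MZ": "application/x-msdownload",   # Windows PE executable
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG": "image/png",
    b"%PDF": "application/pdf",
}


def build_sample_message():
    """Constructed Trojan-horse-style mail: a 'patch' that is really a PE file,
    a 'photo' hiding an .exe extension, and one genuine JPEG for contrast."""
    msg = EmailMessage()
    msg["From"] = "security-bulletin@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Critical security patch - apply immediately"
    msg.set_content("Please apply the attached patch to fix a critical vulnerability.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="patch.exe")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="image",
                       subtype="jpeg", filename="photo.jpg.exe")
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 60, maintype="image",
                       subtype="jpeg", filename="holiday.jpg")
    return msg.as_bytes()


def sniff_type(data):
    """Guess the MIME type from leading bytes; None when no entry matches."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def triage_attachment(filename, declared_type, data):
    """Return the list of reasons this attachment is suspicious (empty if none)."""
    reasons = []
    exts = filename.lower().split(".")[1:]          # every extension after the base name
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{exts[-1]}")
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append(f"double extension hides .{exts[-1]} behind .{exts[-2]}")
    sniffed = sniff_type(data)
    if sniffed and sniffed != declared_type.lower():
        reasons.append(f"content looks like {sniffed}, declared as {declared_type}")
    return reasons


def triage_message(raw_bytes):
    """Parse a raw message and return {filename: [reasons]} for flagged attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    flagged = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reasons = triage_attachment(name, part.get_content_type(),
                                    part.get_payload(decode=True))
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample_message()).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

The three checks are deliberately independent: a plain `patch.exe` is caught by extension alone, while the content check still fires when the sender picks an innocent name and an `image/jpeg` content type but the bytes are a Windows executable. The genuine `holiday.jpg` passes all three, which is the behaviour a filter needs so that ordinary photographs are not blocked.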