Malware

SPOTLIGHT ON SECURITY

IE Gets Top Props for Thwarting Socially Engineered Malware

Using social engineering to distribute malware is a favorite of hackers. That’s because it unloads the burden of infecting a computer onto its operator. By duping an Internet innocent into making just one errant click, an online bandit can inflict a world of hurt.

Socially engineered malware attacks attempt to deceive a user into downloading malicious software, typically through a link to an infected website.

Since browsers play a key role in many SEM attacks, browser makers have built protections into their products to thwart them. The best protections against those attacks are built into Microsoft’s Internet Explorer, according to NSS Labs.

NSS does annual analyses of the effectiveness of browsers against phishing and SEM attacks. However, in this latest analysis, NSS Research Director Randy Abrams compared the firm’s previous analyses over time, from 2009 to 2013.

“The compilation shows that Microsoft improved their product earlier than others and has been at the top a lot longer,” Abrams told TechNewsworld.

Most Phishing Fails

NSS scores are based on the ability of a browser to block phishing and SEM attacks. In its analysis for 2013, Internet Explorer blocked 89 percent of all phishing and SEM attacks; Google Chrome, 76 percent; Safari, 53 percent; and Firefox, 52 percent.

The effectiveness of browsers against particular attacks varies. Internet Explorer beats all comers at foiling SEM attacks, but Chrome is better at foiling phishing attacks. Both Safari and Firefox are good at blocking phishing, but provide only negligible protection against SEM attacks, according to Abrams’ research.

SEM effectiveness is more important to most users than anti-phishing protection, he argued.

“Most phishing attacks do not work,” Abrams said. “If you get a phishing mail from Chase bank and you use Wells Fargo, you’re not going to be a victim.”

Both phishing and SEM use social engineering, he noted in his browser research analyses.

“By definition, these are social problems, and technology has rarely solved a social problem. Technology can help to mitigate problems, but education is paramount,” Abrams wrote.

“For users who are adept at identifying social engineering attacks, the browser adds little additional security; however, most users are not aware of the dynamics of social engineering and will fall prey to SEM even when they are able to identify many types of phishing attacks,” he explained. “Proper education provides the best protection against most social engineering attacks.”

HealthCare.spam

Spammers rarely miss an opportunity to take advantage of a high-profile news story to spread their scams, but they don’t seem too enthusiastic about piling on the woes experienced by HealthCare.gov.

However, there has been a bump of late in Medicare supplemental insurance spam. “We’re definitely seeing a rise in the number of spam and honeypot reports where the word Medicare is involved,” Mark Stemm, principal software engineer at Cloudmark, told TechNewsWorld.

“It does seem to be going up at about the same time as the exchanges for the Affordable Care Act have been opening up,” he added. “It seems suspiciously timed.”

Most of the spam message is an image, Stemm said. Clicking on the image will take a person to a website selling supplemental Medicare insurance.

Timing Coincidence

However, the increase in Medicare spam may be purely coincidental. October is a big month for healthcare plan enrollments, so it’s a good time to push medical spam.

“As soon as open enrollment rolls around, we see every year Medicare spam go from nothing to tons for about 60 days,” Chet Wisniewski, a security advisor with Sophos, told TechNewsWorld.

However, very little spam mentioning Obamacare, HealthCare.com or the Affordable Care Act has turned up in Sophos’ spam traps.

“I saw a couple of hundred messages out of billions, and those messages might have been false positives,” Wisniewski noted.

“The spammers are probably spending their time trying to hack HealthCare.gov,” he quipped.

Part of the problem for spammers may be figuring out a way to monetize an Obamacare campaign. That’s not the case with Medicare junk mail, which allows spammers to collect a fee every time a policy is sold to someone who was referred to an insurer through their spam.

“It’s like a lamp to a moth for spammers,” Wisniewski said.

Breach Diary

  • Oct. 28. U.S. Attorney for New Jersey charges Lauri Love, 28, with breaching thousands of computers in the United States, including the computer networks of federal agencies, to steal massive quantities of confidential data. Love was arrested Oct. 25 by UK law enforcement authorities in connection with an ongoing investigation.
  • Oct. 28. Allina Health, of Minneapolis, notifies more than 3,000 patients that personal and health information maintained by the organization has been viewed by a certified medical assistant at one of its clinics without authorization to do so.
  • Oct. 29. Adobe reports breach of its systems that occurred Oct. 3 was larger than it originally believed, affecting more than 38 million customer accounts.
  • Oct. 29. UK Information Commissioner’s Office fines North East Lincolnshire Council Pounds 80,000 (US$127,568) after it lost an unencrypted USB stick containing sensitive data about children with special needs.
  • Oct. 30. Swedish newspaper Dagens Nyheter reports 3 million patients may have had personal medical information compromised by intruders who broke into a medical log system used by hospitals and general practices in Stockholm and the island of Gotland.
  • Oct. 30. Two security researchers explain at RSA Europe session how, by creating a phony social media profile of a hot chick, they persuaded a government employee to lend them a laptop containing confidential information.
  • Oct. 30. FIDO Alliance, an industry consortium working on a universal online authentication framework, announces it has broken the 50-member mark.

Upcoming Security Events

  • Nov. 5. The State of DDoS: What Can You Do About the Threat? 11 a.m. ET. Webinar by Arbor Networks. Free with registration.
  • Nov. 6. FedCyber.com Government-Industry Security Summit. Crystal Gateway Marriott, 1700 Jefferson Davis Highway, Arlington, Va. Registration: government, free; academic, US$100; industry, $599.
  • Nov. 18-20. Gartner Identity & Access Management Summit. JW Marriott at L.A. Live, 900 West Olympic Boulevard, Los Angeles, Calif. Registration: Early Bird to Sept. 27, $2,075; Standard, $2,375; Public Sector, $1,975.
  • Nov. 20. SC Congress Chicago 2013. 8:30 a.m.-7 p.m. CT. Chicago. Full Day Pass: $250.
  • Dec. 4-5. MENA Business Infrastructure Protection 2013 Summit (Risk Management and Security Intelligence for companies in the Middle East and North Africa). Dubai.
  • Dec. 9-12. Black Hat Training Sessions. Washington State Convention Center, Seattle, Wash. “The Art of Exploiting Injection Flaws,” $1,800 by Oct. 24; $2,000 by Dec. 6; $2,300 thereafter. “The Black Art of Malware Analysis,” $3,800 by Oct. 24; $4,000 by Dec. 5; $4,300 thereafter. “CNSS-4016-I Risk Analysis Course,” $3,800 by Oct. 24; $4,000 by Dec. 5; $4,300 thereafter.
  • Dec. 9-13. Annual Computer Security Applications Conference (ACSAC). Hyatt French Quarter, New Orleans.
  • Jan. 20-21, 2014. Suits and Spooks. Waterview Conference Center, Washington, D.C. Registration: Sept. 20-Oct. 20, $415; Oct. 21-Dec. 1, $575; after Dec. 1, $725.
  • Feb. 17-20, 2014. 30th General Meeting of Messaging, Malware and Mobile Anti-Abuse Working Group. Westin Market Street, San Francisco. Members only.

John Mello is a freelance technology writer and former special correspondent for Government Security News.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Malware

Technewsworld Channels