You’re sitting at your computer checking your email, when you notice that you’ve got one from DHL. You open the message and read an official-looking message saying that they tried to deliver a package to you, but no one was available. Please open the attached file which contains a form they need to redeliver. Now maybe you’re waiting on a package and don’t remember whether it was DHL, UPS or FedEx; maybe you’re not waiting on a package and can’t figure out what they would be trying to deliver to you.
You get an email from your brother’s email address that says, “Check this out – it’s really funny!” It’s got an attachment. Well, your brother wouldn’t send you anything bad would he? (No seriously – would he? I probably don’t know your brother.)
In any case, you open up the attached .zip file, run the executable it contains and then… WHAM! You’re infected!! Suddenly you’ve got hundreds of porn pop-ups appearing on your machine. And you’ve got something that says it’s an anti-malware program that you don’t remember installing, coming up to tell you that it’s discovered 385 infections, and you need to run it to get rid of them.
Why did this happen?
In most cases, this happened because of a technique called Social Engineering. Social engineering is the act of manipulating people into performing actions or divulging confidential information – sometimes both.
Social Engineering relies, primarily, on two things: the basic trusting nature of most people, and fear.
In the first example, there was a little bit of both. You trusted that the email was actually from the company it said it was, and you were afraid something bad would happen (i.e. they wouldn’t deliver your package) if you didn’t do what they said.
In the second example, it was basically just trust. Why would you think that your brother would send you a virus? In fact, your next phone call or email is probably to your brother telling him that what he just sent you was infected. And when he tells you he didn’t send you anything, you don’t know what to make of it.
The previous examples are most prevalent on PCs running Windows XP or earlier. Why? Because they’re the most susceptible. Here’s why:
Microsoft and most security experts agree that the best way to run your computer is as a “Limited User”. In other words, a user account that doesn’t really have the privileges to install software, or do other things that could impact the entire machine.
But most users don’t want to run their machines as a Limited User, because… well, frankly, it’s a pain. This, of course, is only even relevant for folks using Windows NT, 2000 or XP. Anything earlier than that didn’t even have the option to run as a Limited User anyway. (If you’re using anything earlier than Windows XP, we should talk anyway.)
But if you run as an Administrative User, then anything you run is run as an Administrator, and Administrators are presumed to know better.
Windows Vista/7 and the UAC
Enter Windows Vista (and now Windows 7) and UAC (User Account Control). This allows the best of both. When you log into your PC, you’re using a Limited User account, and you run everything in that limited mode. When you want to install something, or try to do anything requiring upgraded permissions, everything freezes and goes a bit dark, and a window pops up asking whether you want to allow it. If you say yes, it temporarily places you in Administrative mode to effect the change. Then you go back to your Limited User account, and continue your work.
There are two problems:
- People get so used to seeing that “annoying box” that they click Allow without even really looking at it, or thinking about it.
- Some people get so sick of the box they actually turn off UAC. Also, some vertical-market applications tell you to disable it (which is usually a sign of bad programming, but be that as it may…)
Either of these behaviors will allow malicious code to run unimpeded on your machine, even with a more-secure operating system. Turning off UAC is actually worse, because you no longer even know there’s anything trying to get in. It makes it, effectively, Windows XP in Administrative mode.
Here are some rules of thumb that I use when dealing with email attachments:
- Don’t open them unless you have some reason to believe they are safe.
- Just because the “sender” is someone you know and trust, doesn’t mean it’s safe. They could have gotten infected themselves, and the virus could be sending itself to all their contacts. Some malware is even smart enough to scan the user’s contact list, choose two names and then send messages “from” one to another. So some third party may have been infected, and you get an email “from” someone you may know in common.
- In general, you can open attachments you’re expecting. If you’re waiting for me to send you a Service Contract proposal, and you get one from me, it’s probably okay.
- Even if you weren’t expecting it, per se, if you have contextual reasons to believe it’s really from the person it says it’s from, it may be okay. In other words, if the message part says, “Open this. It’s funny.” – that’s not okay. But if it says, “Hey Dave – This is that article you asked me to write for your blog. Tell me what you think.” – that’s probably fine.
- If you’re not sure, ask. Send an email back to the sender asking whether they really intended to send that file to you.
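The rules above are judgement calls, but the mechanical part (is there an executable hiding inside that .zip, or a file pretending to be a document?) can be checked before anyone double-clicks. The following is an added example, not code from the original post: it parses a raw email, looks inside any .zip attachment, and flags filenames that Windows would run directly or that carry a disguised double extension. The extension lists and the constructed sample message are assumptions of this example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows treats as directly runnable (assumption: not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif",
                   ".vbs", ".js", ".jse", ".wsf", ".hta", ".msi"}
# "Document-looking" extensions often placed before a real executable one.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".jpg", ".txt"}

def suspicious_names(names):
    """Return a reason string for every filename that looks executable or disguised."""
    findings = []
    for name in names:
        parts = name.lower().split(".")
        if len(parts) > 1 and "." + parts[-1] in EXECUTABLE_EXTS:
            findings.append(f"{name}: executable extension")
        if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS:
            findings.append(f"{name}: double extension (looks like a document)")
    return findings

def triage_message(raw: bytes):
    """Parse a raw RFC 822 message and report attachments that should not be opened blindly."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        names = [fname]
        # Look inside zip attachments: the dangerous name is usually the inner one.
        if fname.lower().endswith(".zip") and zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                names += zf.namelist()
        report += suspicious_names(names)
    return report

def build_sample() -> bytes:
    """Constructed sample: a fake delivery notice carrying a zip with an .exe inside (harmless bytes)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("Delivery_Form.pdf.exe", b"not a real program")
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"
    msg["Subject"] = "Failed delivery attempt"
    msg.set_content("Please open the attached form to arrange redelivery.")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename="DHL_Form.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in triage_message(build_sample()):
        print("WARNING:", finding)
```

A clean message (no attachments, or only genuine documents) produces an empty report; anything listed is a reason to apply the "if you're not sure, ask" rule before opening it.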