I just got hit with my very first instant-message attack, the Oscarbold/Doyorg Trojan. I'm sure I'll see more. One thing I found interesting about the experience was the way that the attack circumvents our normal mental security defenses.
Like most of you, I pride myself on having developed a fairly good ear for phishing and other forms of e-mail attacks. I follow some common-sense rules:
- Nobody at Washington Mutual, eBay or PayPal really wants to have my login and password information. I don't even do business with WaMu, and I hardly ever use eBay or PayPal.
- If I get an e-mail seeking valuable information like a credit-card number or Social Security number, the first thing I ask myself is whether I was expecting this e-mail. Is it coming from a company I actually do business with? Did I just do a transaction with these guys recently? Does it make sense they'd be e-mailing me now? If the e-mail is expected, I check the URL carefully to see if it matches the legitimate URL I know.
So far, no e-mail message has ever passed those tests. I rarely get e-mail purporting to be from a company I actually do business with seeking my Social Security number or credit-card number. And when I do get such a message, it turns out the URL in the message is obviously fraudulent.
- In addition to those tests, I rely quite a bit on writing style to determine whether a message is legitimate. When Microsoft sends a security alert, it doesn't read like it was written by a 17-year-old from Eastern Europe with only a rudimentary grasp of English.
You should also rely on technical security barriers, of course, including anti-virus, anti-spyware, anti-spam, and firewall software and hardware. But don't disregard the importance of the security wetware between your ears.
But the Oscarbold/Doyorg Trojan almost got through my defenses anyway.
The attack came to me in the form of an AOL IM message that appeared to come from a co-worker. "i thought youd wanna see this," is what the message said, and the word "this" was a hyperlink to an external site.
This guy usually sends me valuable stuff. And the message seemed legit. So I clicked the link. And was sent to a page in my Firefox browser that said the Web page was sending me a file — did I want to download it, or open it right away? I spoke the words of the immortal Lt. Uhura: "Sorry, neither," and I clicked "cancel."
And avoided a major pain in the neck.
If I'd been running different software, I'd be cleaning the mess off my computer right now. One of my colleagues is. Like me, he runs the Firefox browser, so we can't blame this one on Internet Explorer. The difference between his set-up and mine: he runs the America Online instant message client, and I run the GAIM IM client. GAIM saved me.
Lessons learned: Think about giving up public instant-messaging networks like AOL's. Instead, use a private network for business instant messaging. If you must use a public network, avoid the standard client if you can; use a multi-purpose client like GAIM (the one I use) or Trillian.
More importantly: We have to start using our mental security defenses on IM messages now. With e-mail, we can be careful of messages that seem to come from illiterate people. In IM, it's trickier because people often write IMs in haste, and neglect to proofread, capitalize, correct spelling and use proper punctuation. So the usage errors in the earlier IM wouldn't have clued me in even if I were on the lookout for them.
One clue that I'll watch for in future IMs: hyperlinks embedded in the message text, where an ordinary word like "this" is itself the link. Nobody I know sends hyperlinks like that; we all just paste links as plain text, like this: http://www.securitypipeline.com/.
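The "embedded hyperlink" clue above can be turned into a simple check on the HTML of an incoming IM. The following is an added example, not code from the original post or from any IM client; the message samples are constructed, and the host example.invalid is a placeholder. It flags an anchor when its visible text is not itself a URL (a bare word like "this" hiding a link), and also when the visible text is a URL whose host differs from where the href really points, which is the same "does the URL match the one I know" test the post applies to e-mail.

```python
"""Flag instant messages whose links are hidden behind ordinary words.

Added example (not from the original post). The message samples below are
constructed; the rule is the one the post describes: people the author knows
paste links as plain text, so a word that is itself a hyperlink is suspicious.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (visible_text, href) pairs from the HTML of an IM message."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the anchor currently being read, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:       # only text inside an <a> matters
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text).strip(), self._href))
            self._href = None


def _looks_like_url(text):
    """True when the visible text is itself a URL or a dotted host name."""
    if not text or " " in text:
        return False
    candidate = text if "://" in text else "http://" + text
    netloc = urlparse(candidate).netloc
    return bool(netloc) and "." in netloc


def masked_links(message_html):
    """Return the anchors whose visible text hides where the link really goes.

    An anchor is 'masked' when its visible text is not a URL (e.g. the word
    'this'), or when it is a URL whose host differs from the href's host.
    """
    collector = _AnchorCollector()
    collector.feed(message_html)
    flagged = []
    for text, href in collector.anchors:
        if not _looks_like_url(text):
            flagged.append((text, href))
            continue
        shown = text if "://" in text else "http://" + text
        if urlparse(shown).netloc.lower() != urlparse(href).netloc.lower():
            flagged.append((text, href))
    return flagged


def is_suspicious(message_html):
    """Apply the post's rule: any masked hyperlink makes the message suspect."""
    return bool(masked_links(message_html))


# Constructed samples; example.invalid is a placeholder host, not a real site.
MASKED = 'i thought youd wanna see <a href="http://example.invalid/download">this</a>'
PLAIN = 'look: <a href="http://www.securitypipeline.com/">http://www.securitypipeline.com/</a>'
MISMATCH = '<a href="http://example.invalid/login">http://www.securitypipeline.com/</a>'
NO_LINK = "i thought youd wanna see this http://www.securitypipeline.com/"

if __name__ == "__main__":
    for label, msg in [("masked", MASKED), ("plain", PLAIN),
                       ("mismatch", MISMATCH), ("no_link", NO_LINK)]:
        verdict = "SUSPICIOUS" if is_suspicious(msg) else "ok"
        print(f"{label:9} -> {verdict} {masked_links(msg)}")
```

Plain-text links (the NO_LINK sample) pass untouched, which matches the post's observation that everyone the author knows sends links that way; only anchors whose text and destination disagree are reported, so the check stays quiet on ordinary messages.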
This was my first personal encounter with an instant message infection. I'm sure I'll be seeing more.