Social Engineering and the "Little Guy"

Here’s a concept that might inflate everyone’s ego a little, as well as (hopefully) making them a little more wary: It’s not just CxOs whose names and info are valuable. It’s yours and mine, too.

In Italy, trojan spammers are sending emails which appear to be from lawyers, threatening legal action if the recipient doesn’t clean up their allegedly-infected machine. Of course, this email includes a “helpful link” to a removal tool which is, in reality, a trojan. The most notable thing here is that the email includes actual lawyers’ names and contact information, which is causing significant problems for the lawyers whose names have been used.

We’ve also received reports from Italy indicating people are getting similar emails, but from people who appear to be angry business partners, rather than from lawyers.
Miscreants have also taken to heart the figures regarding the lack of security awareness in smaller businesses. Small companies may feel that they’re too insignificant to be targeted, but their machines may actually be just as valuable as someone in a Fortune 500 company. Small businesses’ bandwidth is often better than a home user’s, their employees’ name and contact info can be used in schemes like this, they might be more apt to be hurt by Denial of Service attacks or extortion attempts, while they’re less apt to have trained or dedicated security staff.

Really, everyone’s data has a useful place in the internet criminal’s arsenal. Doesn’t that just warm the cockles of your heart?

So what do we take away from all this? Regardless of how urgent an email appears to be, it pays to double-check links and attachments with the apparent sender if you’re not expecting it. And to keep yourself from being an “apparent sender”, consider very carefully what information you make available on the internet. Do you need to post your employees’ name and phone numbers publicly or would something more general be feasible?