December 01, 2008
In a rather historic move, in November 2008 Apple began recommending antivirus for Mac to its users. The presumed straw that broke the camel's back - a new variant of OSX.RSPlug, a DNS changer Trojan that modifies the DNS servers configured on a victim's Mac, maliciously redirecting them to websites other than the ones they expected.
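Because a DNS changer works by quietly swapping the resolvers a machine trusts, the most direct defensive check is to compare the configured DNS servers against the ones you expect. The script below is an added example, not code from the original article or from any Apple tooling: it defines a `check_dns` function that reads one resolver address per line and flags any address outside an assumed allowlist (`ALLOWED_DNS`, a placeholder you would replace with your own router or provider resolvers). The sample resolver lists are constructed; on a real Mac you would pipe in the output of `networksetup -getdnsservers <service>` instead.

```shell
#!/bin/sh
# Added example: audit a Mac's configured DNS resolvers against an allowlist,
# the kind of check that would expose a DNS changer Trojan such as OSX.RSPlug.
# ALLOWED_DNS is an assumed allowlist; replace it with the resolvers you expect.
ALLOWED_DNS="192.168.1.1 8.8.8.8 8.8.4.4"

# check_dns: reads one resolver address per line on stdin, prints every address
# that is not in ALLOWED_DNS, and returns 0 if all resolvers are allowed,
# 1 if at least one unexpected resolver was found.
check_dns() {
    status=0
    while IFS= read -r server; do
        # Skip blank lines and the "no servers set" message networksetup prints
        # when a service has no manual resolvers (wording assumed).
        case "$server" in
            ''|"There aren't any DNS Servers set"*) continue ;;
        esac
        allowed=0
        for ok in $ALLOWED_DNS; do
            if [ "$server" = "$ok" ]; then
                allowed=1
                break
            fi
        done
        if [ "$allowed" -eq 0 ]; then
            echo "UNEXPECTED DNS SERVER: $server"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample output: what a clean machine and an infected machine
# might report. 203.0.113.50 is a documentation-range address standing in
# for an attacker-controlled resolver.
SAMPLE_CLEAN="192.168.1.1
8.8.8.8"

SAMPLE_INFECTED="192.168.1.1
203.0.113.50"

# Demo run on the constructed infected sample; prints the rogue resolver.
printf '%s\n' "$SAMPLE_INFECTED" | check_dns || echo "resolver audit failed"
```

On a live system the audit is `networksetup -getdnsservers Wi-Fi | check_dns` (substituting the service name from `networksetup -listallnetworkservices`); a non-zero exit status is the signal to investigate, since a resolver you did not configure is exactly the footprint this Trojan leaves.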
Like many of today's threats, OSX.RSPlug relies on social engineering, effectively tricking you into infecting your own computer. The social engineering technique used by the Mac-targeting OSX.RSPlug Trojan is all too common in the PC world as well - using email and forum spam to advertise a provocative sounding video which is actually a Trojan in disguise. Those clicking the spam's link are presented with a message that they need to update their QuickTime or Flash, or install some video codec, in order to view the promised video. Of course, there isn't really a video - the "required" update is the Trojan. Those who accept the update are simply doing the attacker's bidding, installing the Trojan onto their own system.
Protecting against social engineering often requires a degree of savvy that is more instinct than technique. When discussing predictive CCTV, Alex Eckelberry, CEO of Sunbelt Software noted, "Trying to replace good, solid community policing with technology in this way is absurd." As Alex explained, when it comes to judging motive and intent, an experienced "beat cop" is far more capable of assessing a situation and making the correct determination. This is the case with cybercrime as well - an experienced user armed with the right information is generally best equipped to make the right decisions to protect themselves online.
While it's impossible to provide an exact how-to guide for avoiding scams, understanding the following misconceptions should help raise your knowledge quotient, which in turn should assist you in avoiding becoming the next victim of fraudulent link scams.
1. The link came from someone I know.
Email addresses can be easily faked (spoofed). And if the person's computer is infected, the infection - and not the person - could be sending the message from their computer. Don't determine the legitimacy of a link simply based on its coming from someone you know. If you receive a link from someone unexpectedly, assume it is malicious unless proven otherwise. Ask them if they intended to send it. You can also make judgement calls based on the wording of the email or IM - does it read like something the person you know might be expected to send?
2. The link was posted to a forum that I know and trust.
Anyone who runs a forum also runs a constant battle against spammers. Even the best forum host can have malicious links posted. Forum members whose computers are infected can also have malicious links embedded in any replies to posts that they may make. Don't assume a link is legitimate simply because it's posted in a forum you trust. Before following a link posted to a forum, ask the other members for their own experience with the link or send a message to the forum host asking them to check it out.
3. The link points to a video I really want to see.
When it comes to videos, stick to tried and true sites such as YouTube. Attackers commonly disguise Trojans as "upgrades" to Flash or QuickTime or some other video codec. If you visit a site and it tells you that you need to update your video player, be suspicious. If you're able to view videos normally on other sites, assume that the site instructing you to update is a malicious website. If you still believe the update requirement is legitimate, visit the update site directly - don't accept the update from the website you are on. (For direct downloads, see Adobe Flash Updates | QuickTime Updates). Note that if you're a Firefox user with NoScript, you may be receiving the message legitimately because you need to temporarily allow the site(s) in question.
4. The link is from a breaking news alert from Google / CNN / MSNBC, etc.
Like email addresses, breaking news alerts can be easily spoofed. Remember, an email message is nothing but typed words. Anyone can compose an email that reads as if it is from Google, CNN, MSNBC, or any other reputable news outlet. If you receive a breaking news alert and the link points to a site that instructs you to install a viewer or some other software, assume the website is malicious until proven otherwise.
5. The link came from an official government / law enforcement agency.
Unless you have a pre-established email relationship with personnel from government or law enforcement, you'll almost certainly never receive any email from such an agency instructing you to do anything. After all, email can be easily faked and both the government and law enforcement would be anxious to correspond only in an officially acceptable and legally valid manner. In other words, if you get an IRS tax refund notice via email, consider it a scam. If there are lingering doubts, call your local branch of that agency for confirmation.
Remember, there is next to no authentication on the Web. This lack of authentication enables scammers to masquerade as pretty much anyone they choose. It's up to you to filter through the available clues and make the right determination. Because if you don't, the next victim could be you.