Real-World Social Engineering to Spread Malware Online
Wednesday February 4, 2009 at 7:26 am CST
Posted by Lokesh Kumar
An innovative social-engineering technique in which the virtual world meets the real world was described recently by SANS analyst Lenny Zeltser. The original post can be found here.
Apparently, yellow fliers were placed on vehicles in a parking lot, and the fliers claimed that the vehicles were in violation of parking regulations. The fliers further stateed that the owner could visit a certain website to get more information and pictures about the offense.
Upon visiting this website, the innocent victims were requested to download a toolbar [PictureSearchToolbar.exe], which claimed to let them search for more pictures of their vehicles. However, what this toolbar really does is download malicious files from the Internet; those files in turn downloaded more malware.
Here’s a screenshot of the website:
McAfee detects the original toolbar [PictureSearchToolbar.exe] as Vundo.dldr!1231E9AC from DAT Version 5516 onward, while the dropped and downloaded files are already detected as Vundo Trojan.
February 4th, 2009 at 08:54
Highly effective yes. But can this method really be used to generate a large number of victims before it is shut down. The fact that it requires physical interaction which reduces the anonymity of the perpetrator is also going to reduce the number of times we see this happening.
Perhaps a more effective and more profitable crime would be issuing fake parking tickets and then allowing people to pay them online at a reduced rate. Say $20. If people though they were saving $50 on a parking fine they will probably be less eager to question the ticket.
February 4th, 2009 at 14:34
[...] virus, identified as the Vundo Trojan virus was originally posted on McAfee’s Avert Labs Blog earlier this [...]
February 5th, 2009 at 08:15
[...] website was a malware drop. Lenny Zeltser (SANS Institute) explains how the scam worked. Later on, McAfee’s Avert Labs Blog identified the Trojan as [...]
February 5th, 2009 at 08:33
[...] for some, both the original file and the subsequent download were already identified on McAfee’s security software as [...]
February 5th, 2009 at 11:05
It’s pretty scary to see virus attacks moving from online to offline – however, it’ll be interesting to see if existing surveillance technology will therefore make tracking down perpetrators easier. After all, harder to work with anonymous proxies and zombie machines in the offline world – unless, of course, these people are being recruited by supposed “work from home” internet business schemes. 2c.
February 5th, 2009 at 15:29
[...] Computer Security Research – McAfee Avert Labs Blog [...]
March 8th, 2009 at 04:12
[...] Dit nepprogramma bleek een zogenaamde dropper, die nóg meer malware kan binnenloodsen. Ook McAfee maakt melding van de ‘parkeerboninfectie’. Autobezitters in Grand Forks, North Dakota zijn dus [...]