McAfee exposes the psychology used by online criminals

July 25, 2007

Cybercriminals are employing ever more cunning techniques such as assuming trustworthy identities, engaging in friendly banter and targeting human emotions such as fear, insecurity and greed. The study reveals how cybercriminals are increasingly combining stealth code with calculating mind games to manipulate our behavior and persuade us to open attachments, click on a link or enter personal information so they can pickpocket our personal information and online bank accounts. 1

Indeed, in the past few weeks there has been an influx of malware trying to lure users into clicking on file attachments or filling out personal information by enticing them with hot topics such as Harry Potter, the Apple iPhone, and The Simpsons Movie. Posing as employers on online recruitment sites and contacting job seekers to request additional personal information has also been a popular technique in the past.

The study describes a case in which e-mails were sent to thousands of inboxes around the world with the subject line "legal action against you". In flawless legalese, the message warned recipients that they had recently sent an unsolicited fax to the sender's office. Citing US civil code, its prohibition on sending junk faxes and an actual $11 million settlement by restaurant chain Hooters, the missive threatened a lawsuit over the alleged junk fax. "If you don't pay me $500 by the deadline for payment, I intend to sue you for violating the Telephone Consumer Protection Act," it reads. "If you force me to sue, I will not settle for less than $1,000." Details of the alleged lawsuit were said to be contained in the email's attached document. The attachment – labeled lawsuit.exe – contained a new variant of a computer worm. 2

The latest target for identity thieves? Social networking sites such as Facebook and MySpace. With all of the personal information that they provide, these sites can make spear phishing attempts all the easier. Even information that might seem benign may be useful to a criminal. For example, these sites often reveal the names of family members and pets - names which are often chosen by people as their passwords.

In fact, a recent study has shown that 41 percent of Facebook users reveal sensitive personal data to a stranger. Of those who responded, 84 percent listed their full date of birth, 78 percent named their current address, and 72 percent revealed one or more of their email addresses.

A copy of the report from McAfee titled "Mind Games Report: How cybercriminals are exploiting psychological vulnerabilities to gain your money and information" can be downloaded here. Alternatively, you can download it directly from McAfee's web site; however, at the time of writing it will ask you to register an account.

If you wish to test your skills at identifying phishing attempts, McAfee has set up a phishing quiz in which you get to point out the fake web sites from the authentic ones. Although some of the attempts are easy to point out (Hint: check the URL), it shows the level of sophistication that these attempts are achieving.

1. "McAfee Inc. exposes the psychological warfare used by cybercriminals", AME Info, Jun. 26, 2007

2. "Mind Games Report: How cybercriminals are exploiting psychological vulnerabilities to gain your money and information", McAfee Avert Labs Technical White Papers, McAfee, Jun. 2007, p.3