IE 11 is not supported. For an optimal experience visit our site on another browser.

How Hackers Use Trending Topics Against You

As July makes its way into August, the 2012 Summer Olympics in London will spend a couple of weeks at center stage. Much of the live action will happen as Americans are at work, and millions of fans will be following the Games online.
/ Source: SecurityNewsDaily

As July makes its way into August, the 2012 Summer Olympics in London will spend a couple of weeks at center stage. Much of the live action will happen as Americans are at work, and millions of fans will be following the Games online.

A recent survey by SpectorSoft Corporation of Vero Beach, Fla., a maker of computer and mobile-device monitoring and recording software, found that 40 percent of employees plan to follow the Olympics from their workplace computers. Plenty more will be checking out the results on whatever Internet-connected device they have handy.

Needless to say, the Olympics will be a huge Web event. And that means while athletes are competing for gold, cybercriminals will also be hard at work, using social engineering to spread spam and malware.

Follow the crowd

Big events like the Olympics, presidential elections and the NCAA basketball championships are prime time for cybercriminals because of the scope of interest, drawing the attention of even people who are only casual observers of sports or politics.

But these events only happen periodically, and we know the bad guys don't take a year, or four, off. Instead, online criminals depend on current events and trending topics in order to develop the next wave of social-engineered attacks.

"In the past, we have seen [criminals] leverage the death of a celebrity or a popular event like Black Friday to send phishing emails on that topic, or use black-hat SEO [search engine optimization] techniques and even purchase keywords so their malicious site appears high on search results," explained Brendan Ziolo, VP of marketing at Kindsight, a digital-security company based in Mountain View, Calif.

"Because the user is anxious to see this news or get the latest specials," Ziolo said, "they click on the links without thinking and become infected."

[ 10 Tips for Staying Safe on Twitter ]

Big investment

You would think that after a while, we would become a lot more immune to, or at least more aware of, social-engineered attacks, but the opposite appears to be true.

According to Ziolo and Kindsight's Q2 Malware Report, email that drives users to a malicious website, which then infects visitors with malware via a drive-by download, was the most common attack method in April, May and June of this year.

"The main infection method continues to be email messages luring victims to websites running a variety of exploit kits," Ziolo said. "The victim would typically receive an email message from a business or the government informing them of an issue with their account. This would contain a reasonable-looking link to a website.

"The website would actually host an exploit kit such as Blackhole. This would probe their system and attempt to infect it," Ziolo said.

The use of trending topics to socially engineer an attack needs be successful from the criminal's point of view.

Social-engineering tricks require a lot of time and effort, said Costin Raiu, director of global research and analysis at Kaspersky Lab in Moscow.

"What is standard at the moment is this," Raiu said. "We have automatic bots that scan sites such as Google Trends, Google News and Twitter trends, looking for the topics people like to talk about. Then the bad guys will generate Web pages on the fly on those particular topics and add exploit code into the pages."

Search engine optimization — the use of key words and phrases — are used on the sites to push them to the top of a search.

"They are always using the freshest news," Raiu added, echoing Ziolo's point on the overall effectiveness of this type of attack.

Hook, line and sinker

In addition to Web searches to lure victims, cybercriminals turn to spear phishing — baiting using individually targeted emails.

Spear phishing is almost a personalized trending-topic attack. The bad guys research information about you online and then tailor the email to suit your personal interests.

Even security experts aren't exempt from being targeted by well-done fake emails or websites. Raiu said he received a spear-phishing mail based on his travel plans.

"I got an email that said, ‘Here is the boarding pass for your upcoming flight to print out.' I was micro-seconds away from mindlessly clicking on that link until I realized that I hadn't checked in," he said. "So I looked for a few more details in the email and noticed it didn't mention the flight or the airline." 

The timing, Raiu added, was an interesting coincidence and very good work by the cybercriminals to target him as he was traveling.

Know your enemy

So what are the bad guys looking for?

"They want data and intellectual property," said Scott Greaux, product manager at PhishMe, a Chantilly, Va.-based software company which has developed a spear-phishing-awareness tool.

"Many attacks are initiated by state-sponsored organizations who wish to make products better, faster and cheaper," Greaux said. "They have found that stealing intellectual property and improving on others' work is much cheaper than investing in R&D."

Raiu added that attackers are also looking for financial gain, sometimes looking specifically for financial data but also creating malware that sets up click fraud in pay-per-click advertising setups.

Sadly, it is often difficult for the average user to know whether he or she is clicking on a socially-engineered site until it is too late.

"Google is getting much better at finding fraud," Raiu said.

But the better bet is to avoid clicking on lesser-known sites when possible, and to not click on the links in an email.

During an event like the Olympics, many media websites will post an article or a reminder about social-engineering scams and to be safe. It is advice that should be used all the time.

After all, the bad guys aren't going to spend the next four years training for the next Olympics. They'll be back at work the next day, exploiting the latest tragedy or celebrity event.