Why do people fall for Trojans?

Why do people fall for Trojans?

Summary: Out in the physical world, crime happens every day. People get robbed and have their pockets picked, and no one blames the victim. So why do the rules change when nontechnical PC users fall for a Trojan online?

SHARE:

The story of the Trojan Horse is one of the most enduring in human history. The original events took place thousands of years ago, and yet here in the 21st Century even little children know this classic tale. The Greeks built a giant wooden horse and filled it with the Bronze Age equivalent of Navy SEALs, and then fooled the Trojans into wheeling the gift horse inside their gates. After dark, the hidden army emerged and Troy was sacked.

Why has this tale been passed down for so many generations? Because it describes one of the core truths of human behavior: The world has never been short of liars and thieves, and they do their best to live undetected among honest people.

People get ripped off in the physical world all the time. You can get mugged on the street or have your pocket picked in the subway in any big city, anywhere in the world. If one of those unfortunate things happens to you, no one will tell you it’s your own damn fault.

And yet I hear that response regularly when people get fooled online by 21st Century Trojans. Anyone who would fall for that is lazy and stupid. They lack common sense. They should have their computing license revoked until they can pass an IQ test.

Here’s the trouble with that line of thinking. Modern computing is complicated. Even seemingly straightforward acts of online commerce involve many steps, with many trust decisions along the way. I thought about that today when I purchased and downloaded a new software package online.

What was remarkable about this process for me was how closely it paralleled the experience I’ve seen with malware in the wild every day.

The bad guys have done a thorough job of replicating this intricate experience, with the explicit goal of making a dishonest product look legit. That’s why they call the end product a Trojan.

Here, let me walk you through the process I went through today with a legitimate vendor and point out all the places where I had to call on my technical experience to make a decision.

I learned about the sale via social media.

That’s right, I clicked a shortened ow.ly link that I found on Twitter, from someone I sorta know and kinda trust. (I could just as easily have gotten the link from an e-mail or from an ad on a web page.) That tweet alerted me to a one-day sale by Adobe, which was offering the full version of Photoshop Lightroom 3 for $149, or half off the normal price.

The full link resolved to a long and very complicated URL that was more than 100 characters long. Here’s all I could see in the Chrome address bar.

When I did some comparison shopping using search engines to determine whether this was a good deal, I was exposed to all sorts of ads that ostensibly led to irresistible deals. In most cases, the link for the ad was heavily obscured, with hundreds and hundreds of characters. Clicking those links invariably redirected me between sites using scripts that ran faster than my eye could see.

Evaluating any of those URLs takes at least intermediate technical skill. Normal human beings aren’t trained to do that reliably. And that was just the start. See page 2 for the long list of decisions I still had to make.

Update: In the Talkback section, tdogg219 offers an excellent example of why URLs are so difficult to decipher:

Take a look at the link from Ed's images:

https: //store1.adobe.com/cfusion/...

The initial "store1" portion of it would tweak my interest as possible bad, but it's legitimate. suppose that the link was:

https: //store.adobe1.com/cfusion/...

Change one character and this is now a non-legitimate url. How on EARTH would you expect your mother/grandmother, etc. to notice this subtle change... This is why social engineering works and was the point behind the article. It is time to blame the criminals and look to a more comprehensive solution rather than assuming that everyone that falls prey is an idiot. My 2 cents.

I believe that was worth much more than 2 cents. Thanks, - Ed

Page 2: Can you tell real from fake? -->

<-- Previous page

The landing page had product logos and box shots and a convenient order form.

This part of any scam is incredibly easy to fake. Many sites that sell counterfeit or diverted software simply copy the original vendor’s web page—lock, stock, and JPEG. Look at the fake pages that I posted recently for Trojans masquerading as Google Chrome, Firefox, and Adobe Flash Player. They were pretty convincing.

When I did comparison shopping using search ads and web-based services, I found some legitimate sites and some that were borderline scams. Several legit sites were downright ugly, and telling the difference was not always easy.

The order page was encrypted.

However, the only indication that the site was encrypted was the https in the address bar and a tiny padlock icon—gray in Internet Explorer 9, pale green in Google Chrome.

Although it’s possible to train a normal user to check certificates, it’s a hard concept to explain properly. Nontechnical users can easily be fooled by logos and big padlock graphics that promise security.

I had to click a download link to get my product.

Just like I would at a fake site.

When I tried to download the file, Google Chrome told me this type of file could harm my computer.

Oh dear. Why am I seeing this? I am 100% certain that I just purchased this product from Adobe. And yet Google wants me to be suspicious.

This is nearly an exact copy of the message I saw earlier today when I downloaded a Trojan that had very cleverly disguised itself as the latest version of Adobe Flash Player.

Why is the legitimate download from Adobe’s servers being flagged? What makes it different from the malware? Again, the average civilian using a PC or Mac has no way of making the correct trust decision based on the information shown here.

Installing the product required clicking yes to a series of consent boxes and license agreements.

By the time the average person gets to this point, where they’ve downloaded the software and clicked the Install button, it’s game over. If you believe the software you downloaded is valuable and legitimate, you are going to blow right through normal consent dialog boxes, which are pretty standard stuff. That’s true on a PC or a Mac.

The main difference on Windows occurs if you're installing an executable program that isn't digitally signed, which is the case with most malware. Like this:

Here, for contrast, is a signed installer. The color of the shield icon on the bottom is different, but to a nontechnical user it's just so much blah-blah-blah.

The first one just says the publisher can't be verified. The second one says this type of file "can potentially harm" my computer. it's not reasonable to expect a nontechnical PC user to understand the distinction between various prompts without training and regular reinforcement.

Yes, the people who visit tech sites like ZDNet and know how to field-strip a PC can spot the tiny signals that identify a fake site. But mere mortals can’t.

In other words, a reasonably determined crook with average social engineering can fool enough people, enough of the time, to make a lucrative dishonest living.

So what’s the solution?

More information, gathered from sources that can’t be easily faked, about software and its makers, presented in such a way that a nontechnical user is more likely to make the right decision.

That’s not a pipe dream. In fact, browser makers and some security software developers already have many of the elements in place to help normal people make better trust decisions.

I’ll discuss that in more detail in my next post.

Related posts:

Topics: Hardware, Browser, Enterprise Software, Malware, Security, Software

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

178 comments
Log in or register to join the discussion
  • RE: Why do people fall for Trojans?

    Great piece! I will be fun to see how the Ed Bott haters twist this one around.
    Bill4
    • RE: Why do people fall for Trojans?

      @Bill4 I'm normally one of the first to question Ed's conclusions or logic, especially regarding his opinions on things Apple. However, this piece is well thought out and logical, focusing on the underlying social engineering issue of phishing and trojans rather than his occasional chicken little Apple piece.
      Taking issue with a writer's, especially a tech writer, isn't flaming, it's engagement in conversation, debate. I never engage in ad hominem attack. I respect Ed as an experienced writer and informed tech person. That doesn't mean we have to agree on all things. It does mean that the conversation remain civil and respectful.
      dheady@...
      • RE: Why do people fall for Trojans?

        @dheady@... Samsung Galaxy Tab - Germany. Four words that should clarify that praising Apple is as foolish as condemning it.
        RyuDarragh
      • RE: Why do people fall for Trojans?

        @dheady@...

        I agree. Trojans can dupe any user on any operating system and, if they're updated enough to keep ahead of antivirus software and OS updates, they are almost impossible to beat via technical means. Knowledge is the only real defense.
        HappyXWindowsUser
    • RE: Why do people fall for Trojans?

      @Bill4 I'm not an Ed hater, but I don't agree with him. Comparing downloading a Trojan to getting mugged is not a good comparison.

      Comparing downloading a Trojan to playing a street-side Shell Game is...it is all about choice. Those who get scammed choose to do so.
      keitha73-23430377852780425463534611145075
      • Message has been deleted.

        i8thecat3
      • RE: Why do people fall for Trojans?

        @keitha73

        I quote: "Those who get scammed choose to do so."

        Leads me to believe you have missed the point of the article.

        Getting scammed isn't a choice, people get tricked; and Ed has just pointed out some of the ways that can happen.
        Just J-22513639993676671791495310609907
      • RE: Why do people fall for Trojans?

        @keitha73 ... No, they do not "choose to do so". They are simply newbies most of the time and those who are not yet aware of the dangers of the 'net (education).

        It's too bad you have to little empathy and no memory of your early days nor when youe ego burst.
        tom@...
    • Good article

      One thing that might significantly reduce the risks would be the repositories idea used in Gnu&Linux. That and the "Package Manager" idea. Some software never makes it into the repos and so is not available through the package manager which instantly creates questions as to how viable the software is.

      For odd little apps or games it would make some sense but i would be wary. For something like Flash Player or FireFox i would be extremely suspicious if told to install from some random site even if it appeared to look like the right website.

      Regards from
      Tom :)
      Tom6
      • RE: Why do people fall for Trojans?

        @Tom6
        Yes; I agree that is one way!

        @i8thecatIII:
        "Stupid people" and "bad part of town": I know of a few people who were mugged outside a police station! Just for your edification!!!
        eargasm
    • RE: Why do people fall for Trojans?

      @Bill4 While I understand that techies may wonder "Why do people fall for Trojans?" and the like, the rest of us are wondering, "Why can't Adobe, Macromedia and all the rest design software that does not interrupt me with so many demands for upgrades that I constantly have to choose between accepting upgrades that I don't really trust, and getting slowed down by the constant pinging requests?" Also, why would anyone think that problem (which as far as I can see is close to a root problem) is limited to one operating system?
      Ruthanne Williams Roussel
      • RE: Why do people fall for Trojans?

        @Ruthanne Williams Roussel

        mostly because that one operating system is the dominant one.

        Apple users, though their numbers are growing, are still a minority

        users of something other than Windows or Mac OSX are generally more technical users to begin with
        erik.soderquist
    • RE: Why do people fall for Trojans?

      @Bill4 Good indeed. Thanks Ed.
      SinfoCOMAR
    • cultural differences

      Hi <img border="0" src="http://www.cnet.com/i/mb/emoticons/happy.gif" alt="happy"><br>Actually in my culture if someone did get mugged we do tend to blame them for "flashing their cash". <br><br>If someone new appears and seems unaware of "being flashy" then people usually warn them or show them little tricks to avoid it. <br><br>If they continue to wear cameras around their necks or some similar stupidity then they are considered a fool and therefore fair game. <br><br>Regards from<br>Tom <img border="0" src="http://www.cnet.com/i/mb/emoticons/happy.gif" alt="happy">
      Tom6
      • RE: Why do people fall for Trojans?

        @Tom6 - So what you're saying is that just because a tourist has a camera around their neck and they keep it out so they can take photos more easily, they DESERVE to be mugged?

        I'm glad I don't live where you do, if I saw someone trying to rip off a tourist, I'd make sure that the criminal got a butt load of hurt (as an object lesson of course) *and* the tourist would get their stuff back.
        PollyProteus
    • Its a new world, for a long time now.

      Why do people fall for Trojans. Good question and easy answer.

      Greed combined with just the requisite blend of stupidity.

      I agree and totally understand what Ed's point is here, that the uneducated who casually walk into any scenario they don't understand or suspect, there is no simple or easy way for them to become aware that they are on the ?event horizon? of the whirlpool in the toilet bowl and if they dint back out quick they will go down the drain with the rest of the waste before they know what hit them.

      It?s a fact, and one thats relatively easily avoided, but not without some genuine education. I would have berated Ed a little about the fact that he would have done a far greater community service by posting a strongly worded EDucational post about how to avoid this kind of problem instead of an explanation as to the how?s and why?s people get sucked down this drain, but as Ed is posting on ZDNet, I seriously expect he is working from the premise that most ZDNet readers know the simple basics of how to avoid this mess, but in fact most ZDNet readers are probably at a loss as to how so many people get sucked into this Trojan nonsense. Because it is nonsense.

      In the final analysis, what we really really need is some media outlets out there, like popular television magazine programs, some newspapers and whatever other media outlets that have a broad viewership or readership to get the message out there. I work in a professional field where the issue of internet scams raises its ugly head from time to time, and I am almost left breathless and ashamed that so many people in the human race in this day and age can allow themselves to be sucked into this crap. I have seen evidence, as an absolute fact that even the victims of these schemes can become criminals almost without their own knowledge because they allow sheer stupidity and greed to suck them into an activity which has criminal ramifications.

      All we need is for someone, somewhere with a very loud voice to get the message out there far above and beyond the halfassed way we have been doing things up to now. And the message is "if it?s too good to be true it?s not true, nobody does something for nothing, buyer beware, and finally; someone who has a legitimate deal to offer you will try to make the deal with you as quick, easy and painless as possible, they will NEVER EVER steer you through a complex maze you can get lost in because it interferes with their ability to close the good deal and make their legitimate money".

      Someone who has a loud voice needs to tell the world, WAKE UP. Why would someone want you to take money from their hands for no rational reason. Why would you not at least USE the internet to investigate questionable matters when you are already on the computer getting the questionable offer or message??

      People do love to believe they have found the fountain of youth or discovered the road to easy riches, yet they seem to all too quickly forget that if that discovery is coming by way of internet, its absolutely incomprehensible to understand how YOU got this special deal or info when multiple hundreds of millions around the world didn?t?

      We do live in a new world, but it?s a new world that?s been around for a fairly long time now and quite frankly, its time someone woke the sleepy human race up to the very very simple realities of internet security, but so far nobody seems too interested in actually saying it in the very very strong language that?s needed to get through the common mans head.
      Cayble
      • RE: Why do people fall for Trojans?

        @Cayble "Greed combined with just the requisite blend of stupidity."

        Not stupidity, but ignorance. There is a difference.

        As Ed pointed out, the way information is displayed makes it difficult for the non-technical person to make correct trust decisions.

        What if you don't know that a part of town might be bad, or even moderately bad? Do you know everything about your car to prevent you from being scammed from the unscrupulous mechanic, or do you trust them to give you good advice?

        The type of scams on the Internet is evolving and makes it hard for the non-techies to evolve with it while living there lives doing the stuff that they are supposed to.
        pazmanpro
      • Yes, perhaps worded a bit too strong...

        @pazmanpro
        Agreed that its ignorance more often then stupidity. I actually allude to that fact in my post as I said what we need is some very strongly worded education out there about internet security. Obviously education often has little to no impact on those who insist on being stupid, so yes, I agree that ignorance is the correct word in the vast majority of cases.

        Its a classic case I guess of when you know the warning signs like the back of your hand it simply appears to be stupid that so many would get caught up in as many of these Trojan scams as they do.

        And admittedly, some of the tricker methods used can be fairly convincing. Its those who decide to take a trip to what appears to be a very sketchy corner of the internet to save a couple bucks on a bit of software, or think its common place for some program to jump on your hard drive all on its own and analyze it for viruses. Sometimes it just seems that people should be considering if there is something that may not be quite right.
        Cayble
  • RE: Why do people fall for Trojans?

    @Nate_K But you also have to know WHAT to look for, and it ISN'T obvious. The language and icons are NOT well chosen (and to be charitable these messages aren't easy to phrase - but I'm sure we can do better than this).

    If you don't "live and breath" computers (and you USE a computer FOR your actual passion/job) then why would you notice the colour of the shield. I mean who the heck thought a shield was a good icon (after wouldn't the presence of a shield suggest some kind of protection rather than risk?!). Why not a face? Happy meaning everything looks fine, scared meaning this looks very worrying, and pensive meaning this might be a problem. This would be FAR easier to understand.

    This isn't a question of "IQ", this is knowing what to look for and the clues being too subtle, and ambiguous.

    Blaming users IS the wrong approach most of the time (now sure, you go download some pirated software you really are to blame when you get yourself infected).
    Jeremy-UK
    • RE: Why do people fall for Trojans?

      @Jeremy-UK I wholeheartedly agree!!! 8;)
      arthur_rogers90@...