The story of the Trojan Horse is one of the most enduring in human history. The original events took place thousands of years ago, and yet here in the 21st Century even little children know this classic tale. The Greeks built a giant wooden horse and filled it with the Bronze Age equivalent of Navy SEALs, and then fooled the Trojans into wheeling the gift horse inside their gates. After dark, the hidden army emerged and Troy was sacked.
Why has this tale been passed down for so many generations? Because it describes one of the core truths of human behavior: The world has never been short of liars and thieves, and they do their best to live undetected among honest people.
People get ripped off in the physical world all the time. You can get mugged on the street or have your pocket picked in the subway in any big city, anywhere in the world. If one of those unfortunate things happens to you, no one will tell you it’s your own damn fault.
And yet I hear that response regularly when people get fooled online by 21st Century Trojans. Anyone who would fall for that is lazy and stupid. They lack common sense. They should have their computing license revoked until they can pass an IQ test.
Here’s the trouble with that line of thinking. Modern computing is complicated. Even seemingly straightforward acts of online commerce involve many steps, with many trust decisions along the way. I thought about that today when I purchased and downloaded a new software package online.
What was remarkable about this process for me was how closely it paralleled the experience I’ve seen with malware in the wild every day.
The bad guys have done a thorough job of replicating this intricate experience, with the explicit goal of making a dishonest product look legit. That’s why they call the end product a Trojan.
Here, let me walk you through the process I went through today with a legitimate vendor and point out all the places where I had to call on my technical experience to make a decision.
I learned about the sale via social media.
That’s right, I clicked a shortened ow.ly link that I found on Twitter, from someone I sorta know and kinda trust. (I could just as easily have gotten the link from an e-mail or from an ad on a web page.) That tweet alerted me to a one-day sale by Adobe, which was offering the full version of Photoshop Lightroom 3 for $149, or half off the normal price.
The full link resolved to a long and very complicated URL that was more than 100 characters long. Here’s all I could see in the Chrome address bar.
When I did some comparison shopping using search engines to determine whether this was a good deal, I was exposed to all sorts of ads that ostensibly led to irresistible deals. In most cases, the link for the ad was heavily obscured, with hundreds and hundreds of characters. Clicking those links invariably redirected me between sites using scripts that ran faster than my eye could see.
Evaluating any of those URLs takes at least intermediate technical skill. Normal human beings aren’t trained to do that reliably. And that was just the start. See page 2 for the long list of decisions I still had to make.
Update: In the Talkback section, tdogg219 offers an excellent example of why URLs are so difficult to decipher:
Take a look at the link from Ed’s images:
https: //store1.adobe.com/cfusion/…
The initial “store1″ portion of it would tweak my interest as possible bad, but it’s legitimate. suppose that the link was:
https: //store.adobe1.com/cfusion/…
Change one character and this is now a non-legitimate url. How on EARTH would you expect your mother/grandmother, etc. to notice this subtle change… This is why social engineering works and was the point behind the article. It is time to blame the criminals and look to a more comprehensive solution rather than assuming that everyone that falls prey is an idiot. My 2 cents.
I believe that was worth much more than 2 cents. Thanks, - Ed
