
Curiosity not only kills the cat, it gets your network pwned

Anup Ghosh: We need to protect the network from the user and the user from him or herself. Take security decisions out of the hands of the user, make their mistakes irrelevant to your overall security footing.
Written by Ryan Naraine, Contributor

Guest editorial by Anup Ghosh

To quote the brilliant comedian Peter Cook, “Mawwiage…mawwiage is what bwings us togetha today.”  Unfortunately, for the security of your network, this particular wedding is not a joyous event.

You might not be aware that Prince William has announced plans to wed his long-time girlfriend, Kate Middleton. However, your users are in the know and many have likely been searching for the latest Kate news or pictures. Some want to get an early glimpse of her wedding dress, others might be more interested in her swimsuit preferences…either way, they are putting your network at risk. As was the case with another famous fairytale wedding, this one involves getting your users to take a bite from the poisoned apple.

Your adversaries are preying on the curiosity of your users, counting on the fact that your defenses are outdated, and using Blackhat SEO techniques in order to pwn your network. Welcome to the age of poisoned SEO, headline malware and the plague of Fake A/V -- feel free to replace Kate Middleton with any other trending news -- the results will be the same.

What is Fake A/V and Why Should I Care?

Fake A/V is a class of malware that claims to provide malware protection. Unlike malware that arrives through an exploit, it does not need a vulnerability on the user’s system to spread: it just needs to be scary enough to get the user to click a button (OK or Cancel both work, in case you thought users were making poor decisions). It relies on panic to get the user to run the software.

As with most malware today, it doesn’t try to break down the castle walls, it asks the user to lower the bridge. A dialog box displaying a warning that the system is infected is often enough to get users to act – they click on the box which in turn downloads and runs the malware. Imagine for a moment how many of your users might fall victim to this scheme.

BlackHat SEO Techniques Put Fake A/V Sites On Top

Fake A/V has been particularly effective in combining with BlackHat SEO techniques to target users searching on trending keywords. BlackHat SEOs take advantage of headline events to propagate what some are calling “headline malware.” Events such as the Royal Wedding, the Brett Favre scandal, the Gulf oil spill, etc. are used to push their Fake A/V image links and domains near the top of the search results, which drives curious users to the malicious sites and turns searches into infections. As the user is often both the first line of defense and the weakest link in your network security, the adversaries simply prey on users’ fear and desire, using search engine optimization to serve up their poisoned apples.
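The chain just described (a search-engine result, a landing page, then an executable download a few seconds later) is visible in ordinary web-proxy logs even when the site itself is too new for any blocklist. The following is an added example, not code from the editorial or from Invincea: it flags that chain over a few constructed log lines. The log layout, host names, time window and vendor allowlist are assumptions for illustration.

```python
"""Added example (not part of the editorial): flag the search-result ->
landing page -> executable download chain that headline-malware / Fake A/V
campaigns leave in web-proxy logs. Log format, hosts and timings below are
constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log. Assumed layout (one request per line):
# "<ISO timestamp> <client ip> <method> <url> <referrer>"
SAMPLE_LOG = """\
2010-11-17T09:14:02 10.0.0.5 GET http://news.example.org/royal-wedding http://www.google.com/search?q=kate+middleton+wedding
2010-11-17T09:14:03 10.0.0.5 GET http://news.example.org/style.css http://news.example.org/royal-wedding
2010-11-17T09:21:40 10.0.0.7 GET http://pics-kate-middleton.example.net/gallery.php http://www.google.com/search?q=kate+middleton+pictures
2010-11-17T09:21:41 10.0.0.7 GET http://scan-alert-pc.example.net/scan.php http://pics-kate-middleton.example.net/gallery.php
2010-11-17T09:21:55 10.0.0.7 GET http://scan-alert-pc.example.net/install/SecurityTool.exe http://scan-alert-pc.example.net/scan.php
2010-11-17T10:02:10 10.0.0.9 GET http://vendor.example.com/downloads/update.exe http://vendor.example.com/downloads/
"""

# Referrer hosts that mean "the user got here from a search result" (assumed list).
SEARCH_ENGINES = {"www.google.com", "www.bing.com", "search.yahoo.com"}
# Hosts your organisation legitimately downloads executables from (assumed allowlist).
TRUSTED_DOWNLOAD_HOSTS = {"vendor.example.com"}
# File extensions treated as "ran something" for this heuristic.
EXECUTABLE_RE = re.compile(r"\.(exe|scr|msi|com|bat)$", re.IGNORECASE)
# How long after the search-referred landing a download still counts as part of the chain.
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Split one log line into a dict; referrer is the 5th field (may contain '?')."""
    ts, client, method, url, referrer = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "url": url, "referrer": referrer}


def host(url):
    return urlparse(url).netloc.lower()


def find_fakeav_chains(log_text, window=WINDOW):
    """Return (client, search referrer, executable url) for every client that
    lands on a page from a search result and then fetches an executable from a
    non-allowlisted host within `window`."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_client[event["client"]].append(event)

    hits = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        for i, landing in enumerate(events):
            if host(landing["referrer"]) not in SEARCH_ENGINES:
                continue  # not a search-result click, not the start of a chain
            for later in events[i + 1:]:
                if later["ts"] - landing["ts"] > window:
                    break  # events are time-sorted; nothing later can qualify
                if (EXECUTABLE_RE.search(urlparse(later["url"]).path)
                        and host(later["url"]) not in TRUSTED_DOWNLOAD_HOSTS):
                    hits.append((client, landing["referrer"], later["url"]))
                    break  # one alert per landing is enough
    return hits


if __name__ == "__main__":
    for client, referrer, exe in find_fakeav_chains(SAMPLE_LOG):
        print(f"{client}: search {referrer} -> executable {exe}")
```

Only 10.0.0.7 is flagged: the news reader on 10.0.0.5 never downloads an executable, and the vendor update on 10.0.0.9 is both allowlisted and not search-referred. The rule keys on behaviour rather than on a site's reputation, which is exactly what a signature or URL blocklist lacks for a domain registered that morning; it is a complement to, not a substitute for, the isolation approach the editorial argues for, and the window and allowlist need tuning against your own traffic before it is worth paging anyone on.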

The Takeaway

Fake A/V is growing increasingly pervasive because of its use of BlackHat SEO and PT Barnum’s old saw — “There’s a sucker born every minute.” That sucker (er, umm, user) is unwittingly infecting your network. Because Fake A/V uses effective social engineering to get users to click through dialog boxes and run software from the browser, even fully patched systems won’t defend against this threat. The current emphasis on patching and compliance is important, but it does not address the threat that users pose to themselves and to the network, which is precisely the threat many of today’s malware writers are targeting.

If you are counting on your users to make good security decisions— forget about it. If you are counting on Google or your Web gateway to catch current day infections or infectious sites, forget about it -- they can’t keep up with the rapid pace of malware evolution.

We should all know what to do –  stop trusting the user to make good security decisions. They aren’t security professionals – and despite our annual or semi-annual attempts at training them – they never will be. Given the sophistication, sheer volume and rapid evolution of malware, user training is not a realistic solution to keeping malware at bay. We need to introduce and embrace innovative new solutions – a new defense in depth –  that starts with a better model for protecting the user. We need to protect the network from the user and the user from him or herself. Take security decisions out of the hands of the user…make their mistakes irrelevant to your overall security footing.

Give them free rein over the Internet to support their business objectives without fear of what they do leading to your network being pwned.

* Anup Ghosh is founder and chief scientist at Invincea, Inc. He is also research professor and chief scientist in the Center for Secure Information Systems (CSIS) at George Mason University. In his career, he has served as principal investigator on contracts from DARPA, NSA, and NIST's Advanced Technology Program.
