MAY 9, 2014
Your regular source of security updates from TrendLabs℠
In This Issue

Security Spotlight
Notes from the (Russian) Underground

Security for Home Users
Taking the Bait: A Closer Look at Social Engineering

Security for Business
Virtual Patching: A Necessity amid Zero-Days



Security for Home Users

Taking the Bait: A Closer Look at Social Engineering


At first glance, the tax season and the recent Heartbleed vulnerability don’t seem to have anything in common. But past incidents prove otherwise, as they were both recently used as social engineering bait.

Social Engineering at a Glance

Social engineering is the act of tricking people into doing something they don’t want to do, like giving out confidential information. To perform acts of social engineering, cybercriminals use different topics as “lure” or “bait” to draw potential victims to their malicious schemes.

Two examples of such bait are the Heartbleed bug and the just-finished U.S./Canada tax season, which were recently used as spam subjects. The emails contained instructions for recipients to click embedded links or download attachments to address concerns related to the given topics: protecting their computers against the bug or filing their taxes. In these cases, though, following the instructions only led victims to suspicious sites or downloaded malware onto their computers.

Dangers Brought on by Social Engineering

What makes social engineering a true threat is the fact that it is difficult to spot a social engineering attack at first glance.

Cybercriminals will do and use anything just to lure potential victims in. No topic is too sacred or too trivial to serve as social engineering bait. We have seen schemes that used tragedies, celebrity deaths, and current events, all in order to gain as many victims as possible. Even worse, though, these schemes can pop up almost immediately, making it hard to differentiate what’s real from what’s not.

Identifying Red Flags

Cybercriminals view any online activity as an opportunity to get more victims. You can stay protected from social engineering schemes, though, by keeping these key safety practices in mind:

  • Scrutinize promos and deals. Cybercriminals often use sales and promos to “hook” victims. If offers sound too good to be true, they probably are.

  • Don’t rely on social media and emails for updates on current events. Visit reputable news sites to get accurate and safe updates. Even if you receive an email from a reputable news source, it’s still best to avoid clicking embedded links and instead directly visit your bookmarked sites.

  • Be wary of downloading email attachments, especially those from unknown or unverified sources. These can be malware in disguise.

Copyright ©2014 Trend Micro Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other company and/or product names may be trademarks or registered trademarks of their respective owners. The information contained in this document is subject to change without prior notice.

www.trendmicro.com