Wednesday, April 20, 2011

Fisher Capital Management Investment Solutions: Trusteer: User education can’t protect against social engineering

http://fishercapitalmanagementinvestment.com/2011/04/fisher-capital-management-investment-solutions-trusteer-user-education-can%E2%80%99t-protect-against-social-engineering/
Original article: http://www.thetechherald.com/article.php/201115/7066/Trusteer-User-education-can-t-protect-against-social-engineering
by Steve Ragan – Apr 15 2011, 03:40
An experiment by security firm Trusteer has shown that even the most educated user can be fooled by a Phishing attack. By using 100 well-informed participants on social/business portal LinkedIn, Trusteer sent out messages similar to the ones site users would see on a regular basis. Interestingly, almost 70 percent of the test group fell for the con.
Phishing attacks and other scams are constantly explained and cautioned against, and most security professionals can explain what to look for and how to avoid falling victim to these cons. Yet, there is always a victim. No matter how good the education, you can’t reach everyone… and, more worryingly, some will simply ignore the advice.
Trusteer, wanting to test the notion that education isn’t the total solution for avoiding Phishing and other scams (as well as looking to show how easy it is to fall victim), asked 100 people to take part in its experiment. All of them agreed. However, while they knew they would be part of a security test, none of them knew when the test would take place.
Trusteer created a new identity on the LinkedIn site and then used some basic data-mining techniques on the supposedly educated participants, its goal being to collect information on their connections along with any other personal information presented via the site.
Mickey Boodaei, Trusteer’s CEO explains: “We picked a population of 100 users – these are people we know – friends and family and estimated to be fairly educated about security…”
“Since LinkedIn sends an alert when one of your connections has a new job, we decided to use this update method to create a fraudulent email. For each one of our targets we crafted a fictitious new job alert,” he added. “We chose one of their LinkedIn connections, and announced that this person was now working for a company that directly competes with our victim’s company.”
The message came with a large linked button with which to view the friend’s new title, just as LinkedIn does on its regular communications. Included in the email was a photo of the friend alongside their name, again much as it appears on the proper site. By choosing to click the button, users were taken, not to LinkedIn, but to a dummy attack site.
“The website we used was innocuous, but it was a place holder for a potentially malicious website that places malware on the victim’s computer. We released this email to all 100 subjects on the same day – a Tuesday morning – and monitored who clicked the link and reached our landing page,” Boodaei said.
Within the first 24 hours, 41 participants had fallen for the scam. Within seven days, 68 people had clicked the button. If this had been a real attack, those numbers would have marked a high return on a criminal’s investment. In all, Trusteer spent about 17 hours on the study.
As for the other 32 people, Boodaei explained that, when approached: “Sixteen said they haven’t seen this email (it probably went into their spam folder). Seven said they usually don’t read LinkedIn updates. Nine said that the update was not interesting enough for them to click the link.”
The one thing we disagree with is the company’s statement issued at the end of the test, which says that the “solution to this problem must be based on technology and probably using more than one method.”
Technology, while helpful, will not prevent the problem of people falling prey to Phishing scams. Perhaps a better recommendation would have been to blend technology with basic education and awareness. Phishing scams work because they are able to bypass technology and take advantage of human nature.
As mentioned in the Trusteer write-up, the tools that organizations use to train their customers on Phishing scams are “not effective enough” to reach all of them, or convey the message in a way the majority will understand. Mixing education and technology might help, but technology alone will do no better than that which exists today.
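The article's suggestion to blend technology with education can be made concrete with a small mail-side check. The following Python is an added example, not code from the article, The Tech Herald or Trusteer. The e-mail it inspects is constructed, and example.com stands in for the portal the message claims to come from. The check flags any link whose registrable domain differs from the domain in the From header, which is the mismatch the experiment's button relied on: the message looked like the portal's own notification, but the link led somewhere else.

```python
"""Flag links in an HTML e-mail whose destination does not match the domain
the message claims to be sent from.

Added example (not from the article or Trusteer); the sample message below
is constructed for illustration.
"""
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: looks like a portal notification from example.com, but the
# prominent "View new title" button points at an unrelated host.
SAMPLE_EMAIL = """\
From: Portal Updates <updates@example.com>
To: someone@example.org
Subject: One of your connections has a new job
Content-Type: text/html; charset="utf-8"

<html><body>
<p>One of your connections now works at a new company.</p>
<p><a href="https://www.example.com/help">Help center</a></p>
<p><a href="https://example.com.landing.invalid/view?u=42">View new title</a></p>
<p><a href="mailto:updates@example.com">Contact us</a></p>
</body></html>
"""


class _LinkExtractor(HTMLParser):
    """Collect every href of every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def sender_domain(msg: Message) -> str:
    """Domain part of the From header (address inside <> if present)."""
    from_hdr = msg.get("From", "")
    addr = from_hdr.split("<")[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[-1].lower()


def registrable(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Deliberately naive: a production check would consult the public suffix
    list so that hosts under suffixes like co.uk are compared correctly.
    """
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def mismatched_links(raw_email: str) -> list:
    """Return (href, host) pairs whose host is not under the claimed sender domain."""
    msg = message_from_string(raw_email)
    claimed = registrable(sender_domain(msg))
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True)
        html = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        extractor = _LinkExtractor()
        extractor.feed(html)
        for href in extractor.links:
            host = urlparse(href).hostname
            if host is None:  # mailto:, tel:, relative links: nothing to compare
                continue
            if registrable(host) != claimed:
                findings.append((href, host))
    return findings


if __name__ == "__main__":
    for href, host in mismatched_links(SAMPLE_EMAIL):
        print(f"link to {host} does not match claimed sender: {href}")
```

On the constructed message this reports only the "View new title" link, since www.example.com shares the claimed registrable domain and the mailto: link has no host. The From header is itself forgeable, so a check like this belongs alongside sender authentication (SPF, DKIM, DMARC) rather than in place of it, and the two-label domain approximation should be replaced by a public suffix list lookup before relying on it.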
The test performed by Trusteer is an interesting one. It would be nice to see a similar test where the participants are told it is a Phishing attack beforehand. Likewise, it would be interesting to see the test done to scale, where several hundred if not thousands of participants are targeted.
It’s frustrating to see people fall for basic Phishing scams, and it’s painful when major companies like RSA are victimized by them. However, there is no single answer when it comes to protecting against or preventing tricks against the human mind. The person who finally solves that riddle will be able to demand any ransom they want for the answer.
