Can opening a file on a found USB stick lead to identity theft?
Monday, September 28th 2009 @ 12:00 AM
Background
My initial experiment continues with the purpose of measuring what percentage of people who pick up a found USB drive will put their computers at risk by trying to see what's on them. However, while I'm doing that, I can also test some other interesting scenarios.
Most of you know enough not to click on links in email spam by now. When you see a suspicious email message, you tend to disregard it, and any links in the message. Sometimes they look pretty real, but you may even know enough not to click on a link that looks like "www.paypa1.com" (where the letter "L" is replaced with the number "1", because they look similar, or identical, in some fonts).
But if an attacker just wants to get you to visit their infected or phishing/imposter website, they could use something like a Honey Stick with a website "redirect" that loads the web page as soon as you open a file. It just needs a file that refreshes itself to the attacker's URL when you open it, so you never type or see the address yourself.
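As an added example (not code from the original post), here is a small Python scanner a defender could run over files copied from a found drive before opening any of them. It looks for the kind of self-refreshing HTML the post describes, a `<meta http-equiv="refresh">` tag or an inline script that assigns `location`, and flags any target whose host is not on a trusted list. The sample documents, the `TRUSTED_HOSTS` value and the hostnames inside them are constructed for this example.

```python
"""Flag HTML files that auto-redirect to an external site.

Added example, not part of the original post. Assumes the files have already
been copied from the removable drive into an isolated analysis directory.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the organisation considers its own; anything else is "external".
# Constructed example value.
TRUSTED_HOSTS = {"intranet.example.test"}

# "0; url=http://..." inside a meta refresh content attribute.
META_REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.IGNORECASE)
# window.location = "..." / location.href = "..." in inline script (heuristic).
SCRIPT_REDIRECT = re.compile(
    r"(?:window\.|document\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]",
    re.IGNORECASE,
)


class RedirectFinder(HTMLParser):
    """Collect redirect targets from meta refresh tags and inline scripts."""

    def __init__(self):
        super().__init__()
        self.targets = []          # list of (kind, url)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_REFRESH_URL.search(a.get("content", ""))
            if m:
                self.targets.append(("meta-refresh", m.group(1)))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text.
        if self._in_script:
            for m in SCRIPT_REDIRECT.finditer(data):
                self.targets.append(("script", m.group(1)))


def find_redirects(html):
    """Return [(kind, url)] for every redirect found in an HTML string."""
    p = RedirectFinder()
    p.feed(html)
    p.close()
    return p.targets


def classify(html, trusted=TRUSTED_HOSTS):
    """Return [(kind, url, verdict)]; verdict is 'external', 'trusted' or 'local'."""
    out = []
    for kind, url in find_redirects(html):
        host = urlparse(url).hostname
        if host is None:
            verdict = "local"          # relative link, stays on the drive
        elif host.lower() in trusted:
            verdict = "trusted"
        else:
            verdict = "external"
        out.append((kind, url, verdict))
    return out


def scan_files(files, trusted=TRUSTED_HOSTS):
    """Map file name -> external redirect findings; files is {name: html_text}."""
    report = {}
    for name, html in files.items():
        hits = [f for f in classify(html, trusted) if f[2] == "external"]
        if hits:
            report[name] = hits
    return report


# Constructed sample documents standing in for files found on a drive.
SAMPLE_REDIRECT = ('<html><head><meta http-equiv="refresh" '
                   'content="0; URL=http://login.example-lookalike.test/index.html">'
                   '</head><body>Loading...</body></html>')
SAMPLE_LOCAL = ('<html><head><meta http-equiv="refresh" content="5; url=page2.html">'
                '</head><body></body></html>')
SAMPLE_SCRIPT = ('<html><body><script>window.location.href = '
                 '"https://intranet.example.test/home";</script></body></html>')
SAMPLE_CLEAN = '<html><body><p>Quarterly report</p></body></html>'

if __name__ == "__main__":
    samples = {"readme.html": SAMPLE_REDIRECT, "page1.html": SAMPLE_LOCAL,
               "portal.html": SAMPLE_SCRIPT, "report.html": SAMPLE_CLEAN}
    for name, hits in scan_files(samples).items():
        for kind, url, _ in hits:
            print(f"{name}: {kind} -> {url}  [EXTERNAL]")
```

Only `readme.html` is reported: the relative refresh and the redirect to the trusted host are left alone, so the output points the analyst straight at the file that would have silently sent a curious user off the drive and onto an unknown site. A real deployment would read the files with `pathlib` and pass their text to `scan_files`.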
Trying to Measure Susceptibility of the Public
In the latest version of the Honey Sticks I deploy, I take the user to a fake web site - one they've never seen before - when they open one of the files. They have no reason to trust this site. They should just abandon it. But what they see is a "Login Page" with the user name and password fields pre-filled. The password is even "starred" out so it looks like it's been entered into a real password field for the website. Then there's a "Login" button and a "Forgot my password" link. It all looks real, but just takes you to another page with no real information on it, if you click either of these links.
What's the point of this? Just to demonstrate that our curiosity can get the better of us - even when we know we might be putting ourselves at risk.
Note that I don't collect any personal information or ask for anything to be filled in. It's already filled into the user name and password fields! All I want to know is if people will click on the "Login" button or "Forgot my password" links to satisfy their curiosity. With every click on this unknown website, the user is risking having malware downloaded. Of course, I don't use any software for this experiment on the Honey Sticks or on the website - just basic HTML. Nothing else. It's all safe for anyone who visits. I just get a chance to test decisions anonymously.
Interesting Results
So, what's the result? Of the first two devices I deployed in Ottawa that redirect to this website, both were used. Firstly, that raises the percentage of people I've measured making risky decisions to something higher still than the 65% I had previously measured. But in both cases, once the user saw that the password was already pre-filled, they chose to try to log in, to see what was inside the password-protected website.
What You Should Do to Avoid Being a Victim
So, please use this example as a lesson that you could be putting your computer and network at risk - or you could be taken to what looks like a real shopping site that has "fantastic deals" where you might be tempted to enter personal information like a credit card number. Because you didn't actually enter the URL - the file on the device did - you may not realize it's not the real, trusted site. This is just one way you can be putting yourself at risk from using unauthorized devices.
NOTE: The same thing can happen if you follow links to unknown sites from a simple Google search. You can check out sites using the McAfee SiteAdvisor or Google SafeBrowsing plugins for your browser, to check the reputation of a website before you go there.
Is your security awareness training just a set of old PowerPoint slides that you pull out once a year and present at an all-hands meeting? You can now provide much more effective security awareness training for your staff, for much less cost than you think. Contact me if you'd like to discuss how you can create a culture of security through a variety of live programs, and modern e-Learning techniques.
Scott Wright
The Streetwise Security Coach
Join the Streetwise Security Zone at: http://www.streetwise-security-zone.com/join.html
Phone: 1-613-693-0997 Email: scott@streetwise-security-zone.com Twitter ID: http://www.twitter.com/streetsec
To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.