When all else fails, try honesty. That seems to be the philosophy behind a new malicious e-mail campaign reported by antivirus company Avira. It includes an attached file with explicit instructions for recipients to infect their own computers.
According to the Avira blog post by Lyle Frink, following the directions installs a banking Trojan that steals credentials and financial information. “They really want to be sure that the user ‘properly’ gets infected,” malware analyst Oscar Anduiza is quoted as saying. “These directions are pretty much exactly 180 degrees off from what computer users should actually do.”
This idea is crazy, right? So crazy it just might work.
The files are in German and the campaign was identified in Germany, but Avira believes it probably is being distributed in other languages as well. Recipients are told to agree to everything, clicking “agree” and “run” at every option. If Windows warns you of the danger, click “Download anyway.” To ensure proper infection, you should disable or antivirus and firewall.
What makes the perpetrators think something like this would work? Well, what have they got to lose? All phishing and social engineering is a gamble. It’s like dating: You are likely to get a lot of rejections before someone says “yes.” Some guys work at selecting the right girl to approach in an effort to reduce the percentage of rejections. Others focus on quantity, accepting a higher percentage of rejections in the hope of getting an overall larger number saying “yes.”
This phishing gambit apparently focuses on quantity over quality. It is low-risk for the perpetrators, especially as Avira describes the downloader and malware as “not especially sophisticated.” They aren’t putting much effort or resources into each attack.
I suspect that this example of social engineering—reverse psychology social engineering—reflects a larger risk that comes with an increasingly digital society. It’s a common joke or half-truth that oldsters (anyone over 30) must turn to kids for advice about digital devices. We are tempted to assume that these digital natives understand technology. But it ain’t necessarily so. Digital natives very often take technology for granted. They are good at interfaces, but often have little understanding of the technology behind them. This leads to poor security hygiene and a lack of discretion. They want functionality. They do not discern between what they can do and what they should do. This probably is the type who just might follow the instructions.
So the takeaway here—as always—is think before you click. Just because someone wants you to do something doesn’t mean you should do it. Even if he is being up-front and open with you.