Valentine’s Day Malware

By chrislim at 5:25 pm on February 14, 2008

Human beings are often considered one of the weakest links in a security system, and this vulnerability is typified (and exploited) by the proliferation of Valentine’s Day malware and its associated delivery mechanisms. The first article referenced below describes two recent attacks: one in which an e-mail with a Valentine’s Day-related subject line links to a malicious program (one that remains undetected by many antivirus applications), and another scam that uses an e-greeting with a link to an American Greetings lookalike site. The site then asks users to install an application called “Adobe Flash Player”, which is actually a rootkit. Attackers often steal data (for selling or identity theft) and use compromised machines to send spam, perform DDoS attacks, etc.

There is little that can be done to prevent these kinds of attacks from materializing, since the e-mail (and internet) infrastructure is so open and flexible, but there are several controls for mitigating the threats. From a technical perspective, e-mail providers and other organizations can use e-mail filters to prevent the spread of malicious messages. Users can run virus scanners (though many AV programs failed to detect this recent malware), and many browsers already include anti-phishing warnings. Training users to be wary of unsolicited e-mails and to verify legitimate URLs, among other safe computing practices, is also important.

On a larger scale, it may be helpful to develop a more robust and trustworthy e-mail infrastructure. With authentication, message sender identities can be verified, and this process may assist in the detection and capture of the perpetrators behind the attacks described above. There are several developing initiatives such as Sender ID and DomainKeys, and there may be some synergies with the increasingly popular OpenID system, which can result in a trustworthy e-mail system.

Ultimately, the vulnerabilities of the human heart (security review up-and-coming…), particularly on Valentine’s Day, and human curiosity and mistakes can only be controlled by training people to discern true messages (in the general case) and by helping them to find love in the right place (in the Valentine’s Day case, and perhaps more generally). SDG

References:
http://www.securityfocus.com/brief/682
http://sunbeltblog.blogspot.com/2008/02/dangerous-new-fake-american-greetings.html
http://www.sophos.com/pressoffice/news/articles/2008/02/valentine.html

Filed under: Current Events