The Mind Games Cybercrooks Play

They're exploiting psychological vulnerabilities to gain access to your data

The subject line in an e-mail that hit thousands of in-boxes around the world last month reads, "lawsuit against you." In flawless legalese, the message warns recipients that they recently sent an unsolicited fax to the sender's office. Citing U.S. civil code, its prohibition on sending junk faxes, and an actual $11 million settlement by restaurant chain Hooters, the missive threatens a lawsuit over the alleged junk fax. "If you do not pay me $500 by the deadline for payment, I intend to sue you for violating the Telephone Consumer Protection Act," it reads. "If you force me to sue, I will not settle for less than $1,000." Details of the alleged lawsuit are contained in the e-mail's attached document.


In today's litigious -- and digital -- society, being notified of a lawsuit via e-mail might not seem too unusual, right? Gotcha! The e-mail is a scam that preys on deep-seated fears of being hauled into court. Its target: unlucky recipients who may indeed be among thousands of individuals and companies that send junk faxes. The attachment -- labeled lawsuit.exe -- contains a new variant of a computer worm called Bagle. When worried victims open the attachment, malicious code embedded in its text downloads onto their PCs and swiftly harvests all their e-mail addresses to send out even more spam. That second wave uses the victim's personal e-mail address to send malicious code disguised as, say, a pitch for a Paris Hilton sex video, to friends and associates. "This is one of the most innovative ideas used by spammers to target unsuspecting users," says Govind Rammurthy, chief executive of computer security firm MicroWorld Technologies Inc., which sent out a warning about the lawsuit.exe scam in March.

As Web-based scams proliferate, it's often psychological cunning, deployed on top of surreptitious code, that is the secret to cybercriminals' success. Like con men on the street devising new tricks, Internet fraudsters need a never-ending supply of ways to persuade victims to open an attachment, click on a link, or innocently enter personal data on a Web page. Bypassing mental barriers, rather than software firewalls, is the surest means, say analysts, to pickpocket personal identities and online bank accounts. "You can't install a software patch for a person's mind," says Barry C. Collin, chief executive of cybersecurity consulting firm Threat & Risk Associates.

In fact, hackers spend serious effort to research the psychological vulnerabilities of potential targets, according to data-security analysts. They watch news headlines for emotional or worrisome world events and often review the success of an attack by reading press releases and corporate warnings in order to tweak the next attack for greater effectiveness, says security firm Trend Micro Inc.'s (TMIC) director of global education, David Perry. Analysts say "phishing" attacks often spike after a data security breach makes headlines. The reason: Customers are already anticipating a potential request to update account data and monitor their credit reports.

A scam involving Citibank (C) earlier this year shows how far tricksters will go with their mind games. To build trust, it operates in two phases, say analysts. First, an e-mail purportedly from Citibank warns that customer accounts may have been compromised in a previous scam. But it doesn't ask for personal information. Instead, the scam requests an e-mail address, just in case the victim's account is found to be hacked. Later, a second message is sent out warning that, indeed, the account has been compromised. That message requests an update of the victim's financial details. "Trust was built in the first step. Then, in the second step, they asked for confidential information," explains MicroWorld's Rammurthy. He estimates that some 60% of victims who received the second e-mail provided personal and financial data.

Indeed, with overall returns from phishing attacks falling as people grow more wary of them, Web criminals are finding novel ways to persuade users to open documents or click links that download data-stealing software onto PCs. Instead of directly asking the user to enter personal data into a fake Web site, cybercriminals are embedding code into fake news articles or business-oriented "requests for proposals." When opened, they install a back door into the PC, then record and transmit the user's keystrokes -- including sensitive information such as names and passwords.
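The lures described above share a shape a mail gateway can check for mechanically: pressure language in the subject or body, plus an attachment that is a Windows executable, either named openly (lawsuit.exe) or dressed up as a document such as a news article or a request for proposals. The following triage routine is an added example written for this page; it is not code from the article or from any firm quoted in it. It uses only the Python standard library, the keyword list and the three sample messages are constructed, and the "MZ" payloads are four-byte header stubs rather than real programs.

```python
"""Triage inbound mail for the lure pattern the article describes: a pressuring
message whose attachment is a Windows executable, possibly disguised as a
document. Added example; the heuristics and sample messages are constructed."""
import email
import os
import re
from email import policy
from email.message import EmailMessage

# File types Windows runs on double-click (representative list, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

# Pressure phrases from the lawsuit lure and account-alert phishing (constructed list).
URGENCY_TERMS = ("lawsuit", "sue", "deadline", "compromised", "verify your account")


def has_pe_header(data: bytes) -> bool:
    """Every Windows PE executable begins with the two-byte DOS stub magic 'MZ'."""
    return data[:2] == b"MZ"


def triage_message(raw: bytes) -> dict:
    """Parse one RFC 5322 message and return urgency hits, per-attachment findings
    and a verdict: 'quarantine' (executable content), 'review' (pressure language
    only) or 'deliver'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    haystack = f"{msg['subject'] or ''}\n{text}".lower()
    # Word-boundary match so that 'sue' does not fire on 'issue'.
    urgency = [t for t in URGENCY_TERMS if re.search(rf"\b{re.escape(t)}\b", haystack)]

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        payload = part.get_payload(decode=True) or b""
        pe = has_pe_header(payload)
        attachments.append({
            "name": name,
            "declared_type": part.get_content_type(),
            "executable_ext": ext in EXECUTABLE_EXTENSIONS,
            "pe_header": pe,
            # A PE body behind a document-looking name is the disguise to catch.
            "disguised": pe and ext not in EXECUTABLE_EXTENSIONS,
        })

    if any(a["executable_ext"] or a["pe_header"] for a in attachments):
        verdict = "quarantine"
    elif urgency:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"urgency": urgency, "attachments": attachments, "verdict": verdict}


def build_samples() -> dict:
    """Three constructed messages: the lawsuit lure, a benign RFP, and an RFP whose
    'PDF' is really an executable. The 'MZ' payloads are stub bytes, not programs."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # constructed DOS-header stub
    samples = {}

    lure = EmailMessage()
    lure["Subject"] = "lawsuit against you"
    lure["From"] = "claims@example.invalid"
    lure.set_content("You sent an unsolicited fax to my office. If you do not pay me "
                     "$500 by the deadline, I intend to sue you. Details are attached.")
    lure.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                        filename="lawsuit.exe")
    samples["lawsuit_lure"] = lure.as_bytes()

    rfp = EmailMessage()
    rfp["Subject"] = "Request for proposal: office printers"
    rfp["From"] = "purchasing@example.invalid"
    rfp.set_content("Please find the requirements attached. Replies due next month.")
    rfp.add_attachment("1. Duplex printing\n2. Network scanning\n", filename="rfp.txt")
    samples["benign_rfp"] = rfp.as_bytes()

    disguised = EmailMessage()
    disguised["Subject"] = "Request for proposal"
    disguised["From"] = "purchasing@example.invalid"
    disguised.set_content("See the attached RFP document.")
    disguised.add_attachment(fake_pe, maintype="application", subtype="pdf",
                             filename="rfp.pdf")
    samples["disguised_rfp"] = disguised.as_bytes()
    return samples


if __name__ == "__main__":
    for label, raw in build_samples().items():
        result = triage_message(raw)
        print(f"{label}: {result['verdict']} urgency={result['urgency']}")
```

The magic-byte check is what catches the "fake document" variant: the file name and declared content type are attacker-controlled, the first bytes of the payload are not. It is deliberately narrow, though. A genuine document that carries a macro or exploits a reader bug is not a PE file and passes this test, so the executable check belongs alongside content inspection of document formats, not in place of it. The urgency terms only raise a message for human review; on their own they would flag a great deal of legitimate legal and banking mail, which is why the verdict never quarantines on language alone.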

The upshot: Fewer people are coughing up personal info, but fraud losses continue to climb. A 2005 survey by Gartner Inc. found that just 2.5% of phish recipients responded with personal or financial information, down from 3% in 2004. But fraud losses connected to the theft of such information off the Web rose from $690 million in 2004 to $1.5 billion last year. "If I'm a scammer, I have to do something that will make you trust me," says John Pescatore, vice-president for Internet security at Gartner.


Law enforcement agents say the thinking behind cyberscams is not much more complex than age-old cons run by offline grifters. However, they add, it's clear cybercriminals are pooling their brainpower to devise new techniques. A DVD available in foreign black markets called Hacker's Handbook contains scores of tips on how to trick victims, according to Trend Micro's Perry. And former hacker Kevin Mitnick, who now runs his own security consulting firm, has hosted a two-day "social engineering" conference for clients that outlines hackers' techniques and includes a session entitled "Bugs in the Human Hardware."

It's not just the growing ranks of scam-wary Web surfers that have hackers seeking ever more clever techniques. They also have to hustle to stay ahead of an ever more crowded field of competitors. It's becoming easier than ever to get into cybercrime. On Mar. 24, security firm Sophos Inc. said that it had discovered a Russian Web site selling a kit called WebAttacker for less than $20. The software in the kit downloads a program that tries to turn off PC firewalls, then installs a keystroke-logger. Already, WebAttacker has been shot out via spam that promotes news stories about bird flu and the death of former Serbian President Slobodan Milosevic.

The upshot is that increasingly it's psychological cunning, not code-writing skills, that makes for a successful hacker. "In order for the cybercrime business to continue, it is going to rely more and more on social engineering," says Ronald J. O'Brien, senior security analyst at Sophos.

By Brian Grow
