Trusteer: Education Won’t Halt Social Engineering Attacks

A new research experiment conducted by New York-based Web security firm Trusteer found that even educated e-mail users click on links that can potentially lead to websites containing malware, Trusteer CEO Mickey Boodaei said.

The Trusteer experiment entailed sending e-mails that listed the social networking site LinkedIn as the sender to 100 friends and family members of Trusteer researchers.

The e-mails contained a link that claimed to lead users to a new job alert, but instead directed them to an outside website – a common strategy used by attackers, Boodaei said. Within seven days, Trusteer found that 68 of the 100 subjects had followed the link.

The company posted a blog entry detailing the experiment on its website Wednesday. It states, “This research clearly demonstrates that social engineering makes it easy to drive corporate users to fake websites that could potentially download malware onto their computer. Education is always recommended and can certainly help, but in this case education did not prevent the attack.”

Boodaei said attacks similar to the one staged by Trusteer are some of the biggest security threats enterprises face today, and that the security breach at marketing firm Epsilon, in which millions of client customer names and e-mail addresses were compromised, will likely result in the delivery of many malicious e-mails.

Trusteer customized the e-mails crafted for the experiment by creating a new identity on LinkedIn and gathering information about recipients’ LinkedIn connections and their connections’ profiles, the company said. Researchers used Gmail to create the fake LinkedIn e-mail account and included photos of victims’ connections downloaded from LinkedIn.

Since mail programs typically only display the name of the sender – not the sender’s full e-mail address – fooling recipients was simple, Boodaei said.

“It’s very easy to create a convincing e-mail and attack an employee’s desktop,” Boodaei said. “Since it is so easy to execute, I believe this will be the No. 1 attack vector in the next couple of years.”

The lesson learned from the experiment, Boodaei said, is that companies should concentrate on implementing technology that can prevent malware installation, not just educating employees about how to spot malicious e-mails.
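The sender-name mismatch described above (a LinkedIn display name on a Gmail address) can be checked at the mail gateway. The following is an added example, not part of the article or Trusteer's research; the brand-to-domain map and the sample messages are constructed assumptions.

```python
from email import message_from_string, policy

# Assumption: brand keywords mapped to the domains that brand really mails from.
BRAND_DOMAINS = {"linkedin": {"linkedin.com"}}

def domain_allowed(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one."""
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def check_sender(raw_message, brand_domains=BRAND_DOMAINS):
    """Return (brand, display_name, address) for every From entry whose
    display name claims a brand but whose address domain is not that brand's."""
    # policy.default decodes RFC 2047 encoded display names before we compare.
    msg = message_from_string(raw_message, policy=policy.default)
    header = msg["From"]
    if header is None:
        return []
    findings = []
    for sender in header.addresses:
        shown = sender.display_name.lower()
        for brand, allowed in brand_domains.items():
            if brand in shown and not domain_allowed(sender.domain, allowed):
                findings.append((brand, sender.display_name, sender.addr_spec))
    return findings

# Constructed sample messages (not taken from the experiment).
SPOOFED = ("From: LinkedIn Job Alerts <jobalerts.example@gmail.com>\n"
           "Subject: New job alert\n\nbody\n")
GENUINE = ("From: LinkedIn <updates@e.linkedin.com>\n"
           "Subject: New job alert\n\nbody\n")
ENCODED = ("From: =?utf-8?b?TGlua2VkSW4=?= <alerts@example.net>\n"
           "Subject: New job alert\n\nbody\n")

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("genuine", GENUINE),
                      ("encoded", ENCODED)]:
        print(name, check_sender(raw))
```

A hit is a reason to quarantine or tag the message, since the recipient's mail program would have shown only the brand name.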
