The 10 Biggest Security Risks You Don't Know About
Hackers, scammers, and identity thieves are constantly coming up with new ways to attack your PC and your privacy. Here are the newest perils--and how to foil them.
Andrew Brandt
The Human Security Hole

Danger level: High | Likelihood: High | Target: All
You can update Windows and each of your applications, and you can use security software to protect your PC, but one constantly exploited weakness can never be patched: human fallibility.
Online villains use an ever-changing array of tricks and traps to lure you in, and they're getting sneakier.
A recent eBay auction trap highlights the effectiveness of good social engineering. According to reports from US-CERT and Internet security companies, clever phishers were using a vulnerability in the eBay site to add auction links to eBay's pages. Those links brought unsuspecting users to a new site that would ask them for their eBay logins. You're no doubt suspicious of random e-mail messages that prompt you to click a link and enter your account information. But if you are prompted after clicking a link on a verifiable eBay page, you just might get caught with your guard down.
Your e-mail gets equal attention. Clever crooks steal or buy e-mail addresses, not to pelt you with spam, but to send out virus-laden messages that appear to originate from a genuine address--without ever infecting the supposed sender. Combined with a list of known e-mail addresses at a particular company, these spoofed e-mail messages allow for carefully crafted and targeted attacks that are far more successful than the net-cast-wide approach used to distribute most malware today. You're likelier to click on a Word document or an e-mail link that appears in a well-worded note from somebody@yourcompany.com.
Spoofed e-mail addresses are also useful in conjunction with such attacks as the recent one that took advantage of a new, zero-day exploit in Microsoft Word. To get hit, all you'd have to do is open a .doc attachment--and why wouldn't you open an e-mail from Bob down the hall?
Criminals know that if they can fool you with an e-mail or top-notch phishing site, they're well on their way to owning your computer. But there's a positive flip side: A well-informed user constitutes the best defense against any Internet attack. Stay educated, and stay safe.
- Subscribe to security-focused RSS feeds to keep abreast of the latest Internet threats. We recommend the feeds at F-Secure, Kaspersky, and Sophos.
- Obtain a wealth of security advice, product reviews, and tips at PCWorld.com's Spyware & Security Info Center.
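The spoofed messages described above, which appear to come from somebody@yourcompany.com, can be flagged by checking the authentication results your mail gateway records. The Python sketch below is an added example, not part of the original article. It assumes the gateway stamps SPF, DKIM and DMARC verdicts in an Authentication-Results header; the domain, the gateway name mx.yourcompany.com and the sample messages are constructed for illustration.

```python
import email
from email.utils import parseaddr

INTERNAL_DOMAIN = "yourcompany.com"      # assumption: your mail domain
TRUSTED_AUTHSERV = "mx.yourcompany.com"  # assumption: your gateway's authserv-id
BAD = {"fail", "softfail", "none", "permerror"}

def domain_of(value):
    """Lower-cased domain of the address in a header value, or ''."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def auth_verdicts(msg):
    """spf/dkim/dmarc results stamped by the trusted gateway only."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv, *parts = header.split(";")
        if authserv.split()[:1] != [TRUSTED_AUTHSERV]:
            continue  # a sender can forge this header; ignore foreign ones
        for part in parts:
            method, _, rest = part.strip().partition("=")
            if method in ("spf", "dkim", "dmarc") and rest.split():
                verdicts.setdefault(method, rest.split()[0].lower())
    return verdicts

def spoof_indicators(raw):
    """Reasons a message claiming an internal sender looks spoofed."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    if from_dom != INTERNAL_DOMAIN:
        return []  # only mail that claims to be internal is in scope
    verdicts = auth_verdicts(msg)
    reasons = [f"{m}={v}" for m, v in verdicts.items() if v in BAD]
    if not verdicts:
        reasons.append("no trusted Authentication-Results")
    for name in ("Return-Path", "Reply-To"):
        dom = domain_of(msg.get(name))
        if dom and dom != from_dom:
            reasons.append(f"{name} domain {dom} differs from From")
    return reasons

# Constructed sample messages (not real mail).
SPOOFED = ("Return-Path: <bounce@mailer.example.net>\n"
           "Authentication-Results: mx.yourcompany.com; spf=fail; dkim=none; dmarc=fail\n"
           "From: Bob <bob@yourcompany.com>\nSubject: Budget\n\nSee attached .doc\n")
GENUINE = ("Return-Path: <bob@yourcompany.com>\n"
           "Authentication-Results: mx.yourcompany.com; spf=pass; dkim=pass; dmarc=pass\n"
           "From: Bob <bob@yourcompany.com>\nSubject: Budget\n\nSee attached .doc\n")
```

Calling `spoof_indicators(SPOOFED)` lists the failed checks and the mismatched Return-Path, while `spoof_indicators(GENUINE)` returns an empty list.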