Necessity is the mother of all atrocities: A new type of spambot to watch out for
I was browsing my Google Reader feed today and came across this frightening little link: New way of social engineering on IRC
From that headline it might sound like some sort of vague web 3.0 social networking thing. Until you realize that social engineering is actually a hacker euphemism that's been around since before there was a web 1.0. It basically means lying, what security experts call exploiting a vulnerability between the chair and the keyboard. Why spend the time and effort hacking into a system to plant a virus, when you can just sweet talk some idiot who works there into installing it for you? A lot of the biggest "hacker" attacks of the past few years have actually been social engineering attacks: scammers with quick tongues exploiting the credulous rather than computer code.
And here we have a new way of automating it.
That’s something that’s proven tough to do reliably, so far. The problem is that before a computer program can convince some chump to do a scammer’s evil bidding, it has to convince them that it is not, in fact, a computer program at all. Technology isn’t quite there yet.
So what’s a smart scammer to do? Well, how about mostly removing the computer from the equation?
The general attack principle works with any chat system that allows the exchange of private messages. It is based on the traditional man-in-the-middle concept. Every instance of the attack involves two human users and a bot in the middle. Both users believe that they are talking to the bot, but in reality, their messages are forwarded back and forth as shown in the following example:
bot → Alice: Hi
Alice → bot: hello
bot → Carl: hello
Carl → bot: hi there, how are you?
bot → Alice: hi there, how are you?
Alice → bot: . . .
The bot looks perfectly human to both users because the entire conversation is reflected off the bot in the middle. Furthermore, as all messages pass through it, the bot can eavesdrop on the communication, and it can influence the conversation by dropping, inserting, or modifying messages. We assert that if links (or questions) are inserted into such a conversation, they will seem to originate from a human user. Hence, the click (or response) probability
In the test case, this method resulted in click-through rates of up to 76 percent. Amazingly, most of the people who were duped clicked what could have been a malicious link several times, some of them trying it in different browsers.
This experiment was mostly run on IRC. A token effort was made at doing it on Facebook too, but the researchers didn't go very far with it because of "ethical concerns".
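The relay described in the excerpt leaves a server-side fingerprint: one account keeps re-sending, within seconds, text it just received from a different user. As an added example (not from this article or the paper it quotes), here is a detection heuristic a chat operator could run over private-message logs; the log format, the account names and the similarity threshold are constructed assumptions.

```python
"""Flag accounts that relay private messages between two other users.

Constructed example: the log is a list of (seconds, sender, recipient, text)
tuples as a real IRC server does not export PRIVMSG events in this shape.
"""
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed sample log: relaybot reflects alice's and carl's messages to each
# other, once with a small modification; dave/erin exchange a normal greeting.
SAMPLE_LOG = [
    (0.0, "relaybot", "alice", "Hi"),
    (4.2, "alice", "relaybot", "hello"),
    (4.9, "relaybot", "carl", "hello"),
    (9.0, "carl", "relaybot", "hi there, how are you?"),
    (9.6, "relaybot", "alice", "hi there, how are you? :)"),   # modified in transit
    (15.0, "alice", "relaybot", "fine, check this out http://example.invalid/x"),
    (15.4, "relaybot", "carl", "fine, check this out http://example.invalid/x"),
    (30.0, "dave", "erin", "hello"),
    (31.0, "erin", "dave", "hello"),   # echoes the greeting back to the *same* user
]


def _similar(a, b, threshold):
    """Fuzzy match so a bot that lightly edits messages is still caught."""
    return SequenceMatcher(None, a.lower().strip(), b.lower().strip()).ratio() >= threshold


def find_relay_accounts(log, window=2.0, threshold=0.8, min_hits=3):
    """Return {account: hits} for accounts whose outgoing messages repeat, within
    `window` seconds, text they received from a user other than the recipient."""
    recent = defaultdict(list)   # recipient -> [(ts, sender, text)] received lately
    hits = defaultdict(int)
    for ts, sender, recipient, text in sorted(log):
        # Did `sender` just receive (nearly) this text from someone else?
        for r_ts, r_from, r_text in recent[sender]:
            if ts - r_ts <= window and r_from != recipient and _similar(r_text, text, threshold):
                hits[sender] += 1
                break
        recent[recipient].append((ts, sender, text))
        # Drop entries that can no longer fall inside the window.
        recent[recipient] = [e for e in recent[recipient] if ts - e[0] <= window]
    return {acct: n for acct, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    print(find_relay_accounts(SAMPLE_LOG))   # {'relaybot': 3}
```

The heuristic only sees traffic the server can read, so it catches relays on plaintext chat systems like IRC; a bot that rewrites every message heavily or delays forwarding beyond the window will need looser thresholds and more false-positive review.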
I can see why. In the IRC environment, the biggest challenge was keeping the dupes' genders straight, something the researchers accomplished with a routine that broke apart user names and analyzed them. On Facebook, in most cases, that information would be there on the profile page for a scammer to use, no analytical trickery needed, along with a wealth of other data that could potentially fine-tune the algorithm for better results. How about matching up two people who like the same sports team, for example, or the same bands, and feeding them prompts to get them talking about those subjects? That'd sort of be the social engineering equivalent of the packet injection attacks hackers use to crack weak WiFi encryption schemes.
Given the potential power of this method on a platform like Facebook, where readily available personal data could create a spam bot of unrivaled sophistication, and given the amount of spam already present on Facebook, I wouldn't be surprised if something of this sort started showing up soon. So when your new friend suddenly develops a taste for showing you links to Viagra ads, just remember you were forewarned.