An overview of social engineering malware: Trends, tactics, and implications

Article in Technology in Society · August 2010
DOI: 10.1016/j.techsoc.2010.07.001

All content following this page was uploaded by Indushobha N. Chengalur-Smith on 19 February 2015.

Technology in Society 32 (2010) 183–196


An overview of social engineering malware: Trends, tactics, and implications

Sherly Abraham a,*, InduShobha Chengalur-Smith b

a College of Computing & Information, State University of New York, Albany, NY 12222, USA
b BA 311, School of Business, State University of New York, Albany, NY 12222, USA

Keywords: Backdoors; Botnets; E-mail; Fast flux; Hijacking; Information security; Internet; Key loggers; Malware; Rootkits; SMTP engine; Social engineering; Social software; Whaling

Abstract

Social engineering continues to be an increasing attack vector for the propagation of malicious programs. For this article, we collected data on malware incidents and highlighted the prevalence and longevity of social engineering malware. We developed a framework that shows the steps social engineering malware executes to be successful. To explain its pervasiveness and persistence, we discuss some common avenues through which such attacks occur. The attack vector is a combination of psychological and technical ploys, which includes luring a computer user to execute the malware, and combating any existing technical countermeasures. We describe some of the prevalent psychological ploys and technical countermeasures used by social engineering malware. We show how the techniques used by purveyors of such malware have evolved to circumvent existing countermeasures. The implications of our analyses lead us to emphasize (1) the importance for organizations to plan a comprehensive information security program, and (2) the shared social responsibility required to combat social engineering malware.

© 2010 Elsevier Ltd. All rights reserved.

1. Introduction

Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return of investments and business opportunities [1]. Identifying and classifying threats to information systems is vital to building defensive mechanisms [2–4]. As organizations become vigilant about protecting their networks by investing in better security technologies, attackers have focused their attention on exploiting the weakest link in security – end users. Human error is often a major cause of problems in technological implementations, and people are generally considered the weakest link in an information security program [5].

A major threat to organizational information security is the rising number of incidents caused by social engineering attacks. Social engineering is defined as the use of social disguises, cultural ploys, and psychological tricks to get computer users to assist hackers in their illegal intrusion or use of computer systems and networks [6]. Social engineering is one of the strongest weapons in the armory of hackers and malicious code writers, as it is much easier to trick someone into giving his or her password for a system than to spend the effort to hack in [7]. Despite the continued effort of organizations to improve user awareness about information security, social engineering malware has been successful in spreading across the Internet and infecting numerous computers. By 2007 social engineering techniques became the number-one method used by insiders to commit e-crimes [8], but unsuspecting users remain the predominant conduit for the authors of malicious code. Given this susceptibility to social engineering techniques, our primary research objective is to identify and describe social engineering malware trends and tactics.

* Corresponding author. Tel.: +1 518 437 3812; fax: 518 437 3810.
E-mail address: [email protected] (S. Abraham).

For social engineering malware to be successful, it needs to be activated by the end user and run on the system


without interruption. But if the malware can be prevented from reaching users it will not be successful. Identifying attack strategies is vital to developing countermeasures that can be incorporated into preventive mechanisms like e-mail filtering and end-user security training. Information on the behavior of the malware during propagation helps in the creation of early warning systems [9]. Even if the malware bypasses the prevention stage and is executed by a user, if it can be detected on the machine and blocked from performing its harmful routine, the effects of the malware can be alleviated.

When computer malware is activated, it makes various changes in the computer by opening backdoors that enable it to spread to other machines. It also executes defensive strategies in order to remain undetected. Identification of such defensive strategies is helpful in discovering malware in its early stages on end-user machines, and blocking it from being executed completely and propagating further. Identifying it also aids in the development of heuristics analysis – a method of malware scanning that evaluates patterns of behavior to discover anomalies [10]. Security researchers use this data to build behavioral models of malware, and end users can receive alerts notifying them of unusual behavior on their machines.

In order to provide guidelines for strengthening an organization’s defenses against social engineering malware, we gathered data on such malware and analyzed their characteristics. The analysis allowed us to identify the strategies employed, both psychological and technical. This paper provides empirical evidence of the growing reach of social engineering malware. The following section describes our data collection process and summarizes trends in social engineering malware incidents. Next we present a framework for the propagation of social engineering malware and discuss some common avenues of attack. This discussion is followed by an analysis of the psychological tactics used by the malware as well as descriptions of some of the technical features that are designed to help the malware counter existing security precautions. The paper concludes with a discussion of the implications of our findings as well as recommendations to mitigate the threat posed by social engineering malware.

2. Trends in social engineering malware

“Malware” is a general term used for viruses, worms, trojan horses, etc. [11]. In order to succeed, social engineering malware uses technological countermeasures and psychological ploys. The malware is delivered through various channels, and the malware has continually evolved as the technology to thwart it has also evolved. Likewise, the psychological tactics used by hackers are also continuously updated.

Rather than rely on anecdotal information, we sought to explore the reach of social engineering malware empirically. We drew from multiple data sources to develop a dataset of social engineering malware incidents and their characteristics. Our primary data source is an online journal, Virus Bulletin, which provides independent advice on developments in viruses and anti-virus products. This journal also serves as a repository of reported malware incidents worldwide. These incidents are first verified by the journal and then compiled to create a list of monthly incidents. Based on this data, Virus Bulletin publishes an annual list of the top malware. The list for 2009 is shown in Table 1.

Table 1
Top Malware, 2009.

Position  Name of Malware  Date of Discovery
1         Netsky           February 16, 2004
2         Mytob            April 1, 2005
3         Bagle            January 18, 2004
4         Agent            May 19, 2008
5         Bifrose/Pakes    July 21, 2005
6         Small            August 21, 2008
7         Mywife/Nyxem     September 21, 2005
8         Mydoom           January 26, 2004
9         Zafi             September 14, 2004
10        LovGate          March 27, 2003

Source: Virus Bulletin (as of September 15, 2009).

By examining the descriptions of these malware, we discovered that all of them relied on social engineering to be activated and were spread mainly via e-mail. Additional information about these malware, available from Symantec’s Search Threat database, showed that malware discovered several years ago remain at the top of the 2009 malware prevalence tables (see the last column in Table 1). Thus, social engineering malware can be characterized by its pervasiveness and persistence – two aspects that clearly pose a challenge to organizations and users.

We also wanted to track the prevalence of social engineering malware over the years. Using data from Virus Bulletin’s monthly reports going back to 2000, we identified malware that relied on social engineering. We noted that some have multiple variants, i.e., strains of the malware that are created by borrowing code and altering it slightly. The variants are generally denoted by a letter or letters following the virus family name; for example, Netsky.A, Netsky.B, and so on [12]. Rather than treating each variant as an independent malware, we grouped the different strains into a single malware family. Following this process we identified 56 malware families and documented the monthly number of incidents reported by that malware. The reported number of security incidents using social engineering malware from 2000 to 2007 shows a definite upward trend (see Fig. 1). We fit an exponential trend model to this data, and it resulted in an R-square of 92%. The analysis shows that social engineering malware is growing explosively and will continue to pose a substantial security hazard.

In order to investigate the behavior and characteristics of the malware in our dataset, we performed keyword searches on each malware using the information available from malware dictionaries, encyclopedia, and blog postings of the major anti-virus vendors such as Symantec, Sophos, and Trend Micro. By combining information on malware prevalence reports available from these sources, we created a comprehensive description of malware incidents. This process resulted in detailed information about the behavior and technical characteristics of the malware. In certain cases, we used listed aliases for the malware names to

match the data across websites. For instance, the Troj/Dorf worm listed by Sophos has multiple aliases, and Symantec refers to it as Trojan.Peacomm. By searching for all possible alias names for each malware listed, we resolved any duplications or omissions.

Our analysis of the malware behavior showed some commonalities in steps malware takes to be successfully activated. Using technical details for our sample of malware, we created a master list of actions that malware undertakes to carry out its tasks. The malware’s actions generally fell into four categories: (1) persuade a user to activate it, (2) subvert protective technologies, (3) accomplish its mission, and finally (4) propagate. Fig. 2 provides a framework that describes the steps that a social engineering malware undertakes in order to infiltrate a system successfully.

It should be noted that not all social engineering malware sequentially follow the steps outlined in Fig. 2, but the figure does provide a general framework describing the steps that lead to a successful infection by a social engineering malware. The malware utilizes a number of avenues, such as websites, social software, e-mail, etc. to infect user machines. These approaches are combined with tactics that entice and trick users into opening an e-mail attachment or clicking on a web link. This action by the user leads to the execution and activation of the malware on the computer system. At this point the malware is fully activated and proceeds to carry out a number of tasks, such as altering security settings, opening backdoors, downloading files, etc. The actions vary depending on the specific malware. In most cases, the malware also propagates further by e-mailing itself to addresses on the infected users’ contact list.

We now elaborate on the various steps the malware undertakes, particularly focusing on the different attack avenues, the tactics deployed, and the actions that are taken by the malware in order to combat existing security measures and continue to propagate.

Fig. 1. Reported security incidents that used social engineering techniques.

Fig. 2. Steps taken by malware to infiltrate a system.

3. Common infiltration channels

Social engineering malware proliferates through a variety of channels, including e-mail, social software, websites, portable storage devices, and mobile devices. Below we discuss some of the common infiltration channels.

3.1. E-mail

E-mail is the most popular medium used by attackers to deceive users, causing them to violate information security policies inadvertently. The Radicati technology market research group estimates that there were 1.2 billion e-mail users in 2007, and this number is expected to rise to 1.6 billion by 2011 [13]. E-mail worms are malicious programs that, upon execution on a machine, exploit the users’ e-mail capabilities to further propagate the worm. The first use of e-mail to propagate malicious code can be traced back to 1987 and the Christmas Tree trojan horse [14]. End users received an e-mail message with an attachment that drew a graphical Christmas tree when executed. Upon execution, the worm sent a copy of itself to everyone on the user’s address list. The worm was successful enough to bring down IBM’s network worldwide [15].

A prevalent trend in social engineering malware is phishing, where users are led to believe they are interacting with a trusted site or entity and are tricked into providing sensitive information. The complexity of phishing attacks



has drastically increased over the years as more people have moved toward Internet banking and buying. Phishing attacks are initiated primarily via e-mails that direct users to fraudulent websites, which in turn collect credentials such as bank account numbers, social security numbers and the like from end users [16]. The e-mail messages appear to originate from a trusted source, such as a bank or government agency. The verbiage and language used in the e-mail are devised to appear professional and elegant, so many users never question the identity of the sender. However, a closer look at the e-mail address might reveal that the sender’s e-mail address is different.

3.2. Websites

Websites are increasingly used to launch malware on user computers. Google tracks websites with potential malware, and the number of such websites has increased by around 190,0000 since 2008 (see Google’s Safe Browsing malware list). Vulnerable websites are hacked into and malicious code installed, which redirects visitors to fake websites that closely resemble legitimate websites. Such camouflage attack techniques involve manipulating the appearance, content, and/or images on websites to lure users to carry out actions such as clicking on a link or opening an e-mail attachment. Malware have been known to query popular news sites like CNN to fetch current news and send e-mail messages with keywords from news and sports events with malware attached [17]. Even popular search engine websites are vulnerable, as exemplified by results of searches on the 2009 solar eclipse, which redirected users to malware-infiltrated websites [18].

Another camouflage strategy includes manipulating words in web addresses. Here legitimate websites are altered by flipping a character, and the difference might not be easily recognized. For example, instead of a legitimate website icecream.com users are provided with the address iceccream.com. Another example is replacing the letter “o” with the number “0” and changing the font so that the web address mimics the address of a legitimate website. As users become more aware of and suspicious of e-mail attachments and links, cyber criminals manipulate search engine optimization results to peddle malware using fake anti-virus software.

Drive-by-Pharming is an emerging attack concept that infects user machines by asking users to simply view the attackers’ malicious code, which could be placed on a web page or embedded in an e-mail [19]. The malicious code alters the address settings on the user’s home broadband router, which then gives the attacker control over the home user’s Internet connection. This provides attackers with personally identifiable information and credit card information by redirecting users to fake websites.

3.3. Social software

Attack tactics using social software as a medium are on the rise. Social software includes various loosely connected applications that enable individuals to communicate with one another and track discussions across the Web as they occur [20]. The emergence of Web 2.0 is characterized by a broad array of social software, including instant messaging, social networking websites, blogs, Wikipedia, etc. These have caused a significant increase in the number of users involved in social software, and opened doors to new opportunities for knowledge exchange and socializing. Malware authors see this population as potential targets encased in social networks, and so have extended their umbrella of attacks to these venues. As people increasingly share and release personal information on social networking sites, they become rich sources of information for identity theft. Major social networking sites such as Facebook and Twitter are targets of denial-of-service attacks that disrupt or slow services. For instance, some Twitter users who were tricked into clicking on a link in a tweet were directed to a rogue site that attempted to download malware [21]. The availability of personal information on social networking sites, such as MySpace and LinkedIn, increases the vulnerability of the victims and the success rate of phishing [22]. Not surprisingly, the number of new phishing sites has significantly increased [23], with Twitter users being the most recent victims [24].

File-sharing websites are now increasingly used by Internet users to facilitate sharing large files, pictures, and videos with family and friends. Malware authors often rename malware-infected files to resemble music or video files in order to lure people to download and install the malware. A variant of the Koobface worm spread through Facebook, with users receiving messages from their friends including a picture of their friend extracted from Facebook [25]. The message had an embedded web link pointing to a spoofed web page, and the user was prompted to install a flash update resulting in the Koobface variant being installed on the user machine. Another malware, Worm SD_BOT, spread rapidly through instant messaging services by sending messages from infected friends of the social network users [26]. Once users click on malware-infected zip files, the worm opens backdoors, connects with other Internet relay chat (IRC) sites, and downloads other malware. Blog pages are also being heavily exploited to launch malware attacks. Popular and trusted blogging websites are hacked into with fake blog posts that include web links with malware.

3.4. Portable storage drives

Portable storage drives, such as CD-ROMs and USB flash drives, are being used to introduce social engineering malware on end-user computers. The use of portable storage media to spread malware is not a new avenue; it can be traced back to the use of floppy drives. W32/Hakaglan and Conficker are examples of malware that spread through portable flash drives.

4. Tactics

4.1. Psychological ploys

Social engineering works by manipulating emotions such as fear, curiosity, excitement, empathy, and greed or through the exploitation of cognitive biases [27]. Despite

up-to-date technical security protection, it only takes one gullible user to circumvent security controls. As mentioned earlier, persuading a user to activate malware is the first step in social engineering attacks. Some persuasive tactics that beguile users are described below.

4.1.1. Curiosity, empathy, and excitement

Intriguing and curiosity-exploiting subject lines are used by malware authors to capture the attention of users and lure them to open malicious e-mail attachments or web links. The Storm worm, discovered in January 2007, is a good example of an e-mail worm that caused major havoc worldwide [28]. The worm took its toll during a devastating winter storm in Europe when thousands of users interested in obtaining information on the storm were tricked into opening the e-mail attachment and infecting their computers. To bypass the users’ e-mail filters, instead of an e-mail attachment users were given a compromised web link that resulted in a trojan being installed on their computer. Timely techniques are used to exploit search results related to major events and seasons. For instance, following the 2008 presidential elections, malware authors deceived numerous users into opening attachments that purported to include President Obama’s acceptance speech.

Social engineering takes advantage of people’s abiding interest in celebrities. For example, a mass mailing with an attachment named AnnaKournikova.jpg.vbs contained a worm that would e-mail itself to contacts from the users’ Outlook address book [29]. The devastation that resulted from this virus was felt worldwide in 2001. McAfee ranks the names of the riskiest celebrities to search for on the Internet; in 2009 Brad Pitt was succeeded by Jessica Biel as the most dangerous celebrity to search for on the Internet. The ranking indicates the likelihood of people getting infected with malware by searching for information on the celebrity. Twitter and Facebook accounts of famous celebrities have been hacked into to create fake posts to video clips or websites that result in malware being installed on the computers of friends or followers of the celebrity.

4.1.2. Fear

A recent application of social engineering is the emergence of scareware, where the intent is to frighten users through the use of fake pop-up warnings of disk corruption, fraud alerts, etc. As the number of malware attacks has increased over the years, organizations and service providers try to educate users to be vigilant about installing security patches and anti-virus software. This has increased user awareness of the need for security, and promotes the idea that the Internet is not a safe place to surf. To exploit this belief, users are presented with fake pop-ups telling them their machine is infected with a virus and needs to be cleaned or patched. The pop-up directs users to click on a malicious link or executable program. Users are prompted to click on the offered software solution which, at the very least, results in the purchase of unnecessary software, and at worst could result in malware being installed on their machine [30].

Another extension of this strategy, known as Ransomware, is a malware that encrypts documents (Word, PDF, Excel) on a user’s computer, then charges a license fee for a program that will decrypt the files. In another type, a trojan arrives as e-mail attachments containing messages about critical updates for Microsoft Outlook [31]. A cunning feature of this e-mail is the existence of legitimate web links for information on Contact Us, Privacy Statement, Trademarks, and Terms of Use – except that the location of the update to be downloaded is not legitimate. Users who do not pay careful attention click on the link and unknowingly install the trojan on their machines.

4.1.3. Greed

Malware authors are tuned in to people’s weakness for free things. A lot of Internet users are deceived into opening e-mail attachments or websites with the false hope of receiving something free. While browsing a website, users may be presented with pop-ups offering free screen savers, movie tickets, or coupons with clickable links that result in malware being installed on their computers. Free offers are often released during major holidays, such as free greeting cards and screen savers that are seasonal. In December 2008, Panda Labs discovered a worm that sent users e-mails with the subject line “Merry Christmas” and free coupons to McDonalds. Opening them resulted in malware that infected the user’s computer. Fig. 3 shows a screen shot of an e-mail received at a U.S. university, which tells users of their eligibility for a tax refund. This e-mail was sent during the tax filing season, so it is likely that many end users were deceived into following the web link and compromising their personal information.

4.2. Targeted attacks

Attackers are now increasing the sophistication of their attack strategies by researching their target base and devising tactics that are tailored to certain user groups. The attackers invest time and resources to gather personality traits and other information about groups of individuals, then devise e-mails and websites that deceive the target groups. Some examples of user groups targeted by social engineering attackers are described below.

4.2.1. College students

Social engineering malware targets college students with e-mail messages that offer scholarships, student loans, free books, etc. Attackers harvest e-mail addresses from college directories, chat rooms, and networking sites or guess e-mail addresses based on first and last names, and send out e-mails that appear to come from legitimate and trustworthy sources.

4.2.2. Corporate executives

“Whaling” is an emerging type of targeted social engineering attack technique aimed at executives – i.e., the “big whales” in corporations. Attackers utilize publicly available information from company websites to send e-mail messages camouflaged to appear that they have originated from the Better Business Bureau alerting them of a complaint against the corporation that needs to be immediately addressed [32]. The e-mail contains malicious e-mail attachments or web links that lure executives to click, which then installs malware.

Fig. 3. Example of a timely technique.

4.2.3. Countries, religious groups, and sects

Attackers have moved their bases to geographical regions across the globe that have less stringent laws governing the mass mailings referred to as “spam.” By infecting computers in these countries, attackers can use machines there to send out spam and malware to millions of machines worldwide. Due to a lack of detection and remedy tools, the computers remain infected for long periods of time and are used to spread malware. Embassies and government organizations in countries such as India, South Korea, and Malta have been targeted with social engineering malware [33]. Recently several Tibetan computers in the office of the Dalai Lama were infiltrated with malware. The hacker network Ghostnet has been identified as the root of these targeted attacks of government systems [33]. The fundamental attack vector in spreading the Ghostnet network is social engineering. E-mails that appear legitimate and relevant are sent to the target groups with a trojan known as Ghost Rat as an attachment. Once installed by the user, the trojan takes full control of the computer, monitoring, downloading and even operating video and audio devices attached to the computer to capture conversations and relay them to the hacker network [34].

4.3. Technical tactics

By analyzing the technical descriptions compiled from our malware sample, we identified two major activities that malware perform once they are activated: (1) they combat existing protection mechanisms, and (2) they continue to execute by opening backdoors and/or installing key loggers. Given that activities vary from malware to malware, this is not a comprehensive list, but the discussion below provides a general understanding of technical countermeasures that such malware are designed to thwart.

4.3.1. Combating existing protection mechanisms

Whitman [2] is one of the first authors to bring Sun Tzu’s theory of “knowing the enemy” into the context of information security. Several research studies use game theory to describe and model the interactions between organizations and attackers (e.g., [35]). Akin to an arms race, the security community constantly plays catch-up with malicious code authors who continually evolve their malware to combat existing protection mechanisms. Anti-virus products are one of the most widely used security tools. The annual CSI/FBI survey [36] reports that 97% of organizations have deployed anti-virus software, which works by

looking for signatures of known threats. However, if the


signature file of a malware has not yet been discovered,
anti-virus software cannot detect or subdue it.
To avoid being detected by spam filters, attackers now
send out malware-infested e-mail messages with images
instead of text in the body of the e-mail message. The
images are included as clickable links that lead to malware
that infects the machine. Similarly, to circumvent highly
secure and monitored networks, some social engineering
malware avoid sending e-mails to certain domain names.
For example, MyDoom.AE is a social engineering malware
that reaches inboxes as an attachment but avoids sending
e-mails to certain strings. Some of the strings include gov,
syma, mil, usenet, unix, tanford.e, utgers.ed, and web-
master [12]. An analysis of the strings shows that they are
e-mail domains of government agencies, educational
organizations, and anti-virus vendors. By avoiding these
domains, the malware hopes to remain undetected longer.
DNS (Domain Name Server) addresses include charac-
ters (e.g., www.education.edu) so humans can more easily
remember them; however, these DNS addresses are actu-
ally translated further to IP addresses for computers to
relay the messages. Hence if an IP address is entered in the
address space of a browser, the computer will complete the
communication. Users are sometimes presented with IP
addresses as clickable links that hide the real domain
address of a fraudulent website. The examples below
describe the interactions between attack strategies and
Fig. 4. Output of displaydns command highlighting the fast flux technique.
protective technologies.
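A check for the two e-mail body tricks just described (image-only bodies whose image is a clickable link, and links whose real target is a raw IP address or a different host than the one shown to the reader), as an added example that is not part of the paper; the three message bodies are constructed and the 20-character "almost no text" threshold is an assumption:

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text, has_image) for every <a> element and
    count the visible text characters and <img> tags of the whole body."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished anchors
        self._open = None    # anchor currently being parsed
        self.text_chars = 0
        self.images = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._open = {"href": attrs.get("href") or "", "text": "", "img": False}
        elif tag == "img":
            self.images += 1
            if self._open is not None:
                self._open["img"] = True

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(self._open)
            self._open = None

    def handle_data(self, data):
        stripped = data.strip()
        self.text_chars += len(stripped)
        if self._open is not None:
            self._open["text"] += stripped


def _host_of(url):
    """Hostname part of a URL; bare 'host/path' strings get a scheme first."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


# Visible link text that itself looks like a URL or a domain name.
_DOMAIN_RE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


def analyse_body(html):
    """Return (finding, detail) tuples for one HTML message body."""
    p = _LinkCollector()
    p.feed(html)
    findings = []
    # Image-only body: almost no visible text (threshold assumed), but a clickable image.
    linked_images = [a for a in p.links if a["img"]]
    if p.text_chars < 20 and linked_images:
        findings.append(("image_only_linked_body", linked_images[0]["href"]))
    for link in p.links:
        host = _host_of(link["href"])
        if _is_ip_literal(host):
            findings.append(("ip_literal_link", link["href"]))
        m = _DOMAIN_RE.match(link["text"])
        shown = m.group(1).lower() if m else None
        real = host[4:] if host.startswith("www.") else host
        if shown and shown != real:
            findings.append(("link_text_mismatch", f"{link['text']} -> {host}"))
    return findings


# Constructed sample bodies, not real messages.
IMAGE_SPAM = '<html><body><a href="http://203.0.113.9/promo.exe"><img src="cid:ad1"></a></body></html>'
DECEPTIVE = ('<html><body><p>Your statement is ready, please sign in at '
             '<a href="http://198.51.100.7/login">www.example-bank.com</a>.</p></body></html>')
BENIGN = ('<html><body><p>Agenda attached. See '
          '<a href="https://intranet.example.org/wiki">the wiki</a>.</p></body></html>')

if __name__ == "__main__":
    for name, body in (("image spam", IMAGE_SPAM), ("deceptive", DECEPTIVE), ("benign", BENIGN)):
        print(name, analyse_body(body))
```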

4.3.2. Fast-Flux

One technique used to prevent malicious e-mail messages and web links from being viewed by end users is to block the IP address of the e-mail and website domains [6]. This technique, known as blacklisting, is used in an organization to prevent traffic from malicious domains from reaching the organization's network.

In order to combat this protection mechanism, attackers use a technique known as fast flux. This technique rapidly modifies the IP addresses of the domain names involved in malicious activities, making them difficult to detect [37]. Consequently, it poses a challenge for preventive technologies that rely on blocking IP addresses. The Storm worm is one of the first e-mail worms to utilize fast flux. To improve response times to domain name queries, the DNS stores IP addresses in its local cache. The time-to-live (TTL) value determines how long the corresponding record is cached on the server. If the TTL value is very low the domain name will be refreshed very often. Fast flux changes the IP address of the domain name rapidly by making the TTL very low (e.g., 180 s). Thus, each time the DNS record for the domain is refreshed, a new IP address is obtained. During a six-month period in 2007 alone, there were over 40,000 domains with more than 150,000 fast flux IP addresses [38]. Fig. 4 shows a partial screen shot of a DNS name resolution for the fast flux domain name rroyalcasino.com, a blacklisted domain. We used the Windows command ipconfig /displaydns to display the contents of the DNS resolver cache after pinging the domain www.rroyalcasino.com. There were 12 different IP addresses for the domain, and the TTL value was only 172 s. We ran the command at different time intervals and obtained 19 different IP addresses for the domain. This attack strategy serves as an excellent example of the constant evolution of malicious activities to combat preventive mechanisms.

4.3.3. Deactivating security tools

Social engineering malware have also succeeded in disabling anti-virus software applications and blocking attempts to go to Microsoft's website for patches. MyDoom.B exhibited the characteristic of null routing the DNS entries on the local machine to security websites. On a Windows machine the hostname to IP address mappings are stored in a file called the Hosts file. This file is loaded into the memory of the computer during startup. The Hosts file can also be used to block access to malicious websites: prior to connecting to a website, the file is consulted to resolve the hostname to an IP address. Malware counteract this mechanism by including null entries for the hostnames of anti-virus vendors and Microsoft websites. Some malware overwrite the local machine's Hosts file that is used for DNS resolutions. Fig. 5 provides a screen shot from an analysis of the modified Hosts file on a MyDoom.B infected computer [39]. A close look at the list shows that the addresses belong to anti-virus vendors and Windows updates. If the anti-virus application is disabled, it is difficult to detect the existence of malware on the machine. This defensive strategy helps the malware live for a longer period on user computers.
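A detector for the fast-flux pattern of Section 4.3.2 (very low TTL combined with a large, changing set of A records), as an added example that is not from the paper: it parses cache dumps in the layout of `ipconfig /displaydns`, accumulates them across runs as the authors did, and scores each domain. The dumps, the private 10.x addresses and the thresholds are constructed or assumed:

```python
import ipaddress
from collections import defaultdict

# Thresholds. The paper's domain showed TTL 172 s and 12 A records per lookup
# (19 distinct across lookups); tune these to your environment.
LOW_TTL_SECONDS = 300
MIN_DISTINCT_IPS = 10
MIN_DISTINCT_NETS = 5   # distinct /16s: flux nodes are scattered across ISPs


def parse_displaydns(text):
    """Extract (name, ttl, ip) triples from 'ipconfig /displaydns' output.
    Each answer record is printed as its own block of 'label . . . : value'
    lines (layout assumed from the usual Windows output); only A records
    are kept."""
    records, name, ttl = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Record Name"):
            name, ttl = line.split(":", 1)[1].strip().lower(), None
        elif line.startswith("Time To Live"):
            ttl = int(line.split(":", 1)[1])
        elif line.startswith("A (Host) Record") and name is not None:
            records.append((name, ttl, line.split(":", 1)[1].strip()))
    return records


class FluxTracker:
    """Accumulate cache dumps taken at intervals, as the authors did, and
    score each domain on the fast-flux pattern."""

    def __init__(self):
        self.ips = defaultdict(set)
        self.min_ttl = {}

    def observe(self, records):
        for name, ttl, ip in records:
            self.ips[name].add(ip)
            if ttl is not None:
                self.min_ttl[name] = min(ttl, self.min_ttl.get(name, ttl))

    def assess(self, name):
        ips = self.ips.get(name, set())
        nets = {ipaddress.ip_network(ip + "/16", strict=False) for ip in ips}
        ttl = self.min_ttl.get(name)
        flux = (ttl is not None and ttl <= LOW_TTL_SECONDS
                and len(ips) >= MIN_DISTINCT_IPS
                and len(nets) >= MIN_DISTINCT_NETS)
        return {"domain": name, "min_ttl": ttl, "distinct_ips": len(ips),
                "distinct_nets": len(nets), "fast_flux": flux}


def _block(name, ttl, ip):
    """One constructed answer block in the displaydns layout."""
    return (f"    {name}\n    ----------------------------------------\n"
            f"    Record Name . . . . . : {name}\n    Record Type . . . . . : 1\n"
            f"    Time To Live  . . . . : {ttl}\n    Data Length . . . . . : 4\n"
            f"    Section . . . . . . . : Answer\n    A (Host) Record . . . : {ip}\n\n")


# Constructed cache dumps (private 10.x addresses, not real data): the flux
# domain answers with 12 addresses in 12 different /16s at TTL 172 s, a second
# dump taken minutes later shows 7 more, and the benign name stays stable.
FLUX = "flux-domain.example"
DUMP_1 = "".join(_block(FLUX, 172, f"10.{n}.{n * 3 % 250}.{n * 7 % 250}") for n in range(1, 13))
DUMP_1 += _block("www.example.org", 3600, "192.0.2.10") + _block("www.example.org", 3600, "192.0.2.11")
DUMP_2 = "".join(_block(FLUX, 172, f"10.{n}.{n * 5 % 250}.{n * 11 % 250}") for n in range(13, 20))


def run_example():
    tracker = FluxTracker()
    for dump in (DUMP_1, DUMP_2):
        tracker.observe(parse_displaydns(dump))
    return tracker.assess(FLUX), tracker.assess("www.example.org")


if __name__ == "__main__":
    for verdict in run_example():
        print(verdict)
```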

Fig. 5. Disabling protection mechanisms [39].
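An audit for the Hosts file tampering of Section 4.3.3 and Fig. 5, as an added example that is not from the paper: it flags protected update and anti-virus hostnames that the file null-routes (0.0.0.0, 127.0.0.1, ::1) or redirects elsewhere. The protected names and the sample file are constructed placeholders:

```python
import ipaddress

# Hostnames that should never be pinned in the hosts file. Constructed
# placeholders for the example; list your own update and AV vendor hosts.
PROTECTED_SUFFIXES = (
    "windowsupdate.example",
    "av-vendor.example",
    "security-vendor.example",
)
NULL_ROUTES = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping. A line may carry
    several names, and '#' starts a comment."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue   # not a mapping line
        for host in parts[1:]:
            yield ip, host.lower(), line_no


def _is_protected(host):
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Return (line_no, ip, host, kind) for each protected hostname the file
    pins: 'null_route' for the MyDoom.B trick, 'redirect' when it points
    somewhere else, which is just as suspicious for these names."""
    hits = []
    for ip, host, line_no in parse_hosts(text):
        if _is_protected(host):
            kind = "null_route" if ip in NULL_ROUTES else "redirect"
            hits.append((line_no, ip, host, kind))
    return hits


# On a live Windows machine the file is %SystemRoot%\System32\drivers\etc\hosts.
HOSTS_SAMPLE = """\
# Constructed sample of a tampered hosts file (not from a real system).
127.0.0.1       localhost
::1             localhost
0.0.0.0         windowsupdate.example
0.0.0.0         www.windowsupdate.example download.windowsupdate.example
127.0.0.1       liveupdate.av-vendor.example   # appended by the malware
10.0.0.5        www.security-vendor.example
192.0.2.20      intranet.corp.example
"""

if __name__ == "__main__":
    for hit in audit_hosts(HOSTS_SAMPLE):
        print(hit)
```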
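Section 4.3.4, which follows, notes that researchers [42] recommend watching DNS patterns and SMTP-port traffic from a machine to spot malware running its own SMTP engine. A sketch of that monitoring over flow and DNS query logs, as an added example that is not from the paper; the log layouts, the relay address and the thresholds are assumed, and the log lines are constructed:

```python
from collections import defaultdict
from datetime import datetime

MAIL_RELAY = "10.0.0.25"       # the organisation's sanctioned outbound relay (assumed)
MIN_DISTINCT_PEERS = 5         # distinct direct port-25 peers before a host is flagged
WINDOW_SECONDS = 600           # ...seen within this many seconds


def parse_flows(text):
    """Yield (ts, src, dst, dport, proto) from 'time src dst dport proto'
    lines; the field layout is assumed for this example."""
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        ts, src, dst, dport, proto = raw.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport), proto.lower()


def parse_dns(text):
    """Yield (ts, client, qtype, qname) from 'time client qtype qname' lines."""
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        ts, client, qtype, qname = raw.split()
        yield datetime.fromisoformat(ts), client, qtype.upper(), qname.lower()


def detect_smtp_engines(flow_text, dns_text):
    """Flag internal hosts that bypass the relay and talk SMTP to many mail
    servers directly, and report how many MX lookups each of them made."""
    peers = defaultdict(set)
    first, last = {}, {}
    for ts, src, dst, dport, proto in parse_flows(flow_text):
        if proto != "tcp" or dport != 25 or dst == MAIL_RELAY:
            continue
        peers[src].add(dst)
        first[src] = min(ts, first.get(src, ts))
        last[src] = max(ts, last.get(src, ts))
    mx_queries = defaultdict(int)
    for _, client, qtype, _ in parse_dns(dns_text):
        if qtype == "MX":
            mx_queries[client] += 1
    alerts = []
    for src, dsts in sorted(peers.items()):
        span = int((last[src] - first[src]).total_seconds())
        if len(dsts) >= MIN_DISTINCT_PEERS and span <= WINDOW_SECONDS:
            alerts.append({"host": src, "smtp_peers": len(dsts),
                           "span_seconds": span, "mx_queries": mx_queries[src]})
    return alerts


# Constructed flow records: 10.0.1.14 uses the relay, 10.0.1.30 makes two
# direct connections, 10.0.1.77 sprays six mail servers in ten seconds.
FLOWS = """\
2010-03-01T09:00:01 10.0.1.14 10.0.0.25 25 tcp
2010-03-01T09:00:05 10.0.1.14 10.0.0.25 25 tcp
2010-03-01T09:00:09 10.0.1.30 203.0.113.5 25 tcp
2010-03-01T09:00:10 10.0.1.77 192.0.2.10 25 tcp
2010-03-01T09:00:11 10.0.1.77 192.0.2.11 25 tcp
2010-03-01T09:00:12 10.0.1.77 198.51.100.4 25 tcp
2010-03-01T09:00:14 10.0.1.77 198.51.100.9 25 tcp
2010-03-01T09:00:15 10.0.1.77 203.0.113.7 25 tcp
2010-03-01T09:00:17 10.0.1.77 203.0.113.8 25 tcp
2010-03-01T09:00:20 10.0.1.77 192.0.2.10 25 tcp
2010-03-01T09:00:30 10.0.1.30 203.0.113.6 25 tcp
2010-03-01T09:01:00 10.0.1.77 192.0.2.50 443 tcp
"""

# Constructed DNS query log: the spraying host resolved MX records first.
DNS_LOG = """\
2010-03-01T08:59:50 10.0.1.77 MX mail-a.test
2010-03-01T08:59:51 10.0.1.77 MX mail-b.test
2010-03-01T08:59:52 10.0.1.77 MX mail-c.test
2010-03-01T08:59:53 10.0.1.77 MX mail-d.test
2010-03-01T08:59:54 10.0.1.77 MX mail-e.test
2010-03-01T08:59:55 10.0.1.77 MX mail-f.test
2010-03-01T09:00:00 10.0.1.14 A intranet.corp.example
"""

if __name__ == "__main__":
    for alert in detect_smtp_engines(FLOWS, DNS_LOG):
        print(alert)
```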

4.3.4. Own SMTP engine

SMTP (Simple Mail Transfer Protocol) is the standard for sending e-mail messages across the Internet. The protocol works by sending requests to a remote server by using queries and responses. The message uses a relay server that delivers the message to the destination e-mail server. An e-mail server that is an open relay transfers e-mail messages from destinations outside of its domain. One of SMTP's biggest security challenges is that it does not authenticate the sender of the message. In our analysis, there were several cases where the malware harvested e-mail addresses from victims' address books and sent fake e-mails from users' e-mail accounts. This crafty strategy deceives the receiver into thinking that the e-mail is being sent from a trusted source. This is known as e-mail "spoofing," and is defined as forgery of the e-mail header, which makes the e-mail message appear to have been received from a different source than the actual source [40].

In the past malware utilized organizations' e-mail servers to relay e-mail messages (e.g., Hybris, Haiku worm, etc.). However, as organizations have become proactive in reducing e-mail spoofing and blocking e-mail servers from being open relay agents, malware authors now use their own SMTP engines to propagate across the Internet. Upon activation by the end user, the malware installs the necessary SMTP program files on the user's machine, thereby turning it into an e-mail server. This strategy enables the malware to propagate even if the organization's e-mail server prevents address spoofing or open relay agents. Several open source e-mail server programs are available that can be used by the malware authors without any cost. The e-mail worm Netsky.C is one among numerous social engineering malware that uses its own SMTP engine to propagate. The worm verifies the domain name of the target e-mail addresses and obtains the SMTP server's IP address for that domain from the local DNS server. MyDoom goes one step further by using the backup SMTP server addresses instead of the primary server IP addresses [41]. Once the IP address of the target domain name is obtained, the worm uses its own SMTP engine to send the e-mail. Some researchers [42] recommend monitoring DNS patterns and examining traffic on the SMTP port in the infected machine to detect malware that use their own SMTP engines to propagate. However, such detective methods are still in their infancy and are not widely used by organizations.

4.3.5. Self-defending

Malware now strike back at those who try to stop them. Storm worm is one of the first worms known for striking back by creating distributed denial-of-service attacks at machines trying to probe its command-and-control servers. Storm worm-infected machines form massive bot networks that can be used to launch denial-of-service attacks at targeted machines and even paralyze the machine for weeks [43]. A botnet is a network of malicious bots – programs that perform user-centric tasks automatically without any interaction from a user – that illegally control computing resources. Botnets generally have a central command-and-control location. Extensive methods to combat botnets are still being developed, but one way to stop botnets is by detecting the command-and-control point of the botnet. This centralized property of botnets is helpful for security professionals, as they identify a single point of failure for the botnet [44]. The bot network of the Storm worm is unique in that it is a decentralized command-and-control network. This means the root of the bot cannot be detected and eliminated. Some have estimated the massive Storm bot network to comprise one million to fifty million computers [43]. Recent social engineering malware are designed to add computers to bot networks that are then used by malware authors to send out e-mail spam, launch denial-of-service attacks, and provide false information from illegally controlled sources [44]. The owner of a bot network can sell parts of the bot network to criminals, enabling them to launch denial-of-service attacks against organizations and to send out spam.

5. Malware actions

Once the malware has breached a system's defenses, it is ready to complete its mission. Based on our sample of malware, the next steps executed are often some combination of installing key loggers and/or opening backdoors. We describe each of these below.

5.1. Key loggers

Some of the social engineering malware we analyzed resulted in key loggers being installed on a user's computer. Key loggers are malicious programs that capture keystroke information, and in most cases relay the information to outside sources. For example, W32.HLLW.Fizzer@mm is a mass mailing malware that installs a key logger on the infected machine. The malware attempts to spread by e-mailing itself to addresses on the user's contact list and through file-sharing programs. The logs of all the keystrokes are saved to an encrypted file on the user's computer. The malware connects to various IRC servers and waits for commands to execute functions and transfer files. The dangerous aspect of key loggers is the potential to obtain credit card numbers, social security numbers, and other personal information from users' keystrokes. Key loggers are easy programs to create, and there are numerous pre-built key loggers available for users to download.

5.2. Backdoors

Many of the social engineering malware we analyzed open backdoors on computers. A backdoor is the malware author's hacking tool of choice, as it allows remote connections to the system [41]. Generally a backdoor opens network ports (TCP/UDP) and waits for remote connections from the attacker on the open port, providing access to the system. Several malware come with built-in backdoors. Depending on the motive of the malware authors, various backdoors are installed on an infected computer. Dumaru.Y is an e-mail worm that, upon execution, installs several backdoors and data-stealing components. The worm also attempts to steal personal data and keystroke information, which is then e-mailed to predefined e-mail addresses. Mydoom.A is another example of an e-mail worm that opens backdoors by opening TCP ports that permit attackers to connect to the system and use its network resources. The backdoor also can download and execute files on the computer. Furnell and Ward [45] call every backdoor an asset that the attacker acquires in the form of a compromised system.

5.3. Rootkits

Rootkits are a group of programs designed to remain obscure and undetectable in computers that have administrative access to a larger system. The malware (e.g., Bagel worm) then searches the computers' directories and files for stored passwords. In many cases rootkits are used to control and monitor the system for website visits, including bank transactions.

5.4. Hijacking

Malware can hijack an active session between a user and an e-commerce or banking site. The hijacked session steals the role and authentication of the established legitimate source and obtains sensitive information and even redirects or alters active transactions.

Alternatively, browser hijackers alter the default web address in the browser, redirecting web page visits to fraudulent websites or displaying pop-ups and stealing confidential information.

6. Implications

The observed trends and tactics used by social engineering malware show that organizations need to adopt a multi-pronged approach to combating social engineering malware rather than pursuing purely technical solutions. Organizations have made great strides in implementing effective security technologies and processes, but there is a gap in integrating these efforts with people [46]. Technology and security policies alone cannot protect organizational assets from cyber attacks. Technology is only useful if adopted and accepted by people in the organization [47]. People play a major role in shaping the effectiveness of information security policies in an organization. Below we identify areas that assist organizations in mitigating the human risks posed by social engineering malware.

6.1. Increase awareness of information security

Among users, the lack of awareness about security policies and best practices has been identified by several security scholars as a major cause of failure [47–49]. Although many organizations provide information security awareness training, it is generally provided when an employee starts working at the organization or is a one-time effort. The evolving landscape of social engineering tactics, as described here, shows that training processes need to be updated regularly in order to remain current with the changing environment. This calls for ongoing information security training for all levels of an organization. Information security portals in the form of websites or knowledge bases should be available where employees can obtain information on the latest threats, fixes, and security patches. Employees should be aware of the existence of these information security resources. It is imperative that
tutorials and/or knowledge bases be accessible and interesting to users. Resources containing language filled with technical jargon should be avoided so all users can understand the information.

As discussed earlier, malicious code authors employ timely techniques during major holidays and events. Therefore, notifications should be sent to employees during these times to remind users of the possibility that they may receive e-mails or pop-ups that in fact direct them to malware. Users should be provided with examples of e-mails and pop-ups so they become alert to the types of attacks. Depending on the number of employees, an organization can choose between various channels to relay information to users, such as computer-based training, in-person training, videos, etc. Rather than simply making such awareness programs available to employees, organizations should require employees to attend and prove proficiency in the programs. Organizations can measure the level of awareness among employees by surveys, security tests, etc., and measure the level of security proficiency among employees. Managers need to be trained to promote an information security culture within their supervising units. Essentially, organizations need a comprehensive, ongoing information security program that caters to employees at all levels in the organization, and that can be evaluated for success.

6.2. Monitor home use

Organizations should train employees to continue following information security best practices beyond the physical realm of the organization. A relatively neglected area in organizational security is the security of employees' residential computers. The changing work environment that now demands anytime, anywhere communication causes employees to access e-mail constantly from various locations and devices. Given the growth of the telecommuting workforce, the protection of residential networks is vital to the continued protection of organizational networks. In a study of corporate and government organizations, only half of them reported having developed guidelines for telecommuting [50]. Also, about 50% of respondents indicated that telecommuting employees occasionally used their personally owned computers for work purposes. A study of remote workers found that people working from home tend to be less conscious of information security practices [51]. Additionally, the home computer might be used by other family members who are not trained in information security best practices.

Even though home users may get security training at work, they need to take some initiative to ascertain that their home computers are secure. Organizations employ staff to ensure that their networks are protected and provide employees with machines that have updated anti-virus and security technologies. However, employees themselves have to purchase the necessary security technologies for their home computers and keep them updated. If the employee uses a home computer that is unlikely to be actively monitored for malicious software, it can remain compromised for long periods of time. It only takes a handful of compromised residential computers to disable an organization's networks with distributed denial-of-service attacks.

Many wireless routers, especially in homes, use default settings that prioritize ease of setup over security, thereby increasing the risk of Internet fraud [52]. Organizations can help improve employee home computer security by providing information security tools such as anti-virus and firewalls at a discounted rate to employees for their home computers. Organizations can extend the services of their IT staff to off-sites and during non-business hours in order to ensure that their employees' home computers are protected. Essentially, organizations need to be proactive and expand their security safety net to include employee home computers as well.

6.3. Manage personal use of work computers

Personal use of computers at work is another neglected area of information security policies. The increased use of social software blurs the line between personal and professional exchange of information. Employers now rely on information posted on social websites for recommendations and hiring purposes. Organizations increasingly turn to social websites like Facebook and Twitter to promote information exchange among employees. Paradoxically, a large number of social engineering attacks are engineered using social software. Hence it is critical for organizations to consider how to mitigate the risks involved when employees utilize the organization's computers for personal purposes.

Employees who access personal e-mail accounts from, and download files to, work computers increase the risks to organizational security. The level of authority and authentication credentials of employees can make it easier for hackers to gain access as well as risk the organization's network security. It is critical for organizations to have policies that manage personal use of work computers. However, in today's information environment, totally restricting employee access to the Internet could be counterproductive. Instead, organizations could provide dedicated workstations in lounges for employees to access the Internet for personal use. These machines could be configured on a different network with restricted access to organizational resources. They would help mitigate the risks associated with employees using work computers for their personal use as well as give employees alternative avenues for accessing personal information.

6.4. Motivate users to follow secure practices

As pointed out earlier, it is important to provide ongoing training for employees, to educate them about the evolving landscape of attack strategies. Although awareness is necessary for involving end users in security efforts, it does not guarantee compliance with information security policies. It is equally important to motivate users to incorporate a security culture. As security is a secondary goal of end users [53], they are not always motivated to behave in a secure manner [54,55]. Motivation is an antecedent to end user behavior, and a number of studies have identified the need to focus on motivating users to behave in a secure
manner [53,54,47,48]. Information security needs to be embedded into the culture of the organization. Incentive programs that recognize and reward employees for keeping their computers virus-free can create a positive buzz around information security. Employees need to understand the importance of information security, and incorporate a security culture not just inside the organization but outside as well, to foster an information security culture at home and during personal use of the organization's resources.

7. Social responsibility in combating social engineering malware

Fig. 6 captures the interactions between end users, governments, and other organizations, and highlights the fact that combating social engineering malware calls for shared social responsibility. The figure shows a scenario where a user located in the US unintentionally sends an e-mail message embedded with malware to a friend in Thailand. From the spatial boundaries and policy implications, we can see that the responsibility to combat malware spans a wide array of entities, from organizations, governments, Internet service providers, international bodies, and end users. We further investigate the role of these entities and the challenges they confront in combating malware attacks.

Fig. 6. Social responsibility in combating malware.

Even if organizations become more proactive about creating policies for protecting against social engineering attacks, it is important to have laws in place that are enforceable. It is impossible to implement a single law that pertains to mitigating the risk of social engineering malware or computer crimes because the landscape of attacks spans the realms of websites, e-mail, international areas, software compliance, etc. Hence we find a myriad of laws in place that aid in reducing the risk of social engineering computer crimes. Table 2 lists some of the laws in the United States that aim to improve information security.

Table 2
Information security laws in the US.

| Law | Enacted | Information security protection |
| --- | --- | --- |
| Family Educational Rights and Privacy Act | 1974 | Protects privacy of student educational records |
| Health Insurance Portability & Accountability Act | 1996 | Security and privacy of health data |
| Gramm–Leach–Bliley Act | 1999 | Imposes security policies for financial institutions |
| Electronic Signatures in Global and National Commerce Act | 2000 | Security requirements for businesses using electronic transactions |
| USA PATRIOT Act | 2001 | Increases law enforcement agencies' ability to conduct searches |
| Sarbanes–Oxley | 2002 | Security standards for public corporations |
| Federal Information Security Management Act | 2002 | Requires federal agencies to adhere to security standards |
| CAN-SPAM | 2003 | Security rules for commercial e-mail |
| Security Breach Notification Laws | Since 2002 | Requires disclosure in the event of security breaches of personally identifiable information |

The mere existence of laws does not produce viable results unless they are enforced and verified for compliance. It is important to ensure that penalties are sanctioned for failure to comply with laws. A major challenge for governments is enforcing and ensuring compliance with cyber-crime laws.

Unlike organizations that have a responsibility to protect the users of their network, ISPs (Internet Service Providers) are not held responsible for monitoring their networks for malicious activities. Information security laws like Sarbanes–Oxley and the Federal Information Security Management Act specifically target organizations. The Trusted Internet Connection (TIC) Initiative issued in November 2007 is a start in streamlining ISP security, but it focuses on Internet access points for federal agencies. There are currently no specific laws governing security standards for ISPs that provide services to home users. It is equally
important to develop security standards to protect networks including homes and small businesses. The majority of botnets are believed to be operating from residential computers. Such malicious activities can be stopped if ISPs take a lead in detecting anomalous activities. A number of ISPs offer security solutions to their customers for an additional fee, but the major challenge for ISPs is to integrate cost-effective services with embedded security services.

We recognize that it is not feasible for ISPs to ensure that every user in the network has up-to-date anti-virus software and security protections. End users also share the responsibility to ensure that they have appropriate protection mechanisms that facilitate safe Internet surfing. A simple analogy is the seatbelt law that protects drivers from accidents. Most countries have some form of seatbelt legislation requiring manufacturers to fit their vehicles with seatbelts and their occupants to wear the belts while driving. If the Internet is considered to be an information highway, and the computer the motor vehicle being driven, manufacturers should include anti-virus and security protection mechanisms with any computer sold. Analogously, if end users are the drivers, they should be required to use protective mechanisms while using the Internet. End users need to be mindful of ensuring that their ignorance does not cause loss of data or service for other users.

The Internet is not limited by geographical boundaries, and it requires the participation of international bodies to foster the cooperation of all countries in tracking and eliminating social engineering crime networks. A major challenge in tracking such crime lies in overcoming the barriers of language, culture, and laws across countries. Cross-national information sharing among international government entities is challenging, and it is important to set security standards that enable safe and active monitoring of cyber crime. Table 3 lists some of the international organizations fighting computer crime and their initiatives.

Table 3
Initiatives by international standard-setting bodies.

| International bodies | Outreaches |
| --- | --- |
| ISO (International Organization for Standardization) | Develops security standards |
| NIST (National Institute of Standards and Technology) | Develops supporting documentation, standards and recommendations; evaluates security policies |
| Internet Society | Provides leadership in Internet related standards, education and policy |
| ITU (International Telecommunications Union) | Facilitates cooperation internationally to strengthen cyber security |
| Information Security Forum | Independent non-profit organization that provides guidance in information security |
| FBI (Federal Bureau of Investigation) | Enforces laws and investigates cyber crimes |

An important area that calls for international attention is the abuse of Internet domain name service. Stricter laws need to be enforced when selecting domain name services. Attackers have increasingly tricked users by registering domain name services that appear to be similar to organizations or banks. The allocation of domain name services needs to be monitored and requests for domain names tracked, especially for those that are typographically close to existing and established domain names. ICANN (Internet Corporation for Assigned Names and Numbers) is working to streamline the process of approving domain name sellers. With more than 500 domain name registrants in the market, and the existence of third-party domain name registrants, the process to authenticate domain name registrants is enormously complicated. Authentication needs to be strictly verified and monitored to prevent phony domain name registrations. A major challenge for ICANN includes identifying the registrants and tracking international domain name sellers. Table 4 summarizes some of the challenges we identified in combating social engineering malware.

Table 4
Challenges in combating social engineering malware.

Motivating end users toward information security practices
Enforcement and compliance of information security laws
Implementing security standards for Internet service providers
Cultural and language barriers in fighting international crimes
Information sharing across boundaries
Abuse of domain name service

8. Conclusion

Even as computer systems continue to become more secure through better software development and testing, they are just as easily subverted by hackers using social engineering techniques [56]. We determined that social engineering malware is both pervasive and persistent. As presented here, our analysis of attack strategies shows that social engineering attacks are evolving and becoming more complex and sophisticated. The relative lethargy of users toward security practices, coupled with the aggressiveness of spammers and hackers, is a dangerous combination. In the early days of hacking, one had to be an expert and technically savvy in order to launch and create malware. Today custom-built malware kits are commercially available that can be used to test potential networks and machines to launch attacks [12].

Technology and security policies alone cannot protect organizational assets from cyber attacks; they are useful only if adopted and accepted by people in the organization [47]. Although this has long been recognized, our analysis leads us to urge organizations to expand their efforts to encourage and cater to safe home computer use as well. Culnan et al. [57] advocate security awareness training programs to reduce risks stemming from unsecured home computers and mobile devices used in unsecured networks away from the office. However, the efficacy of such training programs may be limited due to the fact that malicious code authors are now utilizing highly sophisticated attack strategies that make it difficult for end users to distinguish between legitimate and non-legitimate e-mail messages and websites. We emphasize the need for organizations to provide ongoing training at all levels, and for such training to be tested and evaluated for success.
We recognize that organizations alone cannot mitigate the risks of social engineering malware, and that responsibility spans governments, ISPs, end users, and international bodies. The collective effort of these entities in overcoming current and future challenges is needed in order to mitigate the crimes perpetrated using social engineering malware.

References

[1] International Standards Organization (ISO). ISO/IEC 17799 information technology security techniques: code of practice for information security management. Geneva: ISO; 2005.
[2] Whitman M. Enemy at the gate: threats to information security. Communications of the ACM 2003;46:91–5.
[3] Stacey TR, Helsley RE, Baston JV. Identifying information security threats. Information Systems Security 1996;5:50–9.
[4] Loch KD, Carr HH, Warkentin ME. Threats to information systems: today's reality, yesterday's understanding. MIS Quarterly 1992;16:173–86.
[5] Solms RV, Solms BV. From policies to culture. Computers & Security 2004;23:275–9.
[6] Erbschloe M. Trojans, worms, and spyware: a computer security professional's guide to malicious code. Butterworth-Heinemann; 2004.
[7] Mitnick KD, Simon WL. The art of deception: controlling the human element of security. Wiley & Sons; 2002.
[8] CERT. E-crime watch survey. Available from: <http://www.cert.org/>; 2007.
[9] Wagner A, Dübendorfer T, Plattner T, Hiestand R. Experiences with worm propagation simulations. In: Proceedings of the 2003 ACM Workshop on Rapid Malcode. Washington, DC; 2003.
[10] Sanok D. An analysis of how antivirus methodologies are utilized in protecting computers from malicious code. In: Proceedings of the 2nd Annual Conference on Information Security Curriculum Development. Kennesaw, GA; 2005.
[11] Siponen M, Oinas-Kukkonen H. A review of information security issues and respective research contributions. Database for Advances in Information Systems 2007;38:60–81.
[12] Symantec. Security response: Symantec. Available from: <http://www.symantec.com/security_response/>; 2008.
[13] Brownlow M. E-mail and website statistics. E-mail Marketing Reports; May 3, 2008.
[14] Kienzle D, Elder M. Recent worms: a survey and trends. In: Proceedings of the 2003 ACM Workshop on Rapid Malcode.
[27] Raman K. Ask and you will receive. McAfee Security Journal Fall 2008;2008:9–12.
[28] Kanich C, Kreibich C, Levchenko K, et al. Proceedings of the 15th ACM Conference on Computer and Communications Security, Alexandria, Virginia; 2008.
[29] Chien E. Symantec threats and risks. Available from: <http://www.symantec.com/security_response/writeup.jsp?docid=2001-021219-1830-99>; 2007.
[30] Sharek D, Swofford C, Wogalter M. Failure to recognize fake Internet popup warning messages. Human Factors and Ergonomics Society 52nd Annual Meeting, New York; 2008.
[31] Gallego A. TrendLabs malware blogs. Available from: <http://blog.trendmicro.com/critical-update-leads-to-critical-info-theft/>; 2009.
[32] Garretson C. Whaling: latest e-mail scam targets executives. Available from: <http://www.networkworld.com/news/2007/111407-whaling.html>; 2007.
[33] BBC News. Major cyber spy network uncovered. Available from: <http://news.bbc.co.uk/2/hi/7970471.stm>; 2009.
[34] Tracking GhostNet: investigating a cyber espionage network. Information Warfare Monitor. Available from: <http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network>; 2009.
[35] Wang J, Chaudhury A, Rao R. A value-at-risk approach to information security investment. Information Systems Research 2008;19:106–20.
[36] Computer Security Institute (CSI). Computer crime and security survey. Available from: <http://www.gocsi.com/forms/csi_survey.jhtml;jsessionid=XIAUBOB54ND50QSNDLPCKH0CJUNN2JVN>; 2008.
[37] Internet Corporation for Assigned Names and Numbers (ICANN). SSAC advisory on fast flux hosting and DNS. Available from: <www.icann.org/committees/security/sac025.pdf>; 2008.
[38] Honeynet Project. Available from: <http://www.dts.ca.gov/security_awareness_fair/DTS_Security_Awareness_Fair_Presenter_Patrick_McCarty.ppt>; 2007.
[39] Hines ES. MyDoom.B worm analysis. Applied Watch Technologies, <https://isc.sans.org/presentations/MyDoom_B_Analysis.pdf>; 2004 [accessed 02.11.07].
[40] Kruck GP, Kruck SE. Spoofing: a look at an evolving threat. Journal of Computer Information Systems 2006 Fall:95–100.
[41] Szor P. The art of computer virus research and defense. Addison-Wesley Professional; 2005.
[42] Wong C, Bielski S, McCune J, Wang C. A study of mass-mailing worms. Paper presented at the 2004 ACM Workshop on Rapid Malcode. Washington, DC; 2004.
[43] Larkin E. Storm worm's virulence may change tactics. Available from: <http://www.networkworld.com/news/2007/080207-black-hat-storm-worms-virulence.html>; 2007.
Washington, DC; 2003. [44] Julian BG, Vikram S. Peer-to-peer botnets: overview and case study.
[15] National Institute of Standards and Technology (NIST). History of In: Proceedings of the first conference of the first workshop on hot
worms. Available from: <http://csrc.nist.gov/publications/nistir/ topics in understanding botnets. Cambridge, MA: USENIX Associa-
threats/subsubsection3_3_2_1.html>; 1994. tion; 2007.
[16] Jakobbson M, Myers S. Phishing and countermeasures: under- [45] Furnell S, Ward J. Malware comes of age: the arrival of the true
standing the increasing problem of electronic identity theft. Wiley- computer parasite. Network Security; 2004:11–5.
Interscience; 2006. [46] Andress A. Surviving security: how to integrate people, process and
[17] Tiauzon S. TrendLabs malware blog. Available from: <http://blog. technology. Lincoln, NE: CRC Press; 2005.
trendmicro.com/nu-war-tactics/>; 2006. [47] Siponen M. A conceptual foundation for organizational IS security
[18] De la Paz R. TrendLabs malware blogs. Available from: <http:// awareness. Information Management & Computer Security 2000;8:
blog.trendmicro.com/solar-eclipse-2009-in-america-leads-to-fakeav>; 31–4.
2009. [48] Puhakainen P. A design theory for information security awareness.
[19] Ramzan R. Drive-by-pharming in the wild. Symantec. Available from: Unpublished dissertation, University of Oulu: Oulu, Finland; 2006.
<https://forums.symantec.com/t5/Emerging/Drive-by-Pharming- [49] Thomson ME, Solms RV. Information security awareness: educating
in-the-Wild/bap/305989;jsessionid¼A89BA88385E764FD3EACA22 our users effectively. Information Management & Computer Secu-
3FD0346F6#A94>; 2008. rity 1998;6:167–73.
[20] Tepper M. The rise of social software. netWorker 2003;7:19–23. [50] Telecommuting poses security risk. NetworkWorld 2008:24.
[21] Narain R. Rogue advertisement pushes scareware to NYTimes.com [51] Cisco. Understanding remote worker security. Available from: <http://
readers. Threat Post: Kaspersky Lab Security News Service; 2009. www.cisco.com/web/CA/pdf/Understanding_Remote_Worker_
[22] Jagatic T, Johnson N, Jakobsson M, Menczer F. Social phishing. Security_A_survey_of_User_Awareness_vs_Behaviour.pdf>; 2006.
Communications of the ACM 2007;50:94–100. [52] Tsow A, Jakobsson M, Yang L, Wetzel S. Warkitting: the drive-by
[23] Dang H. The origins of social engineering. McAfee Security Journal; subversion of wireless home routers. Journal of Digital Forensic
2008. Fall. Practice 2006;1:179–92.
[24] Krebs B. Phishers now twittering their scams. Washington Post [53] Good N, Krekelbert A. Usability and privacy: a study of Kazaa P2P
January 2009;5. sharing. O’Reilly Media; 2005.
[25] Fergusen R. TrendLabs malware blog. Available from: <http://blog. [54] Adams A, Sasse A. Users are not the enemy: why users compromise
trendmicro.com/new-variant-of-koobface-worm-spreading-on- security mechanisms and how to take remedial measures. O’Reilly
facebook/>; 2009. Media; 2005.
[26] Pimentel J. TrendLabs malware blog. Available from: <http://blog. [55] Stanton J, Stam K, Mastrangelo P, Jolton J. Analysis of end user
trendmicro.com/worm-sdbot-variant-spreading-through-msn- security behavior. Computers & Security 2005;24:124–33.
instant-messenger/%23ixzz0PsFb6PTN>; 2007.
196 S. Abraham, I. Chengalur-Smith / Technology in Society 32 (2010) 183–196

Sherly Abraham is a PhD student at the College of Computing & Information, State University of New York, Albany. She has a Masters degree in Telecommunications from SUNY Institute of Technology, Utica, NY, and a Bachelors degree in Computer Engineering from Assumption University, Bangkok, Thailand. Her research interests include information security, software patents, and telecommunication policies. She has presented her research at various conferences and her work has been published in Computer Law and Security Review.

InduShobha Chengalur-Smith is Chair of the Information Technology Management Department at the School of Business, State University of New York, Albany. She received her PhD from Virginia Tech, Blacksburg, VA. Prior to joining academia, she worked in the private and public sectors. Her research interests are in open source software, technology adoption and implementation, information quality, and security. She serves on the editorial boards of several journals, and her research has been published in journals such as Information Systems Research, Communications of the ACM, and multiple issues of IEEE Transactions.