New York Times Falls Prey to Rogue Anti-Virus Scam
Written by Mel Duvall

We all know the Internet is a dangerous place. It’s littered with ads for software to make your PC run faster or speed up Internet downloads, for screensavers with adorable pictures of kittens or puppies, and for free anti-virus protection. Unless the source is trusted, most people know to avoid such ads, as the most likely thing they’ll be downloading is a Trojan horse or some other form of malware.

That’s why a warning sent out on the weekend by the New York Times caught many by surprise. The Times is a Web site people trust – if it posts an ad for a software program that will provide antivirus protection, most people will not think twice about downloading it.

Yet on Sunday, the newspaper warned readers that a rogue antivirus ad made its way onto the paper’s Web site, NYTimes.com.

 

“Some NYTimes.com readers have seen a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software,” the Times warned in a “Note to Readers”. “We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring. If you see such a warning, we suggest that you do not click on it. Instead, quit and restart your Web browser.”

 

The fact that the Times was infiltrated by such a rogue software scam – it has not yet said how the ads made their way onto the site – is another warning of just how easy it is to fall victim, no matter how careful you are in your surfing habits.

In fact, Redspin, a Carpinteria, Calif.-based information security assessment firm, released a study Monday detailing how successful it has been at penetrating corporate security policies, primarily using social engineering techniques.

Redspin says it has conducted hundreds of social engineering assessments for corporations, using such techniques as email phishing, telephone password acquisition calls, and thumb drive drops. On average, it has observed a 22% employee failure rate for emails, and a 53% failure rate for phone calls.

One of the more successful social engineering ploys tested by the company involves thumb drives. The company puts out a candy dish filled with brightly colored thumb drives (small storage devices that plug into a USB port), with a note that says “FREE!”

 

“Employees snap them up and promptly plug them into their computers,” says Redspin Chief Executive Officer John Abraham. If planted by cybercriminals, the thumb drives could contain malicious software. “If we were the bad guys, we would own that company’s system,” adds Abraham.

 

What’s the lesson? For starters, beware of anything that’s free. Beyond that, it pays to remain vigilant and stay on top of the latest scam techniques. I’ve got a desk drawer with a half-a-dozen free thumb drives I’ve snapped up at booths at conferences. For the most part, I haven’t put them to use. Now I’m wondering if it would be smart to just drop them in the trash. Free might come with too great a price.


 




Comments (1)
1. 09-15-2009 15:17
 
The Times published an article giving further details on how the malicious ad appeared on the site. It said the perpetrators posed as the Internet telephone company Vonage and initially ran legitimate Vonage ads. But some time last Friday, the Vonage ads were switched with ads warning readers that their computers were infected with a virus, and instructing them to download software. Because the Times thought the ads came directly from Vonage, it accepted the ads, without vetting the agency which placed them. 
On a bigger picture note, I’m wondering who should be responsible for covering the cost of damage associated with the possibly malicious software. Should the Times be responsible, or is it a case of buyer beware? Curious to hear your thoughts.
Mel Duvall


Copyright © 2007-2010 CIOZones. All Rights Reserved. CIOZone is a property of Professional Social Networks, Inc.