Instant messaging users are being duped into downloading viruses and opening the door to intruders who use their systems to launch distributed attacks across the Net.
Hackers are increasingly attacking systems through instant messaging, says Art Manion, Internet Security Analyst at CERT, a federally funded high-tech research and development center at Carnegie Mellon University.
”We have reports of tens of thousands of systems being compromised in this way,” says Manion. ”Instant messaging is being used a lot and people arent paying attention to the security risks that are out there. People are still way too trusting, and they think instant messaging can’t be used against them. But it can.”
And Manion says attackers aren’t simply hacking their way in. Users are actually being fooled into inviting them in — literally opening the door and laying out the welcome mat.
Attackers are socially engineering people. That means, simply, that they are duping people into giving away key information that leaves their system unsecure, or they are being fooled into downloading an executable attachment that actually plants a virus or leaves behind a Trojan horse. Social engineering is the human side of breaking into a corporate network.
Companies with authentication processes, firewalls, VPNs and network monitoring software are still wide open to an attack if an employee unwittingly gives away key information in an email, by answering questions over the phone with someone they don’t know or even by talking about a project with coworkers at a local pub after hours.
When it comes to IM, attackers are luring users with intriguing opportunities — spamming people with get-rich-quick schemes, offers of free software or even offers of free porn. When the user clicks on the link, a virus is downloaded or the attacker creates a backdoor into the user’s system so he can go back in whenever he wants. That way, he creates a collection of compromised systems and uses them in a concerted denial-of-service attack against another company, government agency or sector of the Internet.
”The attacker puts out messages to entice a user to download a file,” says Manion. ”They could be getting users’ instant messenger logons from chat rooms or from forms users fill out when they go to a Web site. They’ll contact you and ask if you want a free movie viewer but youre actually getting a virus or a Trojan horse or a backdoor.”
Ralph Logan, a manager at PentaSafe Security Technologies Inc., a security software company based in Houston, Texas, says it was just a matter of time before attackers turned their attention to instant messaging.
”It’s a very, very large problem,” says Logan. ”Everyone I know is on IM. My mother is on IM. Millions of people are on it. The file transfer feature is built in and people will use it because it’s convenient. And with convenience always comes security issues. If the barn gate doesn’t have a latch on it, nobody will close it.”
And no matter how many firewalls and intrusion detection systems a company has set up, that doesn’t protect them from social engineering. The minute an employee double clicks on a link that comes to them over email or instant messenger, all those security efforts go right out the window.
”We did a security awareness study last year and found that a company’s greatest vulnerability is the employee,” says Logan. ”If your employees aren’t educated about security policies, there’s a gap in the human firewall. You’re instantly vulnerable.”
Mike Rasmussen, director of research and information security at Giga Information Group, a Boston-based analyst firm, says instant messenger software — whether it’s from Yahoo, AOL or Microsoft — has been lax when it comes to any kind of security. If a user is sending a credit card number or critical company information over instant messengers, they might as well be yelling out the window.
But Rasmussen says makers of instant messenger software are working to make their transmissions more secure, preparing to add encryption capabilities, along with virus scanners. He says improvements should be coming as soon as six months from now.
But all of the industry watchers agree that for now, companies need to protect themselves. And that means setting policies about instant messenger usage. Do employees really need to use the software? Maybe some do, but maybe everyone doesn’t. Be selective.
And set rules for what is allowed and what isn’t. Don’t allow users to click on links, download attachments or even post their logons in chat rooms and on Web pages. Don’t allow users to instant message with anyone outside the company.
When a company has a policy, they next need to make sure that employees are aware of the rules and understand what will happen to them if they break those rules. Also educate employees to the risks they create when they misuse email or instant messengers.
”If I succumb to an attacker trying to convince me to download a file, it’s game over for my system,” says Manion. ”It’s all over.”