Truth 20 An identity thief has a gift just for you
You have come home from a long day at the office. As you unlock the door to your house, you notice a small box on the front porch. Inside, you find a letter and a brand new webcam. You didn’t order a webcam, so you begin to read the letter. It turns out that the webcam has been sent from a company called Orwell Technology Research Group. The letter explains that they are conducting a study on webcams and their ease of use. All they ask is that you complete a small online survey regarding the installation and setup of your webcam after you install it. As compensation for your time, the webcam is your gift to keep.
A couple days later, you decide to try it out. You plug the webcam into your computer and place the CD into the drive. Less than five minutes later, the camera is installed, and you are waving at your friend online.
So who is Orwell Technology Research Group? I can guarantee it is not a research company dedicated to the betterment of products. In fact, it is a fictional company that I created awhile back for use in identity theft attacks. Were you to visit the Web site that had been listed in that letter, you would have found what appeared to be a professional business. The survey form was real, but all I was interested in was you installing the webcam and software that came with the camera.
The first time I performed this attack, I got a couple engineers together with different skill sets. We purchased a bunch of webcams that cost less than $20 each. We carefully opened the packages and took the webcams out, along with the CD that contained the software. We then took the webcams apart and disabled the little red light that would turn on when the camera was activated. By disabling this light, it guaranteed that the end user would never have any indication of when the camera was on or off.
Next, one of the engineers wrote some new software that would communicate to our network and allow us to access any computer on which it was installed. Of course, the software was designed to be in “stealth” mode so that a user sitting at the computer would not know it was active. Lastly, we made new CDs that contained our new software integrated with the webcam software. The CDs were given new labels, and everything was placed back in the box.
The Orwell Technology Web site we put up was actually just a copy of another organization’s real Web site. We simply changed the name and logo and added a survey page. In all, developing the Web site, making the changes to the webcam, creating the new malicious software, and packaging everything took less than three hours.
When the webcam and software were installed, I received notification without the victim’s knowledge. At that point, I was able to run commands on the victim’s computer via the webcam and the custom software. I could browse the victim’s files, take any file I wanted, and read his emails if I so chose. More importantly, I began logging everything the user typed. In other words, if the user was doing online banking, I now had a username and password. If a purchase was being made online, I now had credit card information. But I was able to take it one step further.
I could browse the victim’s files, take any file I wanted, and read his emails if I so chose.
With a command from my computer, I then turned on the webcam that was connected to that computer. This means I truly was “Big Brother” watching. I should probably make it clear that for this test, before I turned the camera on, I did contact the victim, let him know about the attack he had fallen victim to, and asked permission to turn on the camera. While this type of attack falls under the category of creepy, it definitely lends itself to identity theft attacks. In addition, this type of attack can be used by a separated spouse, ex-boyfriend, stalker, or pretty much anyone who wants to pry into your day-to-day life.
Now, you might be thinking to yourself, “I would never have installed that webcam.” But what about other software? I have shipped fake AOL CDs, Google software, fake antivirus software, software supposedly from the IRS to help with your taxes, and many other types.
The point is that I can generally find something that a private individual will be willing to load. In fact, I have had just as much success sending it to businesses. All it takes is just one person to load my software onto his computer, and I am in. Generally within minutes, I have access to confidential information. I have even sent out music CDs appearing to be radio station sampler CDs. As soon as the CD is placed into the computer, my malicious software immediately loads. In most cases, this happens without the user’s knowledge. In Microsoft Vista, the user gets a warning message, but my software posts a friendly note explaining that it is needed to play the songs. Most users allow the load to continue. Just like the other attacks, once the software is loaded, I have complete access.
I have mentioned many types of attacks that include software being loaded onto your computer. The solution here is simple. Don’t install software unless you are absolutely certain you know where it came from and what it will do. Just because it came in a box or has an official letter does not make it any safer. While it’s nice to think there are companies sending free gifts and easy-to-use software, in reality it just doesn’t usually happen that way.