What is baiting?
The Trojan horse
In my earlier post “What is social engineering?” I looked at an example of baiting from Greek myth – the Trojan Horse. In this story, the Greeks had been besieging the city of Troy for ten years without breaching its walls. So the Greeks constructed a wooden horse, hid some soldiers in it and then pretended to sail away. The Trojans took the horse into their city as a victory trophy. That night the soldiers hidden in the horse crept out and opened the gates of Troy. Meanwhile, the rest of the Greek army had returned; they entered the city and captured it.
The lucky winner
You are a lucky winner! You’ve won a free computer, a digital audio device, a weekend away – in fact, anything that might be desirable. All you have to do is follow this link and fill in a few details to receive your prize. In reality the prize is the bait: the link compromises your computer by delivering malware – perhaps ransomware or a keylogger.
Baiting relies on greed and curiosity
The trick to baiting is to appeal to the victim’s curiosity (as in the case of the Trojan horse) or greed (as in the case of the lucky winner scenario): the victim is offered something they want, and the attack succeeds only if they take it. Baiting attacks are usually delivered in one of two ways: by leaving a physical device (typically a USB drive) where the victim will find it, or by sending the victim an email (a phishing or spear phishing attack).
Physical device
The victim plugs the USB drive into a computer. The malware on the drive then runs, either because the victim opens a file on it (an executable disguised as a document, or a document carrying a macro or exploit) or, on older unpatched Windows systems, automatically through AutoRun. Once running, the malware may search the network for other computers to infect before delivering its payload. A common payload today is ransomware, which encrypts the files on the computer and demands payment for the key to decrypt them.
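The safe response to a found drive is to hand it to whoever handles security, not to plug it into a workstation. If it is examined at all, that should be on an isolated machine, mounted read-only, and the first step is a quick triage of what is on it. The script below is an added example written for this post, not code from the original article or from any real attack; it builds a constructed sample directory standing in for a found drive and flags the give-aways described above: an autorun.inf at the root, Windows shortcut (.lnk) files, and “documents” that are really executables hiding behind a double extension. The extension lists are assumptions for this illustration and not exhaustive.

```python
import os
import tempfile

# File types that Windows runs when double-clicked (or, for .lnk, resolves and
# runs). Assumed list for this example; extend it for your own environment.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jse",
    ".ps1", ".hta", ".msi", ".lnk",
}
# Document-looking extensions commonly used as a disguise: "report.pdf.exe".
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def triage_removable_drive(root):
    """Walk a mounted (ideally read-only) drive and return a list of
    (relative_path, reason) findings that warrant a human look."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            lower = name.lower()
            base, ext = os.path.splitext(lower)
            if lower == "autorun.inf" and dirpath == root:
                findings.append((rel, "autorun.inf at drive root (legacy AutoRun hook)"))
                continue
            if ext == ".lnk":
                findings.append((rel, "Windows shortcut; its target runs when the shortcut is opened"))
                continue
            if ext in EXECUTABLE_EXTENSIONS:
                _stem, inner_ext = os.path.splitext(base)
                if inner_ext in DECOY_EXTENSIONS:
                    findings.append((rel, f"double extension disguising {ext} as {inner_ext}"))
                else:
                    findings.append((rel, f"executable content ({ext})"))
    return findings


def build_sample_drive():
    """Constructed sample: a temporary directory standing in for a found USB
    drive. File contents are placeholders; only the names matter for triage."""
    root = tempfile.mkdtemp(prefix="usb_")
    files = {
        "autorun.inf": "[autorun]\nopen=setup.exe\n",
        "setup.exe": "MZ...",                 # not a real PE, just a marker
        "Salaries 2024.pdf.exe": "MZ...",     # executable posing as a PDF
        "holiday photos.lnk": "L\x00\x00\x00",
        "readme.txt": "plain text, harmless",
    }
    os.makedirs(os.path.join(root, "docs"))
    for name, content in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(content)
    with open(os.path.join(root, "docs", "notes.txt"), "w") as fh:
        fh.write("more harmless text")
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    for rel, reason in triage_removable_drive(drive):
        print(f"{rel}: {reason}")
```

On the sample drive this flags four of the six files and leaves the two plain text files alone. A name-based triage like this is deliberately cheap and never opens a file; it tells you whether the drive deserves a proper look on an isolated machine, not whether it is clean.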
Phishing email
The victim clicks a link in the email. The link may land on a convincing prize-claim page or on nothing useful at all; either way, the site delivers malware in the background, by exploiting the browser or one of its plug-ins (a drive-by download) or by prompting the victim to download and run a “prize” file.
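The lucky-winner email above has tell-tale signs that can be checked before anyone clicks: the visible link text names one site while the link itself goes somewhere else, the link points at a bare IP address, and the target is a downloadable executable. The script below is an added example written for this post, not code from the original article; it parses a constructed sample email (the prize site, the IP address and the domains are invented for the illustration) and reports those mismatches. The “registrable domain” comparison is a crude last-two-labels approximation; a production tool would use the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of file types a prize email has no business linking to directly.
DOWNLOAD_EXTENSIONS = (".exe", ".scr", ".zip", ".js", ".vbs", ".hta", ".msi", ".jar")
# Matches a domain (optionally with a scheme) appearing in the visible link text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host):
    """Crude 'last two labels' approximation of the registrable domain."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_links(html):
    """Return a list of (href, reason) findings for suspicious links."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        if not href or parsed.scheme == "mailto":
            continue  # plain mail links are normal in legitimate email
        host = parsed.hostname or ""
        if parsed.scheme not in ("http", "https"):
            findings.append((href, f"non-web scheme '{parsed.scheme}'"))
            continue
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            findings.append((href, "link goes to a bare IP address"))
        if parsed.path.lower().endswith(DOWNLOAD_EXTENSIONS):
            findings.append((href, "link downloads an executable or archive"))
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and _registrable(shown.group(1)) != _registrable(host):
            findings.append((href, f"visible text says {shown.group(1)} but link goes to {host}"))
    return findings


# Constructed sample: a "lucky winner" email body. Addresses and domains are
# invented (198.51.100.0/24 and example.com are reserved for documentation).
SAMPLE_EMAIL_HTML = """
<p>Congratulations! You are our lucky winner.</p>
<p>Claim your prize at
   <a href="http://198.51.100.23/claim/prize.exe">www.prize-draw-winner.com</a>.</p>
<p>Questions? <a href="https://support.example.com/help">support.example.com</a>
   or <a href="mailto:prizes@example.com">email us</a>.</p>
"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL_HTML):
        print(f"{href}: {reason}")
```

Run against the sample, the prize link is reported three times (bare IP, executable download, text/host mismatch) while the support link, whose visible text and target share a domain, and the mailto link pass. The same check is worth running over a whole mailbox export: a link whose visible text disagrees with its target is rarely innocent.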
Baiting with Stuxnet
Possibly the most famous baiting attack of recent years is Stuxnet, the malware discovered in 2010 that attacked Iran’s uranium enrichment facility at Natanz. Much of the story is still speculation, but we know that Stuxnet was built for one purpose: to sabotage the centrifuges used to enrich uranium. The computers that ran the plant were not connected to the Internet, so the malware could not be delivered over the network; it is believed to have been carried in on USB drives, whether planted for employees to find or brought in unknowingly by contractors. It did not even rely on the finder opening a file: Stuxnet exploited a flaw in the way Windows handled shortcut (.lnk) files (CVE-2010-2568), so simply viewing the drive’s contents in Explorer was enough to run it. Once inside, it spread across the internal network looking for the Siemens software used to program the centrifuge controllers, and when it found it, it altered the controllers’ behaviour. The full story can be read at CSO online or Forbes online or seen in this TED talk.
Do you want to learn more?
Network Midlands runs seminars to help you detect and defeat social engineering attacks. Find out more at “The Art of Deception”.