Social Engineering
Social engineering is a version of the classical confidence game. It is quite well-known that the weakest link in computer security is often the person at the keyboard.
A social engineer takes advantage of the human tendency to trust, and may additionally take advantage of a user’s lack of understanding of the system they are working with.
Social engineering can happen on the phone, in person, over social networks, email, and even over IRC, and the objective can range from simple “griefing”, to theft of personal information, and even financial crimes.
The Bad - Trolls
Trolls may use social engineering techniques to try to convince others to run commands which will disconnect them or otherwise disrupt their use and enjoyment - for example, telling a user that pressing Alt+F4 will give them ops in a channel, when in reality, it’s a command to close the current program.
The Ugly - Phishing
A more serious attack might be aimed at control of your computer - once obtained, an attacker can install malicious programs to spy on your activities, gather passwords, and potentially gain access to your other accounts - even your bank account if you use online banking.
Once you’ve unwittingly invited them into your computer, they have a foothold and will proceed to install software to mask their presence on your system while gathering up your information. Such malware may evade detection even by current, up to date antivirus programs if it’s not widely circulated and used just by the attacker.
And everything in between.
The same tactics are also used for channel takeovers, and to give attackers a launchpad to attack other systems or a place to store files for ilicit distribution - even if you have nothing to protect, you might be providing a springboard from which other attacks are launched.
Protecting yourself
- Understand that users on IRC and elsewhere may not have your best interests in mind.
- Make sure you understand what any key combinations or commands will do before you execute them. For example, if SomeBadUser tells you to type
/op somebaduser
, don’t do it! - Don’t accept unsolicited files from strangers, they might be Trojans.
- Be especially wary of unsolicited “help”; the instructions might be destructive.
- Don’t pass on messages about malware or other security issues; they might be fake and may even spread malware.