1
00:00:01,900 --> 00:00:09,390
A perfect example of social engineering was a program called XP Antivirus. The program used all the methods

2
00:00:09,390 --> 00:00:11,810
we discussed to convince a user to start it.

3
00:00:13,340 --> 00:00:18,200
XP Antivirus was created to win the money, as users were required to pay for it.

4
00:00:20,390 --> 00:00:25,010
This largest social engineering attack in history took place at the end of 2008.

5
00:00:28,730 --> 00:00:33,950
After entering a website, links to which were all over the Internet, a window looking just like any

6
00:00:33,950 --> 00:00:35,480
system window came up.

7
00:00:39,730 --> 00:00:42,970
In the slide you can see a window created for Windows XP.

8
00:00:44,270 --> 00:00:51,250
But later, versions for Windows Vista were prepared too. Whether one version came up or the other was purely

9
00:00:51,250 --> 00:00:55,650
random because the script didn't check the version of the victim's operating system.

10
00:00:56,510 --> 00:00:58,320
But users usually didn't notice that.

11
00:01:01,160 --> 00:01:08,090
The message said: "Attention! If your computer is infected, you could suffer data loss", which is something

12
00:01:08,090 --> 00:01:09,020
nobody wants,

13
00:01:11,580 --> 00:01:13,640
erratic PC behavior,

14
00:01:13,680 --> 00:01:16,030
PC freezes and crashes.

15
00:01:16,110 --> 00:01:19,420
In 2008 most computers were prone to such problems.

16
00:01:20,870 --> 00:01:25,350
So most users reading such a message thought that it was created specifically for them.

17
00:01:26,570 --> 00:01:33,300
The message ended with the question: "Do you want to install XP Antivirus or scan your computer for malware

18
00:01:33,300 --> 00:01:34,070
now?"

19
00:01:34,960 --> 00:01:41,060
Sure you'd want to. OK was a highlighted option. When a user clicked it,

20
00:01:41,080 --> 00:01:45,280
the attack went on.

21
00:01:45,340 --> 00:01:51,360
The message was straightforward: "Detect and destroy viruses before they destroy your computer."

22
00:01:53,430 --> 00:02:00,640
If a user clicked Cancel, another message came up, this time asking the user why they don't want to protect

23
00:02:00,640 --> 00:02:04,940
their computer. If the user chose OK,

24
00:02:04,970 --> 00:02:11,940
the window that came up suggested that a system scan was being performed. The scan always detected a

25
00:02:11,940 --> 00:02:15,330
large number of the most dangerous viruses of all sorts.

26
00:02:16,700 --> 00:02:20,070
Names of these viruses were fake.

27
00:02:20,110 --> 00:02:21,680
The scan was a scam too.

28
00:02:25,180 --> 00:02:30,730
Even in 2008 it was impossible to remotely scan a hard drive without any kind of interaction with the

29
00:02:30,730 --> 00:02:32,050
user.

30
00:02:32,110 --> 00:02:36,290
It was just a realistic-looking animation.

31
00:02:36,330 --> 00:02:39,150
Please note that all messages were written in perfect English.

32
00:02:44,700 --> 00:02:50,670
Automated translations, examples of which we have seen previously, were used.

33
00:02:50,690 --> 00:02:52,310
It all looked rather professional.

34
00:03:11,210 --> 00:03:12,730
After the scan was finished,

35
00:03:12,770 --> 00:03:20,180
a user was presented with two options. To ignore the threats was one of them, but nobody would ignore

36
00:03:20,180 --> 00:03:21,210
such threats.

37
00:03:22,120 --> 00:03:24,020
Everyone chose the other option:

38
00:03:24,070 --> 00:03:33,470
Remove all. This, however, required users to install the XP Antivirus. The online version could only perform

39
00:03:33,470 --> 00:03:35,730
a scan, but to delete the viruses,

40
00:03:35,810 --> 00:03:37,550
the full version was required.

41
00:03:39,670 --> 00:03:46,870
For people who understand how operating systems work, such a strategy makes sense. Attackers must somehow

42
00:03:46,870 --> 00:03:52,380
convince the user to perform actions they need him or her to perform.

43
00:03:52,390 --> 00:03:53,760
You can scare the user.

44
00:03:53,830 --> 00:03:56,700
You can promise them something or you can do both.

45
00:04:02,530 --> 00:04:07,810
The goal of the first phase of the attack was to gain the user's trust so they would install the XP Antivirus.

46
00:04:11,380 --> 00:04:18,490
You can gain more trust by employing an element well known to the user. The Certified for Windows logo is

47
00:04:18,490 --> 00:04:25,890
one example. Most real installation programs don't display this logo.

48
00:04:25,890 --> 00:04:29,820
The virus, however, had such a logo.

49
00:04:29,910 --> 00:04:33,250
In reality it's just a bitmap that can be placed anywhere.

50
00:04:37,600 --> 00:04:38,690
Apart from the logo,

51
00:04:38,710 --> 00:04:42,610
the installation program displayed a link to the end user license agreement.

52
00:04:51,400 --> 00:04:52,680
To use a program legally,

53
00:04:52,690 --> 00:04:58,780
you need to own a license and you need to read it through. The most interesting bits of the program's

54
00:04:58,780 --> 00:05:08,920
license are marked in red. The license mentioned a customer support team. In case of any problems, the

55
00:05:08,920 --> 00:05:11,090
user should contact it for help.

56
00:05:12,820 --> 00:05:18,940
There was even a chat window on the XP Antivirus website. History of previous interactions with the

57
00:05:18,940 --> 00:05:22,230
users was displayed too.

58
00:05:22,440 --> 00:05:26,510
You could see that people reported problems and someone responded.

59
00:05:26,600 --> 00:05:33,200
The creators of the attack made it all look very professional.

60
00:05:33,200 --> 00:05:39,140
The license also stated that by accepting it the user agreed that the details of his or her credit card

61
00:05:39,230 --> 00:05:42,260
were being retained within the entire period of the subscription.

62
00:05:48,120 --> 00:05:49,260
During the initial scan,

63
00:05:49,260 --> 00:05:56,710
nothing suggested that a payment would be required. Then the license indicated that for using the program

64
00:05:56,770 --> 00:06:04,850
the user would not pay once but on a regular basis. The license also explicitly stated that decomposition

65
00:06:05,070 --> 00:06:05,930
was prohibited.

66
00:06:09,030 --> 00:06:13,830
The user couldn't have been given the chance to monitor the XP Antivirus activities because that might

67
00:06:13,830 --> 00:06:15,840
have given away its real purpose.

68
00:06:22,490 --> 00:06:27,320
The second point of the license agreement stated that the program would uninstall the software it wasn't

69
00:06:27,320 --> 00:06:35,690
compatible with. Obviously, XP Antivirus was incompatible with real antivirus scanners.

70
00:06:37,950 --> 00:06:45,170
Basically, users agreed to uninstallation of already possessed antivirus software.

71
00:06:45,290 --> 00:06:50,310
However, you didn't have to read the license because it was optional.

72
00:06:50,450 --> 00:06:55,490
You didn't have to accept.

73
00:06:55,730 --> 00:07:01,100
Moreover, the creators of XP Antivirus stated that they were not responsible for its actions performed

74
00:07:01,100 --> 00:07:02,570
on users' computers.

75
00:07:03,820 --> 00:07:05,440
That's something everyone's used to.