Which malware lures work best?

“More often than not, malware peddlers’ main goal is to deliver their malicious wares to the maximum number of users possible. Choosing the right lure is crucial to achieving that goal.

Two researchers from the University of Cambridge and Southern Methodist University have examined real-world data from several worms that spread over the social graph of Instant Messenger users, and have confirmed what most of us considered to be true: simple lures are more than enough, and people are more likely to fall for lures in their native language.

The data set they used concerns the spread of the Yimfoca worm, which in 2010 spread via Yahoo! Messenger and prevented Facebook users from accessing their accounts until they completed an online survey. After the Yimfoca threat was tackled by the security community, other similar worms followed in its footsteps and used the same (ultra-effective) lure.

Yimfoca used the local machine's IM address book to send out “personalized” messages to the victims’ contacts – email addresses were extracted from the Microsoft IM client and inserted in the following message:


Later, they changed the malicious link included in the message and started using shortened links in order to bypass Yahoo's blocking system, which had been tweaked to detect the first type of message.

The criminals experimented with different strategies over time: domains impersonating Facebook or other legitimate-looking brand domains; URL shorteners; different languages for the lure (English, Portuguese); and different message content (the aforementioned “foto” vs. “Is this you?”).

These experiments showed that hostnames which vaguely resembled brands worked better than shortened URLs, and that brief Portuguese phrases were more effective at luring Brazilians than more generic “language independent” text.

“The criminals were, more often than not, hosting the malware at a hosting site with world-readable weblogs, so we were able to inspect logs and determine activity,” they shared. Access to the logs also gave them a reliable measure of the click-through rate, although not (quite) the infection rate.

They found that over 14 million distinct users clicked on all these lures over a two-year period starting in Spring 2010, and discovered that 95% of users who clicked on the lures became infected with malware. This is a fascinating finding, given that the victims were required to press OK on a Windows warning pop-up in order to get infected and continue the malware-delivery campaign.

“It is important to understand what works in social engineering, not because we want the criminals to be more efficient. Rather, we hope it will inform the efforts made to train people as to what they ought to look out for,” the researchers concluded.

For more details about their research, check out the paper.”