If someone had suggested that the absence of comment about a
specific file on a vendor's website would be spotted as a social
engineering vulnerability, I would have said sure, theoretically
possible, but not significant enough to be worth the time to leverage.
I guess nothing is insignificant or bizarre enough these days...
===================
http://www.theregister.co.uk/2009/03/11/symantec_social_engineering_attack/
Online attackers feed off Norton forum purge
Silence isn't golden
By Dan Goodin in San Francisco
Posted in Security, 11th March 2009 00:22 GMT
Quick-moving attackers took advantage of a glitch in an update for
Symantec anti-virus software, using an information vacuum that followed
as an opportunity to lure panic-stricken users to websites that tried to
install malware on their computers.
The glitch began around 4:30 pm California time on Monday, when Symantec
engineers accidentally distributed a software update for older versions
of Norton AntiVirus that had not been digitally signed. Symantec
customers soon received ominous error messages popping up on their
computer screens - so they did what good end-users are supposed to do:
they went to the company's support forum to get the official word on a
file called pifts.exe that was the subject of the warnings.
To the amazement of many, there were no messages. To make matters worse,
there was evidence that every time a customer posted a query about the
error, someone at Symantec removed it. By Tuesday morning, several
websites with top billing from Google and other search engines were
exploiting the confusion by promising details about the problem but
pushing malware instead.
What's impressive about the scam is how quickly the miscreants seized on
the completely unexpected event. Within hours, their sites had managed
not only to reference pifts.exe but also to rise to the top of Google's
rankings.
Jeff Kyle, group manager for consumer products at Symantec, said posts
were only deleted after the forum was flooded with more than 600
nonsensical messages that contained the string "pifts." Recognizing
their site was under attack by bot-controlled PCs, forum administrators
promptly shut down threads that were discussing the file.
The removal of the threads only made users more eager for information
about a file they had every reason to believe represented a clear and
present danger to their computer security. That created a golden
opportunity for professional malware pushers.
One of the websites promising information was inspected by Randal
Vaughn, a professor of information systems at Baylor University. He said
it was outfitted with JavaScript that checked the referrer to see how
visitors had arrived at the rogue site. If Google, Yahoo, or MSN had
referred them, the site tried to foist malware on them. If not, it
returned an error message.
It's unfortunate that this episode happened at all. A single well-placed
post from a Symantec official would likely have nipped most of it in the
bud and prevented the mass confusion that enabled this
social-engineering attack. Kyle said that the forum is run by Symantec
employees in what amounts to their spare time, and isn't supposed to be
relied upon to communicate glitches such as the one that happened on
Monday.
We wouldn't be surprised to see that change. As the episode makes clear,
real-time communication with customers is key for security providers,
especially following glitches.
"We have to look at how to better communicate to our users," Kyle said
in an interview. "We constantly do that and this just calls out a
different flavor and an increased need to be able to communicate
actively and accurately to our user base."