A new frontier of insider threats: malware that infects a person’s mind

Don’t let this evil barber cause you to tear your hair out!

Samson, a supernaturally strong man in the Bible, was betrayed by his girlfriend, Delilah, who was paid by Samson’s enemies to learn the secret of his strength and find a way to defeat him. After much nagging, Samson finally is coerced into revealing his secret: he must never cut his hair. Delilah gets Samson passed-out drunk and goes to work. Weakened, Samson is captured by his enemies and imprisoned.

Delilah is not yet finished shearing her victims: she is coming for your employees.

A new form of malware has been discovered, nicknamed ‘Delilah’, whose sole purpose is to infect a computer or mobile device and quietly gather as much information about the device’s owner, employer, and family as it can. Then, if the owner does something he shouldn’t (browsing the wrong sites, sending or receiving incriminating texts, etc.), ‘Delilah’s’ controllers send an extortion message: “steal data or infect your employer’s systems, or else we will expose what you did”.

It is a simple, yet ingenious approach that has probably been used since the first time one person saw another secretly do something really embarrassing. The only problem now is that it can be done on a massive scale. Every one of your employees could potentially be a ‘sleeper agent’ for organized crime, hostile nation states, or malicious competitors.

Another feature of Delilah is its ability to infect your employees’ equipment at home and never have a chance to be detected by your organization’s defences. The true infection here targets your employee’s mind, which makes the invasion a human problem, not a technical one.

I predict that this is only the tip of the iceberg, and we will see massive growth in this approach.

It is a new frontier in social engineering. Instead of causing the person to make a mistake, it takes advantage of the fact that a mistake has already been made that the person will not want to admit. It is easy to assume that attackers will use such leverage to blackmail a single person to act several times against your organization. Once the attacker and the employee are successful in one insider attack, the next attempts will be easier and easier.

Delilah is not going to be easy to address, but we need to formulate a plan of defence. Work with your HR and Legal departments to craft some careful messaging around this problem. Perhaps a form of extortion hotline could be implemented for people to get help in the event of an extortion attempt.

If you have any thoughts on this issue, or if your organization has an approach, please share them in the comments.



photo credit: oscars.org

Leave a Reply

Your email address will not be published. Required fields are marked *