Social engineering has always been a feature of spam, phishing and viruses. Plenty of viruses and spam senders have catered to our appetite for sex and sensationalism by promising pictures of naked celebrities or breaking news about disasters, while the first viruses to mine address books gained a valuable edge by appearing to come from people known to the recipient. As users become more suspicious, spammers and virus writers continue to try to find new ways to induce us to open their messages.
Over the past few weeks, there's been a surge of viral messages sent by variants of the Zhelatin (Storm Worm) virus, masquerading as electronic postcards from "a family member", "a worshipper" or some other similarly vague source. Starting yesterday, a new variant appeared with subject lines relating to the US Independence Day holiday: "July 4th Fireworks Show", "Celebrate Your Independence", "America's 231st Birthday", and so forth. It's a simple trick, but to judge by the nearly eighty messages I've received in the past two days, it's working.
The Zhelatin July 4th virals use only an altered subject line (the message body contains the same boilerplate text about a postcard from a friend). Another recent virus uses a more elaborate approach, pretending to be a misdirected message — a common trick used by both spammers and virus authors — and creating an elaborate scenario calculated to arouse people's curiosity and persuade them to open up a Zip file that presumably contains a viral payload. Here's the message text:
Hi James, Here is the video of this patient interrogation / cross-examination. I think he doesn't say everything. I'll ask the psychologist to work with him. I suppose he can fall under hypnotist's spell. Also I'll make him to pass lie detector examination, and then we'll compare all the information and make a conclusion. If you need me, I'm online.
Who could resist the urge to dip into the mysterious world of espionage and interrogation hinted at by this message? The authors must have had fun thinking up that one.
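As an added example (not code from the original post), here is a small defender-side triage script for the two patterns just described: the Zhelatin mails reuse one postcard body under many different subjects, and the "misdirected" lure greets someone other than the actual recipient while carrying a zip attachment. The sample messages, recipient addresses and attachment flags are constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample mailbox: three Zhelatin-style postcards sharing one body
# under different July 4th subjects, one "misdirected" lure with a zip, and
# two unrelated messages. Nothing here is taken from real traffic.
POSTCARD = "You have received a postcard from a friend. Click here to view it."
MESSAGES = [
    {"to": "bob@example.com", "subject": "July 4th Fireworks Show",
     "body": POSTCARD, "zip": False},
    {"to": "bob@example.com", "subject": "Celebrate Your Independence",
     "body": "  you have RECEIVED a postcard from a friend.\nClick here to view it. ",
     "zip": False},
    {"to": "bob@example.com", "subject": "America's 231st Birthday",
     "body": POSTCARD, "zip": False},
    {"to": "bob@example.com", "subject": "patient video",
     "body": "Hi James, Here is the video of this patient interrogation.", "zip": True},
    {"to": "james@example.com", "subject": "patient video",
     "body": "Hi James, here is the report you asked for.", "zip": True},
    {"to": "bob@example.com", "subject": "Ravioli offer",
     "body": "Special offer on spinach and ricotta ravioli.", "zip": False},
]

def body_fingerprint(body):
    """Normalise case and whitespace so trivially re-spaced copies collapse to one hash."""
    norm = re.sub(r"\s+", " ", body.strip().lower())
    return hashlib.sha256(norm.encode()).hexdigest()[:16]

def cluster_campaigns(messages, min_subjects=2):
    """Group mails by body fingerprint and keep bodies reused under several subjects.

    A constant body behind a rotating subject line is the signature of a
    campaign that only swaps its lure, as the July 4th Zhelatin variant did.
    """
    groups = defaultdict(lambda: {"subjects": set(), "count": 0})
    for m in messages:
        g = groups[body_fingerprint(m["body"])]
        g["subjects"].add(m["subject"])
        g["count"] += 1
    return {fp: g for fp, g in groups.items() if len(g["subjects"]) >= min_subjects}

def flag_misdirected_with_zip(m):
    """True when the greeting names someone other than the recipient and a zip is attached."""
    match = re.match(r"^\s*hi\s+(\w+)\s*,", m["body"], re.I)
    if not match or not m["zip"]:
        return False
    recipient = m["to"].split("@")[0].lower()
    return match.group(1).lower() != recipient
```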
At the higher end of the social engineering spectrum, there are more reports of spear phishing attacks. A recent article describes a targeted attack aimed at senior executives. The article says (in somewhat breathless tones) that:
... The attack was so precisely addressed that the name and job title of the recipient was included in the subject line of the email ...
I'm not exactly falling off my seat in amazement at that one. Between trade publications, corporate websites and, of course, LinkedIn, name and title information is freely available, and matching names to mail addresses shouldn't be too hard. (Incidentally, social networks such as LinkedIn, Facebook and MySpace are an absolute goldmine for social engineers: if a spammer can once get on the fringes of a large network — and the obsessive friend-collection ethos of such services means that they can end up with practically anyone as a third-order contact — then a whole wealth of information becomes available to them.) Yes, the authors of this scheme did rather more work than the average spammer, but this stuff isn't exactly rocket surgery.
What follows next isn't rocket surgery either. The next step is commoditization of this information. Just as smart hackers identify exploits and then repackage them so that they can be run by a million script kiddies, the owners of the kind of targeting information used in the attacks described above will repackage it and sell it at a premium as 'smart lists'. We're probably on the brink of a whole sub-industry devoted to mining social networks and other sources for information of this kind. While the first person to put the pieces together may need to be a little smarter than the average bear, once the data is packaged any idiot can use it and every idiot will.
Of course we're not quite there yet. I just received some spam announcing a special offer on spinach and ricotta ravioli at a Fini supermarket in Lima, Peru. Apparently the day of spamming the entire planet and hoping something sticks isn't quite over.