Malware could soon become sophisticated enough to launch social engineering attacks based on analysis of a victim’s behavioural patterns and social interactions, researchers have suggested.

According to the MIT and Israel-based authors of Stealing Reality, such malware would represent a major step change from today’s crude threats, capable of inflicting serious damage to targeted individuals.

Some malware might exist solely to build databases of behavioural data on individuals culled over a long period of time, which would then be used as the fuel for highly-targeted social engineering attacks able to penetrate even the best-defended organisations or social groups.

After analysis using mathematical models of optimum spread, the researchers dub this the ‘social reality’ attack, the dark twin of today’s consensual social networks where complex data would be collected and exploited for a variety of criminal rather than social or legal ends.

The danger of such an attack would be that a victim could not easily escape from its hold as might be the case with a technical attack.

“It is much harder to change one’s network of real world, person-to-person relationships, friendships, or family ties. The victim of a “behavioural pattern” theft cannot easily change her behaviour and life patterns. Plus this type of information, once out, would be very hard to contain,” say the authors.

So is this ‘dark Facebook’ thesis (our phrase) plausible?

As the authors point out, Marshal McLuhan’s famous dictum of the 1960s ‘the medium is the message’ can now be re-formulated to say ‘the network is the message. People reveal huge amounts of data social information about themselves when they interact online, often without realising it.

Despite this, today’s social engineering attacks are primitive. They reach out to victims using technical workarounds and crude communication concepts, which limits their scope.

The value of information is that spammers and other malware criminals could use behavioural patterns to build up a more complex picture of individuals the better to work who to attack, using which method, and when. Such information-based attacks would also persist.

It follows form this that people with large numbers of connections might be at greater risk simply because they are likely to be generating more data that could be analysed for weakness, particularly in a professional context. Today’s security systems pay little or no attention to the collection of such information, so people are pretty much unprotected.

 “The difference between SR [social reality] attacks vs. more traditional forms of attacks should be treated with the same graveness as non-conventional weapons compared to conventional ones,” say the authors.