By Andrew Brandt
February 9 marks Safer Internet Day, and around the world, people are trying to help their fellow netizens navigate an obstacle course of threats to their security and privacy. InSafe, the organization funded by the EU that sponsors the annual youth-targeted event, has themed the day around the concept “Think B4 U post.” As grammatically sloppy as that sounds, it’s actually good advice.
Readers of this blog shouldn’t be surprised that myriad dangers threaten the safety of all Internet users: Keylogging software disguised as “updates” are everywhere; Fake security alerts pop up when you least expect them; Phishing Web pages are more cleverly designed than ever to steal your passwords; Spam is choking email; Worms stalk social networks; Even your mobile phone is at risk of malicious software designed to steal valuable information from you. The big question on everyone’s mind is: What do you do to protect yourself?
The answer’s simple, really. You have to think before you act, and make sure you understand the consequences of whatever you do, write, post, or click online. Once you develop your Internet spidey senses, you’ll be able to spot something that’s out of place, or weird, or just dodgy before it catches you out.
Despite the increasingly clever tricks criminals employ, they still have to lie and cheat in order to steal. What follows are a few easy ways you can catch them out in their lie before it’s too late. We’ve also put together a short video that shows just how easy it is, once you’re in the right frame of mind.
What most criminals want is money, and cyber criminals get it by stealing information, then either selling or using that stolen information. But it’s not as easy as it used to be for them to simply break in to people’s computers. As computers beocme increasingly hardened against attack, Internet criminals have turned their attention to the weakest links.
That’s you. The person behind the keyboard.
So criminals instead try to lure their victims to visit a Web page, like an anglerfish, by offering the victim something he or she wants. When the victim visits the Web site, the criminal springs the trap. If the trap is to convince you to give up a username and password, it’s called phishing. If the trap is designed to infect your computer with dangerous Trojan Horse software or viruses, it’s called an exploit. If the exploit forces your browser to get a Trojan Horse, without you doing anything other than clicking a link, it’s called a drive-by download.
Criminals will do anything to convince victims to visit — including using infected computers owned by your friends or family to trick you. They might try to convince you that your computer is warning you about an infection. They might offer to show you a funny video, or promise a free videogame.
Clearly, the old adage “if something sounds too good to be true, it probably is” applies to the Internet as well.
If a link to something looks suspiciously like a trap, simply search for the words in the link (wrap the search terms in quotation marks to search only for the exact phrase), or for the URL itself, using a major search engine like Google or Yahoo. If the URL, or the words from the page, show up in news or blog reports about online dangers, or are identically repeated on lots of Web pages, don’t follow the link.
Don’t fall for the common tricks
You can also usually tell when a page is a phishing site, simply by looking at the Address Bar in your browser. Web addresses can contain any number of words, but the most important part of the address is the domain name, the word that appears immediately before .com or .co.uk. As far as Internet security is concerned, everything that appears to the left of the domain name is extraneous.
For example, “Google.com” is the domain name in the URL http://www.google.com but “fake.com” is the domain name in http://www.google.com.fake.com — phishing Web pages often use this trick to convince users that they are visiting a legitimate site. Remember, you need to pay attention to the domain name, not the appearance of anything on the Web page itself — not graphics, or words, or even a little picture of a padlock. Everything else is just window dressing. If the domain doesn’t look right, don’t use the Web site.
Besides phishing, the most common trick in the book is the “fake update” or “fake codec” scam. A “codec” is just a bit of code that lets you watch videos or listen to music on the computer. Criminals commonly lead you to a page that looks like it will show you a video, but then tell you to “download a codec” or “update your codec” to trick you into running a program that will infect your computer. When in doubt, upload the “update” program to Virustotal.com, a free service that will scan one file at a time against a large number of antivirus programs and tell you whether the “codec” or “update” program is dangerous. You can also do some searches before you do anything, as described above.
There are a few other things you can do to make sure you don’t end up a victim.
- Update your computer and its programs: If you use a Windows computer, then the Windows Update Web site will make sure the operating system is protected. But criminals also target programs that can use the Internet: Make sure you’ve updated Adobe Flash, Adobe Acrobat Reader, your browser, and whatever IM or chat programs you use. And if you use any kind of antivirus software, make sure it updates itself at least daily, and set it up to scan your computer periodically.
- Change browsers: The Firefox browser partners with Google to prevent people from visiting sites associated with both phishing and exploits. Simply using Firefox instead of Internet Explorer can keep you from accidentally visiting a dangerous Web site.
- Use plug-ins for security: A plug-in is just a small program that adds a feature to a browser. Firefox has two of the most effective plug-ins for security: NoScript blocks nearly every type of browser exploit from working, which can save your behind if you click something you shouldn’t. Web of Trust uses feedback from participants to rate the safety of Web sites, and will warn you before you visit a dangerous page.