By Andrew Brandt
Today’s the official kickoff for National Cyber Security Awareness Month, and the organizations supporting the event, including the National Cyber Security Alliance, the Anti-Phishing Working Group, and dozens of corporate citizens including Webroot, want you to protect your computer and your personal information. So they’ve come up with a three-word campaign slogan they hope will become conventional wisdom for every Internet user: Stop. Think. Connect. Think of it as the 21st century equivalent of looking both ways before crossing the street.
In my case, they’re preaching to the choir. For years, I’ve advocated that people treat everything they see online critically, and to scrutinize information before acting on it. That’s because the army of criminals who commit fraud and theft over the Internet on a daily basis rely on you to not stop, not think, and to click links or open files immediately, without regard to the consequences of your actions. That’s how most people infect themselves. If you stop and think before you connect, you can prevent most of these infections yourself, simply by exercising a little restraint.
It’s hard to think of a major cybercrime outbreak over the past year that hasn’t relied, to some extent, on the naivete of its targets. Security professionals call these tricks “social engineering,” but that’s just a geeky term for criminal skullduggery that’s as common offline as online. The ruse almost always tries to invoke an adrenaline-fueled need for an immediate response — usually out of fear, greed, or panic — on the part of a victim. The victim ends up in a mental state where they are likely to make rash, impulsive decisions. And they do.
Putting the brakes on social engineering tricks usually takes all the steam out of them. To that end, I’d like to show you examples of five of the most common cyberscams that lead to the loss of personal information or sensitive data. Hopefully, if you know what to expect, you’ll simply walk away from the encounters unscathed.
Scam #1: Your computer is (not) infected (yet)
We’ve detailed in depth the lengths that some scam artists will go to convince you to hand over money willingly. The biggest criminal enterprise in this regard is the rogue antivirus product. Through deceit and trickery, the criminals behind rogue security products make an exceptional living for themselves by selling literally nothing to hapless victims.
The scam: Convince the victim that their computer is infected. Open popup windows with fake warning messages; hijack search engine results to launch bogus “antivirus scans”; place benign “malware” files on the victim’s computer; convince the victim to download and run a malicious executable, then refuse to remove the executable unless the victim pays an exorbitant “license fee.”
How to avoid it: Most of these scams come from deliberately manipulated search results: You click the link and you’re sucked in — but it’s not too late. The minute you see a fake alert, stop everything you’re doing, kill the browser (use the Alt-F4 key combination if you need to), and perform a full scan with the legitimate antivirus product of your choice.
Scam #2: Someone you know sends you a message with a link
Ask anyone who uses social media, and they’ll tell you that nobody scrutinizes the links passed around by friends, until someone stumbles upon a drive-by download or a worm. Koobface is the archetypical example of malware that abuses the bond of interpersonal relationships in order to spread.
The scam: Send a social network user’s friends a brief message with a short URL. Make the short URL point to a page that convinces the user to download and run a “codec” or a “Flash update” program. When the victim runs the “codec” installer, infect the victim’s computer with a wide array of malicious programs, including keyloggers, rogue AV installers, and downloaders. Then hijack the victim’s own social network account(s) to continue the spread of the worm.
How to avoid it: Stop and think. Most shortlink services have a feature that lets you preview where the shortlink will go: use it. If you’ve never heard of the Web site, check the true destination domain against a reputation service, such as Webroot’s Brightcloud. And don’t be the first one among your friends to click a link.
Scam #3: Someone you don’t know sends you a message with a link and/or an attached file
Even though you weren’t expecting anything, you receive an email from DHL informing you that a package destined for your address is being held at the local facility, and an attached shipping manifest will permit you to claim the package. Oops, that manifest is actually the installer for a keylogger, or a downloader, or some other undesirable junk.
The scam: Create a downloader or a keylogger, and give it an icon so it looks like a Word document, Excel spreadsheet, or a text file. Compress the file into a .zip archive. Spam out the file to 24 brajillion people, with a poorly worded sob story, a business contract, or an order confirmation message, and wait for the valuable data to come flooding back.
How to avoid it: Stop and think, then don’t click. Whether it’s a message that claims to be from the IRS; from a shipping company like DHL, UPS or FedEx; from a Web store like Amazon or iTunes; or from someone supposedly sending a resume, apartment application, or some other misdirected form, never, ever open those files, especially if they have a .exe extension. Uncheck the “Hide file extensions for known file types” option (instructions at the end of this post).
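The reason the “Hide file extensions” setting matters is that a file named `shipping_manifest.doc.exe` shows up in Explorer as `shipping_manifest.doc`. The following is an added example, not code from the original post or from Webroot: a small Python inspector that looks only at the member names inside a .zip attachment (it never extracts or runs anything) and flags program files wearing a document’s name. The sample archive it builds, and the extension lists it uses, are constructed for illustration.

```python
import io
import zipfile

# File types Windows runs as a program when double-clicked. A mailed
# "shipping manifest", "resume" or "order confirmation" should never be one.
# (Constructed list for this example; extend it for your own environment.)
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}

# Extensions a victim expects to see on a document or text file.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt"}


def displayed_name(filename):
    """Return the name as Explorer shows it with 'Hide file extensions for
    known file types' enabled: the final extension is dropped, so
    'manifest.doc.exe' appears as 'manifest.doc'."""
    stem, dot, _ext = filename.rpartition(".")
    return stem if dot else filename


def inspect_member(filename):
    """Classify one archive member name. Returns a list of reasons the name
    is suspicious; an empty list means nothing obviously wrong with it."""
    reasons = []
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension %s" % ext)
        # 'invoice.pdf.exe' shows as 'invoice.pdf' when extensions are hidden
        if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
            reasons.append(
                "document extension in front of it; Explorer would show it as %r"
                % displayed_name(filename)
            )
    return reasons


def inspect_zip_attachment(data):
    """Inspect the raw bytes of a .zip attachment and return
    {member_name: [reasons]} for every member that looks like a disguised
    program. Only names are examined; nothing is extracted or executed."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            reasons = inspect_member(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_attachment():
    """Constructed sample: an archive like the 'shipping manifest' mail
    described above, with one disguised program beside one harmless file.
    The bytes inside are placeholders, not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("DHL_shipping_manifest.doc.exe", b"placeholder-bytes")
        archive.writestr("readme.txt", b"Thanks for your order")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_zip_attachment(build_sample_attachment()).items():
        print("SUSPICIOUS: %s -> %s" % (name, "; ".join(reasons)))
```

Run as a script it reports the disguised member and stays silent about `readme.txt`; the `displayed_name` helper is the same check you can do by eye once extensions are visible, which is why the setting in the paragraph above is worth changing.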
Scam #4: You receive an “invitation” to a service from a stranger
Juanita Uzmayo wants to be your friend on Yahoo. Frank Schmedlebeck wants to connect on LinkedIn. Sexy Beast has sent you a message on Facebook. Click here to…uh oh.
The scam: Set up a drive-by download site, Canadian Pharmacy page, or phishing page. Look at one of the automated messages sent out by a multitude of online services, such as Facebook, LinkedIn, Plaxo, or an instant messaging service. Duplicate the format and wording of that message, but instead of hotlinking to the service, tag the message with links to your malicious page instead.
How to avoid it: Without clicking anything, move the mouse over the link in your email message, then look at the Status Bar (along the bottom edge of the browser window) to see exactly where the link leads. If the message claims to come from one company, but the URL points to a domain you’ve never heard of, don’t click the link. See how easy that is? If you’re curious, check the domain against Brightcloud’s reputation database. Don’t have a Status Bar visible? Turn it on now. Click View -> Status Bar in most browsers.
Scam #5: Offer the victim something of value, steal credentials instead
Want 1600 points on Xbox Live? How about early access to the latest beta test for World of Warcraft? Maybe you’re interested in getting free stuff for your Habbo Hotel account. Do you want to know who is blocking you on MSN Messenger? Join our club, log into Steam, and get a free game. Just enter your username and password here, and we’ll send you your points/access/whatever in four to six weeks.
The scam: Create a Web page which uses the site graphics and design used by a legitimate company. Make outrageous, impossible-to-keep promises on the page. Stick a username and password field on the page. Program the page to submit any usernames and passwords that people enter into the form to you, and not to the real company the page claims to represent. Spam the world with links to the page. Profit.
How to avoid it: Stop, then think about it, and do not follow the link. TANSTAAFL, gamer boy. Does the page say “Blizzard” but the domain name in the URL contain 110mb.com, surge8.com, altervista.org, or t35.com? Those are legit, free Web hosting services, abused by cheapskate script kiddies, who set up temporary pages on those services in order to scam foolish people. There is no mechanism that can permit you to see who has blocked your IM account on MSN, Yahoo, ICQ, or anywhere else. Nobody’s going to give you anything for free. Provide your credentials, and you’re just going to lose control of your account (and probably that rare armor the mob dropped during the raid you participated in last week).
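The “hover and read the status bar” check from Scam #4 and the “does the domain match the company?” check from Scam #5 are the same comparison: the destination a link really points to, against the site the message claims to be. The following is an added example, not code from the original post or from Webroot: a Python script that pulls every link out of an HTML email, compares each destination with the claimed sender domain and with the visible link text, and flags the free hosting services named above. The sample message, the `example.net` destination and the two-label domain rule are constructed simplifications for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Free hosting services named in the post above; a page claiming to be a
# game publisher or social network has no business living on one of these.
FREE_HOSTS = {"110mb.com", "surge8.com", "altervista.org", "t35.com"}


def base_domain(host):
    """Crude 'registrable domain': the last two labels of a hostname.
    Simplification for this example: ignores multi-label suffixes (co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_in_text(text):
    """If the visible link text looks like a URL or hostname, return its base
    domain; otherwise None (plain words such as 'Accept invitation')."""
    candidate = text.strip()
    if "://" in candidate:
        candidate = urlparse(candidate).hostname or ""
    candidate = candidate.split("/")[0]
    if not candidate or " " in candidate or "." not in candidate:
        return None
    return base_domain(candidate)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs: the two things a reader sees when
    hovering over a link and reading the status bar."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_links(html, claimed_domain):
    """Return one finding per anchor whose destination is not on the domain
    the message claims to come from, sits on a free host, or disagrees with
    the domain shown in the link text. Links that pass are not reported."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        host = urlparse(href).hostname or ""
        dest = base_domain(host)
        reasons = []
        if dest != base_domain(claimed_domain):
            reasons.append("claims %s but leads to %s" % (claimed_domain, host or "(no host)"))
        if dest in FREE_HOSTS:
            reasons.append("destination is a free hosting service")
        shown = domain_in_text(text)
        if shown is not None and shown != dest:
            reasons.append("link text shows %s but points at %s" % (shown, dest))
        if reasons:
            findings.append({"text": text, "href": href, "reasons": reasons})
    return findings


# Constructed sample: an "invitation" like the one in Scam #4. The first link
# is genuine, the second lives on a free host, the third shows one URL as its
# text while pointing somewhere else entirely.
SAMPLE_EMAIL = """
<p>Frank Schmedlebeck wants to connect on LinkedIn.</p>
<p><a href="http://www.linkedin.com/invite">http://www.linkedin.com/invite</a></p>
<p><a href="http://linkedin-invites.surge8.com/accept.php">Accept invitation</a></p>
<p><a href="http://invites.example.net/x">http://www.linkedin.com/profile</a></p>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL, "linkedin.com"):
        print("DON'T CLICK: %r -> %s" % (finding["text"], finding["href"]))
        for reason in finding["reasons"]:
            print("   ", reason)
```

The first link passes because its destination and its visible text both resolve to the claimed domain; the other two are reported with the same reasons a careful reader would give after hovering. A real mail filter would swap the two-label `base_domain` rule for a public-suffix list, but the comparison itself is exactly the one the post asks you to make by hand.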
Of course, these aren’t the only scams in the world perpetrated against victims, only some of the most common. If something seems fishy, trust your gut and stop what you’re doing. Don’t worry about losing your place in the browser: it’s easy to retrace your steps, but hard to clean up an infected PC.