The scariest sites on the web aren't the ones you might suspect. Nick Mediati explains what to watch out for and how to stay safe online.
The web is a fantastic resource if you want to research a particular topic; it's ideal for looking up facts and figures, finding out how much you should be paying for something and where the best deals are to be had. But the web isn't always what it seems. Even a straightforward informational website could be a cover for something else. Some are pure marketing guff; others pose an actual threat. Search results that look as if they answer all your questions may do nothing but create a serious tech headache. And the fun you had watching a video may not be worth the misery it can cause to your system.

Scammers are known to play on your existing security fears. Many of us have come across flashing banners and alarming pop-up messages that suggest we immediately scan our machine for malware, or say it's already infected. But by allowing this 'helpful' software to perform such a malware check, you're actually allowing the scammer to install their nasty code on your PC. Often, the rogue software will masquerade as a legitimate antivirus program. To get rid of this malware, you are then held to ransom.

This development is just a recent example of how the web can fool even an advanced web user. You've been warned that the internet is something of a security minefield, so it's natural to respond to an offer to help prevent infection. It's not only novice web users who are likely to be duped. You can do everything possible to protect yourself and still be taken in by a malware infection, a phishing scam or an invasion of online privacy. Often, it's the least obvious approaches that are the most effective.

Over the following pages, we look at some of these lesser-known threats and outline how you can avoid falling victim to them. Read on to discover some of the hazards you may encounter, how dangerous they are and what you can do to stay out of harm's way.

Websites that use Adobe Flash
Adobe's Flash graphics software has become a big malware target in recent years, forcing the company to push out frequent security patches. But another danger you might not know about is associated with Flash cookies. Flash cookies are small bits of data that their creators can use to save Flash-related settings, among other things. But like other cookies, Flash cookies can track the sites you visit. Worse still, when you delete your cookies, Flash cookies get left behind.
To help protect against Flash-based attacks, make sure you keep your Flash browser plug-ins up to date by visiting get.adobe.com/flashplayer. You can configure the Flash plug-in to ask you before it downloads any Flash cookies. To find out how, see tinyurl.com/yh3p3pe.

Short links in Twitter
Scammers love Twitter since it heavily relies on URL shorteners, services that replace long web addresses with something briefer. It's very simple to hide malware or scams behind shortened URLs. A shortened link that supposedly points to the latest internet trend-du-jour may be a Trojan in disguise.
Don't click links. Of course, that takes some of the fun out of Twitter. The other option is to use a Twitter client program. TweetDeck (tweetdeck.com) and Tweetie for Mac (atebits.com/tweetie-mac) have preview features that let you see the full URL before you go to the site in question. Some link-shortening services, such as Bit.ly, attempt to filter out malicious links, but it seems to be a manual process, not an automatic one. We regularly use TinyURL, which has a preview service you can turn on at tinyurl.com/preview.php.

Your email inbox
Although phishing and infected email attachments are nothing new, the lures that cybercriminals use are constantly evolving. We recently saw what looked like a legitimate order confirmation from Amazon. The only hint that something was amiss was the sender's email address.
Don't trust anything in your inbox.
Instead of clicking on links within a retailer's email, go directly to the retailer's site.

Torrent sites
Torrent sites (such as BitTorrent) are often used for sharing pirated music, videos or software, and are a trove of malware. No one vets the download files, so there's nothing to stop you downloading malware in disguise. Ben Edelman, privacy researcher and assistant professor at Harvard Business School, thinks torrent sites are dangerous because they don't have a business model or reputation to defend (by comparison, many porn sites rely on being deemed trustworthy).
The best advice is not to use torrent sites, but if you do, use a secondary PC to protect your main system and up-to-date antivirus software. Scan downloaded files and wait a few days before opening them. New malware can be tricky to catch.

Disreputable porn sites
Porn sites have a reputation for being less secure than mainstream sites, but that assumption doesn't tell the whole story. "There's no doubt that visiting websites of ill-repute is dangerous. If you make a habit of it, it's a given that you'll be attacked at some point," says Roger Thompson, chief research officer with security firm AVG. "But staying away from those sites won't keep you safe by itself, because innocent sites get hacked all the time and are used as lures to draw victims to the attack servers."
And as we mentioned earlier, many porn sites operate as legitimate businesses that want to attract and retain customers. That said, it may be hard to tell the legitimate sites from those hosting malware and using porn as a lure.
Be suspicious of video downloads, or sites that require you to install video codecs to view videos. Use tools such as AVG's LinkScanner (linkscanner.avg.com) and McAfee's SiteAdvisor (siteadvisor.com) to weed out malicious sites. Consider visiting such sites on a secondary machine. You don't want that browser history on the family PC.

Malicious codecs
If you watch or download video online, you would expect to be told to download a video codec - a small piece of software that provides support for a type of video file - at least once. Usually, these bits of software are perfectly legitimate (for example, the popular DivX codec), but some less-than-reputable download services or video sites may direct you to download a piece of malware disguised as a codec. Trend Micro provides a good example of what these attacks look like at tinyurl.com/349skun.
Your safest option is to stick with well-known video sites such as YouTube and Vimeo. And for catching up on the latest episodes of your favourite TV shows, iPlayer, 4oD and iTunes are safer than peer-to-peer networks.

Geolocation data
The smartphone market is still in its infancy, and so are the threats. One possible concern is the use - or abuse - of geolocation. Although plenty of legitimate uses for location data exist, the potential for inappropriate uses also exists. In one case, a game listed on the Android Market was in reality a client for a spy program. Apple recently updated its privacy policy to reflect changes in how it handles location data in iOS 4. It now states that "to provide location-based services on Apple products, Apple and our partners and licensees may collect, use and share precise location data".
Be particular about the location-based sites, apps and services you use. Services such as Yelp are good examples of useful location-aware apps. On the other hand, weigh the privacy implications of services such as Foursquare or the new Facebook Places feature, and consider how much you feel comfortable divulging.

Spurious search results
Search-engine poisoning is the practice of building tainted sites or pages that are designed to rank high in a search on a given topic. For example, according to a recent study by McAfee, 19 percent of search results for 'Cameron Diaz' were malicious.
Breaking news topics and Facebook are also common targets for cybercriminals.
Pick and choose which sites to go to. Don't just blindly click search results; check each URL to make sure it really leads to the site you want. Although any site can be hacked, visiting the BBC or PC Advisor story on a hot news topic, for example, is probably a wiser choice than following a link to a site you've never heard of before.

Poisoned PDFs
Poisoned PDFs are files that have been crafted in such a manner that they trigger bugs in Adobe Reader and Acrobat; posted on a hijacked website, they may let an attacker commandeer your PC and access your files and personal information. A newer variant takes an otherwise innocent-looking PDF document and inserts malware into it. Adobe Reader may pop up an alert asking whether you want to run the malware, but hackers can edit those messages to trick you into opening the file. In 2009, attacks using malicious PDFs made up 49 percent of web-based attacks, according to security firm Symantec.
Always make sure that you're running the latest version of Adobe Reader (get.adobe.com/reader). Versions 8.3.3 and 9.3.3 or later change the way it handles non-PDF attachments and reduce the risk from attacks that embed malware inside PDFs. You can also use alternative reader software, such as Foxit Reader (tinyurl.com/foxitpca).
You can turn off Adobe Reader's ability to open non-PDF attachments by going to Preferences, Trust Manager, and deselecting 'Allow opening of non-PDF file attachments with external applications'. The next major release of Adobe Acrobat and Reader will provide a protected mode to fight off these attacks.

Merciless media players
Attackers have been known to exploit flaws in video players such as QuickTime and use them to attack PCs. The threats are often 'malformed' video files that, like malicious PDFs, trigger bugs in the player software that let the attackers in to spy on you, plant other malware and more.
Keep your media player software up to date. Apple and Microsoft periodically release patches for QuickTime and Windows Media Player. Avoid downloading videos at random. Stick to well-known video-sharing sites such as YouTube, or download services like iTunes.

Drive-by downloads
A drive-by download occurs when a file downloads and/or installs to your PC without you realising it. Such downloads can happen just about anywhere. Some sites are built to lure people into a drive-by download; but in a common attack method, criminals will hack a legitimate web page and insert code that will download malware to your computer.
Keep your security software up to date, and be sure to run regular scans. Many security suites flag up suspicious downloads.

Fake antivirus software
Fake antivirus looks and acts like the real thing, complete with alert messages. The fact that they are often riddled with typos may be the first sign that you're in trouble. Most fake antivirus software is best described as extortionware: the trial version will nag you until you purchase the fake antivirus software, which usually does nothing to protect your PC. Once you send the criminals your credit-card information, they can reuse it for other purposes. You can get infected with a fake antivirus program in any number of ways. For example, a malicious payload may download and install without you even realising.
If you get an alert saying your PC is infected with malware, but it didn't come from the antivirus software you knowingly installed, stop what you're doing. Try booting into Safe mode and running a scan using your legitimate antivirus software. However, such a scan may not clean up all of the malware - either the scanner doesn't have a signature for one fragment, or that piece doesn't act like traditional malware. This may render behavioural detection (which spots malware based on how it acts on your system) useless. If all else fails, you may need to call in a professional.

Ad-supported sites
Ads aren't all bad: they help sites pay the bills. But cybercriminals have taken out ads on popular sites to lure in victims. Last year, the New York Times site ran an ad from scammers, and earlier this year some less-than-scrupulous companies were gaming Google's Sponsored Links ad program and placing ads that looked like links to major companies' websites. "The bad guys have become very clever at exploiting advertising networks, tricking them into distributing ads that load malicious content - especially scaremongering pop-ups for rogue antispyware," says Eric Howes of Sunbelt Software.
Most large sites, such as PCAdvisor.co.uk, have ad sales departments that work frequently with a core group of large advertisers, so it's reasonably safe to click on their ads. But nothing is entirely fail-safe.

Facebook applications
Facebook applications have long been an issue for security experts. You don't always know who's developing the applications, what they're doing with the data they may be collecting, or the developers' data security practices. Even though you have to approve applications before they can appear on your profile and access your personal information, from there the security of your data is in the developer's hands.
Be selective about the applications you add to your profile - don't take every quiz, for example. Check your privacy settings for Facebook applications, as well: click the Account drop-down menu in the upper-right corner of Facebook's site, select Privacy Settings, then click 'Edit your settings' under 'Applications and Websites'. There, you can control which applications have access to your data and more; you can also turn off Facebook applications altogether.

Oversharing on social networks
Oversharing isn't just a matter of getting a little too personal - it can leave your private information viewable to the general public. But it's avoidable.
"Few people understand the danger of information leakage," says AVG's Roger Thompson. "People, particularly teens, put all sorts of information online, without realising that many more people than just their friends can see that data." Oversharing could lead to more serious privacy issues further down the road, Thompson adds. "As today's young teens reach an age to apply for a credit card, I expect an onslaught of fraudulent card applications on their behalf, because they unwittingly divulged so much information."
Data harvesting is relatively easy to avoid, in that a little common sense can go a long way: be mindful of what you post. Finally, be certain to check your privacy settings to make sure that you're not divulging your deepest, darkest secrets to all 500 million Facebook users.

What happens when you surf unprotected?
Don't believe our scare stories? We ran a Windows Vista PC without security software for a day and our machine was quickly compromised. Remember: if you do nothing else to protect your PC, you should run up-to-date antivirus and antispyware programs, plus a firewall.
11:45 We begin the experiment with a pristine computer running Windows Vista.
11:55 We need to check our email and download what appears to be a CV file. Strange - we aren't recruiting. We open it anyway. The screen flickers a little, but no file opens.
12:00 We start poking around on the web, running a Google search for free smilies. Sure enough, we find some. Who are we to refuse?
12:29 After installing a couple of smiley packs, we suddenly have three browser toolbars. Junkware, but no malware... yet.
12:41 We download some free antivirus software we've never heard of. Let's see what this does...
12:48 More random downloads, and the desktop is getting junked up. We now have icons for free games and 1,000 free songs littered all over the screen, plus more browser toolbars than we care for.
12:55 Internet Explorer hates us.
Still no signs of malware, but something's eating up system resources.
13:25 After a restart, Windows Vista throws up a warning about a program at C:\Users\PCW\AppData\Roaming\host32.exe. We have no idea what it is.
13:40 We killed Internet Explorer: it refuses to launch. However, after uninstalling a couple of toolbars it seems to work again.
15:00 It's unclear whether we've been infected by anything nasty, but we haven't done anything too risky yet. We're expecting an important email, so we'd better check our inbox again.
15:05 Whoops! We clicked on the wrong file. We've now got a fake antivirus program running on our machine.
15:25 We now have three or four fake antivirus programs running. Malware has also planted three shortcut links to porn sites on the desktop. And whenever we open something in Internet Explorer, a fake antivirus program kicks in with a fake warning.
16:13 Something just forced the PC to shut down and restart. We appear to have successfully destroyed this PC.

How to stay safe online
Stay up to date, stay paranoid, stay protected. That's the message from the security experts we consulted while writing this feature. Here are a few of their top tips and suggestions for protecting your computer against malware and hackers.

Keep up on patches
Be sure to run Windows Update, as well as the software update features in the other programs that you use every day.

Be password-smart
As tempting as it is to use the same password in multiple places, don't. And use longer passwords, too - they're harder to crack. If you have several accounts to manage, use a password manager.

Use up-to-date security software
It can block malware or software that is acting suspiciously, and security software companies are hard at work devising new ways to stop infections before they reach your PC.

No, someone in a faraway land isn't really offering you millions of pounds. No, attractive Russian women aren't seeking you out specifically. No, those aren't magic cure-all pills.

Assume that everyone's out to get you
PC security is one area where it pays to be paranoid. Just remember that no security software is fail-safe, and that you're still the one sitting at the keyboard. Assume that no website is safe. And don't automatically trust a link or file download, even if a friend sends it to you.
