How easy is it to get malware on your machine? Can you spell Phish?
One of the most popular retorts we hear from customers goes something like this, “I don’t understand how that could have gotten on my computer. I always update my AV and don’t visit any porn or other dangerous sites.” Well you would be surprised how easy it actually is go get your machine infected.
One of the most popular vectors used today is Phishing. More social engineering than hacking, phishers lure users to fake, often look-a-like web sites to enter their confidential, personal information. We have all probably seen these kind of emails before. Your bank is going to shut your account if you don’t verify your information and stuff like that.
Recently, with more people on guard about phishing emails, the bad guys have taken it up a notch. Now they will use social media to lure you in. You may receive a twitter or facebook message purporting to be from a friend with a link to something that “you won’t believe” or is “so funny”. Sometimes the URL is obscured by one of the URL shrinker’s like bit.ly or ow.ly. You click on the innocuous looking link and bang! your hooked. Pretty darn easy. In fact too easy.
This type of phish does not get you to enter your personal information. The deliver the payload via the website link. Once you click the link with some of these phishes you don’t have to do anything else. The malware will load in without you doing anything else. Other times it will tell you that your software needs to be updated. In any event, the average person doesn’t even know that his computer is now pOwned. On top of this adding insult to injury. the bad guys will now use your computer to reach others on your network and your friends.
So the lesson is that even if the message is coming from a trusted source, you should not just click on links if you do not know the site they go to. That brings up another twist on the phish. I call it SE-ishing, for search engine phishing. I wrote about SE-ishing on my own personal blog back in December. Using SEO (search engine optimization) techniques the bad guys are using Google, Bing and other search engines against you. They seed web sites that will rank high in certain key words. You do a Google search, click on one of the suggested sites and again you are the victim!
This came up again just the other day. Patrick Walsh covered it over on the Infosecurity-us.com site. Hotmail was down for a while much to the dismay of the many Hotmail users. When one did a Google search about Hotmail being down 8 out of the top 10 results returned dangerous URLs. Either they were sites that deliver a malware payload onto your machine or ask for your credit card information to download the free Hotmail program.
What was amazing to me is that within just minutes of the Hotmail outage the trap was already laid. This kind of stuff makes SE-ishing more like catching fish in a barrel! So next time you think you don’t do anything that would expose you to malware or other bad things, think again. Don’t leave your common sense at the door to the Internet.
