You’ve been hacked! These are words no one wants to hear, but that are becoming increasingly common in our cyber-connected lives, both at work and at home. Not only are these attacks becoming more frequent, but the variety and cunning of those creating them are also increasing. Although protection against these attacks is also becoming much more sophisticated, as soon as one potential malware problem is addressed two others spring up to replace it.
Imagine any of the following scenarios:
- You are working on your computer and a message pops up that says all your files have been encrypted and demands that you pay several hundred dollars to get them back. When you check further, it turns out that your problem has spread to the entire firm.
- Your Director of Information Services shows up in your office and says your workstation is bringing down the entire firm’s network and must be shut down immediately.
- You get a call from the bank asking if you have ordered computer equipment totaling several hundred dollars to be delivered to Cairo, Egypt, because an unusually large charge has been made to your credit card.
These are all recent examples of the types of damage that malware causes.
We are going to explore in a little more depth the types of malware currently making the rounds, their characteristics, and what you can do to avoid being a victim. Keep in mind that many malware infections are designed to spread throughout your firm including all its users and servers. Also, many types of malware extract data from your email system so that it can then propagate by emailing itself out to your clients, friends, and coworkers to infect them.
Before we get into the details, we need to make a distinction between malware and phishing attacks. Malware can be loosely described as unwanted and malicious software applications that are loaded onto your machine, either through a specific action by a user or without the user’s knowledge. Phishing attacks are deceptive communications that solicit information by fooling you into revealing your personal information in some fashion. We will discuss malware first.
Malware Types
You may have heard of several types of malware including viruses, Trojans, worms, or rootkits. It is not really as important to understand the technical differences between these as it is to understand the types of damage they cause and what you can do to avoid them.
The types of problems that malware can cause can be lumped into one of two categories: 1) using your computer to do bad things, and 2) stealing information. These are described below.
USING YOUR COMPUTER TO DO BAD THINGS
Denial of Service Attacks
You may have heard of this problem. It occurs when malware is installed on many computers, sometimes thousands or even millions, which then begin to flood a particular third-party site on the Internet with requests for information. The flood becomes so great that the attacked site is overwhelmed by these spurious requests and cannot process legitimate ones. Sometimes it will crash, or it will operate so slowly that it becomes unusable. Political and commercial sites are often attacked. If your computer is one of the ones doing the attacking, your system may slow down tremendously, flood your network with useless data, and slow down your entire operation—in addition to the problems caused for the site that is being attacked.
Sending Spam
Spammers do not send spam from their own computers; they use yours! Malware gets installed on people’s computers, and those infected computers are then used to send thousands or millions of spam messages to others, often including everyone in your email address book. Typically, spammers prefer to send email from a user to the people in his or her address book because the recipients will trust the sender more than they would an email from an unknown user. In a law firm or other business, this might result in everyone in your offices receiving the same phony email from a partner or firm management.
Infecting Other Computers
In addition to sending spam, your computer can be used to send the same kind of message that resulted in your computer’s infection in the first place, often to everyone in your email address book along with others. Any spammer can go online and purchase hundreds of thousands of email addresses to attack and can harvest more from the victims who have been attacked.
Chaos
Some malware exists only to cause chaos to those who are infected. This might mean erasing files off your hard drive (or your entire hard drive), sending threatening email to important political figures, or doing other unsavory things to generally make your life miserable. Some malware intercepts social media communications and makes you look bad to your friends or coworkers.
STEALING INFORMATION
Acquiring Information Off Your Computer or Network
Some malware sifts through all your files looking for valuable information and reports it back to the thief who infected your system; other malware intercepts and records every keypress you make (keystroke logging) and sends the results over the Internet to an unknown party. Items typically stolen include passwords, personal information that can be used for identity theft (addresses, phone numbers, social security numbers, etc.), and other valuable information. The criminals behind these schemes typically automate the whole process: the stream of returned data is automatically screened using pattern recognition, and only the pertinent information is extracted and conveniently presented to them.
Valuable Business-Related Data
Sometimes, the goal is corporate espionage where valuable trade secrets are stolen or information is gathered that can harm a firm by making it look bad or by exposing confidential information.
Harvesting credit card numbers, along with stealing user IDs, passwords, and social security numbers, is the holy grail for information harvesters. You have all seen stories where large numbers of IDs and passwords have been stolen or where Protected Health Information (PHI) has been exposed.
Harvesting Email Addresses
A sideline for data harvesters is identifying and stealing email addresses. The more email addresses a spammer has, the more people that can be sent malware. Sending 100,000 emails is no more difficult for a spammer than sending a single one. Even if the infection rate is only 1%, if 100,000 emails are sent out, 1,000 people will be affected. There is a thriving business opportunity on the web for criminals selling vetted (i.e., legitimate) email addresses to send malware and phishing attempts to.
How Does This Stuff Get on My Computer in the First Place?
How does malware get onto your computer in the first place? There are several routes that generally fall into one of the following categories:
Email
Email is the delivery mechanism for malware that can be included in attached documents or in links embedded in the email. Therefore:
- Be suspicious of all email attachments—even those sent from friends or coworkers. Scan all attachments for malware before opening them.
- Emails asking for money or personal information are almost universally dangerous.
- Never open attachments or click on links in emails sent from unknown or untrusted senders.
- Just because an email appears to be from someone you know, you must NOT automatically trust it.
As mentioned above, malware can be embedded in documents such as Microsoft Word documents or PDFs. You should always scan documents before opening them when they are received via an email or given to you on some type of portable media.
Malware can be inadvertently downloaded from malicious websites. Links to these sites might be delivered in an email or might be embedded in a harmless website or shown on a social media site.
- If you do not have a good reason to click on a link, avoid clicking on it. Among other things, this means if you are at work, do not mix your work and personal pursuits by clicking on items related to your personal life at work.
- Be very suspicious of requests to download applications or to install ‘Add-Ons,’ such as suspicious ActiveX components or strange media players.
- Never download or install software from unknown or untrusted websites.
- Sites notorious for housing malware include porn sites, gambling sites, music lyric sites, dating sites, and—sadly—religious sites.
A fairly new tactic to spread malware is to use pop-ups that appear to be legitimate Windows alerts, messages, or ads.
- Never buy software in response to unexpected pop-up messages or emails.
- Be especially wary of hoax adverts that claim to have scanned your computer and detected malware.
- Immediately close your browser if you see one of these types of pop-ups. Do not respond or click on any part of the pop-up to acknowledge or close it.
The popularity of social media is exploding. Criminals are always looking for ways to exploit their victims and the relative newness of social media makes it a natural vector for delivering malware and extracting information from victims, particularly young and naive users. Malware is increasingly spread through social networking sites by installing dubious third-party add-on applications or by providing web links in messages. There is a false sense of security when using these sites, so you must remain vigilant at all times.
- Only install third-party social networking applications that are well-known and trusted.
- Never click links in messages from unknown or untrusted contacts, and avoid clicking on message links sent from trusted contacts unless you are absolutely sure the content is valid.
- Avoid clicking on games, joining groups, adding people you do not know, or agreeing to load any software unless you want to receive the social networking version of spam in your account.
Malware is sometimes located in legitimate software, although this is rare. If you suspect this to be the case, you should contact the software vendor immediately.
- You should never install unauthorized, unlicensed, or unapproved software on your computer.
- Be suspicious of all free software. There are many valuable free software applications available, but many also carry malware or have other undesirable side effects such as pop-up ads.
CDs, DVDs, portable hard drives, diskettes, and USB drives are all potential sources of malware, particularly if shared between home and work systems.
- Never access untested computer media with your computer.
- Always scan all files stored on computer media for malware before accessing them.
- Give suspicious disks to your Information Services Department to test before loading them on your own computer.
A new threat is malware spread through mobile devices such as smartphones and tablets.
- The same warnings described above for computers apply to mobile devices, which are really miniature computers and are susceptible to all the same types of problems that workstations might encounter.
- Be aware that mobile devices can also disclose your location, which is potentially a very serious exposure that could be exploited by sophisticated criminals.
Everyone who routinely uses email is familiar with phishing. You receive what looks like a legitimate email from an individual, business, or political entity (often someone you know) that asks you for something you would normally never freely provide to someone else. Usually personal information or money is requested. Spear phishing occurs when the sender specifically targets a particular individual or group with a phishing attack. For example, a law firm may be solicited to send money to an escrow account for a particular matter at the request of a particular client. Spear phishing attempts can be extremely convincing.
Avoiding phishing attempts is fairly simple. Never give out personal information or spend money over the Internet unless you originated the conversation. If possible, contact senders to check for legitimacy and report phishing attempts to your Information Services Department.
In addition to the specific information provided above, there are some general rules you should follow to avoid problems. It is absolutely necessary to recognize that there are people in the world who want to cause harm to you and/or your company, family, and friends. They want to take your money, damage your company, or cause general chaos, sometimes just for “fun.” Therefore, when online, you should view every communication as a potential attack on you, your friends and family, and/or your company. These attacks may occur at work, at home, or on the road. Being protective of your information and suspicious of all electronic communications is a state of mind you should acquire and nurture.
Your first and most important line of defense at work is your Information Services Department. An effective Information Services Department has policies, procedures, and hardware and software applications in place to block or disable attacks. To help them help you, you should:
- Never try to circumvent security controls that are put in place.
- Never violate your company’s safety and security policies and procedures.
- Understand that when your Information Services Department does not give you administrative access to your computer, they are doing so to prevent you from inadvertently loading malware onto your system.
- Use the malware scanning tools provided by the Information Services Department to check out potentially dangerous files.
Second, trust your intuition. If something seems wrong, nine times out of ten there is something wrong. We are all busy and in a hurry, but avoid blithely clicking on links or opening attachments if something seems strange. You may lose a few minutes checking the validity of the communication, but it is far better than having your whole system, and potentially your entire firm, rendered nonoperational for hours or days due to carelessness.
Always remember: the “from” field in an email can be easily spoofed to look like the email came from a trusted sender. This is, in fact, the most desirable situation from the criminal sender’s viewpoint.
If someone asks for money or information in an email, you are virtually always dealing with a phishing or malware situation. Banks, businesses, and the government (in particular, the IRS) never contact people soliciting this type of information. The most trustworthy way to interact with others is to initiate the contact yourself, not through a supplied link or attachment.
These guidelines also apply to your home systems and their use by family and friends. Be vigilant!
@Law
Doug Leins has been managing Information Services and other technical departments for more than 30 years in healthcare, government, and law firms. He is currently the Director of Information Services at Waller Lansden Dortch & Davis, LLP in Nashville, Tennessee.