Five Ways to Keep Online Criminals at Bay
The New
York Times,
On Wednesday May 19, 2010, 7:45 pm EDT
THE
Web is a fount of information, a busy marketplace, a thriving
social scene - and a den of criminal activity.
Criminals
have found abundant opportunities to undertake stealthy attacks
on ordinary Web users that can be hard to stop, experts say.
Hackers are lacing Web sites - often legitimate ones - with
so-called malware, which can silently infiltrate visiting
PCs to steal sensitive personal information and then turn
the computers into "zombies" that can be used to spew spam
and more malware onto the Internet.
At one time, virus attacks
were obvious to users, said Alan Paller, director of research
at the SANS Institute, a training organization for computer
security professionals. He explained that now, the attacks
were more silent. "Now it's much, much easier infecting trusted
Web sites," he said, "and getting your zombies that way."
And there are myriad lures aimed at conning people into installing
nefarious programs, buying fake antivirus software or turning
over personal information that can be used in identity fraud.
"The Web opened up a lot more opportunities for attacking"
computer users and making money, said Maxim Weinstein, executive
director of StopBadware, a nonprofit consumer advocacy group
that receives funding from Google, PayPal, Mozilla and others.
Google says its automated scans of the Internet recently turned
up malware on roughly 300,000 Web sites, double the number
it recorded two years ago. Each site can contain many infected
pages. Meanwhile, Malware doubled last year, to 240 million
unique attacks, according to Symantec, a maker of security
software. And that does not count the scourge of fake antivirus
software and other scams.
So it is more important than ever to protect yourself. Here are some basic tips for thwarting
them.
Protect
the Browser
The most direct line of attack is
the browser, said Vincent Weafer, vice president of Symantec
Security Response. Online criminals can use programming flaws
in browsers to get malware onto PCs in "drive-by" downloads
without users ever noticing.
Internet Explorer and Firefox
are the most targeted browsers because they are the most popular.
If you use current versions, and download security updates
as they become available, you can surf safely. But there can
still be exposure between when a vulnerability is discovered
and an update becomes available, so you will need up-to-date
security software as well to try to block any attacks that
may emerge, especially if you have a Windows PC.
It can help
to use a more obscure browser like Chrome from Google, which
also happens to be the newest browser on the market and, as
such, includes some security advances that make attacks more
difficult.
Get
Adobe Updates
Most consumers are familiar with
Adobe Reader, for PDF files, and Adobe's Flash Player. In
the last year, a virtual epidemic of attacks has exploited
their flaws; almost half of all attacks now come hidden in
PDF files, Mr. Weafer said. "No matter what browser you're
using," he said, "you're using the PDF Reader, you're using
the Adobe Flash Player."
Part of the problem is that many
computers run old, vulnerable versions. But as of April, it
has become easier to get automatic updates from Adobe, if
you follow certain steps.
To update Reader, open the application
and then select "Help" and "Check for Updates" from the menu
bar. Since April, Windows users have been able to choose to
get future updates automatically without additional prompts
by clicking "Edit" and "Preferences," then choosing "Updater"
from the list and selecting "Automatically install updates."
Mac users can arrange updates using a similar procedure, though
Apple requires that they enter their password each time an
update is installed.
Adobe said it did not make silent automatic
updates available previously because many users, especially
at companies, were averse to them. To get the latest version
of Flash Player, visit Abobe's Web site.
Any software can
be vulnerable. Windows PC users can identify vulnerable or
out-of-date software using Secunia PSI, a free tool that scans
machines and alerts users to potential problems.
Beware
Malicious Ads
An increasingly popular way to get attacks onto Web sites
people trust is to slip them into advertisements, usually
by duping small-time ad networks. Malvertising, as this practice
is known, can exploit software vulnerabilities or dispatch
deceptive pop-up messages.
A particularly popular swindle
involves an alert that a virus was found on the computer,
followed by urgent messages to buy software to remove it.
Of course, there is no virus and the security software, known
as scareware, is fake. It is a ploy to get credit card numbers
and $40 or $50. Scareware accounts for half of all malware
delivered in ads, up fivefold from a year ago, Google said.
Closing the pop-up or killing the browser will usually end
the episode. But if you encounter this scam, check your PC
with trusted security software or Microsoft's free Malicious
Software Removal Tool. If you have picked up something nasty,
you are in good company; Microsoft cleaned scareware from
7.8 million PCs in the second half of 2009, up 47 percent
from the 5.3 million in the first half, the company said.
Another tool that can defend against malvertising, among other
Web threats, is K9 Web Protection, free from Blue Coat Systems.
Though it is marketed as parental-control software, K9 can
be configured to look only for security threats like malware,
spyware and phishing attacks - and to bark each time it stops
one.
Poisoned
Search Results
Online criminals are also trying
to manipulate search engines into placing malicious sites
toward the top of results pages for popular keywords. According
to a recent Google study, 60 percent of malicious sites that
embed hot keywords try to distribute scareware to the computers
of visitors. Google and search engines like Microsoft's Bing
are working to detect malicious sites and remove them from
their indexes. Free tools like McAfee's SiteAdvisor and the
Firefox add-on Web of Trust can also help - warning about
potentially dangerous links.
Antisocial
Media
Attackers also
use e-mail, instant messaging, blog comments and social networks
like Facebook and Twitter to induce people to visit their
sites.
It's best to accept "friend" requests only from people
you know, and to guard your passwords. Phishers are trying
to filch login information so they can infiltrate accounts,
impersonate you to try to scam others out of money and gather
personal information about you and your friends.
Also beware
the Koobface worm, variants of which have been taking aim
at users of Facebook and other social sites for more than
a year. It typically promises a video of some kind and asks
you to download a fake multimedia-player codec to view the
video. If you do so, your PC is infected with malware that
turns it into a zombie (making it part of a botnet, or group
of computers, that can spew spam and malware across the Internet).
But most important, you need to keep your wits about you.
Criminals are using increasingly sophisticated ploys, and
your best defense on the Web may be a healthy level of suspicion.
