Rechercher
Contactez-nous Suivez-nous sur Twitter En francais English Language
 

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN

Vulnérabilités

Unsubscribe

Amit Klein, CTO, Trusteer: Stay Alert – Stay Safe, It’s a dangerous online world and you need to keep your wits about you

August 2010 by Amit Klein, CTO, Trusteer

The World Cup might be a distant memory but for the victims who fell foul of the many scams targeted during the tournament, the legacy of the games lives on. But just because the games are over doesn’t mean we can let our guard down. Criminals are already preparing for the next major event from which to hitch a ride and launch an attack in an effort to dupe us into believing their lies. With HMRC having been imitated on many previous occasions the fact that many self-employed people are expecting to pay an income tax instalment this month will not have gone unnoticed by scammers – it’s just a waiting game to see what they send out and how many fall victim to their charms.

So, what is it about these attacks that manage to fool so many people and what can we do to protect ourselves?

To kick off, it’s worth just recapping the top scams that lull us into scoring an own goal:

1. Top of the list is the plain old phishing attack. Primarily to steal our credentials, we’ve all be warned about them and smiled smugly as we’ve deleted the ones from Nigeria telling us we’re just a click away from becoming millionaires. Yet for some reason if the scammers manage to strike a chord with the recipient, a case in point is the recent World Cup lottery examples, people will drop their guard and click on the link

2. A fairly new scam doing the rounds is the faked communication from the IT department asking staff “to upgrade” their system with a link harbouring malicious malware waiting to download directly to the ‘always does as he’s told’ employee’s device

3. The ‘official’ phishing attack pertaining to be from a well known bank, government department such as HMRC tax form / refund etc or other authoritative. This type of attack can take a number of formats but all have the same thing in common – they’re extremely well executed. Criminals will painstakingly recreate letterheads, legitimate looking email addresses and domain names with the sole purpose of tricking you into believing their legitimacy. What they’re really after is your credentials.

4. The Domain Name scam primarily targets business/domain owners. There are two types of attack: 1) to make you buy more domain names than you need for fear of losing them and 2) to make you pay to renew your domain name, effectively transferring it to the scammers, and leaving yourself open to being held ransom over your domain name.

With the criminals never seeming to rest it’s impossible to provide a list of attacks that you need to protect yourself from. Lets face it, as soon as we’ve written it it’s out of date as, tomorrow, there’ll be a new email or malicious website waiting to steal your data. Instead, here is a checklist for you to follow that will help you stay one step ahead of the criminals and their increasingly sophisticated communications :

1. make sure you are always up to date with the latest operating system, browser and security software. As you’ll come to see you need to be cautious of unsuspectingly downloading malware so always use a reputable site, such as : Adobe, Microsoft, etc.

2. when surfing the internet, keep your ‘gut instinct’ radar tuned in and try to avoid questionable sites. It’s worth noting that, even if a site is returned by a search engine - even the reputable ones, you should still exercise caution when visiting them as it is possible for any site to harbour malicious code and its better to be safe than sorry. In fact, a perfectly legitimate site with inadequate protection is perfect prey for a hacker who installs malicious code to steal credentials, often for a short period of time then slips away undetected. Always check the address bar at the top of the screen states https:// before entering any log in details or submitting personal information, especially credit card details. With newer browsers this domain bar will be green for safe sites with [red] warning that the site really shouldn’t be trusted.

3. Always question the legitimacy of attachments to emails, even from close friends and family, as they may unwittingly be passing on a virus

4. Exercise caution when downloading software from the internet especially from sites that you’re unfamiliar with. It is worth doing a little background on the forums to make sure that the software hasn’t been previously discussed as potentially hazardous

5. Be suspicious of emails claiming to be from your bank, IT department, Microsoft or other software vendor etc asking you to execute files unless you are expecting a communication of this nature. If in doubt visit their websites/departments, although not through any embedded links within the communication, and check to see if there have been any reports of these messages as fraudulent

6. By the same token if you receive an email that claims to be from your bank, IT department, Microsoft or other software vendor etc asking you to disclose personal information – even what looks like a legitimate email from IT asking for your password alarm bells should be sounding. None of these organisations will ever ask you to disclose your password

7. As alluded to in tip 5, never click on a link in an unsolicited email especially one that requires you to ‘update your details’.

I’m sure, having read this list, there will be some of you that think you’ll never fall foul of another scam again, and that’s great. There will be others who question why we haven’t suggested the use of anti-virus software while the majority of you will probably be thinking that this advice is not foolproof and it’s just a matter of time before I slip up and fall foul of a cyber criminal. Our final nugget of gold is this – with malware and phishing attacks increasingly taking place in your browser, that’s where your protection should be focussed. Secure browsing technology protects your computer against new, sophisticated attacks that anti-virus and firewalls cannot always cover. For the techies amongst you, these are called zero day vulnerabilities which even the giants of the IT world have been victims of more than once.

Secure browsing technology is available free to download from many banks, including Santander, Coutts, Coventry Building Society, First Direct, HSBC, NatWest, The Royal Bank of Scotland and Ulster Bank or from the Trusteer website free of charge . The lightweight browser security plug-in and security service locks down your browser once you connect to a sensitive website such as your bank. Any malicious software that tries to ride on or inject into the browser is left out of the secured window, and cannot access your sensitive information and transactions. By locking down communication between your browser and your bank, this secure browsing technology prevents any network-based attack from diverting traffic to fraudulent locations. Once you have this software, you can use it to protect any website, not just your banks.

It’s a dangerous world and that’s not just scare mongering. There really are criminals out there trying to steal your details, and they’re making a decent living from doing so. It’s up to you to stop them because it’s you that ultimately will open the door to them. There is a security chain available – it’s up to you to use it.


See previous articles

    

See next articles


Your podcast Here

New, you can have your Podcast here. Contact us for more information ask:
Marc Brami
Phone: +33 1 40 92 05 55
Mail: ipsimp@free.fr

All new podcasts