Comment: Watch out – cybercriminals are about

Recalling this year’s World Cup, many will be thinking of the missed opportunities and what might have been. For some, however, the games will be viewed as a complete success.

Who are these individuals? Well, supporters of Spain are definitely one group, but another is the many criminals who snared victims with numerous scams during the tournament for whom the legacy of the games continues to live on. In fact, these criminals are already replaying which tactics worked well and those that didn’t as they prepare for the next major event.

And it’s not just sporting events that present an opportunity – organisations, such as HMRC, have been imitated on many previous occasions. It’s just a waiting game to see what cybercriminals send out next, and how many will fall victim to their charms.

So, what is it about these attacks that manage to fool so many people, and what can we do to protect ourselves?

To kick off, it’s worth just recapping the top scams that lull us into scoring an own goal:

1. First is the tried-and-tested phishing attack. Primarily to steal our credentials, we’ve all be warned about them and smiled smugly as we’ve deleted the ones from Nigeria telling us we’re just a click away from becoming millionaires. Yet for some reason if the scammers manage to strike a chord with the recipient, a case in point is the recent World Cup lottery examples, people will drop their guard and click on the link.
2. The Domain Name scam primarily targets business/domain owners. There are two types of attack: 1) to make you buy more domain names than you need for fear of losing them and 2) to make you pay to renew your domain name, effectively transferring it to the scammers, and leaving yourself open to being held ransom over your domain name.
3. The ‘official’ phishing attack that pretends to be from a well-known bank, government department, or other authorities. This type of attack can take a number of formats but all have the same thing in common – they’re extremely well executed. Cybercriminals will painstakingly recreate letterheads, legitimate-looking email addresses and domain names, with the sole purpose of tricking you into believing their legitimacy. What they’re really after is your credentials.
4. A fairly new scam doing the rounds is the faked communication from IT department staff asking to ‘upgrade’ a system with a link harbouring malicious malware. This scam is particularly effective against that ‘always does as he/she is told’ type of employee.

Because cybercriminals never seem to rest, it’s impossible to provide a comprehensive list of attacks that require protection against. Let’s face it, as soon as we’ve written about one it’s already out of date as, tomorrow, there’ll be a new email or malicious website waiting to steal data. Instead, here is a checklist to follow that will help even the most savvy among us stay one step ahead of cybercriminals and their increasingly sophisticated communications:

1. Always question the legitimacy of email attachments, even from close friends and family, as they may unwittingly be passing on a virus.
2. Be suspicious of emails claiming to be from your bank, IT department, Microsoft or other software vendor asking you to execute files unless you are expecting a communication of this nature. If in doubt, visit the alleged sender’s website/department, although not through any embedded links within the communication. Then check to see if there have been any reports of fraudulent messages.
3. Likewise, if you receive an email that claims to be from your bank, IT department, Microsoft or another software vendor asking you to disclose personal information – even what looks like a legitimate email from IT asking for your password – your internal alarm bells should be sounding. None of these organisations will ever ask you to disclose your password.
4. Make sure you are always up to date with the latest operating system, browser and security software. You’ll need to be cautious of unsuspectingly downloading malware, so always use reputable sites, such as Adobe, Microsoft, etc.
5. Exercise caution when downloading software from the internet, especially from sites that you’re unfamiliar with. It is worth doing a little background on the forums to make sure that the software hasn’t been previously discussed as potentially hazardous.
6. As alluded to in tip #5, never click on a link in an unsolicited email, especially one that requires you to ‘update your details’.
7. Finally, keep your ‘gut instinct’ radar tuned in. When surfing the internet try to avoid questionable sites. When reading emails, if there’s obvious spelling mistakes in an otherwise credible-looking message, then it should no longer be considered credible. If a website is returned by a search engine – even the reputable ones, you should still exercise caution when visiting them, as it is possible for any site to harbour malicious code. In fact, a perfectly legitimate site with inadequate protection is perfect prey for a hacker who installs malicious code to steal credentials, often for a short period of time, and then slips away undetected. Always check that the address bar at the top of the screen shows an SSL connection (https://) before entering any log in details or submitting personal information, especially credit card details. With newer browsers this domain bar will be green for safe sites or red to warn that the site really shouldn’t be trusted.

I’m sure, having read this list, there will be some of you that think you’ll never fall foul of another scam again, and that’s great. There will be others who question why I haven’t suggested the use of anti-virus software, whereas the majority of you will probably be thinking that this advice is far from foolproof, and it’s just a matter of time before I slip up and fall foul of a cybercriminal.

My final nugget of gold is this – with malware and phishing attacks increasingly taking place within web browsers, this is where protection should be focussed. Secure browsing technology protects computers against new, sophisticated attacks that anti-virus and firewalls cannot always cover. For the techies amongst you, these are called zero-day vulnerabilities, which even the giants of the IT world have been victims of more than once.

Secure browsing technology is available free to download from many banks, including Santander, Coutts, Coventry Building Society, First Direct, HSBC, NatWest, The Royal Bank of Scotland and Ulster Bank, or from the Trusteer website free of charge.

The lightweight browser security plug-in and security service locks down the browser once it connects to a sensitive website, such as a bank. Any malicious software that tries to ride on or inject into the browser is left out of the secured window, and cannot access sensitive information and transactions. By locking down communication between the browser and the bank website, this secure browsing technology prevents any network-based attack from diverting traffic to fraudulent locations. Once this software is installed, it can be used to protect any website, not just bank sites.

It’s a dangerous world out there, and that’s not just scare mongering. The truth is cybercriminals really do exist and are prospering from stealing personal details.

Staying safe is ultimately up to the individual – I can teach you how to cross the road but it’s up to you to look both ways before stepping off the curb, and the same is true when you sit down at your screen.

Stay alert, stay safe.

Amit Klein, noted malware researcher and CTO of web browser security specialist Trusteer, is an expert on internet and endpoint security technologies. Prior to Trusteer he was chief scientist at Cyota (now part of RSA Security), a leading provider of layered authentication solutions. In this role, Klein researched technologies that prevent online fraud, phishing, and pharming.

Klien was also previously the director of security and research at application security vendor Sanctum (now Watchfire), where he was responsible for the security architecture of all Sanctum products. Klein spent almost seven years in the Israeli army as a research officer and project manager and has published over two dozen articles, papers and technical notes on the topic of internet security. Klein is a graduate of the prestigious Talpiot programme of the Israeli army and holds a BSc (cum laude) in mathematics and physics from the Hebrew University (Jerusalem).

Trusteer is exhibiting at 360°IT, the IT Infrastructure Event held 22–23 September 2010, at Earl’s Court, London. The event provides an essential road map of technologies for the management and development of a flexible, secure and dynamic IT infrastructure. For further information please visit www.360itevent.com.