Sophos

Download Free virus scan - Download the Sophos Threat Detection Test

Use the front door, not the windows!

Here’s the situation. You’ve received an email. It purports to be from an organization that you have some dealings with. It proclaims some change in policy or procedures and presents you with a URL to visit. This email looks really legit. The spelling is correct. The grammar looks sound. Heck! It even looks professional. But you weren’t born yesterday. And with the proliferation of email-borne scams around at the moment, you really do have to be sceptical. So how can you tell if it is legit or not, and what should you do about it?

Unfortunately, there are no easy answers. Some of the scammers are trying very hard to make their email look just like the real ones. Sometimes these emails are copies of real bank emails. Some of the scammers are actually getting quite good with their forgeries.

I’m hardly going to try to distil the experience garnered over the last few years of research into a single blog post. However, I am going to offer you some measures and precautions that will hopefully offer you a little protection.

First, ask yourself: did I ever give my bank this email address? If you have the option, you might consider keeping one email address for all your personal business while using a second, throwaway email address for web stuff. I have one or two email addresses that attract almost no spam. They attract virtually no spam because I only ever give them to specific institutions, like my banks, that have, and are held accountable to, high standards of information security. I specifically do not use these email addresses:

- When subscribing to websites (even reputable ones, see here).
- To post to news groups or forums.
- To communicate with family or friends who might forward an article from a news site to the address, or try to send me an invite to the flavour-of-the-month social networking site.
- To publish on any website.

Second: do not click on links in emails. Try to get out of the habit. It is trivial to hide the true destination of an embedded URL, and in mere seconds you could have malware running on your system. Phishing sites are almost invariably placed on a hacked web server. If the web server has been compromised, there’s no telling who else might have access to it and what other things (e.g. malware installers) might have been set up. It is really not worth the risk of visiting the site at all. As I say in the title, use the front door, not the windows. Even if you are only a casual or infrequent user of internet banking websites, you probably know the URL, so type it. It doesn’t take long and it might save you a lot of money and/or hassle with the bank.
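A mail filter or a curious reader can check for the hidden-destination trick described above by comparing the host a link displays with the host it actually points to. The following is an added example, not code from the original post; the function names and the sample message are constructed for illustration, and the check is a heuristic that only covers link text that itself looks like a URL or domain.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def _host(value):
    """Hostname if value looks like a URL or bare domain, else None (heuristic)."""
    value = value.strip()
    if " " in value or "." not in value:
        return None
    if "://" not in value:
        value = "http://" + value
    try:
        return urlsplit(value).hostname or None  # hostname is already lower-cased
    except ValueError:
        return None

class LinkAuditor(HTMLParser):
    """Record anchors whose visible text names a different host than the href."""
    def __init__(self):
        super().__init__()
        self.mismatches = []
        self._href = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            shown, actual = _host(text), _host(self._href)
            if shown and actual and shown != actual:
                self.mismatches.append((text, self._href))
            self._href = None

def find_mismatched_links(html):
    """Return (visible_text, href) pairs where the two point at different hosts."""
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.mismatches

# Constructed sample body; example.com and example.net are reserved names.
SAMPLE = (
    '<p>See <a href="http://login.example.net/update">https://www.bank.example.com/policy</a> '
    'or our <a href="https://www.bank.example.com/help">help page</a>.</p>'
)
```

Calling `find_mismatched_links(SAMPLE)` reports the first link only. A link whose text is plain words ("help page") cannot be judged this way, which is one more reason to type the address yourself.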

Third, keep your operating system and other software up to date. Make sure Sophos Anti-Virus is running and up to date, and for Windows systems run Sophos Client Firewall to limit your system’s exposure to the net.

Another way to add a layer between your computer and the internet is to access the internet via a purpose-built virtual machine. Makes of virtualization software include Microsoft Virtual PC, VMware, QEMU and others. Using a virtual machine will allow you to install operating systems that run as applications on your existing computer. Virtual machines are resource intensive and are not recommended for older computers, but one of their greatest strengths is that they can be reverted to a known state with just a couple of clicks, thereby deleting any malware that might have gotten through your defences. You can and should install Sophos Anti-Virus on the virtual machine and make sure it is up to date before browsing. Similarly, you should apply operating system and especially browser software updates before browsing. Be aware, though, that if malware does start running in your virtual machine, it may achieve its purpose (e.g. a keylogger may still harvest your keystrokes). However, a virtual machine can be set up to revert to the last snapshot when you reboot it. At this point any malware will be deleted.

Using a virtual machine will not necessarily protect you from all threats, as some malware knows how to detect that it’s running in a virtual machine and may be able to infect the host.

It is worth noting that almost all of the malware I find in my day-to-day work will only run on Windows computers. All operating systems suffer from vulnerabilities and, personally, I refuse to enter the ‘my OS is better than your OS’ argument. But using an operating system other than Windows will prevent the majority of malware from running.

If you use the Mozilla Firefox web browser you could install the NoScript plugin. NoScript will prevent JavaScript from running on all sites except those that you authorize. It might be painful training it to allow the sites that you trust at first, but most, if not all, of the drive-by installers I’ve seen have relied on JavaScript at some point.

Having said all that, though, had you been a Bank of India customer and visited their home page recently from an unpatched Windows computer with no antivirus protection, you would have been infected. The sad truth is that software vulnerabilities exist and the bad guys occasionally find ways to exploit them before the vendor can issue a fix. And as a result, sometimes even high-profile companies have parts of their infrastructure compromised.

So let me finish with one last piece of advice. Suppose you think the email that you have received may actually be legitimate: it comes from an institution you have dealings with, you are sure they have your email address, and it advises immediate action. Unless you are using secure browsing techniques, know how to spot internet nasties in the source code of web pages, and are willing and able to examine the source code before visiting the specific pages your email advertises, simply pick up the phone and talk to them about it. There is no chance at all of getting infected that way.

