I have been reading a ton about the major companies that have been owned in the past 2 months, and for most of the attacks the main vector was email. The attackers sent an email, someone opened it and clicked on the link or the file in the email, and that was all she wrote. At that point the computer was compromised and the attackers were able to use the compromised system to search for data to steal. The easiest way to avoid this problem is to stop using email… stop right now.
Ok, so that is not going to work for most of us for longer than a weekend. The next best option: DON’T CLICK links or open files in emails without doing some research first. Even if you have antivirus software you are still not fully protected from these threats. A lot, but not all, of the attacks used in spear phishing leverage vulnerabilities in Windows or other operating systems that have not yet been patched; others take you to a site and install software that could in other contexts legitimately be used for system management by an IT department, so your antivirus sees nothing wrong with it. Below are a few tips and suggestions that all of us can use to reduce our vulnerability to this type of attack:
1. When you get an email that claims to be from your bank or another retailer that you frequent, saying you need to click on this link right away or something bad is going to happen to your account, don’t panic. This is a tactic many attackers use to get your attention and panic you so that you will click on their nefarious links. If you get an email from one of these businesses that you use, instead of clicking on the link, go to their website and log in the way you normally do. For example, if Bank of America sends an email wanting you to check your account balance, open your web browser, type www.bankofamerica.com into the address bar and log in. It takes an extra step or two but it keeps you safer. Also know that your bank or any other reputable retailer is not going to ask for your sensitive account data via email or on a single web page. Be wary of what you type into forms on the internet and watch the address bar. Don’t be fooled into giving out information on a site that merely looks like the site you intended to visit. Always double check the address bar before submitting anything.
2. Don’t blindly open attachments sent to you in emails. If someone sends you an email attachment, evaluate who it came from and whether it was something you were expecting. If I get an attachment from someone that I am not expecting one from, I don’t open it. I email them back, or pick up the phone and call them, to ensure that they meant to send it to me. Also, if an attachment looks too good to be true, such as employee-compensation-chart.xls, then it is probably a trap. You have to treat email like you treat the things that come through snail mail at home. If you get a packet claiming you have won $10,000 and telling you to promptly call this number, you chuck it into the recycling and move on. We need to show the same level of scrutiny to our email inbox.
3. Before opening a file you receive as an attachment, run it through a virus scanner, or 50. There is a free site (www.virustotal.com) that will let you upload any file you have on your computer and compare it against a multitude of antivirus products. They even have a tool you can load into your Windows operating system that shortcuts this process down to right-clicking on the suspect file and selecting “Send to VirusTotal”; it will immediately upload the file and give you the lowdown on its contents. You can get this tool here – http://www.virustotal.com/advanced.html. This site also supports pasting in links to suspect sites and having them analyzed for malware/spyware.
4. Don’t think that just because you don’t run Windows on your computer it can’t be hacked. For many years those of us on Macs and Linux/Unix boxes looked down our noses at those suits running Windows, thinking about how special we were because we were virus proof. I am sorry to say that those days are long gone. If you don’t believe your box can be had, just keep surfing and clicking on links without considering their source, and sooner or later you will fall victim to a fake antivirus program or something much worse that will take over your bank or social networking accounts.
5. Keep your antivirus up to date. I know that I have already stated that many of these nasty bugs can evade antivirus detection, but there are also a multitude that can’t. So pick an antivirus vendor and stay patched with AV updates as well as updates to whatever flavor of operating system you choose to run. This is your first line of defense against these types of attacks. Your second line of defense, after these automated tools, comes down to a manual process of using your brain to make educated decisions about the links and files you open in emails.
I am going to include some links to places that have some more good information about specific types of attacks, with examples they have seen used on others. Just today we got notification of a user getting a bogus link from www.logmein.com wanting the user to click the link to activate a new account. The email showed www.logmein.com, but upon further inspection the link went to a nefarious site that would have installed software onto the machine to compromise it. Don’t blindly trust my links either. Feel free to type these into your browser manually or Google around to locate the same results.
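Two of the manual checks above (does the link go where its text says it goes, as in the LogMeIn lure, and is that attachment something I should hash and scan before opening, as in tip 3) can be automated over a saved message. The script below is an added example written for this post, not a tool from the author or from VirusTotal; the sample message embedded in it is constructed, with made-up `example.invalid` hosts standing in for the attacker's site, and the list of risky extensions is a heuristic of my own. It parses the email with the standard library, pairs every HTML link's visible text with its real target, flags mismatches, and reports each attachment's SHA-256 so it can be looked up before anyone double-clicks it.

```python
import email
import hashlib
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real lure): the visible link text names one
# site while the href points somewhere else, and it carries an attachment with
# a too-good-to-be-true filename.
SAMPLE_EML = """\
From: "Account Services" <noreply@example.invalid>
To: user@example.invalid
Subject: Activate your new account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://login.example.invalid/activate">www.logmein.com</a>
to activate your account immediately.</p>
<p>Or visit <a href="https://www.bankofamerica.com/">www.bankofamerica.com</a>.</p>
</body></html>
--b1
Content-Type: application/vnd.ms-excel
Content-Disposition: attachment; filename="employee-compensation-chart.xls"
Content-Transfer-Encoding: base64

Tm90IHJlYWxseSBhIHNwcmVhZHNoZWV0Lg==
--b1--
"""

# Extensions that can run code or carry macros. A heuristic list (my assumption), not exhaustive.
HIGH_RISK_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "hta",
                        "jar", "lnk", "iso", "doc", "docm", "xls", "xlsm"}

# Matches link text that itself looks like a domain or URL, e.g. "www.logmein.com".
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname_in_text(text):
    """Hostname named by the visible link text, or None if the text is plain words."""
    m = HOST_RE.match(text.strip())
    return m.group(1).lower() if m else None


def normalise_host(host):
    """Lower-case and drop a leading 'www.' so www.x.com and x.com compare equal."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def analyse_email(raw):
    """Return a report of every link (with text/target mismatch flag) and attachment."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = {"subject": str(msg["Subject"]), "links": [], "attachments": []}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            name = part.get_filename() or "(unnamed)"
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            report["attachments"].append({
                "filename": name,
                "content_type": part.get_content_type(),
                "sha256": sha256_hex(data),          # look this up before opening the file
                "high_risk": ext in HIGH_RISK_EXTENSIONS,
            })
        elif part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                text_host = hostname_in_text(text)
                href_host = urlparse(href).hostname or ""
                # Only compare when the visible text itself claims to be a site.
                mismatch = text_host is not None and \
                    normalise_host(text_host) != normalise_host(href_host)
                report["links"].append({"href": href, "text": text,
                                        "href_host": href_host, "mismatch": mismatch})
    return report


def warnings_for(report):
    """Human-readable findings: one line per mismatched link or risky attachment."""
    out = []
    for link in report["links"]:
        if link["mismatch"]:
            out.append(f"link text '{link['text']}' actually points at {link['href_host']}")
    for att in report["attachments"]:
        if att["high_risk"]:
            out.append(f"attachment '{att['filename']}' can carry code; check sha256 "
                       f"{att['sha256'][:16]}... with a scanner before opening")
    return out


if __name__ == "__main__":
    rep = analyse_email(SAMPLE_EML)
    print("Subject:", rep["subject"])
    for w in warnings_for(rep) or ["no warnings"]:
        print("WARNING:", w)
```

To use it on a real message, save the email from your client as an `.eml` file and pass its contents to `analyse_email` instead of `SAMPLE_EML`. The hostname comparison deliberately only fires when the visible text looks like a site name; a link labelled “click here” that goes somewhere unexpected still has to be checked by hovering over it, which is exactly the habit tip 1 is asking for.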