How to protect your PC against devious security traps
By Brad Chacos
PCWorldSep 16, 2013 3:30 am PDT
Securing your PC against the malicious wilds of the Web isn’t as simple as just keeping your antivirus software of choice up-to-date. In fact, the pervasiveness of security software has forced the bad guys to turn to increasingly clever tricks in their quest to “pwn” your PC.
But fear not! Those sneaky tricks are most effective if victims are unaware of the danger. And today, dear reader, I’m going to show you how to avoid the most devious PC security traps, because in this case knowing is more than half the battle.
Let’s start with the devious attack you’re most likely to encounter during your day-to-day computing.
Phishing websites mimic the look of another site in an attempt to lure you into entering your personal and account information. Although phishing websites take all forms, attackers especially like to spoof banks and social networks. Phishing attacks typically threaten from two angles: mistyped website URLs and email messages that pretend to be from legitimate sources.
One simple tell gives away a phishing site: The URL doesn’t match the URL of the website you think it is. If Facebokk.com, Faceb00k.com, or Facenook.com asks for your Facebook login, run away screaming. (Or at least do the digital equivalent.) I can’t stress this enough: Give the URL of any website that asks you to log in a close examination before you pass out your password.
Beyond that, most social media and banking websites use HTTPS encryption by default. If the site that you’re on doesn’t have the lock icon next to its URL in your browser, that’s a good sign that something is afoot.
The big three browsers—Internet Explorer, Chrome, and Firefox—all include safe-browsing warning systems that clue you in to suspected phishing and malware sites, while browser plug-ins such as Web of Trust and McAfee’s Site Advisor can provide an extra layer of protection.
Scammers and hackers love email. All too often, tales of hacked Twitter accounts and Web servers can be traced back to the same origin: “A member of the team opened a malicious email message.”
Okay, that’s not quite true. In most cases, merely opening a piece of email won’t send your world crashing down. You have to click a malicious link or open a tainted email attachment. The solution? Be wary of clicking emailed links, and don’t open attachments without ensuring their cleanliness first.
That goes doubly so for email purporting to be from banking sites, PayPal, social media, or any other site to which you need to log in; often such messages are phishing attempts. (Yes, the bad guys can fake email addresses.) Instead, open your browser and navigate to the site in question directly. Email providers and programs often flag suspicious email, but their detection systems aren’t bulletproof.
Many premium antivirus tools automatically scan email attachments for malware, but you still want to download attachments and scan them manually before opening them, just to be safe.
Though not all malicious email messages originate from foreign lands and contain spelling and grammar mistakes, many do. If you receive an error-ridden missive claiming to come from an official source, be on guard.
Fake update or error warnings
By now you’re likely aware of adware, the annoying form of malware that inundates you with a flood of ads or scary messages that promise to disappear for a fee. You can eradicate such nuisances with antivirus tools, but that isn’t the case for a similar strain of invaders that try to coax you into installing malware while you surf the Net.
These shifty sites and ads pop up boxes disguised as permission requests to update your browser, or claim that you need to download the latest version of the software to run a feature on the page. Clicking any button—often, even the Decline button—gives the attacker authority to run code on your machine, or brings you to a fake download page to install malware disguised as Flash or QuickTime or whatever. Pwned.
Side-stepping these landmines is fairly simple: If a website prompts you to update your software, manually surf to that software’s website and look for updates there, rather than clicking the update pop-up. Don’t click any buttons on the pop-ups, either; close the tab or window completely, or reload the page after you’ve installed the update via official channels.
Other drive-by downloads
Such fake updates and malicious “warnings” are part of a larger trend toward “drive-by downloads,” or attacks designed to infect your computer stealthily by exploiting vulnerabilities in software.
Again, the basics for avoiding such attacks are fairly simple. Keep security and antivirus software active on your machine—but just as important, make sure that your PC and its other applications are current. Stay on top of Windows Update (Control Panel > System and Security > Windows Update), or just set it to install new updates automatically. Use Secunia PSI to automate updates for the rest of your programs: This superb software works in the background to look for new patches, applying updates automatically if possible, or prompting you to install them manually otherwise.
Also consider activating Internet Explorer’s ActiveX Filtering, which blocks all ActiveX content by default. ActiveX is a frequent attack vector for hackers. To turn on the filtering in IE 9 and IE 10, open the Tools menu, hover over the Safety submenu, and click ActiveX Filtering when the Safety options appear.
The aforementioned Web of Trust and Site Advisor plug-ins can raise a flag when you’re on a known attack site, but drive-by downloads have appeared in malicious ads on legitimate websites in the past. Stay patched and stay protected.
Zero-day attacks exploit newly discovered, unpatched vulnerabilities to compromise your system. You can’t do much about these other than following the tips above. The truly paranoid could lock down all the various security options in their browsers—setting Internet Explorer’s security level to High, for example—but to be honest, that’s probably overkill.
If you’re worried about cutting-edge malware, consider running Malwarebytes Anti-Malware Free periodically, or whenever something raises suspicion. It’s designed specifically to identify zero-day attacks, but it doesn’t try to block more common exploits, so you’ll want to use Malwarebytes to supplement your regular antimalware protection.
Direct attacks by port-sniffing hackers aren’t really common, but you can nevertheless protect against such tactics by enabling some sort of firewall. The Windows Firewall tool included in Windows (Control Panel > System and Security > Windows Firewall) works just fine—but it scans only for malicious intrusions.
If you want to keep an eye out for suspicious data flowing forth from your machine—a sign of possible malware infection—then you’ll want a firewall that also sniffs for outbound threats, though such firewalls require a bit more effort to set up properly. ZoneAlarm Free Firewall and Comodo Firewall (32-bit or 64-bit) are two stellar free options; most premium security suites also feature robust firewalls.