In September 2009, some unlucky visitors at the New York Times Web site clicked on an ad that attempted to install malware. The advertisement displayed a popup window informing readers that their computer might be infected with a virus; only by purchasing a new antivirus product could they be sure of having a clean system.
The Times later acknowledged the scam in a posting on its Web site: “Some NYTimes.com readers have seen a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software….If you see such a warning, we suggest that you not click on it. Instead, quit and restart your Web browser.” Phishers and scammers use this and other new tactics to deceive unsuspecting victims.
Phishing refers to an attempt to collect usernames, passwords, and credit card data by posing as a legitimate, trusted party. Often the deception involves using e-mail sent from a trusted address. Originally, phishing applied to the banking and payment industry only, but now it also covers theft of log-in credentials to games, and personal passwords to social networks such as Facebook and Twitter.
Most people wouldn’t reveal their social security number or mother’s maiden name at a strange site. Modern browsers and security software flag such content and ask you whether you’re sure you want to send it; some block it with a red-and-black warning label. So phishers have adopted new tactics.
Fake Antivirus Software an Emerging Problem
Rogue antivirus products are among the latest phishing instruments to appear, and many are quite convincing. Bearing names like Antivirus 2009, AntiVirmin 2009, and AntiSpyware 2009, they have interfaces similar to those of real antivirus apps. Some rogue antivirus products have their own keywords on search engines and cite fake reviews recommending them (including one that I supposedly wrote).
The rogue antivirus product that showed up on the New York Times site installed malware that, if executed, would have lowered the security settings in Internet Explorer, run executable files, and altered the system Registry. Such actions by phishing malware are fairly common. The real security apps knew it, too: Legitimate antivirus vendors AVG, Comodo, Kaspersky, McAfee, Microsoft, Nod32, and Sophos, (among others) detected this particular piece of malware within the first few hours.
Another phishing gambit is a variation on an old scam: The crooks mass-mail a seemingly personalized e-mail message, ostensibly from a bank, containing a fake online chat option.
In this “chat-in-the-middle” attack, as soon as the victim enters a user name and password at the designated online site, a chat window opens up and a scammer posing as a customer service rep at the bank requests additional personal information to confirm the identity of the account holder. By providing these details, the victim gives the thief crucial data.
Roger Thompson, chief research officer at AVG, says rogue antivirus products are common: “The bad guys are clearly making money at it.” Besides benefiting up front by selling the rogue antivirus product, they collect credit card information for future identity fraud.
Jon Miller, director of Accuvant Labs, a security consulting firm that works with Fortune 500 companies and several U.S. government contractors, says that the New York Times incident isn’t unusual. Further, he notes that he has seen an upsurge in the use of malware tailored to customers of particular banks and other financial institutions.
AVG makes a free product called LinkScanner that blocks new phishing attacks, yet allows users to safely view any site. For phishing attacks such as fake chat sessions and fake keywords, AVG’s Thompson says, users need to develop a healthy dose of skepticism, and learn how to kill the browser using Task Manager. That won’t stop Web-based exploits, but it will give you a way to defeat social engineering attacks.
Accuvant’s Miller recommends several common-sense antiphishing strategies:
Use a strong browser. According to Miller, Internet Explorer is the weakest browser, while Firefox and Google Chrome are relatively strong.
Use a malware-resistant platform such as Mac OS or Linux. Though neither is impervious to attack, each is less likely to be targeted than the mainstream Windows operating system.
Use antimalware software; Miller says that his program of choice is Webroot Internet Security Essentials.
Update your software promptly and regularly, but don’t depend on updates as the sole way to guarantee your system’s security. As Miller observes, “malware tends to be ahead of the curve.”
Be cautious and vigilant when using high-profile social networking sites such as Facebook and Twitter.