You’ve been warned that the Internet is something of a security minefield—that it’s easy to get in trouble. You can do everything you can think of to protect yourself and still be taken by a malware infection, a phishing scam, or an invasion of online privacy. We’d like to provide a little help. Here are some of the hazards you may encounter, how dangerous they are, and what you can do to stay out of harm’s way.
Geolocation—your smartphone and perhaps other parties know where you are
The smartphone market is still in its infancy, really, and so are the threats. One possible concern is the use—or abuse—of geolocation.
Although plenty of legitimate uses for location data exist, the potential for inappropriate uses also exists. In one case, a game listed on the Android Market was in reality a client for a spy app (see find.pcworld.com/70802).
and our partners and licensees may collect, use and share precise location data” (www.apple.com/privacy). See find.pcworld.com/70803 to read more on Apple’s new privacy terms and what they mean for you.
Be particular about the location-based sites, apps, and services you use. Services such as Yelp are good examples of useful location-aware apps. On the other hand, weigh the privacy implications of services like Foursquare or the new Facebook Places feature, and consider how much you feel comfortable divulging.
Oversharing—exposing too much personal information on your social network profiles
Oversharing isn’t just a matter of getting a little too personal—it can leave your private information viewable to the general public. But it’s avoidable.
“There is a subtle danger that few people understand with the social networking sites, and that is the idea of information leakage,” says AVG’s Roger Thompson. “People, particularly teens, put all sorts of information online, without realizing that many more people than just their friends can see that data.”
Oversharing could very well lead to more serious privacy issues further down the road, Thompson adds. “As today’s young teens reach an age to apply for a credit card, I fully expect an onslaught of fraudulent card applications on their behalf, because they unwittingly divulged so much information. Harvesting is going on now, and we have no idea who is doing the harvesting.”
This particular threat is relatively easy to avoid, in that a little common sense can go a long way: Just be mindful of what you post. Do you really need to publish your home address and phone number to your Facebook profile?
Finally, be certain to check your privacy settings to make sure that you’re not divulging your deepest, darkest secrets to all 500 million Facebook users.
Websites That Use Flash
Malicious Flash files that can infect your PC
Adobe’s Flash graphics software has become a big malware target in recent years, forcing the company to push out frequent security patches. But another danger you might not know about is associated with Flash cookies. Flash cookies are small bits of data that their creators can use to save Flash-related settings, among other things. But like regular cookies, Flash cookies can track the sites you visit, too. Worse still, when you delete your browser’s cookies, Flash cookies get left behind.
To help protect against Flash-based attacks, make sure you keep your Flash browser plug-ins up-to-date, by visiting find.pcworld.com/70829. And you can configure the Flash plug-in to ask you before it downloads any Flash cookies. To find out how, see find.pcworld.com/69816.
Your E-Mail Inbox
E-mail scams/attachments that get you to install malware or give up personal info
Although phishing and infected e-mail attachments are nothing new, the lures that cybercrooks use are constantly evolving, and in some cases they’re becoming more difficult to distinguish from legitimate messages. My junk mailbox has a phishing e-mail that looks like a legitimate order confirmation from Amazon. The only hint that something’s amiss is the sender’s e-mail address.
Don’t trust anything in your inbox. Instead of clicking on links in a retailer’s e-mail, go directly to the retailer’s site.
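The sender-address check described above can be automated. The following is an added example, not part of the original article: it compares the brand named in the From display name with the domain the address actually uses. The sample message, its domains, and the brand-to-domain table are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real phishing e-mail); domains are made up.
SAMPLE = """\
From: "Amazon.com" <order-update@amaz0n-orders.example>
Reply-To: billing@payments.example
To: reader@example.org
Subject: Your order confirmation

Thank you for your order.
"""

def registrable(host):
    """Crude last-two-labels domain (assumption: ignores suffixes like co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def sender_warnings(raw, brand_domains):
    """Return reasons the From header does not match the brand it claims."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = registrable(addr.rpartition("@")[2])
    warnings = []
    # brand_domains is a hypothetical table: brand keyword -> its real domain.
    for brand, legit in brand_domains.items():
        if brand in display.lower() and domain != legit:
            warnings.append(f"display name claims {brand} but address is at {domain}")
    # Replies routed to a different domain than the sender are a second hint.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and registrable(reply.rpartition("@")[2]) != domain:
        warnings.append("Reply-To goes to a different domain than From")
    return warnings

if __name__ == "__main__":
    for line in sender_warnings(SAMPLE, {"amazon": "amazon.com"}):
        print("WARNING:", line)
```

A clean result is not proof of legitimacy, because the From header itself can be forged; going directly to the retailer’s site remains the safer habit.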
‘Legitimate’ Porn Sites
Malware in photos or videos of scantily clad women
Porn sites have a reputation of being less secure than mainstream sites, but that assumption doesn’t tell the whole story. “There is no doubt that visiting websites of ill-repute is deadly dangerous. If you make a habit of it, it’s a given that you’ll be attacked at some point,” says Roger Thompson, chief research officer with security firm AVG. “Unfortunately, staying away from those sites won’t keep you safe by itself, because innocent sites get hacked all the time, and are used as lures to draw victims to the attack servers.”
And as mentioned earlier, many porn sites operate as actual, legitimate businesses that want to attract and retain customers. That said, it may be hard to tell the “legit” porn sites from malware-hosting sites that use porn as a lure.
Be suspicious of video downloads, or sites that require you to install video codecs to view videos (see the next threat, below). Using tools like AVG’s LinkScanner (linkscanner.avg.com) and McAfee’s SiteAdvisor (www.siteadvisor.com) can help you weed out the malicious sites.
And, again, consider visiting such sites on a secondary machine. You don’t want your browser history on the family PC.
Video Download Sites
Malicious video files using flaws in player software to hijack PCs
Attackers have been known to exploit flaws in video players such as QuickTime Player and use them to attack PCs. The threats are often “malformed” video files that, like malicious PDFs, trigger bugs in the player software that let the attackers in to spy on you, plant other malware, and more.
Keep your player software up-to-date. Apple and Microsoft periodically release patches for QuickTime and Windows Media Player, respectively. Avoid downloading videos at random. Stick to well-known video sites such as YouTube, or to download services like iTunes.
Just About Any Ad-Supported Website
Fraudulent ads on sites that lead you to scams or malware
Hey—ads aren’t all bad! They help sites pay the bills. But cybercriminals have taken out ads on popular sites to lure in victims. Last year, the New York Times site ran an ad from scammers (find.pcworld.com/70807), and earlier this year some less-than-scrupulous companies were gaming Google’s Sponsored Links ad program and placing ads that looked like links to major companies’ websites (find.pcworld.com/70808).
“The bad guys have become very clever at exploiting online advertising networks, tricking them into distributing ads that effectively load malicious content—especially nasty, scaremongering pop-ups for rogue antispyware,” says Eric Howes of Sunbelt Software.
Most large sites, such as PCWorld.com, have ad sales departments that work frequently with a core group of large advertisers, so it’s probably safe to click a Microsoft ad on the New York Times site. But as the Google Sponsored Links incident shows, nothing is entirely fail-safe.
Facebook
Questionable Facebook apps
Facebook apps have long been an issue for security experts. You don’t always know who’s developing the apps, what they’re doing with the data they may be collecting, or the developers’ data security practices. Even though you have to approve apps before they can appear on your profile and access your personal information, from there the security of your data is in the developer’s hands.
Be selective about the apps you add to your profile—don’t take every quiz, for example. Check your privacy settings for Facebook apps, as well: Click the Account drop-down menu in the upper-right corner of Facebook’s site, select and then click under ‘Applications and Websites’. There, you can control which apps have access to your data, and more; you can also turn off Facebook apps altogether.
Shortened links that lead you to potentially harmful places
Scammers love Twitter since it relies so much on URL shorteners, services that take long Internet addresses and replace them with something briefer.
It’s very simple to hide malware or scams behind shortened URLs. A shortened link that supposedly points to the latest Internet trend-du-jour may be a Trojan horse in disguise.
Simply don’t click links. Of course, that takes some of the fun out of Twitter. The other option is to use a Twitter client app. TweetDeck (find.pcworld.com/62924) and Tweetie for Mac (find.pcworld.com/70861) have preview features that let you see the full URL before you go to the site in question.
Some link-shortening services, such as Bit.ly, attempt to filter out malicious links (find.pcworld.com/70866), but it seems to be a manual process, not an automatic one. TinyURL has a preview service you can turn on at tinyurl.com/preview.php.
Video Download Sites, Peer-to-Peer Networks
Trojan horses disguised as video codecs, infecting your PC with malware
If you watch or download video online, you’ve likely been told to download a video codec—a small piece of software that provides support for a type of video file—at least once. Usually, these bits of software are perfectly legitimate (for example, the popular DivX codec), but some less-than-reputable download services or video sites may direct you to download a piece of malware disguised as a codec. Security software company Trend Micro provides a good example of what these attacks look like at find.pcworld.com/70799.
Your safest option is to stick with well-known video sites such as YouTube and Vimeo. And for catching up on the latest episodes of your favorite TV shows, Hulu, TV.com, ABC.com, and iTunes are safer than peer-to-peer networks.
‘Poisoned’ search engine results that go to malware-carrying Websites
Search engine poisoning is the practice of building tainted sites or pages that are designed to rank high in a search on a given topic. For example, according to a recent study by the security firm McAfee, 19 percent of search results for “Cameron Diaz and screensavers” had some sort of malicious payload. Breaking news topics and Facebook are also common search targets for attackers. For more, see find.pcworld.com/70804.
Pick and choose which sites to go to. Don’t just blindly click search results; check each URL first to make sure that it really leads to the site you want. Although any site can be hacked, visiting the Washington Post’s story on a hot news topic, for example, is probably a wiser choice than following a link to a site you’ve never heard of before.
Hacked Websites, Plus Your Inbox
Malicious PDFs that try to fool you into installing malware
So-called poisoned PDFs are PDF files that have been crafted in such a manner that they trigger bugs in Adobe Reader and Adobe Acrobat; posted on a hijacked Website, they may let an attacker commandeer your PC and access your files and personal info.
A newer variant takes an otherwise innocent-looking PDF document and inserts malware into it. Adobe Reader may pop up an alert asking if you want to run the malware, but hackers can edit those messages to trick you into opening the file (find.pcworld.com/70806).
How serious is this problem? In 2009, attacks using malicious PDFs made up 49 percent of Web-based attacks, according to security firm Symantec.
First, always make sure that you’re running the latest version of Adobe Reader.
You can also use a different PDF reader, such as Foxit Reader (find.pcworld.com/70099). This can protect you from attacks on holes in Adobe Reader itself, but it won’t make you immune to all PDF attacks, such as the newer ones that embed malware inside the PDFs. Make sure, also, that you update to Adobe Reader 9.3.3 or later (Reader 8 users should update to version 8.3.3 or later); these updates change the way Adobe Reader handles non-PDF attachments and reduce the risk from such attacks (see find.pcworld.com/70828).
Malware hiding in video, music, or software downloads
Torrent sites (such as BitTorrent) are often used for sharing pirated music, videos, or software, and are a trove of malware. No one vets the download files—they may be malware in disguise.
Ben Edelman, privacy researcher and assistant professor at Harvard Business School, thinks torrent sites are the most dangerous places to visit, since they don’t have a business model or reputation to defend (by comparison, many porn sites rely on being deemed trustworthy). “The [torrent] customers, they really don’t want to pay,” he says.
Use a secondary PC to protect your main system. Use antivirus software, and keep it updated. Scan downloaded files and wait a couple of days before opening them. Brand-new malware can be tricky to catch.
Hacked Legitimate Sites
Drive-by downloads that install malware when you visit a site
A drive-by download occurs when a file downloads and/or installs to your PC without you realizing it. Such downloads can happen just about anywhere. Some sites are built to lure people into a drive-by download; but in a common attack method, criminals will hack a Web page, often on an otherwise legitimate site, and insert code that will download malware to your computer.
The first thing to do is to keep your security software up-to-date, and to run regular malware scans. Many security suites can flag suspicious downloads.
Your Inbox, Hacked Legitimate Sites
Fake antivirus software that extorts money—and your credit card information
Fake antivirus programs look and act like the real thing, complete with alert messages. It isn’t until you realize that these alerts are often riddled with typos that you know you’re in trouble.
Most fake antivirus software is best described as extortionware: The trial version will nag you until you purchase the fake antivirus software—which usually does nothing to protect your PC. Once you send the criminals your credit card information, they can reuse it for other purposes, such as buying a high-priced item under your name.
You can get infected with a fake antivirus app in any number of ways. For example, in drive-by downloads (see the previous item), a malicious payload downloads and installs without the user realizing it or having any time to react.
If you get an alert saying you’re infected with malware, but it didn’t come from the antivirus software you knowingly installed, stop what you’re doing. Try booting into Safe Mode and running a scan using your legitimate antivirus software.
However, such a scan may not clean up all of the malware—either the scanner doesn’t have a signature for one fragment, or that piece doesn’t act like traditional malware. This may render behavioral detection (which spots malware based on how it acts on your system) useless. If all else fails, you may need to call in a professional.