
Every trick in the book:
how hackers take over your computer
(or your bank account)

by Rich Pasco

Spammers will use every trick in the book to get you to click on their links to malicious web sites, or to open their malicious attachments, or to divulge personal information for identity theft. Below are just a few examples. As P.T. Barnum said, “There's a sucker born every minute.” Don't be one of them!

Most are designed to create a sense of alarm and urgency, threatening financial harm, embarrassment or inconvenience unless one takes the bait. Others flatter the recipient and/or hint at sexual benefits. Still others purport to be from a friend with something curiously exciting to share.

Often, the “From:” e-mail address on such fraudulent e-mail messages is forged, or “spoofed”, to resemble that of a well-known service (such as Facebook, MySpace, Verizon or CitiBank). If you have that service in your approved senders list, such junk mail will slip right past your junk-mail filter. You should never trust the “From:” address on any e-mail; it is easy to forge.

There have been an increasing number of incidents where a hacker breaks into an e-mail account and sends junk mail to all that person's contacts. Even if an e-mail seems to be from a friend, it may not be, so proceed with caution. For more information see “Spam from your friends: hacked and spoofed e-mail.”

All the same concerns about e-mail also apply to messages sent via social networking sites like Facebook via mobile phones. Be just as suspicious about strange phone calls and texts as about e-mail messages.

Motives

  1. To trick you into divulging personal information, such as account passwords, social security numbers, etc. (for the crime of identity theft).
  2. To trick you into installing software which will give them total control over your computer.
  3. To trick you into sending them money (e.g. to buy phony anti-virus software, to pay a “fine” to unlock your computer, or to aid a friend allegedly victimized by theft while on vacation).

Means

To this end, they broadcast thousands of e-mail messages which use all kinds of trickery to get you to open an attachment or click on a web link which will take you to a malicious web site, which will either prompt you to enter your personal data or directly load software onto your computer.

The tricky e-mail may pretend to be from your internet service provider or financial institution and ask you to “confirm your details” or “activate your account.” Or it may pretend to come from a known retailer (e.g. Amazon.com) and claim to “confirm” a purchase you allegedly made (but didn't).

The phony e-mail conveys a tone of urgency and a threat of loss if you don't comply quickly. Hackers want you to hurry so you won't have time to think, so they tell you that you will miss out on an offer expiring soon, your card will be charged, your account will be closed, you will be sued, or even that a warrant will be issued for your arrest, unless you quickly take the requested action.

Ways to tell a phony e-mail

  1. It does not directly correspond to any action you recently took. It may claim to be about “system upgrades” or other vague topics. It may allude to a purchase you did not make, a parcel you did not send, or a lottery you did not enter.
  2. It does not address you by your full name, but rather by your e-mail address, or by “dear customer” (even though your full name is on file with your provider).
  3. It contains links which may appear to lead to a legitimate site, but actually lead to a malicious site. (See “Where does a link really lead?” below)
  4. The address on the “From:” is obviously phony, or someone you don't want to hear from. For example, I got a junk mail from david@smashyourfacein.in.net. Note: The converse is not true: Just because an address looks legitimate does not mean that it is. More below.
  5. It is written in bad English. For example, it may contain the phrase, “needs your urgent attention.”

The address on the “From:” line of an e-mail should never be relied on to determine its origin. That line is easier to forge (or spoof) than the return address on the upper-left corner of a paper envelope. It is inserted by the sender's e-mail software, and so a sender can put anything he wants there, be it Bank of America or Santa Claus. (There are, however, postmarks in the hidden headers of an e-mail which advanced users can interpret to determine a message's true origin. For details see “Where in the world is the hacker located?”)

A phony e-mail may include all the same artwork and formatting (stationery) as a legitimate one. It is very easy for a hacker to copy artwork from a legitimate e-mail to a phony one.

Below is a sample of a phony e-mail, purportedly from American Express. As received, all of the hyperlinks lead to the hacker's web site! What lay there, I don't know, because I didn't dare click on them, but it would most likely either install malware on my computer or present a login screen looking like Amex's, designed to trick me into entering my Amex username and password.

(Image: Sample phony e-mail)

What to do with a phony e-mail

If you receive such an e-mail, the safest course is to simply delete it. If in doubt about your account with your bank or other service, do not click on the link in the e-mail; instead sign in by going to their known web address from a trusted source (e.g. printed on your last statement). And, if you would like my opinion, feel free to contact me.

I used to believe that there was no harm in simply visiting a web site, and would occasionally click on a link in an e-mail out of curiosity, just to see where it led. I was too smart to enter my personal credentials on any form there, but I wanted to see how the site looked. Unfortunately, twice in one year, my computer got infected by malicious software by my doing so. This is colloquially called a “Drive-by download.” In each case, I was running Windows XP with all the latest security patches from Microsoft, the latest Mozilla Firefox browser, and the latest AVG anti-virus. But still malicious software got installed, apparently from scripts on the web sites.

I've received e-mail from Macintosh users who gloat about how they are not vulnerable to viruses and malicious software. While it is true that far more viruses are targeted at Windows than at Mac OS, and Windows is more vulnerable than Mac OS, Macs are not invincible, and the same general precautions apply. And no OS in the world will protect against a user who gives away his password by typing it into a phony web page.

Where does a link really lead?

Since hackers send out spam (junk mail) with a goal of getting you to click on links to their malicious web pages, it is important to know where a link in an e-mail really leads, before you click on it. With HTML-formatted e-mail (most e-mail with multiple fonts, embedded graphics, etc.), what you see (in the visible text) is not what you get (when you click on it). The visible appearance of a link can be set independently of where it really leads. If you don't believe me, click on this link to see what happens:

http://www.google.com/

In this example, the visible text says Google, but the hidden hyperlink really leads to my own page (which is harmless).

So if you can't trust the visible text to tell where a link leads, how can you tell? The answer depends on your e-mail client application, your operating system, and if you're using a web-based e-mail client, your browser. In some, you can hover your mouse over the link and view its target in your status line. In others, you can right-click on the link and choose "Properties", then look at the address shown on the pop-up. Check with your system's user's manuals to be sure.

If the target address doesn't match the visible text, beware!

The figure below shows a phony message which I actually received, as displayed in my e-mail client, Mozilla Thunderbird. The top circle shows my cursor hovering over the link “let us know immediately” (I did not click on it!) and the bottom shows Thunderbird displaying the actual target of that link in the status line. I know the message to be phony because the target is not facebook.com.

(Image: Phony Facebook)
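The check described above, hovering over a link and comparing the status-line target with what the text claims, can be automated for a whole message. The Python below is an added example, not code from the article or from Thunderbird: it pulls every link out of an HTML message, compares any host named in the visible text with the host the href really points to, and separately lists every link that does not lead to the service the message claims to be from (facebook.com here, as in the screenshot). The sample message and the hostnames in it are constructed placeholders, and the two-label domain comparison is a simplification that a real filter would replace with a public-suffix list.

```python
"""Find links in an HTML e-mail whose visible text and real target disagree.
Added example for illustration; it is not code from the article.  The
message below is constructed, and the hostnames in it are placeholders."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: two links use Facebook wording but point at a
# placeholder host; the Google and statement links are honest.
SAMPLE_HTML = """
<p>Unusual activity was detected on your account. Please
<a href="http://login-check.example.net/fb">let us know immediately</a>
by visiting <a href="http://login-check.example.net/fb">www.facebook.com</a>.</p>
<p>Search: <a href="https://www.google.com/">Google</a></p>
<p>Statement: <a href="https://www.example.com/statement">https://www.example.com/statement</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# A hostname-looking string inside the visible text, e.g. "www.facebook.com".
HOST_RE = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)


def registered_domain(host):
    """Compare on the last two labels (a rough stand-in for a public-suffix check)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def collect_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def mismatched_links(html):
    """Links whose visible text names a host different from the href's host."""
    out = []
    for href, text in collect_links(html):
        m = HOST_RE.search(text)
        if not m:
            continue  # visible text is plain words; nothing to compare against
        shown = registered_domain(m.group(1))
        real = registered_domain(urlparse(href).hostname or "")
        if shown != real:
            out.append((text, href))
    return out


def foreign_links(html, expected_domain):
    """Links that do not lead to the service the message claims to be from."""
    return [(text, href) for href, text in collect_links(html)
            if registered_domain(urlparse(href).hostname or "") != expected_domain.lower()]


if __name__ == "__main__":
    for text, href in mismatched_links(SAMPLE_HTML):
        print(f"text says {text!r} but link goes to {href}")
    for text, href in foreign_links(SAMPLE_HTML, "facebook.com"):
        print(f"not facebook.com: {text!r} -> {href}")
```

Note that the wording “let us know immediately” names no host at all, so only the second check catches it; that is exactly the case in the screenshot, and it is why the visible text alone can never be trusted.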

Examples of Scams

The “suspicious activity” scam

You get an e-mail, apparently from one of your financial services providers, stating that there has been some suspicious activity on your account, so click on this link for details. In reality, the mail is phony, its “From:” address is spoofed, and the link leads to a site designed to trick you into divulging your login credentials (phishing) or to install malicious software on your computer (drive-by download). If you receive such an e-mail, do not click on any links in it. Instead, if in doubt about your account, visit your financial service's web site via a trusted bookmark and check your account there.

Here is an example of one I recently got. Notice that the link leads to a site in Moscow, according to the useful site ip2location.com.

(Image: Suspicious Activity)

The “robbed-on-vacation” scam

You get an e-mail, ostensibly from a friend, stating that he or she took an unplanned vacation and was robbed, so please send money. Most likely, your friend is safe at home, and either his e-mail account was hacked or his address was spoofed. You may notice a “Reply-to” line in the header so that your reply goes not to your friend but to the hacker who has created a similar, but subtly different address. If you reply and send money, you will never see your money again. Instead, you should call your friend on the phone and discuss the situation.
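The “Reply-to” trick just described, along with the red flags listed under “Ways to tell a phony e-mail” (generic salutation, not addressed by name, sent to a long list), can be checked mechanically from the raw message. The Python below is an added example, not code from the article: it parses a message with the standard library and reports a Reply-To: whose domain differs from the From:, more recipients than a threshold, a “Dear Customer”-style opening, and a body that never uses the recipient's name. Both messages it parses are constructed, and the flag names, the three-recipient threshold and the list of generic salutations are my own choices.

```python
"""Header-level red flags for a phony e-mail: a Reply-To: that diverts answers
to a different domain than the From:, a long recipient list, a generic
salutation, and a body that never uses the recipient's name.  Added example,
not code from the article; both messages below are constructed."""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed "robbed on vacation" message: From: looks like a friend, but
# Reply-To: quietly sends any answer to a look-alike domain.
SCAM_RAW = """\
From: "Pat Friend" <pat.friend@example.com>
Reply-To: "Pat Friend" <pat.friend@example-mail.net>
To: a@example.org, b@example.org, c@example.org, d@example.org, e@example.org
Subject: Urgent help needed
Content-Type: text/plain; charset="utf-8"

Dear Customer,
I took an unplanned trip and was robbed. Please send money today.
"""

# Constructed genuine message from the same friend, for comparison.
CLEAN_RAW = """\
From: "Pat Friend" <pat.friend@example.com>
To: rich@example.org
Subject: Lunch?
Content-Type: text/plain; charset="utf-8"

Hi Rich, are you free on Thursday?
"""

# Openings that a sender who knows your name would not use (my own list).
GENERIC_SALUTATION = re.compile(
    r"^\s*dear\s+(customer|user|driver|cardholder|member|friend)\b", re.I)


def domain_of(addr):
    """The part after '@', lower-cased; empty if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def plain_body(msg):
    """First text/plain part decoded to str (works for single- and multipart)."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def header_red_flags(raw, recipient_name=None, max_recipients=3):
    """Return short flag codes; an empty list means nothing stood out."""
    msg = message_from_string(raw)
    flags = []
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        flags.append("reply-to-domain-mismatch")
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if len(recipients) > max_recipients:
        flags.append("many-recipients")
    body = plain_body(msg)
    if GENERIC_SALUTATION.match(body):
        flags.append("generic-salutation")
    if recipient_name and recipient_name.lower() not in body.lower():
        flags.append("not-addressed-by-name")
    return flags


if __name__ == "__main__":
    print("scam :", header_red_flags(SCAM_RAW, recipient_name="Rich"))
    print("clean:", header_red_flags(CLEAN_RAW, recipient_name="Rich"))
```

None of these flags proves anything on its own (a mailing list legitimately has many recipients, and some people do set a Reply-To:), which is why the article's advice stands: when money is involved, pick up the phone.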

The shared file scam

You get an e-mail, ostensibly from a reputable file-sharing service, for example Dropbox, stating that someone has used their service to share a file with you, so click here to view. You click on the link. Gotcha!

Several red flags highlight your way:

  1. The e-mail probably did not really come from Dropbox, but from the hacker. The address on the message's “From:” line was spoofed.
  2. You probably do not know the person who allegedly sent it to you.
  3. The link does not lead to the file sharing service, but someplace else. (See “Where does a link really lead?” above)
  4. Although “view” sounds innocuous enough, you really have no idea what you are getting. It could be a malicious executable file to take over your computer.

(Image: The shared file scam)

The credit card concern scam

You get an e-mail, ostensibly from the issuer of one of your credit cards, advising you of a security concern with your card, offering a link to resolve the concern, and warning that if you don't act then your card will be declined. But really there is no problem with your card, the e-mail comes from a hacker, and the link leads to a phony site which will either ask for personal details (for the crime of identity theft) or install malicious software onto your computer.

(Image: Phony Amex)

The customer reward scam

You get an e-mail, ostensibly from a business of which you are a customer, thanking you for your loyalty and offering a gift card as a reward. Simply click this link to “activate” your reward. Beware!

As likely as not, the real sender of the e-mail has nothing to do with the business they claim to represent (remember, the “From:” address may be spoofed), and the link only leads to misery for you: either it will install malicious software or trick you into completing a “survey” or otherwise divulging personal information. See “Where does a link really lead?” above.

The phony insurance cards scam

USAA is a reputable insurance company, which e-mails its policyholders their insurance ID cards in PDF format. Nothing wrong with that, no scam there. But scammers have taken the opportunity to forge realistic-looking e-mail messages (see below) which closely mimic USAA's e-mail message, with a few exceptions:
  1. The genuine one is sent to just you; the phony one is sent to a long list of e-mail addresses.
  2. The genuine one addresses you by name, the phony one begins “Dear Driver.”
  3. The genuine one shows your name and the last four digits of your USAA number in the “USAA SECURITY ZONE” in the top-right corner; the phony one shows no name and a random 4 digits.
  4. The genuine one specifies which vehicle USAA insures for you; the phony one does not.
  5. The genuine one carries a PDF file attachment; the phony one carries a ZIP archive containing a malicious executable .SCR file.

(Image: Phony USAA)

The Phony “Tech Support” Scam

You get a phone call or e-mail stating that they have discovered a problem with your computer and offering to fix it if only you'll allow them remote access to it. They may or may not ask for your credit card number to charge their “support fees.”

A telephone caller may claim to be from Microsoft, which is a good reason to not believe him—Microsoft does not make phone calls! He may invite you to follow a procedure and discover a number among the system files of your computer, which he says “proves” your computer is infected, when in truth every computer has that number.

Or maybe a realistic looking pop-up tells you that you have an infection, and offers a “help” button to learn more and fix it. Likely the pop-up is phony, and the “help” button leads to more misery. Your concern should be, where did that pop-up come from, and how did it get onto my screen?

Be very careful to whom you give control over your computer. Not everyone who claims to be “support” is on your side! Remember that once you give someone remote access to your computer, they may install software giving them permanent control over it. Effectively, they now “own” your computer, even though you house it and feed it electricity.

For more information see

The Dual-Extension Trick (Phony cell-phone pictures)

You get an e-mail apparently from a username at vzwpix looking like a ten-digit phone number (spoofed of course), as if to suggest pictures from a cell phone. The attachment is not a JPG image but a ZIP file containing a file named 8400587498Img_Picture.jpeg.exe. Luckily you have changed your Windows settings so as not to hide known extensions, so you recognize the executable file and don't open it. Whew!

The ACH Transfer Form

You get an e-mail, ostensibly from a well-known bank, reading:

Please fill out and return the attached ACH form along with a copy of a voided check.
There are two red flags in that one! First, I only give ACH transfer forms and voided checks to businesses I trust, in conjunction with a transaction I have initiated. And second, the attachment is a ZIP archive containing an executable file, which most certainly installs malicious software on the computer of anyone who runs it.
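The dual-extension trick, the USAA ZIP carrying a .SCR file, and the ACH form above all come down to the same thing: an attachment that is really a program. The Python below is an added example, not code from the article: it shows what Windows displays for a double-extension name when known extensions are hidden, flags file names whose final extension is executable (and notes when a picture or document extension sits in front of it as a decoy), and looks inside a ZIP archive for such members without extracting or running anything. The archive is built in memory with dummy contents, the file names other than the article's 8400587498Img_Picture.jpeg.exe are constructed, and the extension lists are a representative subset rather than a complete catalogue.

```python
"""Recognize attachments that are really programs: a double extension such
as ".jpeg.exe" (which Windows shows as ".jpeg" when known extensions are
hidden), a bare executable such as ".scr", and a ZIP archive that carries
one.  Added example, not code from the article; the archive below is built
in memory with dummy contents and the file names are constructed."""
import io
import zipfile

# Extensions that Windows runs as a program when double-clicked
# (a representative subset, not an exhaustive list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif", "vbs", "js", "msi", "hta"}
# Extensions that suggest a harmless picture or document and so make a good decoy.
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "txt"}


def displayed_name(filename):
    """What Explorer shows when 'Hide extensions for known file types' is on:
    the final known extension is dropped, so x.jpeg.exe appears as x.jpeg."""
    base, dot, ext = filename.rpartition(".")
    if dot and ext.lower() in EXECUTABLE_EXTS | DECOY_EXTS:
        return base
    return filename


def classify_name(filename):
    """Reasons a file name looks like a disguised program (empty list if none)."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    reasons = []
    if len(parts) < 2:
        return reasons
    last = parts[-1]
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{last}")
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            reasons.append(f"decoy extension .{parts[-2]} hides .{last}")
    return reasons


def build_sample_zip(names):
    """Constructed archive for the example; members hold dummy bytes, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"dummy content for the example")
    return buf.getvalue()


def inspect_zip(data):
    """Map each suspicious member of an in-memory ZIP to its reasons.
    Only the directory is read; nothing is extracted or executed."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def attachment_is_safe_to_open(filename, data=None):
    """True only when neither the name nor (for a ZIP) any member looks executable."""
    if classify_name(filename):
        return False
    if data is not None and filename.lower().endswith(".zip"):
        return not inspect_zip(data)
    return True


if __name__ == "__main__":
    name = "8400587498Img_Picture.jpeg.exe"
    print("Explorer would show:", displayed_name(name))
    print("reasons:", classify_name(name))
    archive = build_sample_zip([name, "readme.txt"])
    print("inside the ZIP:", inspect_zip(archive))
    print("safe to open?", attachment_is_safe_to_open("pictures.zip", archive))
```

The name check is deliberately conservative: it reports a program by its extension only, so a renamed executable would slip past it. That is the same reason the article advises opening archives with a trusted archive application rather than trusting what a name appears to say.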

The Phony Friend/Link Request

You receive an e-mail, ostensibly from a social networking site of which you are a member (e.g. Facebook, LinkedIn) saying so-and-so wants to be your friend, so click here to accept the request. As soon as you click on the link, your computer is compromised. Or maybe it takes you to a phony login screen (see below). Problem is, the e-mail was a forgery (spoof) which didn't really originate from the service it seemed to, and the link didn't lead to that service but to a hacker's site (which may closely resemble its legitimate counterpart).

Next time, you won't believe the “From:” address on the e-mail (see “Ways to tell a phony e-mail” above) and you will check where the link leads before clicking it (see “Where does a link really lead?” above).

The phony login screen

This scam has been around since the 1960's, but people are still falling for it. You see a log-in screen which looks just like the log-in screen of your e-mail system, bank or other account, so obligingly you enter your username and password. You don't know it, but you have unwittingly given a hacker full control over your account. Next time, you'll be more cautious:

  • Look in your browser's Address bar and make sure the page onto which you're typing really belongs to the service to which you intend to log in.
  • Be especially cautious if a log-in screen pops up at unexpected times. For example if you're already reading your e-mail and you click on a link in an e-mail and a new log-in screen pops up, it is probably phony. Maybe you shouldn't have clicked on that link in the first place.

The phony shared document

You get an e-mail stating that someone is sharing a document with you by a document-sharing service like Google docs, so click this link to retrieve it. But the link doesn't really lead to Google; it leads to a phony look-alike page on the hacker's server which collects your personal credentials. Read more from Sophos Naked Security.

(Image: Google docs)

Breaking News

You receive an e-mail, ostensibly from a reputable news source like CNN, BBC, or MSNBC, stating that someone has shared a news item with you. The headline sounds amazing, so you click on the link to learn more. The link infects your computer with malicious software and your computer now belongs to the hacker.

The Fax (or Scan)

You receive an e-mail telling you that you have received a fax (or a scan) and it is attached. The “From” address is forged to be something familiar so it slips past your spam filter. However, the attachment is not really a fax or document image but an executable file, so as soon as you open it, your computer belongs to the hacker.

“Someone who cares has sent you a greeting card”

You get an e-mail saying “someone who cares” or “a family member” has sent you a greeting card, so “click here to open it.” Eager to find out who sent it to you, you click on the link or open the attachment. Gotcha! You've been zapped.

Legitimate e-card services will tell you the name of the friend or relative who sent you the card. Even so, before opening it, verify that the link actually leads to a greeting card service you recognize and trust. Depending on your e-mail client, you can usually do this by hovering your mouse over the link while watching the status line. If in doubt, contact the friend and ask if they really sent you a card.

The “You Sent a Payment” trick

You get an e-mail, ostensibly from PayPal or a credit card company, “confirming” that you sent a payment which you know you didn't send. Just click on this link for details, the message says. Gotcha!

The “Your Computer is Infected” trick

In one variation, a shady web site pops up a window appearing like a system notification, stating that your computer is infected by a virus. Click here to download the software that will cure it. Only problem is, the pop-up is phony and the software in fact takes over your computer for malicious purposes.

In another variation, an anonymous telephone caller says he's with “The IT Department” or a major software company, and with a routine scan has identified malicious software on your computer. If you'll only permit him remote access to your computer then he will remove it for you. You'd be a fool to grant any stranger even temporary remote access to your computer, and if you did, you'd find that he installs software he needs to permanently give him control over it.

One common way hackers take control is by popping up a notice telling you that you have a virus and to call a certain number for help in removing it. Just close the window and don't call the number. If you do call:

  1. If you give them your credit card number, then they will fraudulently charge your card. Your bank will have to cancel the card to get them to stop.
  2. If you give them remote access to your computer, then they will install malicious software to give them permanent control.

Do not call that number! What you should do instead is determine how and why that notice popped up in the first place. If it is a web browser window, it is probably an “advertisement” embedded from a dubious site you were browsing. Just closing the window should solve it. Conversely, if it came from anywhere else, you should scan your system for malicious software.

The “Air Fare Sale” trick

You get an e-mail ostensibly announcing very low prices on plane tickets (maybe even free) from a major airline. Just click here for details. However, the e-mail comes not from an airline but from a scammer. Gotcha!

“Your bill is now available”

You get an e-mail appearing to be from a popular vendor or financial institution (e.g. Amazon.com, Verizon Wireless, PayPal, CitiBank, etc.) which looks just like a routine notification that your bill is available on-line. A very few clues suggest that the mail is phony: it does not include your real name (e.g. it begins “Dear Customer” or “Dear Cardholder”), or the balance due is way in excess of what you expect. It includes a link “View your detailed bill.” Eager to find out the problem, you click on that link. Gotcha! The link installs malicious software. You learn: next time you'll hover your mouse over that link and look at your status line to see where it really leads before clicking on it. If in doubt, you'll go directly to your vendor's web site via a bookmark you trust, to view your account.

The “software update” trick

You get an e-mail purporting to be from a known software publisher like Microsoft or Adobe, claiming that your software is out of date and needs to be updated, so click here to install the update. Only problem is, the e-mail didn't really come from that publisher, and the link installs malicious software. Gotcha!

In a variation, you visit a dubious web site offering exciting videos (e.g. late-breaking news or erotic videos), but in the box where you expect a video, you see a notice stating you need an updated video player, so click here to install it. Gotcha!
(Images: Phony Flash; phony media player ad)
Example phony media player advertisements: Beware!

Remember two important rules:

  • Legitimate software publishers do not send updates by e-mail.
  • Links on untrusted web pages are not trustworthy.

Many applications can be configured to automatically update themselves by connecting directly to their publisher's legitimate server; this is the preferred way to keep your software up to date. And if you do need an update that didn't get installed this way, please directly visit the publisher's web site by going to a known, trusted address, rather than by a link in an unsolicited e-mail or dubious web page.

The “notification pending” trick

An e-mail pretends to come from Facebook, LinkedIn, or another popular social-networking site. The “From:” address is forged (spoofed) accordingly, and the body exhibits a phony but convincing replica of that service's graphics and tells you that you have a notification, friend request, or other message pending on their system, so click here to get it. Gotcha!

The wise user, upon receiving such an e-mail, will not click on the link in the e-mail without first checking where it really leads. (In some e-mail programs, you can hover your mouse over the link and read the status bar.) Better yet, just delete the e-mail and then log into your networking site in the usual way to see what messages may await you there.

Emil Protalinski of ZDNet gives details of one version of this trick in his article Virus warning: Someone tagged or added a photo of you on Facebook.

Your craigslist ad has been posted

You get an e-mail, ostensibly from craigslist, confirming that your advertisement has been posted. Only problem is, the ad isn't yours, and the item advertised isn't one you're selling. So you click on the link provided to view the ad in full. Gotcha! The “From:” line was a forgery (spoof), and even though the visible text shows a craigslist address, the hidden hyperlink leads somewhere else. You need to learn to hover your mouse over a hyperlink to see where it really leads before you click on it.

The “order confirmation” trick

You receive an “order confirmation” e-mail ostensibly from a known retailer (e.g. Amazon.com) or a known credit card (e.g. MasterCard) confirming a purchase you allegedly made. You know you didn't make the purchase, so you click on a link to view the details. Gotcha!

If you suspect that something you didn't order was charged to you, you should go directly to your credit card company by telephone or by the link you trust and usually use—not the link in the e-mail. If you can't corroborate the e-mail, that confirms that it was phony.

The parcel delivery problem

You receive an e-mail message telling you that a parcel you shipped could not be delivered, and please click here (or open the attachment) for details. Gotcha!

The giveaways are that you didn't ship a package recently, the e-mail comes from a shipping agency you don't patronize or that doesn't exist (e.g. United States Parcel Service or United Postal Service), and it is very vague except for the insistence that you open the attachment or click on the link. Besides, how would they know your e-mail address, anyway?

The travel reservations trick

You get an e-mail ostensibly from an airline, hotel or travel agent saying that they have your reservations, just click here to see the details. You don't recall making any, so you click to investigate. Gotcha!

Unless the e-mail comes from an agent with whom you already made reservations and includes information which a stranger would not know (such as your full name, travel dates, itinerary, flight numbers, etc.) it's safest to just delete it.

“Is this you in this video?”

You get an e-mail message, apparently from a friend, asking “Is this you in this video?” You wonder what videos showing yourself might have been posted on-line, so you click the link. Gotcha!

In a variant of this scheme, the link takes you to a page pretending to be a video player unable to play the video unless you install a new video driver. Gotcha! Please see the “software update” trick above, and my page about executable files.

“I liked your profile ... here's mine”

This one preys on people having profiles on singles dating or social networking sites. You get an enticing e-mail flattering you on your profile and inviting you to click on a link to see their profile, or open an attachment to see their picture. Gotcha!

The dead giveaways are that the e-mail doesn't state which profile the writer saw, where he saw it, or what he liked about it. It's vague enough to apply to anybody with a profile anywhere! Also, legitimate social networking services don't give out your e-mail address. If someone responds to your profile, their response will be forwarded by the service, not come directly from the correspondent. If, having read all this, you still feel compelled to reply, then you should ask which profile the person saw and, “Just what about my profile was it that you liked?” Only proceed if you get a credible response to this question.

Here is an obviously phony e-mail message, because it claims to have gotten my e-mail address from Facebook, and Facebook does not give out my e-mail address:
My name is Blessing. i got your email address while browsing today at www.facebook.com, can we be friends? i will like to know you more then. I will tell you more about myself with my picture as soon as i get your reply, I believe we can move from here! (Remember the distance,colour or age does not matter but love matters a lot in life)hoping to read from you, Miss Blessing.

The “job offer” (or opportunity) scam

You're looking for work, and you get an unsolicited e-mail purporting to offer you a job. Full details are in this link; click here. Gotcha!

To defend against this one, look carefully at the e-mail. Was it addressed to you by name (as a legitimate inquiry would be) or just by e-mail address? Did the writer say what it was about your résumé that interested him or her? Does the offer state the physical location of your new workplace? (If not, why not?) Your salary? (Legitimate employers save this for a printed job offer letter.) Does it urgently request immediate action (within minutes or hours)? If it seems to have come from a job-search site where you have a résumé listed, are you sure? Some spammers forge, or “spoof” the address of a well-known job site. As always, never click on a link unless you're sure where it leads. (See “Where does a link really lead?” above.)

The erotic photo trick

An unsolicited e-mail carries an attachment or link with a cover letter claiming it's an erotic photo. For example, here's one I actually got:

Hey. I am attaching a pic of my big boobs. Enjoy my love!
Fortunately, my virus scanner deleted the attachment. Yours may or may not. Here's a news story about a similar trick.

“Your e-mail account will be terminated”

This one threatens to cancel the recipient's e-mail account unless certain very personal details are divulged by return e-mail. Of course the e-mail doesn't really come from your service provider (who would already have this information), and your response allows the scammer to steal your identity. Here's one example:
ATTN,

We are currently upgrading our database and as such terminating all
unused accounts to reduce congestion on the network. To prevent
your account from being terminated, you will have to update it by
providing the information requested below:

******************************************
PLEASE CONFIRM YOUR EMAIL IDENTITY NOW!

Email : ......................  Password : ..................  Date
Of Birth : ..............

******************************************

NOTE: Your data and information will not be interfered with or
tampered we will just record your data back into our data base and
send you an email and after 24hours. Warning!!! Account owners
that refuses to update their account may lose such an account
permanently.

Message Code: NXDT-4AJ-ACC Thank you, Mail Support Team.

Upgrade on your Webmail Account.
Delete this junk mail. If you still suspect something wrong with your e-mail account, contact your service provider by a trusted means.

The “Credit Card Overdue” trick

You get an e-mail claiming that your credit card payment is overdue, but the late fee will be waived if you open the attachment right away, or complete and submit this form. Catch is, the e-mail didn't come from your bank, the attachment installs malicious software on your computer, and the form doesn't go to your bank but sends your personal information to the con artist who sent it to you. Gotcha!

What to do instead: Delete the junk mail. If you really suspect something is amiss with your credit card, log in to the bank's web site via a link you trust and check your account activity there.

The “Better Business Bureau” trick

You get an e-mail purporting to be from the Better Business Bureau reporting a complaint against you. Details are in the attachment. However, the e-mail is phony and the attachment (or link) leads to malicious software. Gotcha!

The Wedding Invitation

You get an e-mail inviting you to a wedding, except it doesn't name the bride and groom, state the location or give any other important details, which are supposedly on the linked page. If you click for details, your computer belongs to the hacker.

You are Cordially Invited to Celebrate
the Our Wedding
On Tuesday March the 29 at Four O'clock
Followed by a Reception

This example was received in 2013, in which March 29 is not Tuesday. Notice also the bad grammar, “the Our”.

The Lottery

You get an e-mail stating that you've won a lottery, click for details. If you do, maybe you download malware, or maybe you're asked to pay a “processing fee” to claim your winnings.

Questions to ask: Did I buy a ticket in that lottery? Did I give my e-mail address when I did? Does the e-mail make reference to that purchase? Unless all three answers are yes, the e-mail is either a malware scam or a financial scam.

“Scan from a Hewlett-Packard ScanJet”

You get an e-mail from someone you don't know with the above title, and are tempted to open the attachment. After all, what could be wrong with a scanned image? Gotcha! Problem is, it's not a scanned image, but a link to install malicious software on your computer.

The downloader

A web site offers a free download of a popular music album, movie, or other software, but to get it you must first download and install an executable download utility (in .exe format). Be very careful! Reputable distributors (like Amazon.com) may provide an innocuous downloader (like Amazon's MP3 Downloader), but other, unscrupulous distributors may include malicious code in their downloader, so that while your music is downloading, so is their ability to take over control of your computer. Remember, opening any executable file gives total control of your computer to its distant and unknown author, so you should only use executable files obtained directly from publishers you know and trust.

The phony self-extracting archive

An archive file is a big file containing lots of little files. For example, a music album might be stored as a single archive containing a separate file for each song or track. Popular archive formats include ZIP and RAR. Normally, an archive file needs an application program to unpack it (extract the individual files it contains), e.g. WinZIP or WinRAR.

For the convenience of people who might receive an archive file, publishers of archive software offer an option to create a self-extracting archive file, which is an executable file (.EXE) comprising an archive file plus extraction software in a single file. So far, all that is legitimate.

Unfortunately, hackers have seized on the opportunity to distribute malicious executable files disguised as self-extracting archives, to trick their recipients into installing their malicious software. Remember, any time you run any executable file, you give its author full control over your computer system.

Therefore, when obtaining archive files, it is strongly recommended that you choose the regular archive format over its self-extracting, executable counterpart. Even if you get the executable format, you still should be able to open it with your trusted archive application without actually executing it. If you can't, do not open it (execute it) directly.
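The advice above, to look inside an executable "self-extracting" file with a trusted archive program rather than running it, can be checked mechanically. The following Python script is an added example and is not part of the original article: it builds a small ZIP archive and a fake self-extracting file (a dummy "MZ" stub with the ZIP appended; both are constructed here, neither is real malware), then classifies each blob by its leading magic bytes and lists the archive entries without executing anything. Python's standard zipfile module locates the end-of-central-directory record from the end of the file, so it can read a ZIP that has an executable stub in front of it. The "Rar!" signature check is included for completeness; the script does not unpack RAR data.

```python
import io
import zipfile

# Constructed sample inputs for this example (not real files from the article).
def build_zip(entries):
    """Build an in-memory ZIP archive from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

SAMPLE_ENTRIES = {"track01.mp3": b"not really audio", "README.txt": b"hello"}
PLAIN_ZIP = build_zip(SAMPLE_ENTRIES)
# A dummy stub that merely starts with the "MZ" executable signature; it is
# not a runnable program, just enough to stand in for an extractor stub.
FAKE_STUB = b"MZ" + b"\x00" * 62 + b"dummy stub, not a real program\n"
SFX_LIKE = FAKE_STUB + PLAIN_ZIP          # looks like a self-extracting ZIP
NOT_AN_ARCHIVE = FAKE_STUB + b"\x00" * 200  # executable with no archive inside

ZIP_MAGIC = b"PK\x03\x04"
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"

def classify(data: bytes) -> dict:
    """Classify a blob by its magic bytes and, without executing it, list the
    ZIP entries it contains (if any).

    kind is one of: zip, sfx-zip, rar, executable, unknown.
    """
    result = {"kind": "unknown", "is_executable": False, "entries": []}
    if data[:2] == b"MZ":
        result["is_executable"] = True      # Windows executable signature
    if data[:4] == ZIP_MAGIC:
        result["kind"] = "zip"
    elif data.startswith(RAR4_MAGIC) or data.startswith(RAR5_MAGIC):
        result["kind"] = "rar"
    # zipfile finds the central directory from the END of the data, so a ZIP
    # with a stub in front of it is still readable here without running the stub.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            result["entries"] = zf.namelist()
            if result["kind"] == "unknown":
                result["kind"] = "sfx-zip" if result["is_executable"] else "zip"
    except zipfile.BadZipFile:
        pass
    if result["is_executable"] and not result["entries"]:
        # Starts with MZ but carries no archive we can read: treat as a plain
        # executable, i.e. exactly the case the article warns about.
        result["kind"] = "executable"
    return result

if __name__ == "__main__":
    for label, blob in [("plain zip", PLAIN_ZIP), ("sfx-like", SFX_LIKE),
                        ("stub only", NOT_AN_ARCHIVE)]:
        print(label, classify(blob))
```

A file that reports kind "executable" (MZ signature, no readable archive inside) is the one to leave unopened; a "sfx-zip" can be unpacked with an ordinary archive tool as the text recommends, so the stub never needs to run.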

Sneakware

I'm not sure whether this topic belongs on this page, since whether or not it is about truly malicious software is open to argument. But I get really angry about sneakware, and I feel like I have to warn people somewhere.

By definition, sneakware is unwanted software which tags along for the ride when installing something you want. In that sense it is a kind of Trojan horse, although the latter term is usually applied to truly malicious software (malware).

Sneakware comprises commercial applications which are not truly malicious, because some users deliberately and voluntarily choose to install them. However, because their publishers stand to gain by getting as many users as possible, they pay the publishers of unrelated software to bundle their installers together, so that when a consumer installs a desired piece of software, the sneakware gets installed too.

Prevention

When installing any software, particularly that which is distributed free or at very low cost, pay careful attention to the questions it asks when being installed. In the installer, don't be afraid to always choose the “advanced” installation over the “standard” one. Do not just click OK, OK, OK all the way through on each screen. Instead, read carefully the options presented (especially the pre-checked ones) and ask yourself whether they truly represent your wishes. If you don't understand them, ask a more computer-literate friend to explain them. Some of the options to be careful about are:
  • Make [this software] the default application to open everything it can [thus replacing the associations you have already made between file types and your favorite applications to open them]. If you're like me, you probably already have a preferred way of opening the files on your system, and you may not want this newcomer to replace it.
  • Also install the ________ browser. Unless you're installing a browser (software to display web pages) today, why would you want to accept such an offer?
  • Make ________ your default browser
  • Make ________ your default search engine
  • Install the ________ toolbar

The phony Intel® Driver Update Utility

You need a software driver for an old piece of hardware, so you enter a description into Google and you find an advertisement for the “Intel® Driver Update Utility” featuring this screen shot:

phony screen shot

If you accept the bait and download this software, you have just turned full control of your computer over to the hackers. Sometimes, the hackers even charge you money for the privilege! The problem is, you didn't get it directly from Intel!

The genuine software

The genuine Intel® Driver Update Utility is available free of charge directly from Intel. To be sure, verify that the URL begins:

http://www.intel.com/

As of this writing (December 2015) the screen of the genuine utility looks like this. Notice any difference?

genuine screen shot

Of course, any hacker could clone any screen shot for his ad, just as easily as I did for this article. So you should not rely on screen shots to determine software authenticity. Instead the rule is:

Only download software directly from a publisher you know and trust.
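The check suggested above, that the genuine utility's URL begins with http://www.intel.com/, can be turned into a small function. The Python below is an added example, not code from the article or from Intel: it keeps the article's literal prefix test for comparison and adds a check on the parsed hostname, which also accepts an https:// address on the same site and rejects addresses where "www.intel.com" merely appears somewhere in the text. The trusted host list and every sample URL other than http://www.intel.com/ are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Assumption for this example: the publisher's site is intel.com and its
# subdomains. The article itself names only the http://www.intel.com/ prefix.
TRUSTED_HOSTS = ("intel.com",)

def prefix_check(url: str) -> bool:
    """The article's rule, taken literally: the URL must begin with the prefix."""
    return url.startswith("http://www.intel.com/")

def hostname_check(url: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    """Accept only http(s) URLs whose hostname is a trusted host or a
    subdomain of one. Looking at the parsed hostname, rather than the first
    few characters, is what makes the check robust."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # lower-cased; port and any user-info part removed
    if not host:
        return False
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)

# Constructed sample addresses (only the first one is taken from the article).
SAMPLE_URLS = [
    "http://www.intel.com/",                         # the article's example
    "https://www.intel.com/drivers",                 # same site, https
    "HTTPS://WWW.INTEL.COM/drivers",                 # same site, odd casing
    "http://www.intel.com.example/",                 # look-alike host
    "http://example.invalid/www.intel.com/",         # name only in the path
    "ftp://www.intel.com/",                          # wrong scheme
    "www.intel.com/",                                # no scheme at all
]

def compare(urls=SAMPLE_URLS):
    """Return {url: (prefix_check, hostname_check)} for each sample."""
    return {u: (prefix_check(u), hostname_check(u)) for u in urls}

if __name__ == "__main__":
    for url, (p, h) in compare().items():
        print(f"{url:45} prefix={p!s:5} hostname={h!s:5}")
```

The two checks agree on the plain http://www.intel.com/ address and on the look-alike hosts; they differ on the https:// and upper-case variants, which the literal prefix test rejects even though they point at the same site. Either way, the rule stays the same: get the software from the publisher's own site.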

The “Fun Content” Trick

By now, I shouldn't have to state the obvious danger in this advertisement:
Dangerous advertisement: Beware!

The “Serious Malfunction” Trick

You're surfing the web and a window pops up telling you of a serious malfunction and instructing you to call a specific number for technical support. The helpful technician tells you that to fix your computer he will need you to give him remote access. Trouble is, the window was phony and the technician is a hacker who installs software to give him full control of your computer. After that, he owns your computer and all your personal data.

The information about your operating system and browser is routinely made available by web browsers for web servers to use; all this page did was parrot it back as part of the phony warning message. What is especially funny in this case is that the operating system is OS X (by Apple) and the browser is Chrome (by Google) and yet the message says to call Microsoft technicians! That alone should be a dead giveaway that the message is phony.
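To show how little the pop-up actually "knew", here is an added example in Python (not code from the article): it reads the operating system and browser out of a User-Agent header, the string every browser sends with every request, and then checks whether a "support" message naming a vendor is even consistent with that header. The User-Agent strings are constructed samples in the usual format, not captures from the incident described above; the vendor mapping is an assumption for the example.

```python
# Constructed User-Agent samples in the shape browsers send (not captured).
SAMPLE_USER_AGENTS = {
    "mac_chrome": ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) "
                   "AppleWebKit/537.36 (KHTML, like Gecko) "
                   "Chrome/47.0.2526.80 Safari/537.36"),
    "win_firefox": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) "
                   "Gecko/20100101 Firefox/42.0",
    "linux_other": "Mozilla/5.0 (X11; Linux x86_64) SomeEngine/1.0",
}

# Assumed vendor mapping for the consistency check.
OS_VENDOR = {"Windows": "Microsoft", "OS X": "Apple",
             "Android": "Google", "Linux": None}
BROWSER_VENDOR = {"Chrome": "Google", "Firefox": "Mozilla", "Safari": "Apple"}

def describe_user_agent(ua: str) -> dict:
    """Pick the operating system and browser out of a User-Agent string.

    Order matters: Android UAs also contain "Linux", and Chrome UAs also
    contain "Safari", so the more specific token is tested first.
    """
    if "Windows" in ua:
        os_name = "Windows"
    elif "Mac OS X" in ua or "Macintosh" in ua:
        os_name = "OS X"
    elif "Android" in ua:
        os_name = "Android"
    elif "Linux" in ua:
        os_name = "Linux"
    else:
        os_name = "unknown"

    if "Chrome/" in ua:
        browser = "Chrome"
    elif "Firefox/" in ua:
        browser = "Firefox"
    elif "Safari/" in ua:
        browser = "Safari"
    else:
        browser = "unknown"
    return {"os": os_name, "browser": browser}

def vendor_claim_is_plausible(vendor: str, ua: str) -> bool:
    """A web page knows only what the User-Agent header says. If a pop-up tells
    the visitor to call a vendor that made neither the OS nor the browser the
    header announces, the message cannot be a genuine notice from that vendor."""
    info = describe_user_agent(ua)
    plausible = {OS_VENDOR.get(info["os"]), BROWSER_VENDOR.get(info["browser"])}
    plausible.discard(None)
    return vendor in plausible

if __name__ == "__main__":
    ua = SAMPLE_USER_AGENTS["mac_chrome"]
    print(describe_user_agent(ua))
    print("Microsoft plausible?", vendor_claim_is_plausible("Microsoft", ua))
```

Run on the OS X / Chrome sample, the script reports the same combination the article describes and flags a message from "Microsoft technicians" as inconsistent with it, which is exactly the giveaway the text points out.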

For more reading

Index to all of Rich Pasco's articles on e-mail and viruses

Rich Pasco's home page

Copyright © 2010-2013 Richard C. Pasco. All rights reserved.