Defending against web-based malware: Spot the smoke, don't wait for fire

Filed Under: Featured, Malware, Phishing, Security threats, Web Browsers

Fire sprinklers and clearly marked escape routes are a great way to save lives in the event of fire. But smoke alarms save both life and property, and they do so at a much earlier stage.

It's much the same with cyberattacks: malware rarely gets into your network without signs of smoke beforehand.

Learning to spot smoke, and react accordingly, is not only a smart way to protect your physical property, but a handy metaphor for keeping your network safe, too.

As with fire, there are many ways that malware and other threats can get a foothold in an organization.

That's why bigger companies have IT staff, firewalls, security policies, anti-virus software, and more. But, even with strong defensive mechanisms, a threat only becomes a problem if it has an opportunity, and opportunity often boils down to a user decision.

Malware is designed to be devious: it searches for ways to circumvent a defensive perimeter. And users can be surprisingly good at finding ways around defensive processes, especially if they feel they get in the way of productivity.

Cybercriminals, of course, exploit this propensity with social engineering: actively persuading users to take shortcuts or to indulge in behaviors that get the attacker past the smoke alarms.

Training users to recognize suspicious on-screen behavior is the best security measure that any family or organization can take. It goes far in curtailing inadvertent participation. It goes beyond policies and mechanisms.

That's because it doesn't just prevent inadvertent participation, it recognizes a basic tenet of human nature: security policies and mechanisms are sometimes circumvented when faced with individual authority or sympathy.

Many cyberattacks begin when we do everyday things: check email, browse the web, click on a tempting news story, or agree to some sort of update. They are initiated by activity that should not have been approved.

With just a little training and occasional reinforcement, your users will recognize the seductive signs of phishing and malware knocking at the door, from the clumsy and prurient (Check out these hot babes), to the falsely authoritative (You need to update Adobe Flash).

Educated users who are knowledgeable of trends and wary of unexpected behavior become your first line of defense. They feel empowered. They are proud to participate in security and they play a more important role in suppressing threats than policies, procedures and technology.

It's impossible to cover all of the sneaky ways in which malware circumvents suspicion and gains temporary trust - just enough that it can get in the door. But a few simple examples can give users a defensive edge.

So, show users the suspicious signs. Cultivate their antennae. Remind them of the most common hooks used in social engineering. These hooks play either on one of several deep-seated, natural desires such health, wealth, sex and status, or (ironically) on a user's desire to maintain and even to help improve security.

Here are some examples:

  • Trust this brief exception! (Threat poses as important maintenance.)
  • Check this out! (Inducement appears to be from a friend.)
  • Get more friends! (Appeals to sex, money or personal status.)
  • Limited time offer! (Urgency: act fast, or miss out on a bargain.)
  • Enjoy life more! (Who doesn’t want greatly enhanced anatomy?)

The interesting thing about these offers is that they create a seductive path between truth and desire. It's easy to joke about offers for Viagra - after all, who gets lured into these things? - yet Viagra is one of the best selling drugs in the world. So, the key to persuading family or staff to mitigate threats is not to change human nature.

Instead, get them to recognize the risks and to understand that those risks are mitigated the most when they decide to initiate online activities themselves, rather than to be talked into an action by an invitation from a stranger.

Find your own way

Here are a few ways to make sure you are following your own path to an online web destination, rather than being (mis)guided by an outsider:

1. Enter important URLs directly, or use a bookmark.

If you have an account on a website, and you plan to log in, don't be lazy and use a search engine to get you there: type the full URL into the address bar, or use a bookmark that you previously created. (Many browsers automatically initiate search queries from the address bar if you enter something that doesn't look like a URL, so be sure to type thecompany.example, not just thecompany.)

Cybercriminals spend plenty of time and money trying to poison search engines so that their malicious sites supplant legitimate ones at or near the top of search results.

2. Look for the HTTPS padlock.

If you plan to do anything that involves logging in, or viewing or uploading information you wouldn't want anyone in the world to know about, look for "https" (secure HTTP) in the address bar.

Don't bother looking for assurances of security and privacy within the actual window, such as pictures of padlocks or mention of cryptographic key lengths. Simply saying something doesn't make it true.

3. Don't be influenced by words or images.

It's common for friends to send links within an email and, personally, I don’t think that it is necessary for organizations to prohibit this sort of email use, or to block links in messages.

But there are some links that we should learn to shun instinctively.

Never use email links to web pages where you have an account, or to any site which requires login. With email, it is difficult to verify the original sender, or to be certain of the integrity of the path between sender and recipient.

Check, and check again

So, when you visit a website where you have an account, follow the advice given in (1) above. When the web page opens, look at the URL again, and follow the advice in (2).

Check that the page is secure (https), and that the domain name is exactly what you expect. Watch out for unfamiliar characters, or a variant of the domain name you are looking for, immediately before the first slash. (E.g. check you are going to bank.example/ and not something like bank.example.198.51.100.12/.)

As with all security threats, alert users are the best prophylaxis against infection. If in doubt, leave it out!

Image of smoke alarm with smoke courtesy of Shutterstock.

Image of pointy click-me hands courtesy of Shutterstock.

, , , , ,

You might like

9 Responses to Defending against web-based malware: Spot the smoke, don't wait for fire

  1. The problem with entering important URLs directly instead of searching for them is that criminals also spend time and money typo-squatting. Just ask some poor teacher who put in whitehouse.com instead of whitehouse.gov during class. Misspelled domain names are actually MORE dangerous than just Googling for the name of the company and clicking the correct link. I can count on one hand the number of businesses that I've done a websearch for their website and found a possibly poisoned search result. Maybe you guys shouldn't use sketchy search engines?

    Better advice would be to teach users how to judge search engine results. Make sure the results match the domain they're looking for. It's trivial to look at at result page and find the official site URL when you know what to look for.

    • Paul Ducklin · 336 days ago

      Typosquatting! Indeed. I did some extensive research into typosquatting a year or two back, and the results were, well, interesting:

      http://nakedsecurity.sophos.com/typosquatting/

      (More than one third of typosquat domains in my survey - 560 out of 1502 - were "powered by Google," or at least by its DoubleClick subsidiary.)

      Note that we do suggest using bookmarks of your own - that means you can get the URL right once, applying great care, and use the bookmark with a decent amount of confidence later on, without retyping the URL.

      I think the big risk with search engines is that a lot of people (put your hand up if guilty :-) use them so they don't need to be exact, assuming the search engine will "help them home."

      I'd still advise using a "known good, static URL" than relying on the ever-varying output of a search engine...

    • Philip Raymond · 336 days ago

      Hi Aaron. Thank you for your feedback,

      With both methods (I recommend direct entry and you suggest a trusted search), it seems that we agree one one thing. It boils down to just a bit of user vigilance. If the user checks the resulting address carefully (preferably in their own address bar after the page settles), then I am comfortable with either technique.

  2. Joe Dubin · 335 days ago

    For sites requiring login, I recommend using a password manager which stores the correct URL along with username and password, like 1Password, Lastpass or Dashlane. If an email asks to log in to the site, use your password manager to navigate there and log in. And if, in spite of it all, you click on the phishing link, the password manager won't fill in the credentials, which should be a red flag that something is amiss. That won't protect against drive-by attacks, but it will help protect against credential harvesters.

    • Philip Raymond · 335 days ago

      I like your idea, Joe, and I should have mentioned it in the original article. I use LastPass myself. In addition to the primary function, It certainly addresses issues of typosquatting and search-phishing.

      The idea of an online bookmark page is interesting too. Might raise an issue of personal privacy, but it certainly makes your web shortcuts portable! Good thinking.

  3. Sam · 335 days ago

    For those who have the facility to create a web page, I recommend making a page which contains links to all your regular sites together with a target of a new tab, and save it on your own device (PC, laptop, etc). Make this your home page on each of the browsers you commonly use and then you have instant access to all those regularly accessed web sites. Simples.

  4. MikeP_UK · 335 days ago

    The biggest issue I have is with software downloads that are for a legitimate application but carry 'foistware' with them, quite often unannounced. Some of the big names in the industry are implicated as are some of the download sites that confuse users with untidy web pages that obfuscate and make it hard to find the actual download you are looking for.

    I like the KISS principle so it is harder, but not impossible, for the nefarious to hide the unwanted from the unwary.

    • Philip Raymond · 335 days ago

      I'm with you 100% on this one, Mike.

      It was an enormous disappointment to see even very "legitimate" sites that play this game. Download.com, a C|Net property, has recently begun adding unexpected, Trojan-like cr*pware to the legitimate applications downloaded by visitors.

      I am using whatever influence that I can muster to get them to reconsider this serious abuse of consumer of trust. They have already monetized their service in acceptable ways. They needn't stoop so low.

  5. John · 324 days ago

    This article has lots of good info - But IMO malware has turned into an extrusion game with its commercialization in the form of web exploit kits - It's become virtually impossible to spot the smoke for many who casually browse the web; inevitably hitting an exploit pack landing page.

    With high-traffic sites serving malicious code, the malware is going to get in - it's our job to identify, verify, and erradicate now more than ever. Add to this list countless small / local organizations for which getting a web presence at ALL is a big deal, and the attack surface of vulnerable sites rises to an absolutely ridiculous number.

    Of course, a well-defined patching policy is paramount to protect our Users and information, as well as the User education Mr. Raymond describes in this article; however at this point I don't believe we have the luxury of surviving on user education anymore. The same User who didn't click a phishing email gets compromised because YouTube's ad rotator is serving malicious code...Very uncomfortable feeling.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Philip Raymond is a security consultant and privacy advocate. He is inventor of Blind Signaling and Response and the former chairman of Vanquish Labs.