So who can you trust?

As criminals get better at what they do best, it’s becoming harder and harder to tell if an application is trustworthy or not.

To protect oneself, adhering to the following best practices can help. But even if you adhere to all these best practices 100% of the time, there’s still no guarantee of safety.

Things to check for when evaluating software for trustworthiness:

  1. Perform the CERT DCAL test
  2. Watch out for incorrect grammar or spelling
  3. Make sure all purchases are done through a secure “https” connection and watch for warnings about a site’s “security certificate“. With a working https connection – your browser will show one of the following lock symbols in the bottom right corner of the current window.
    Internet Explorer:
    IE SSL
    FireFox:
    FireFox SSL
  4. keep an eye on the address bar to make sure it doesn’t change unexpectedly on you. (You don’t want to provide information to / or download from an untrusted site accidentally!)
  5. if a site displays an SSL or Code Signing Certificate, double check that the certificate is still valid and hasn’t expired or been revoked.
  6. perform a quick web search to see if any other websites warn about the site you’re thinking of trusting & look for online reviews about the product you’re considering purchasing
  7. if in doubt, try verifying the contact information provided on the site (if any contact information is provided)
  8. before you download or install ANYTHING, make sure that your system and anti-virus products are up-to-date.

Here is an example of a site that looks very legitimate, but isn’t..

url

The site is reasonably professional looking and has few grammatical or spelling mistakes.

main logo - contraviruspro.com

All the links work. It has a privacy statement, End-User-License-Agreement, professional looking support and contact area that even uses a captcha.

– Testimonials area.

– User login area.

– “30-day 100% Money Back Guarantee”

VeriSign Secure Site logo.

Looks and smells legitimate so far!

A quick google search comes up with a few download sites that give it a high user rating (another good sign!).

bluesofts.comallapp.com

Since the site bares the Verisign Secure Site logo

VeriSign Secure Site

– I contacted VeriSign just to double check.

Welcome to VeriSign you are now speaking with Annette . How may I help you?
Annette : Hello, where are you chatting from today?
Customer: work
Customer: I have a quick question about a site that bears your symbol
Annette : How can I assist?
Customer: I’d like to know more about the trustworthiness of this site
Customer: http://www.[Url ommited].com/buynow.php
Customer: your sign is in the bottom left corner – could you tell me about this site and this product
Annette : Please hold while I check the URL.
Annette : This website does not use a VeriSign SSL certificate and may not be safe to use.
Customer: is it possible to get written confirmation of that – or is there an url that I can enter this url at to verify that without contacting your support?
Annette : You can report site seal abuse at https://www.verisign.com/support/ssl-certificates-support/secure-site-seal/abuse.html
Annette : You can enter the URL into www.verisignsecured.com or http://www.verisign.com/log-in/index.html by clicking search
Customer: excellent – thank you very much !
Annette : My pleasure, have a great day.

Hmmm – warning bells are starting to go off.

My next step (which is an advantage that I have from working in SophosLabs, but which most businesses won’t have the resources to safely do), is to analyze the binary provided from the download link.

After carefully analyzing the download, which was a legitimate-looking installer and appeared to operate as specified as an Anti-Virus/Spyware application, it turns out the application downloaded is a Trojan after all.

Troj/FakeVir-AB (click here for more details)

So what can you do to protect yourself?

Following the best practices provided by the following sites at all times:

http://www.sophos.com/security/best-practice/

http://www.getsafeonline.org/

http://www.cert.org

What to do if an application you’ve installed is detected by SAV as being a suspicious file or exhibiting suspicious behavior?

Sophos Anti-Virus’s suspicious file and behavior detection features only indicate that a file MAY be a threat. If you are confident that the file is from a trustworthy source, authorize it. If you’re not confident, submit the file to SophosLabs for analysis. (click here for more information on how to decide whether to authorize or block a file)

It’s not practical for a businesses to “trust no one”, so to operate in today’s business world it’s becoming more and more important to use the best anti-virus product you can, ensure it’s up-to-date, and to submit suspicious files for analysis when you have any concerns.