According to Panda Security, “more than a quarter of all malware samples ever recorded were produced in 2015”. Researchers at other cyber security companies such as McAfee and Kaspersky predict that this trend will only continue. Users today are therefore more exposed to malware infection than ever before, and it is essential that they learn to protect themselves. This article outlines three common ways users fall victim to malware and how to defend against each: malicious email links, macro viruses in Office attachments, and infected USB flash drives.
Malicious email links- Phishing and Drive-by download links
A social engineering attack is defined by the United States Computer Emergency Readiness Team (US-CERT) as one in which “an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems”. In email it works by evoking a sense of urgency or fear in the victim, causing them to click a link. Figure 1 below shows an example: the user is told by a seemingly legitimate source about a financial issue that must be resolved by clicking the link, but the claim is false. Such a link usually leads to one of two kinds of website: a phishing site or an infected site.
Phishing websites are phony websites that look legitimate and ask the user to enter confidential information such as account passwords, credit card numbers, or a social security number. One example is a page that looks exactly like PayPal’s login page and asks for the user’s credentials, but whose address is mpaypaal.com or security-paypal-center.com, entirely different domains from paypal.com. For additional sample emails, some university IT departments publish the phishing messages they receive in order to warn users: https://itservices.uchicago.edu/page/latest-email-scams and https://uit.stanford.edu/phishing.
A drive-by download is the unintentional download of malware onto a computer or mobile device without the user realising it has happened. Once the user follows the link to the infected website, malicious code on that page attempts to execute in the browser. Some of these websites are set up by cyber criminals; others are legitimate websites that have been compromised by hackers unbeknownst to the owner.
Users should consider security awareness training to protect themselves from phishing attacks and infected websites. There is no all-in-one tool that can tell users whether an email’s content is false or whether a website carries malware. Such training should cover social engineering, choosing strong and secure passwords, mobile security, privacy, and good technical habits.
An example of a good habit is keeping software and the operating system updated so that known vulnerabilities are patched as soon as possible. Drive-by download sites carry code that exploits specific security flaws in an application (e.g. browsers like Chrome, Firefox, and Safari, or email clients like Outlook and Thunderbird). Patching removes the known flaws that such sites depend on; it does not help against a flaw that has not been fixed yet, which is one reason the other habits below still matter.
Social engineering training helps users identify a phishing email, or any other suspicious email, by noticing details such as a display name that does not match the sender’s actual address, or link text that does not match the link’s destination.
For example, an email might carry the name of the user’s bank as the display name while the sender’s address is [email protected], which is not the bank’s address. Such requests should be verified through an authentic channel, such as a phone call to a number the user already knows, before any sensitive information is sent.
Another defence is to inspect every link before clicking: hover over it and confirm that the displayed text and the actual destination agree. Better still, users should type the organisation’s real address into the browser themselves, rather than following the link or copying an address out of the email, so that they cannot be misled into going somewhere else.
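The two checks described above (display name versus sender address, and link text versus link destination) can be automated. The following Python script is an added example, not code from the original article: it parses one constructed message, flags a sender domain that does not belong to the brand named in the display name, flags links whose visible text names one host while the href points at another, and flags lookalike hosts that contain the brand name under an untrusted registrable domain. The sample email, the example domains, and the trusted-domain list are all assumptions made for the demonstration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real phishing email). The display name invokes the
# brand, the sender address is on an unrelated domain, and the first link's
# visible text advertises the bank's real site while its href goes elsewhere.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examplebank-secure-login.com>
To: customer@example.net
Subject: Urgent: your account has been locked
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected unusual activity. Verify your details within 24 hours or the
account will be closed.</p>
<p><a href="http://examplebank.com.verify-account.net/login">https://www.examplebank.com/login</a></p>
<p><a href="https://www.examplebank.com/help">Help centre</a></p>
</body></html>
"""

# Assumptions for the example: the domain the user actually trusts for this
# brand, and the brand word whose presence in a name or host we care about.
TRUSTED_DOMAINS = {"examplebank.com"}
BRAND_KEYWORDS = ("examplebank",)


def registered_domain(host: str) -> str:
    """Crude registrable domain: the last two labels of the host. Fine for the
    .com/.net names used here; a real tool would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []        # finished (href, text) pairs
        self._current = None   # [href, text] while inside an <a> element

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def looks_like_url(text: str) -> bool:
    return re.match(r"^(https?://|www\.)", text.strip(), re.I) is not None


def mentions_brand(s: str) -> bool:
    return any(k in s.lower().replace(" ", "") for k in BRAND_KEYWORDS)


def analyse(raw: str) -> dict:
    """Return the phishing indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    display_name, address = parseaddr(str(msg["From"]))
    sender_domain = registered_domain(address.rpartition("@")[2])
    findings = []

    # 1. Display name invokes the brand but the address is not on a trusted domain.
    if mentions_brand(display_name) and sender_domain not in TRUSTED_DOMAINS:
        findings.append(f"display name '{display_name}' but sender domain is {sender_domain}")

    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")

    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        href_domain = registered_domain(href_host)
        # 2. The visible text is itself a URL, but its host differs from the real target.
        if looks_like_url(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registered_domain(shown) != href_domain:
                findings.append(f"link text shows {shown} but href goes to {href_host}")
        # 3. Brand word appears in the host while the registrable domain is untrusted
        #    (catches examplebank.com.verify-account.net and examplebank-login.net).
        if mentions_brand(href_host) and href_domain not in TRUSTED_DOMAINS:
            findings.append(f"lookalike domain in href: {href_host}")

    return {"sender_domain": sender_domain, "links": collector.links, "findings": findings}


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL)["findings"]:
        print("WARNING:", finding)
```

Run against the sample, the script reports three findings: the mismatched sender domain, the link whose text shows www.examplebank.com while the href goes to examplebank.com.verify-account.net, and that same host as a lookalike. The second link, which really points at examplebank.com, produces nothing. The two-label “registrable domain” shortcut is the weak point of this approach and would need the Public Suffix List for names such as example.co.uk.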
It is also important to disable link preview where such an option exists, because generating the preview fetches the page just as visiting it would. In Outlook on the web (Office 365), for example, users can disable this under Options, then the Layout section, by unchecking “Preview links in email”.
For other desktop mail clients, users should check the preferences or search online to see whether such an option exists and how to disable it. At the time of writing, Mozilla Thunderbird and Evolution on Linux do not have such a feature.
In OS X 10.10.5 Yosemite and above, tapping a link with three fingers on the trackpad generates a preview of that website in Safari, Mail, and Messages. To disable this gesture, open System Preferences, click Trackpad, and uncheck “Look up & data detectors”. The gesture was enabled by default in Yosemite but was later disabled by default in 10.11.6 El Capitan.
Link preview is a handy feature, since users do not have to click every link in an email or website to see where it leads, but it shows how applications and operating systems can ship with default settings that are insecure and lead users into bad habits. A malicious actor can abuse such a feature to have attacker-controlled content fetched and rendered without the user ever deciding to click.
If users want to check whether a link is safe, there are online link scanners such as https://www.virustotal.com/en/ and http://www.unmaskparasites.com/. These sites and others like them scan a website for known malicious code. A clean result is not a guarantee: freshly registered phishing domains are often not yet listed, so the checks above still apply.
Microsoft Office Email Attachments
Microsoft Office supports a feature known as macros: a recorded sequence of actions (such as mouse clicks and keystrokes) that can be replayed later. Macros help with repetitive tasks and can be assigned to a custom shortcut key. For example, if a user wants to customise the page margins of a document efficiently, they can record themselves editing the margins once and run the macro the next time. Under the hood a macro is Visual Basic for Applications (VBA) code, so it can do far more than replay clicks.
Although intended to simplify repetitive tasks, macros can also be used for malicious purposes. An attacker can write a macro that downloads and executes malware on the user’s computer as soon as the document is opened, before the user can intervene. Such macros are called “macro viruses” or “macro malware”.
To stop this attack, macros can simply be disabled, which is Office’s default. To confirm that macros are disabled, click the File tab, click Options, and then click the Trust Center category on the left. From there, click the “Trust Center Settings” button on the right and then “Macro Settings” on the left. “Disable all macros with notification” should be selected; click OK at the lower right. Figure 2 below shows this setting. The stricter option, “Disable all macros except digitally signed macros”, is better for users who never need unsigned macros, because the notification option still lets a user enable a malicious macro with one click.
From this point on, macros will not run automatically. If a user opens a document that contains macros, a warning bar notifies them that macros have been disabled, and the macro does not run unless they click Enable Content. This is shown in figure 3. Attackers know this, so malicious documents typically contain text urging the reader to enable content; that request is itself a strong sign that the document is malicious.
Microsoft Office also has another feature that stops macros, called Protected View: documents that originate from the Internet, email attachments, and other unsafe locations are opened read-only, so users can see the content while the risk of infection is reduced. In Protected View the document cannot be edited and macros do not run. To ensure that Protected View is enabled, go to File, then Options, then Trust Center, click Trust Center Settings and select Protected View. All three options there should be checked. Figure 4 below shows this. Office decides where a file came from using the zone information (the “mark of the web”) that browsers and mail clients attach to downloaded files, so a file copied from a USB drive, which carries no such mark, may open without Protected View.
Figure 4: Enabling Protected View
Users will now see a warning at the top of such documents telling them the file is open in Protected View, as in figure 5 below. It is imperative that users stay in Protected View until the file has been verified as legitimate and safe.
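A complementary check to the settings above is to look inside an attachment before deciding whether it is safe to leave Protected View. The Python below is an added example, not code from the original article: it reads an Office Open XML attachment (.docx, .docm, .xlsm, .pptm and relatives are zip packages) and reports whether it carries a VBA project, by looking both for the vbaProject.bin part and for its declared content type in [Content_Types].xml. Legacy binary files (.doc, .xls) use the OLE2 container and cannot be inspected this way, so they are flagged for manual review. The sample packages are constructed in memory and are not real Word documents.

```python
import io
import os
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls/.ppt container
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}


def inspect_office_file(data: bytes) -> dict:
    """Classify an Office attachment from its bytes, without opening it in Office.
    'has_macros' is True/False for Office Open XML files and None when the format
    cannot be inspected this way."""
    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: macros live in an OLE storage that needs a proper
        # OLE parser (e.g. oletools' olevba). Flag it for manual review instead.
        return {"format": "ole2-legacy", "has_macros": None, "parts": []}
    if not data.startswith(b"PK"):
        return {"format": "unknown", "has_macros": None, "parts": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"format": "unknown", "has_macros": None, "parts": []}
    names = zf.namelist()
    # Office Open XML stores the VBA project as a binary part such as
    # word/vbaProject.bin and declares its content type in [Content_Types].xml.
    # Check both, so a renamed part is still caught.
    vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
    declared = False
    if "[Content_Types].xml" in names:
        types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        declared = VBA_CONTENT_TYPE in types_xml
    return {"format": "ooxml", "has_macros": bool(vba_parts) or declared, "parts": vba_parts}


def triage(filename: str, data: bytes) -> str:
    """One-line verdict for a received attachment, combining file contents and name."""
    info = inspect_office_file(data)
    ext = os.path.splitext(filename)[1].lower()
    if info["has_macros"] is None:
        return "review manually: format cannot be inspected here"
    if info["has_macros"]:
        note = "" if ext in MACRO_EXTENSIONS else " (extension does not advertise macros)"
        return "contains VBA project: keep it in Protected View, do not enable content" + note
    return "no VBA project found"


def build_sample(with_macros: bool) -> bytes:
    """Construct a minimal OOXML package for the demo; it is not a real Word file,
    just the parts that matter for the check above."""
    types_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
    )
    if with_macros:
        types_xml += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    types_xml += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", types_xml)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder, not a real VBA project")
    return buf.getvalue()


if __name__ == "__main__":
    for name, sample in (("notes.docx", build_sample(False)), ("invoice.docm", build_sample(True))):
        print(name, "->", triage(name, sample))
```

The check deliberately looks at the bytes rather than the file extension: a macro-enabled package that has been renamed to .docx is still reported as carrying a VBA project. A result of “no VBA project found” only covers VBA; it says nothing about other attachment risks such as embedded objects or external links, so Protected View remains the right place to read an unexpected document.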
Infected Universal Serial Bus (USB) drives
On Windows, there was a feature called AutoRun: when a user inserted a disc or USB drive containing an autorun.inf file, the program named in that file was run immediately. The feature was intended so that users did not have to search through the files on a disc to find the right executable. It also allowed malicious actors to place a malicious program and an autorun.inf file on a disc or USB drive, and Windows would launch the program as soon as the media was inserted. Since Windows 7 (and a 2011 update for Windows XP and Vista), AutoRun is honoured only for optical discs, not for USB drives.
Today, Windows has AutoPlay, which brings up a dialog asking the user whether they want to run an executable. This is shown below in figure 6, where the user can choose whether or not to run setup.exe. It is best not to run an executable unless the disc or USB drive has been scanned for malicious content and vetted. Note that AutoPlay settings only govern storage media; a USB device that presents itself as a keyboard is not covered by them at all, which is one more reason not to plug in unknown devices.
Users should educate themselves about such malicious USB drives. In a study at the University of Illinois at Urbana-Champaign, 297 USB drives were dropped around campus, and nearly half of them were picked up and plugged into a computer with little caution. Flash drives found lying around should be turned in to a nearby Lost and Found office or to IT staff.
To disable AutoPlay entirely, go to Control Panel, type “AutoPlay” in the search box at the top right, and click the “AutoPlay” result. Uncheck “Use AutoPlay for all media and devices” at the top and click Save at the bottom right, as in figure 7 below. These instructions apply to Windows 7 and above.
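To show what the autorun.inf mechanism described above actually contains, here is an added Python example (not code from the original article) that parses an autorun.inf found on a removable drive and reports which directives would launch a program, whether the named program is present on the drive, and which of the file’s cosmetic entries are there to make the malicious action look like a normal “open folder” choice. The autorun.inf and the drive listing are both constructed for the example; on a real drive the listing would come from walking the mounted volume.

```python
# Constructed autorun.inf in the style attackers placed on removable drives (a
# sample for this example, not taken from a real incident).
SAMPLE_AUTORUN = r"""
[autorun]
open=RECYCLER\setup.exe /s
icon=%SystemRoot%\system32\SHELL32.dll,4
label=Holiday Photos
shellexecute=RECYCLER\setup.exe
shell\open\command=RECYCLER\setup.exe
action=Open folder to view files
UseAutoPlay=1
"""

# Constructed listing of the drive's files, standing in for os.walk on a real volume.
SAMPLE_LISTING = {"autorun.inf", "RECYCLER/setup.exe", "DCIM/IMG_0001.jpg"}

EXEC_KEYS = ("open", "shellexecute")   # directives that name a program to run
HIDDEN_DIRS = ("recycler", "$recycle.bin", "system volume information")


def launch_target(value: str) -> str:
    """Return the program an open=/shellexecute= value runs, minus its arguments."""
    value = value.strip()
    if value.startswith('"'):              # quoted path, possibly containing spaces
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def parse_autorun(text: str, drive_files: set) -> dict:
    """Parse autorun.inf by hand (it is INI-like but loosely formatted) and report
    what it would launch and which social-engineering tricks it uses."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries.append((key.strip().lower(), value.strip()))

    present_files = {f.lower().replace("\\", "/") for f in drive_files}
    launches, findings = [], []
    for key, value in entries:
        # shell\<verb>\command adds a verb to the drive's Explorer context menu; a
        # shell\open\command entry makes double-clicking the drive run the program.
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in EXEC_KEYS or is_verb:
            target = launch_target(value)
            present = target.lower().replace("\\", "/") in present_files
            launches.append({"key": key, "target": target, "present": present})
            if target.lower().split("\\")[0] in HIDDEN_DIRS:
                findings.append(f"{key}= runs {target} from a folder Explorer normally hides")
        elif key == "action" and value.lower().startswith("open folder to view files"):
            findings.append("action= text imitates Explorer's own 'Open folder' option")
        elif key == "icon" and "shell32.dll" in value.lower():
            findings.append("icon= borrows a system icon so the entry looks like a folder")
    if launches:
        findings.append(f"{len(launches)} directive(s) would launch code if AutoRun were honoured")
    return {"launches": launches, "findings": findings}


if __name__ == "__main__":
    report = parse_autorun(SAMPLE_AUTORUN, SAMPLE_LISTING)
    for item in report["launches"]:
        print(f"{item['key']}= -> {item['target']} (present on drive: {item['present']})")
    for finding in report["findings"]:
        print("WARNING:", finding)
```

For the sample, all three launch directives point at the same setup.exe hidden in a RECYCLER folder, and the label, icon and action entries are there so that the AutoPlay dialog shows an entry that reads like Windows’ own “open folder” choice. That is the pattern the advice above guards against: the dialog in figure 6 is only useful if the user does not take its entries at face value.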
Antivirus and backups
Another very important defence is to keep anti-virus software and the firewall up to date and running at all times. Weekly or even daily scans help prevent malicious content from remaining undetected on a system.
Another best practice is to back up data frequently. A good rule of thumb is the 3-2-1 rule: keep three copies of the data, on two different kinds of media, with one copy stored in a geographically separate location. Regular backups are the most effective defence against ransomware, malware that locks the user’s files or screen and demands payment to unlock them. With backups, users can roll back to a previous, hopefully clean, state. The backup copy must not stay permanently connected to the machine, since ransomware also encrypts any drive it can reach. Users should also report possible infections to IT professionals to limit the impact and prevent reinfection.
We live in a very connected world today and can communicate with people in other parts of the world at any time. Unfortunately these benefits bring risks, since they also let malicious actors gain unauthorized access to a user’s computer to steal personal information or damage the machine. It is important that users educate themselves about these attacks in order to stay safe and secure while using the computer and surfing the web.
By itself, an email is harmless; the damage happens after a link is clicked or an attachment is opened. Users must stay vigilant about content, links, and attachments, especially when they are unexpected or unsolicited. Software, anti-virus, the firewall, and the operating system must be kept up to date, and backups must be made. Anything external, such as a USB drive, must be opened with caution.
With these tips in mind, a user’s chances of malware infection will drop dramatically.
This post was written by: Oliver Hui