All too often, cyber attacks are crimes of opportunity. This was exactly the case when late last week, hackers created a fake website to fool users into downloading a virus instead of the latest version of Java. As many of you read here in the blog, Oracle recently released a patch for a critical Java security issue found spreading malicious files to unprotected computers. In response, users scrambled to download a new, protected version of the software, attracting cyber criminals in the process.
We’ve seen this behavior time and time again: Criminals go where they can get the most bang for their buck. This means finding ways to infect as many computers as possible, so there are more opportunities to siphon off money or steal user credentials. What’s attractive about Java for hackers is that it runs on billions of devices worldwide (and probably every Internet connected device currently in your home). This means that when Oracle releases a critical patch, millions of people are typing in “Java update” or “Java virus” into search engines like Google or Bing. This presents a grand opportunity, because if criminals can create a fake website that looks nearly identical to the Java update website, they’re bound to fool a large number of people into downloading their malicious software.
This is called Social Engineering.
Social Engineering is different from other types of cyber attacks, because victims must actively participate in the hacker’s plan. In this case, a user must freely give up access to his or her computer by clicking the “Download Now” link on the fake Java website. In other cases, attacks may involve sending victims a fake email to request sensitive information, with the byline forged as a message from a boss or colleague (this is called “phishing”). The attacks can even be carried out in-person, with hackers sneaking into IT departments disguised as management personnel. But in all cases, the user must be fooled into letting the attacker in, as opposed to the hacker circumventing security barriers by force or other means.
There are tricks of the trade that users at home can learn in order to avoid falling victim to social engineering attacks.
- Pay close attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL typically uses a variation in spelling or different domain (e.g., yahoo.co vs. yahoo.com).
- Pay attention to grammar and spelling. Many illegitimate websites, including the fake Java update website, will have misspelled words and poor grammar (“A new version of Java is require”).
- Be suspicious of unsolicited phone calls or email messages asking you to share personal information, change a password, or download software. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company before taking action.
- Install and maintain all-inclusive antivirus software like McAfee All Access to prevent spam, malicious traffic and flag suspicious sites before you click.