Most malware doesn’t attack from the back door. Instead it comes right in the front door and creates back doors you don’t even know about. I received three emails today and one a few days later before I finished this blog post, that I am going to share because emails laced with malware is the primary method of gaining access to your computer. Two of the emails are virtually the same email just from a different person. Making mail appear on the surface to have come from someone else is not difficult.
- It comes from someone I don’t know.
- There is no salutation or greeting.
- This one says I filled out my taxes with FreeTaxUSA. I have never heard of them and I certainly didn’t send them any tax info.
- The items listed say Louisiana State Tax Return. I don’t live in Louisiana and certainly wouldn’t be filing a return there.
- The checking account listed is not mine.
- Finally the clincher for this one is the attached file in zip format.
Zip files are common around the internet as they are a container file with other files contained within. The problem with zip files from unknown sources is that they can be used to transport malware past email filters. Most email systems won’t allow you to send an .exe file (executable windows file). So by placing an .exe or other file that can contains malicious code in the zip file they are bypassing some email filtering. If you don’t know who sent the file, don’t open the zip file! The other thing this email is trying to do is get me concerned that I have been charged for something I didn’t order. Obviously I wouldn’t have ordered a tax return from Louisiana; in fact my taxes were done some time ago. The email looks like I am being charged for something, so naturally curiosity will want to see what it is. If you receive an email similar to this, you must fight the urge to look and just delete it. If you just can’t stand it contact your bank or credit card company and check your statement for any suspicious charges.
The next two emails are similar:
Flags to look for in these two emails:
- Someone I don’t know
- No salutation (This in and of itself wouldn’t necessarily be a flag, but taken with the others I would expect to see my name here.)
- They are vaguely requesting information, then referring to the attached document. These emails are usually sent to thousands of people and the goal is to pique curiosity so you will open the attachment.
- The attachment is a Microsoft word .doc file – yet another route to infiltrate malware into a computer. Microsoft Word is a very powerful program that is capable of scripting. Because of the scripting and other vulnerabilities in Word you shouldn’t open a .doc file from anyone you don’t know. Make sure all your software updates are done promptly to limit the possibility of infection, but understand there are constantly new vulnerabilities that are found – so again, just delete the email without opening any attachments!
The interesting thing about the last two emails is that I looked up the companies and they appear to be legit businesses. So either someone just copied their information for the email or their computers have been compromised.
One final email that is more obvious:
This one is typical of emails generally caught by spam filters. It appears to be written by someone for whom English is not their primary language. It’s vague and leaves a lot of questions. I also like that the email is from Country court, not County court. I am not sure if that’s a federal court or the Supreme Court. 🙂 Again this email has the attached zip file that you should avoid. The email is just supposed to entice you to try to open the attached documents, and that’s when you could get a virus or other malware launched on your system.
If you have had and used an email address for some time, you likely will receive mail like this. Various entities around the internet collect email addresses and then sell the lists. These emails are probably sent to thousands if not millions of addresses. It’s an odds game. If they send out 10,000 emails and they can get 1% of people curious enough to click on the link or zip file, then they have nabbed 100 people or computers. If they do this every day, all year – that’s 36,500 people or computers that they can do whatever they want since the person opened the document and let the bad guys in. There are enough back doors in computer systems to guard against without letting someone walk through the front door.
If you have accidentally opened an attachment that has caused a virus, please contact me for clean-up services.
I work with a wide variety of people, from home users to various sizes of small businesses. A common issue I see is poor password security. Passwords have been used since some of the earliest computer systems in order to keep people out of areas they shouldn’t be in. They are in essence a padlock on your stuff. The problem is a lot of people use a master key for all their padlocks and their padlocks are about as strong as a little luggage padlock. Perhaps you are also guilty of re-using variations on the same password like your dog’s name, the town you were born in, or even your phone number. The problem with these passwords is that they are fairly easy to guess for a hacker.
Don’t think it’s a big deal? Check this out: as a small business owner or even an employee at a business, you probably have an email address @businessname.com so any mail from you is official business communication. If someone could guess your password, they could access your address list, your sent mail, and all your mail in your inbox. Is there any information in those emails you wouldn’t want getting out? Like profit margin information, price list info, buyout or merger info? There could be a lot of damaging information stored in your email. Now suppose the person who guessed your password decided to send mail to your customers as you because they can do that now. What if they sent out an offensive email to your entire address book? While they’re at it, they go ahead and change your password so you can’t get into your own mail. Depending on how your mail is set up, an admin might be able to reset the password for you but it may take awhile and you may have to do a lot of damage control before you can get the hacker out. They could access your Facebook page and reset the password because they have access to your mail. How many other online sites would they now have the ability to access and change passwords because they have access to your email and can hit that “send me a new password button” on sites? With several of your sites in hand what kind of havoc could a hacker cause and how much trouble could they cause? How much work will it take to recover from the hack and do you have the time?
One of the worst places I see poor passwords used is on a registrar like GoDaddy.com. If you have a domain for your business, then you have it registered somewhere. If your password isn’t extremely secure, a hacker could gain access to your domain, take over your website, your email and anything about your domain. They can redirect your traffic to other sites or just stay quiet and glean as much from your information as they can. It all depends on the intents of the hacker as to how much damage they can do.
I completely understand why people want to use the same password and make it simple to remember. The problem with this is that hackers have automated tools that can run through dictionary searches against your passwords. This is basically trying every word in the dictionary, then trying words with 1 or 01 or 02 and so on at the end, or capitalizing the first letter. All of this can be done on a pretty simple computer in minutes. This is why a good password 1. doesn’t contain any words, 2. has upper and lower case letters, with the first letter not being the only one capitalized, and 3. has numbers and symbols interjected. Something like this: vU5ZQ85u7E is a good, strong password and would survive any dictionary attempts.
Just changing your passwords to make them strong won’t fully solve the problem if you use a spread sheet to keep track of them or they are on sticky notes on the side of your computer. Case in point: the recent Sony hack was made much worse because a spread sheet with a number of online account information was found sitting on a server. This allowed the hackers to go even further with ease. Most of us humans can’t remember passwords like vU5ZQ85u7E unless we use it a lot. So what’s the solution? Use a password manager. A password manager uses encryption to securely store all your passwords under the lock of one good password. So you use one good password to open your password vault and then pull passwords for other sites as needed. There are a number of products out there. Some encrypt your data then upload them to cloud storage making them available to any of your devices. Others are for use on a single computer and don’t leave that machine unless you backup the vault. I have used LastPass which is an online service and also KeyPass that is a local only program. There are other options and I may do a review at a later date, but if you have your business locked down with a luggage lock, I highly recommend that you fix it soon!
Revelation that the NSA has been looking at more emails than they probably should be raises the issue of how secure are your emails? This will be a multi-part blog about different methods of communication. If you happen to be reading this from outside the USA, then some of this may not pertain to you or it may be even more pertinent. In this country we have the 4th amendment that is supposed to guarantee us the freedom from illegal search and seizure. Over the years what this actually means had changed with different court rulings. Most of us expect our email and other communications to be hands off and secure. This is a fallacy I hope to correct with this and future articles.
How Secure is your Email:
The short answer is, IT’S NOT! Email was originally developed to send simple text messages between computers. Nothing was encrypted – not even passwords. Today email is still the centerpiece of most online communication. Many services use an email account as the basis of the service. Think Gmail.com, Mac.com and Outlook.com. These are used for a lot more than simply sending and receiving email and using an email account for access to other services doesn’t change the security of the email system. The simple truth is that most email is passed around in a basic text format. So even if you are using a secure connection to pass your mail from your machine to the server, most likely from there to the destination server your mail is passed around and stored in plain text. Anyone with access to the server could view and read your mail. Anyone capable of reading the traffic between servers could read your emails. However, at the server level the volumes of email being processed create security through anonymity that would deter most from trying to find a specific email.
There are some services that have tried to eliminate this problem. Hushmail is a Canadian secure email provider. They have several levels of service they offer. It was revealed that a Canadian court forced it to decrypt some users emails and turn them over. Hushmail also offers a version of their mail that utilizes a java applet that runs on the customers machine to encrypt the email. This is the most secure method but still has some vulnerabilities if the applet were compromised.
Lavabit, a US based secure email provider used by Edward Snowden, decided to shut down rather than comply with government demands to divulge information on some of its customers. Silent Circle, another messaging provider stopped their offering of encrypted email offerings as well.
The problem with secure emails is that if someone else holds the keys to your security, then the law allows the government to force that provider to cough up the keys and the data. The only protection for a service provider is if they don’t have they keys. This means that if you really want secure email communication you have to encrypt it yourself and pre-share the key with the person you are sending it to.
If you really must send secure data by email be sure it’s encrypted locally. In my next post I’ll discuss some of the other methods of communication and how secure they are.