Fake and Poisioned Websites
Counterfeit webpages
Fake webpages trick people into giving up their personal information. It can be very tough to tell a fake webpage from the real thing. You're sure you're at a site you trust. Your personal information -- account number, credit card number, expiration date and even your SSN -- is actually going to a rip-off artist.
These counterfeit websites are often used for phishing. The bait is usually a bogus email message. For example, an urgent notice to go online and straighten out some problem with your account. The link is the hook in the bait. It takes you to a fake webpage.
It's easy to steal a real webpage -- graphics and all -- and design a page for your own evil purpose. The webpage looks completely legitimate. Most of the links may even take you to the real website. The website address usually looks plausibly correct. Many financial websites -- banks, mutual funds, PayPal, Earthlink, etc. -- have been used as templates for these frauds.
Web mail utilizes webpages to give you access to messages. Bogus messages can be sent by anybody. They can look like they come from a real financial firm. They can be used for fraud as easily as using a fake webpage.
Malicious webpages
You're liable to run into malicious content just about anywhere these days, including sites that you trust, like a search page or news site. Cyber-criminals have learned how to easily poison legitimate websites. Malicious content may be hidden in a personal page on a service like MySpace, or even in a personal comment. It may be disguised as an advertisement, image or video. It may just be a link. Malicious webpages are the fastest growing Internet threat today.
Why is it so easy to poison websites? By extending the original HTML concept, modern browsers can access several computer languages. For example: Java, Javascript, ActiveX, plus Microsoft Word macros. Browsers will use those extensions to happily execute any malicious code that gets past your defenses. It all happens quietly without you being the wiser.
Poisoned websites (and email in HTML format) can install spyware, adware, hijackers, dialers Trojans or other kinds of malware. The attack may occur as the webpage opens, or you may launch the attack when you click a link. You will probably not even know it happened. [where angels fear to click]
Popup windows
Popup windows are another way to foist spyware onto PCs. You get used to seeing popups or other notices from websites. Clicking "OK" can become a reflex action. Spyware writers know this. Popups advise that software is needed to fix a problem, properly view a page, or some such malarkey. When you click, in comes the spyware.
"Pop-up Downloads" often appear as small system or security notices, and ask things like, "Do you accept this download?" or "Do you trust this software from..., and do you want to install it?" It often appears that if you don't, the content you wanted won't be available. They're designed to get a knee-jerk benefit of the doubt. When you click the "Yes" button the foistware is installed on your computer. [more]
That dialog box that pops up and claims you need to install a plug-in to view special characters, or to open the page, or to get some great new whiz bang could also be a trap. Even those that carry a widely recognized name like Adobe Reader Macromedia Flash, Shockwave, RealOne, etc. They could be fake.
Example
You're surfing along, and a window pops up. It has an "X" on it, so you click it to close the window. That triggers a stealth download. The software disconnects you from your ISP, dials a $4.99 per minute "premium service" and you end up with a huge phone bill.
What happened? The "X" was fake -- the whole window was just a graphic. Anywhere you clicked was a link to the "drive-by download". If you get a popup, close it with the "Ctrl-W" keyboard shortcut. Just hold down the "Ctrl" key and press the "W" key. That will close the window without triggering the download.
Demonstration
There's a simple way to include malicious content in music or video files. The file can then be simply linked from a webpage. The link can even be hidden. To see a demo, download and run example.mp3 -- you can trust me, I'm a grandfather -- to see a convincing but perfectly safe demonstration. (*.mp3 is a popular compressed file format used for music.)
You'll need Windows Media Player to play the sound and see the results. In addition to the music, three more browser windows will open -- unless you have your security settings set too high. These windows will just display some perfectly safe content. If this little file can do that, just imagine what a crook or malcontent could do with a file they concoct.
- • attack vectors
- deception the #1 threat
- phishing #1 deception
- poisoned websites
- poisoned email
- email attachments
- downloads
- spam (scams and phishing)
- hackers and worms
- popup warnings
- • malicious content
- spyware
- viruses and worms
- trojans
- • backup is security job one
- • develop your "web smarts"
- don't get hooked
- guard against spyware
- be careful with email
- fear attachments
- surf safely
- • tighten security settings
- windows
- browsers
- email clients
- • defense tools and software
- firewalls
- hardware firewalls
- anti-virus
- anti-spyware/-malware
- all-purpose security suites
- • patch and upgrade software
- • bonus: double your security
- • test your protection
- • protect your privacy
- • WiFi security