Here are some of the ways cyber-criminals attack unwary web-surfers. That's why it's essential to employ a proactive defense if you engage in wide-ranging Web travels.
Sham or bogus webpages are designed to fool people so well that they give up their personal information. It can be very tough to tell a bogus webpage from the real thing. You're sure you're at a site you trust. But your personal information — account number, credit card number, expiration date and even your SSN — is actually going to a rip-off artist.
It's easy to steal a real webpage — graphics and all — and use it for your own evil purpose. The whole webpage may seem to be completely legitimate; but all but the bogus links go to the counterfeiter. The website address will also look plausibly correct. Many financial websites — banks, mutual funds, PayPal, Earthlink, etc. — have been used as templates for these frauds.
Bogus websites are often used for phishing. The bait is usually a bogus email message — an urgent notice to go online and straighten out some problem with an account. The link takes you directly to the fake webpage.
Web mail also presents webpages to give you access to your messages. Bogus messages can be sent by anybody. They can look exactly like they come from a real financial firm.
You're liable to run into malicious content just about anywhere these days, including sites that you trust. Cyber-criminals have learned how easy it is hack legitimate websites. They simply hide their poison content or links to it right in the legitimate webpage.
Why is it so easy to poison websites? By extending the original HTML concept, modern browsers can access several computer languages. For example: Java, Javascript, ActiveX, plus Microsoft Word macros. Browsers use those extensions to happily execute any malicious code that gets past your defenses. It all happens quietly without you being the wiser.
Poisoned websites (and email in HTML format) can install spyware, adware, hijackers, dialers Trojans or other kinds of malware. The attack may occur as the webpage opens, or you may launch the attack when you click a link. You will probably not even know it happened. [where angels fear to click]
Poisioned content may be lurking on a personal page on a service like Facebook, or YouTube, or on a friend's blog. It may be disguised as an advertisement, image or video. It may just be a link, for example, in a tweet on Twitter.
Miscreants also poison search results pages — like those from Google and Bing — with "sponsored" or search word ads that link to booby-traps.
Popup windows are another way to foist spyware onto PCs. You get used to seeing popups or other notices from websites. Clicking "OK" can become a reflex action. Spyware writers know this. Popups advise that software is needed to fix a problem, properly view a page, or some such malarkey. When you click, in comes the spyware.
"Pop-up Downloads" often appear as small system or security notices, and ask things like, "Do you accept this download?" or "Do you trust this software from..., and do you want to install it?" It often appears that if you don't, the content you wanted won't be available. They're designed to get a knee-jerk benefit of the doubt. When you click the "Yes" button the foistware is installed on your computer. [more]
That dialog box that pops up and claims you need to install a plug-in to view special characters, or to open the page, or to get some great new whiz bang could also be a trap. Even those that carry a widely recognized name like Adobe Reader Macromedia Flash, Shockwave, RealOne, etc. They could be fake.