Hackers are devising cunning new ways to steal your files and money in 2017. Jane Hoskyn reveals next year’s big threats and what you must do to stay safe
The biggest security story of 2016 is that we’re all fed up with security stories, apparently. According to certain newspaper reports, we’re all so bored of being warned about malware and hackers that we’ve stopped caring. This supposed epidemic of ‘security fatigue’ – based on a study by the US National Institute of Standards and Technology – neatly fits the “down with experts” narrative of recent months.
However, this isn’t what we’re hearing on doorsteps (figuratively speaking). Judging by your letters and emails, you’ve never been more attuned to the dangers of email scams, dodgy software installers and even Wi-Fi hijackers. Of all the security tools we’ve mentioned over the past 12 months, your favourite is an online tool that scans your router for dodgy DNS activity (F-Secure Router Checker: www.snipca.com/22682). Security fatigue? Not among our readers, that’s for sure.
Knowledge is power
Your lack of complacency gives you an edge because you’re less likely to be hoodwinked by hackers if you’re on your guard and know what to look out for. The trouble is that threats keep changing, so it’s hard to keep up. Ransomware is by far the most serious malware threat as we move into 2017, not least because it seems able to shape-shift every week to escape detection as hackers find new ways to evade your antivirus.
In this feature we’ll help you stay a step ahead. First, we’ll expose hackers’ latest thieving tactics, which range from breaking your PC’s security with a £4 USB stick, to laying traps using highly convincing, and wholly fake Windows 10 updates. Then we’ll explain the security rules you need to follow now to ensure you don’t fall victim to hackers in 2017.
HACKERS’ LATEST ONLINE TRICKS
Ransomware in phishing emails
A year ago, the idea that hackers could use a fake email attachment to hold your files hostage was still fairly new. Fast forward to the end of 2016, and an astonishing 97.25 per cent of all phishing emails sent during the third quarter of the year contained ransomware, and most of this ransomware was Locky.
Locky? Unlucky for many. This jaunty-sounding little horror was only discovered in February, but it now infects 90,000 PCs a day and has been used to extort hundreds of millions of pounds from victims across the world (www.snipca.com/22685).
Malicious emails may sound old fashioned, at least in the context of PC security, but this is no ILOVEYOUstyle spam from Nigerian fraudsters. Instead of relying on one phishing hook, Locky turns up in a series of personalised guises, such as fake transaction receipts, shopping orders, invoices and bogus tax refunds - and that variety makes it very hard to look out for. The emails contain attachments that prompt you to ‘enable macros’ or enable content’ – (system permissions that allow the ransomware to corrupt or encrypt your files silently in the background). The first you’ll know about it is a ransom demand that invites you to download ‘decryptor’ software for a price, usually half a bitcoin (£290).
Ransomware in Facebook and Chrome
Locky is so successful because it’s easy to obtain, use and customise. It’s putty in a hacker’s hands. Even an inexperienced cyber-criminal can tweak it so that it can use ever more serious ways to sneak on to your PC. It’s so malleable that hackers have reportedly worked out how to embed it in Facebook Messenger photos, including photos in messages sent by friends and family. Neither you nor your friend can tell the photo is infected, and as soon as you click it the ransomware downloads to your PC. You then get a plain-text ransom note (‘Locky_recover_instructions.txt’).
Facebook insists there is no Locky “or any other ransomware… on Messenger or Facebook”, and blames the ransomware invasion on “several bad Chrome extensions” (www.snipca.com/22686). Even so, security firm Check Point, which discovered the booby-trapped photos and has dubbed the saga ImageGate, warns users not to click any photos in Facebook Messenger, or indeed any social-media site (www.snipca.com/22683).
Helpfully, Check Point has posted a YouTube video illustrating how people have been infected (www.snipca.com/22684). The firm has decided not to release further information until Facebook and Google have fixed any vulnerabilities.
Whatever the details of ImageGate, it shows that ransomware can reach the parts other malware can’t. The outlook is frightening.
Personalised blackmail
Hackers have recently started combining ransomware and trojans to create a digital version of the oldest security threat in the book – blackmail. First came Delilah (dubbed an ‘Insider Threat Trojan’), which goes looking for potential blackmail material in its victims’ browser histories and webcam videos (www.snipca.com/22697).
Then, in November, researchers discovered Ransoc, which uses your Facebook profile and Skype activity to create a fake ‘Penalty Notice’, which threatens to publicly expose any suspicious or illegal files it finds, unless a ransom payment is forthcoming (www.snipca.com/22696).
So far, Ransoc has only targeted victims in the US, but it’s spreading fast via fake adverts (‘malvertising’). It combines so many current technology and security trends that we expect to see many more attacks like it in 2017.
Domino password hacking
Historical hacking attacks are coming back to haunt you in 2017. Passwords stolen from Yahoo, Myspace, Dropbox and other infamously breached sites – along with recent targets Tesco Bank and Three Mobile - aren’t just sitting under a hacker’s mattress. They’re being used to steal from your other accounts.
To give just one example, hackers used previously stolen passwords to plunder the accounts of Deliveroo customers in November. The online takeaway service had to refund customers up to £200 each for food orders placed by hungry hackers.
Hacked pizzas may sound quaint compared with ransomware, but this phenomenon, likened to “a domino effect across multiple organisations” by Kevin Cunningham of security firm SailPoint (www.snipca.com/22699), is potentially devastating for PC users. Ransomware and trojans will eventually be blocked by antivirus software (at least until hackers find ways to bypass it again), but no antivirus (AV) can stop a hacker using your old password. If they use an old password to crack your bank-card details, they’ll soon run up a bill far bigger than any ransomware demand.
Is one of your current (and regularly re-used) passwords sitting in a hacker’s treasure trove? Almost certainly. In August, the passwords of nearly 70 million Dropbox users were discovered online, four years after the site was hacked. At the time of the attack in 2012, Dropbox insisted no passwords had been stolen. In May, Myspace and LinkedIn both confirmed hundreds of millions of passwords and email addresses stolen in 2012 were now for sale online. And in September, Yahoo admitted that 500 million of its users’ accounts were up for sale on the dark net after being stolen in 2014. These vast stashes of old passwords are nothing less than a security time bomb.
Stealing your passwords from the street
Who’s been eating your Wi-Fi? All your neighbours, potentially. And that strange fellow sitting on your front wall with his tablet. We revealed just how easy it is for anyone within range of your router to piggyback your signal using free programs and apps that crack your router password.
That’s intrusive and greedy, and could land you in hot water if the Wi-Fi thief uses your connection for illegal purposes. But at least it’s not as bad as having your actual account passwords stolen. Ah, but now hackers have found a way to do that too. All they have to do is set up a makeshift Wi-Fi hotspot near you, and then use it to track your PC key strokes and touchscreen taps. This allows them to gather your passwords and PIN codes without the need to install malware on your PC or device.
Luckily, these hackers are academic security researchers, and they have published full details of their ‘WindTalker’ experiment at www.snipca.com/22702. They’ve also posted a very watchable video on YouTube (www.snipca.com/22703).
If they can do it, hackers with criminal intentions could soon follow suit. As a means of stealing your passwords, it’s a lot easier than breaking into Yahoo’s server and a lot cheaper than buying Dropbox passwords from the internet equivalent of a shady bloke in a raincoat.
HACKERS’ NEW WAYS TO BREAK INTO YOUR PC AND HOME
Botnet trojans in your set-top box
Let’s get this daft phrase ‘Internet of Things’ out of the way, and then never speak of it again. It’s jargon for internet-connected devices that aren’t PCs, phones and tablets. There are probably a few dotted around your house – router, smart TV, set-top box, wireless printer. Connected thermostats, baby monitors and even light bulbs are also increasingly common.
These devices are built for convenience not security, so they’re sitting ducks for hackers. Routers have long been an easy target. Hackers infect them with botnet trojans that forcibly recruit them into a network of ‘bots’, which they then use to blast big servers with unwanted internet traffic - like directing thousands of hairdryers at one victim. Your router may be part of a botnet right now. To find out, visit F-Secure Router Checker (www.snipca.com/22682).
Hackers have finally twigged that other connected devices can be hijacked in the same way. In September, 150,000 TV set-top boxes and cameras were hijacked to create a botnet that attacked the servers of French internet firm OVH (www.snipca.com/22707). Shortly after that, the creators of the Mirai botnet trojan - which targets connected home devices - released its source code online (www.snipca.com/22705). A Mirai variant infected nearly 1 million Deutsche Telekom routers in November (www.snipca.com/22715), and we expect many more powerful variants to appear in the coming months.
Backdoors in your Android phone and tablet
Another type of malware that commonly affects routers is something known as a ‘backdoor’ – a hidden file that lets a hacker control the device from afar. Backdoors affect PCs, tablets and phones too – and the source doesn’t always have to be a hacker.
For example, security firm Kryptowire recently discovered backdoors in Android firmware developed by Chinese company Shanghai Adups, which supplies budget manufacturers including ZTE, Huawei and BLU. The bugs were pre-installed deliberately so Adups could collect data about their customers (www.snipca.com/22747). Adups told Kryptowire the firmware was not intended to be used outside China, but it nevertheless found its way on to Android devices in 150 countries, including the UK. It makes you wonder how many other software companies are secretly hacking your devices to keep an eye on you.
Worms in your lightbulbs
To demonstrate how vulnerable our connected devices are, security researchers have hacked Philips Hue internet-connected lightbulbs using a worm, a hole and a drone. Sounds like a fun day at the office.
The researchers used a worm (selfreplicating malware) to infect a batch of bulbs with their own software called IrradiateHue using a security hole that Philips has since fixed. Then, using a Wi-Fi-enabled drone (positioned more than a thousand feet away), the team took control of the bulbs and made them blink ‘SOS’ in Morse code. Then they installed malware to block firmware updates so they could theoretically control the light bulbs forever. You can watch a YouTube video of the experiment in action (www.snipca.com/22708).
Thankfully, these researchers are ethical hackers. A malicious hacker could easily use a similar strategy to attack and take control of the lighting, heating and locks in a (not so) smart home.
Recording your conversations without a microphone
Facebook boss Mark Zuckerberg famously tapes over his microphone to keep eavesdroppers out, while FBI Chief James Comey tapes up his webcam (www.snipca.com/22738). But hackers are already ahead of them.
Malware can now can turn your PC into a covert recording device that captures any sound in the same room, using the speakers attached to it (no microphones needed). The malware, called Speake(a)r – a tortuous pun on ‘ear’ – hijacks your PC’s built-in audio card to effectively reverse the output of your speakers to input. The sound can then be transmitted to a receiver several miles away (www.snipca.com/22741).
The £4 USB hacking stick
Clearly, hackers have never had it so good. Ransomware is simple to tweak, your passwords are up for sale and your house is a botnet waiting to happen. But here’s the easiest hack yet – a USB stick that automatically steals passwords and bank details in under a minute, and costs less than a posh sandwich.
The PoisonTap device is a Raspberry Pi Zero containing code that’s now freely available online. When it’s plugged into a running PC, PoisonTap emulates an internet connection and then automatically gathers account data, including cookies and history. It can do all this in seconds. It can also install malware, such as backdoors, to give hackers remote access to your PC.
Imagine how easily you could fall victim. A hacker comes to your house pretending to read the meter, then sticks a PoisonTap into your PC while you’re making them a cup of tea. Or you’re using your laptop in the library, and the guy at the next table leans over with a PoisonTap while your back is turned.
PoisonTap creator Samy Kamkar (https://samy.pl/poisontap) says he simply wanted to demonstrate what’s now possible. The method is so effective, he says, that the only way to guard against it is to fill your USB ports with cement. We wouldn’t go that far, but some of that packing tape may come in handy.
HOW TO KEEP YOUR PC UNHACKED IN 2017
Automate your software updates
New ransomware, botnet trojans and backdoors are emerging on an almost daily basis, and your software is constantly being updated to block them. So you must set your AV, Windows and software to install updates automatically.
They’re likely to do this by default, but go to their settings to check. Also make sure your AV is set to update virus definitions automatically, so threats are blocked as soon as they are discovered. Never be tempted to switch off Windows 10’s automatic updates – the consequences could be devastating.
Remember, updates are not the same as upgrades. You do not have to upgrade to Windows 10. Windows 7 is safe for another three years provided you keep it automatically ‘patched’ and up to date. The same goes for Windows 8.1 until January 2023. Once a program or operating system stops being updated, it’s not safe to use. This will happen to Office 2007 and Windows Vista in 2017.
Encryption, encryption, encryption
If you’ve got nothing to hide, you’ve got nothing to encrypt, right? Fine, if you don’t mind hackers secretly snooping on your texts. Get into the habit of encrypting sensitive documents and all messages. WhatsApp now encrypts messages as they’re being sent, but stores these unencrypted on your phone. Try using free new app Signal Private Messenger (https://whispersystems.org). It encrypts messages and lets you set them to self-destruct completely and permanently.
To scramble sensitive PC files and back them up at the same time, use the brilliant open-source tool CryptSync (www.snipca.com/22756). Once you’ve chosen a pair of folders, CryptSync will encrypt the backup folder and leave the original unencrypted so you can work on its contents. You can add a password for even better security.
Use a VPN to keep snoopers out
It’s no surprise to see VPNs becoming popular, given that even the government can now monitor your online activity. VPNs, such as free program TunnelBear (www.tunnelbear.com), mask your IP address to prevent hackers and websites – as well as civil servants – seeing where you are and what you’re clicking.
A VPN can slow down your connection, so you might not want to use one all the time at home. But it’s essential when you’re using Wi-Fi hotspots. More than one in four hotspots are unsecured, according to Kaspersky (www.snipca. com/22758), so even a casual observer can intercept everything you do.
Ditch passwords and go biometric
Your old passwords are probably up for sale on the dark net, and a hacker may be using them right now to unlock accounts you’d forgotten you had. Stay safe by finding these accounts before the hacker does, then delete them. To find accounts you’ve forgotten about, search your email for phrases like “confirm email” and “security question”, then follow the links. Also look up services using JustDeleteMe (http://backgroundchecks.org/justdeleteme).
To secure the accounts you still use, change all your login details now. Create un-guessable passwords using an encrypted password manager such as LastPass (www.lastpass.com), which is now free for PCs, phones and tablets. If an account supports two-factor authentication, use it.
If you can set up biometric login, even better. A hacker may guess your password, but they’ll have trouble hacking your face and fingerprints. Apple and Lenovo are already building biometric sensors into PC touchpads, so instead of using a password you use your fingerprint.
Free Android app IObit AppLock (www.applock.tech) now lets you lock your device using your face and voice. We hope to see other tools adopting similar techniques for account logins.
Never pay ransoms
Believe it or not, victims of ransomware usually pay. They’re in a panic, they want their files back, and £290 may seem just affordable enough to escape the nightmare. But that’s like handing over cash to a criminal who says he’ll hand your car keys back after you’ve paid him (hint: he’ll drive off with your car and cash). The decryptor software mentioned in ransom notes often fails to work, and by paying for it you’re just supporting the hackers’ business. You can find Locky removal instructions here: www.snipca.com/22768.
Find out if your router is secure
How can you tell which brand of router or set-top box is safest? At the moment, you can’t. PC user Michael Horowitz was so shocked by the lack of guidance from router manufacturers that he created a site, Router Security (http://routersecurity.org), to help. From here, click Tests to find all kinds of router security checks, including the DNS Leak Test.
With the rise of malware like Mirai, which specifically targets routers and set-top boxes, things need to change fast. The influential Broadband Internet Technology Advisory Group (BITAG) has called for a Kite Mark-style industry logo to help shoppers choose safe products. Meanwhile, it’s demanding that manufacturers build in security measures such as automatic software updates, encryption for stored data and easy ways to set and change passwords. You can read BITAG’s new report at www.snipca.com/22765.
Tighten up User Account Control
By default, Windows User Account Control (UAC) notifies you when certain system tools try to make changes to your PC settings. For better security, change its settings so that it notifies you every time a program wants to make changes. Type user account into Search, then press Enter to open User Account Control Settings. Drag the marker to the top (‘Always notify’), then click OK.
Know how to remotely wipe your tablet and phone
A ‘remote wipe’ option lets you remove all data remotely from your phone and tablet if they’re hacked or stolen. iPhones and iPads have this feature built in (www.snipca.com/22767). If you have an Android device, you can use a free app such as Android Device Manager (www.snipca.com/22766). Set it up now, before it’s too late.
HOW TO CATCH A PHISH
Phishing emails are the biggest malware threat facing computer users in 2017, according to the security company that discovered Locky ransomware. Proof-point recommends blocking all email messages that contain executable code – usually EXE or JS (JavaScript) files (www.snipca.com/22771). But this wouldn’t stop Locky, which is usually spread in Microsoft Word files. So never open attachments in emails from senders you don’t know. If an attachment asks you to enable macros – even when sent by someone you trust – don’t click OK.
Be wary of any email asking you to verify your account details. Even if the email seems legitimate – for example, Yahoo urging you to change your password – go to the site via your browser’s address bar, instead of the email link.
We’ve seen far too many accountverification phishing emails, and it’s just not worth the risk. Also remember that you’re very unlikely to be asked to ‘verify this transaction’ after shopping online or placing a legitimate order, so don’t click any email links that ask you to do so.
WHY WINDOWS 10 COULD GET YOU HACKED
Microsoft wants you to think you’re in danger unless you upgrade to Windows 10. Those using Windows 7 do so “at your own risk, at your own peril”, said Microsoft marketing boss Chris Capossela in early 2016.
That’s both patronising and untrue. Windows 7 is safe, and will continue to be fixed and updated for security – in other words given ‘extended support’ – until January 2020. Even Windows Vista still benefits from extended support, but only until April 2017, so you must stop using it soon. As for Windows 10, it’s not quite the unhackable fortress Microsoft imagines. Here’s why.
1 WINDOWS 10 CRIES WOLF
Windows 10 blocks far too many safe third-party programs. Its blue SmartScreen warning window pops up constantly when we’re trying to test free software. We check every blocked file using VirusTotal (www.virustotal.com) and our antivirus (AV), and in nearly every case it shows it to be a false positive. This makes Windows 10’s warnings hard to take seriously – meaning we’re more likely to get bitten one day.
2 WINDOWS 10 IS WATCHING YOU
Windows 10 automatically tracks your activity and stores the data. This ‘telemetry’ doesn’t exactly cultivate trust. Instead, it encourages users to install powerful thirdparty tools that block Windows 10 services, including vital security updates.
3 WINDOWS 10 MAY KILL YOUR ANTIVIRUS
Microsoft is desperate to push Windows 10 and its built-in tools. It installs massive Windows 10 files on Windows 7 and 8 PCs without asking, and on Windows 10 PCs it reinstalls and re-enables unwanted tools including Windows Defender - which may do more harm than good. In a blog post, security firm founder Eugene Kaspersky accuses Defender of interfering with other AV programs (www.snipca.com/22746). Defender should not run if you’ve installed your own choice of antivirus.
YOUR BACKUPS AREN’T SAFE IN 2017
Backups are bad for hackers’ business. If you have a spare copy of your files, you won’t need to pay a ransom for the original files. So hackers are now using ransomware to blitz your backups, too.
First came Samas, a ransomware strain discovered in March and already regarded as “infamous” (www.snipca.com/22706). After encrypting your files, it goes looking for backup files on your hard drive or any connected source such as a NAS drive or Dropbox folder, then deletes them permanently. By the time you realise your originals are encrypted, your backups have gone. A newer variant, Jigsaw (pictured), backs up your files then deletes the originals. Then it threatens to destroy a batch of backups every hour until you pay up (www.snipca.com/22688).
Does this mean backups are pointless in 2017? No. But you need to make more backups than ever. Keep at least one copy of valuable files in a place ransomware can’t reach, such as an external drive that isn’t connected to your PC, or a USB stick or DVD that you then remove from your PC.
As ransomware grows more sophisticated, though, even these ‘off-site’ backups have the potential to become unsafe. We haven’t yet seen ransomware that lies silently in wait until you plug in a USB stick and then corrupts every file on it, but that would be the logical next step. Not that we want to give hackers any ideas.