Wednesday 28 October 2015

What you must never click

Phishing is still hackers’ favoured method to get malware – including ransomware – into your PC. Jonathan Parkyn reveals their latest tricks

Poor Hillary Clinton. As if running for US President wasn’t stressful enough, Mrs Clinton has reportedly been plagued by phishing emails. These included fake notifications of parking violations containing malware that could have let hackers gain access to her precious PC.


But you don’t have to be in the running for the White House to be the target of scams like these. Most of us have been on the receiving end of similar emails, and many have been caught out by fake adverts, dodgy apps and hoax updates. As we said, your antivirus (AV) can only do so much to protect you from these attacks – especially those that exploit your trust so cunningly that you simply wave them through directly into your hard drive, telling your AV that it’s all OK.

Your best line of defence, then, is knowing what not to trust. Here we outline the latest threats to watch out for.

Fake £1 iPhone adverts


The police and the National Trading Standards eCrime team recently began warning consumers about fake adverts claiming that Apple was offering new iPhones for £1 (www.snipca.com/18182).

The ads, which appear mainly on social networking sites such as Facebook, lead people to what looks like a BBC News page about how UK shoppers have discovered “a loophole to get the new iPhone for only £1”. It is, of course, a complete load of cobblers.

This particular scam is known as a ‘subscription trap’. Users are hoodwinked into parting with a relatively insignificant amount of money – such as £1 – only to discover further down the line they’ve actually signed up for indefinite ongoing monthly payments (often for much more significant amounts), which can be difficult to stop.

The fake iPhone ad is just one example of the many ways scammers try to tempt us with offers of cheap or free stuff. If a site or an email offers something at an unbelievable price (often with claims like “retailers hate this!”), then it’s likely to be just that – unbelievable. Similar scams involve notifications of sudden windfalls and HMRC tax rebates. Don’t click any of it. If it looks like it comes from a company that you recognise or regularly use, then follow it up with them directly, using the company’s official contact details – not phone numbers or links in the email or advert.

‘Homicide Suspect’ police emails


We all know not to click anything we receive in unsolicited emails, right? So fraudsters have to try harder, by catching you off guard or shocking you into clicking something that you’d normally give a wide berth.

Last month, for example, the City of London Police began warning of a spoof email claiming to come from – ironically – the “London City Police” with the subject line ‘Homicide Suspect’. The message is intentionally vague but looks official, and appears to suggest the recipient’s involvement in some kind of serious crime. The only way to find out more is to click the attached ‘bulletin’. But it isn’t a bulletin at all; it’s malware that immediately installs itself and allows hackers to gain access to your PC.

iOS alerts with phone numbers


Many people assume iPads and iPhones are safe from online threats, but this is not the case. Take the recent spate of fake iPhone and iPad notifications that users have reported. These pop-ups appear in Safari, looking for all the world like official device notifications from Apple and other companies.

One that’s currently doing the rounds comes in the shape of a crash report, telling you there’s something wrong with your device and advising you to call Apple Technical Support on an 0800 number. This number doesn’t take you to Apple – it’s a lure to get you to give away personal and financial information to hackers. Similar iOS pop-up scams include notifications about phoney (no pun intended) updates.

Thankfully, there’s a quick way to get rid of these. Tap Settings and switch on Airplane Mode. Tap Settings again, then Safari, then ‘Clear History and Website Data’. You should also make sure ‘Block Pop-ups’ and ‘Fraudulent Website Warning’ are switched on. Turn Airplane Mode off and open Safari.

Apps from outside Google’s Play Store


We revealed that ransomware has leapt from PCs to phones and tablets. Android-targeting ransomware Koler, for example, locks you out of your device and displays a fake alert from the police or FBI telling you your device has been used for some kind of illegal activity (pirated software and child pornography are common accusations). The alert then demands that you pay a ‘fine’ to regain control of your device.

The only way ransomware like Koler can infect Android devices is by conning you into installing it, which it does by masquerading as an app. Google has been very vigilant about kicking illegitimate apps out of the Play Store, so the best way to avoid getting infected is to only install apps from the official store.

Similar warnings and demands for fines have recently appeared on iPhone and iPad screens. These can usually be disabled by blocking pop-ups using the steps described under ‘iOS alerts with phone numbers’ above. Suffice to say, never click, tap or pay any fines, no matter what device you’re using.

Facebook messages from strangers


Cyber criminals have long used ‘spear phishing’ techniques to target small businesses. They gather information about individual employees, then use this to send malware-embedded emails. Now, hackers are using the same techniques on everyday users, mainly through social networking sites.

Scammers don’t need a degree in rocket science to gather your personal details and craft a convincing scam that appears to be from someone you know. If you receive a Facebook ‘friend’ request from someone you’ve never heard of, or an unexpected request for help or money – even if it appears to come from a friend or family member – it may well be a spear phishing attack. Always treat any message asking for sensitive information with extreme caution.

Be careful what you reveal in public posts, tweets and status updates. Also tighten your security and privacy settings to limit the people who can contact you. In Facebook, go to Settings, Privacy, then click Edit under ‘Whose messages do I want filtered’ and click Strict Filtering.

WHY YOUR AD-BLOCKER WON’T SAVE YOU


Advert-blocking extensions such as Adblock Plus remove most adverts from web pages you visit – including fake adverts that might otherwise lure you into a phishing trap.

However, it’s important to remember that no ad-blocker is a silver bullet. For a start, even the most powerful tools can’t block all adverts – only those included in their built-in filters. Scammers are quick to adapt to such filters and find workarounds that ensure their adverts appear anyway. Worse still, some malicious adverts are designed to install their toxic wares on your PC even if you don’t click them.

Then you need to bear in mind not all phishing scams are triggered via adverts on web pages. Many are delivered via fake notifications, emails and more. And while your email provider or AV may block malicious attachments, a cunningly worded or convincing fake message is often all it takes to fool you into downloading a dangerous file.