GCINFOTECH

One of the most frequent threats on the Web today.

Since we wrote an article on the imminent threat posed by rogue security software (scareware) and cyber criminals, we have received numerous inquiries requesting more information on how to protect computers and networks from these elusive intruders. We would like to share notable examples of fraudulent system alerts and expand on a few known malware manifestations in order to help you better identify security risks. 

Critical Security Measures

  • Keep Java & .NET up-to-date, as both are used in almost all platforms.
  • Schedule Windows Updates to install automatically, or periodically check your system to ensure there are no critical patches requiring action (Start Menu/ Control Panel/ Windows Update).
  • Maintain Anti-Virus & Malware protection.
  • Install a firewall and keep it turned on.
  • Use caution when you click links in email, on social networking websites, or on pop-ups.
  • Make sure you and your fellow co-workers are familiar with common phishing scams.

Fake Virus AlertCiti Phishing Scam

Windows Security Alert  This fake security alert is deceptively similar in appearance to a legitimate system alert, though pay close attention to its language. Are words misspelled? Are there errors with basic grammar? It’s important to examine these alerts for telltale signs of fraud.

Citi Email Phishing  Common phishing scams frequently appear to come from financial institutions and can be difficult to identify especially if you happen to have an account with that institution. Again, look for language inconsistencies and examine the link provided to determine where it actually goes. As a general rule, banks will never ask for personal information in an email, so the best defense is to use common sense.

Spyware Software WarningFake task bar security alert

Common fake task bar alerts  Learn what security software you have installed on your computer. This will help you determine the validity of pop-up alerts warning you of infections on your system. Remember, they’re designed to scare and lure you into a fraudulent scheme that ends with you inputting your credit card or other personal information.

If you have any questions or concerns regarding the safety of your computers and networks, or scareware in general,  do not hesitate to give GCInfotech a call today and one of our technical consultants will be happy to assist you.

GCINFOTECH

Beware of Scareware

Fake Anti-Virus and Rogue Security Software – One of the most frequent threats on the Web today.

Have you ever experienced a random pop-up on your computer warning you of an egregious security risk to your system? It may even appear disguised as one of the legitimate Windows security updates that you’re accustomed to seeing. That’s exactly the illusion that cyber criminals intend to create.

What is fake anti-virus?
Also known as scareware or rogue security software, fake anti-virus is a form of social engineering that lures users to malicious sites and scares them into purchasing fake threat removal tools. This brand of trickery garners big bucks for cyber criminals. Once your system is infected, common manifestations include incessant displays of false alert messages that won’t cease until payment is made or the malware is removed, fake Facebook application invitations, 9/11 scams, and ads for fake comprehensive anti-virus packages. In most cases, the malware pretends to find dangerous security threats on your system and offers a free scan while simultaneously compiling folders of junk on your hard drive that the scan can then detect. From the authentic looking pop-up warning to the professionally crafted website it directs you to, it’s an elaborate ruse to scare you into purchasing a fake anti-virus software.

What can it do to my computer?
Malware authors program certain behaviors to make your system errors seem real and believable, which increases the likelihood that you will purchase a fake anti-virus program. Some of those behaviors include:
  • Prevent anti-malware programs from running
  • Disable automatic system software updates
  • Block access to websites of anti-malware vendors
  • Download other types of malware, like banking trojans
  • Interfere with or corrupt normal system activity and critical processes
  • Disable the task manager and make use of the registry editor
  • Redirect web requests from legitimate websites to error pages or malicious websites
  • Deny access to certain programs
  • Disable parts of the system to prevent an uninstall

How can I protect myself?
Cyber criminals employ a huge variety of tactics to compromise your system– to name a few, SEO poisoning, imbedding code in legitimate websites and advertising feeds, and email spam campaigns (i.e. “you have received an e-card”, account suspension and password reset scams). According to a 2010 study by Google, 11,000 domains hosting fake anti-virus software were found, which accounts for 50% of all malware that’s delivered via internet advertising. These lucrative criminal networks grow daily and their contrivances will only continue with time.

Protection begins with a comprehensive and layered security solution. Whether you’re an individual user or a network of users, always adhere to internet use best practices. Keep your browsers and version of Windows up-to-date. Configure your pop-up blockers and familiarize yourself with what anti-virus solution you have installed so you’re able to recognize inconsistencies.

Information Technology Services

Clean up your IT strategy.  Spring is a perfect time to revisit your plans for those critical IT systems you use to keep your business data safe and secure. Review key procedures and plans like network failover testing, disaster recovery, business continuity, and data backup. Loss of data interrupts your business continuity and can be very costly. Studies show that 1MB of data is worth approximately $10,000 and the cost of having to rebuild 20MB of data could be more than $17,000 and could take up to three weeks to complete (For an integrated, online backup, storage and sharing application, tryIBackup). For those of you with an on-site backup solution, now is the perfect time to run those backups with a test recovery.

Clean up your data storage.  Consider adopting a plan utilizing Data Lifecycle Management (DLM) to remove the day-to-day and budgetary headaches:

  • DLM is the comprehensive approach that organizations use to deal with data throughout its lifecycle, from creation and initial storage to eventual archival or disposal.
  • Options vary depending on need, but some useful storage systems to consider include Storage Area Networks (SAN), Network Attached Storage (NAS) and Hierarchical Storage Management.


Clean out the bugs. 
To be sure  your computers, tablets and smartphones are protected, optimize your security this spring with new or updated Anti-virus, Spyware and Malware software. (For an easy-to-use, simple, and effective anti-malware application, try Malwarebytes)

Clean out your Email. Email mismanagement costs you money. Email is the 3rd largest culprit of workplace interruptions, which cost the U.S. economy $900 billion per year. Take charge and clean up that clutter!

Clean your keyboard. Get yourself an ozone-friendly compressed gas duster and give your keyboard the deluxe treatment it so desperately needs. (Warning: Keyboards are not dishwasher safe.) Your mouse and phone handset can be cleaned with a paper towel and some window cleaner!

 

security

Password security is an increasingly important matter among technology experts as they debate the issue over usability, security and privacy. Ideally the three fields would work more compatibly, providing us with easier systems to use while still maintaining that rock solid security we need. There may always be a degree of inconvenience to the end-user when it comes to creating new passwords and upholding the expectations we set for impenetrable security.

Perhaps a little inconvenience is worth it– as Cory Visi, Managing Partner at GCInfotech, points out, “Millions of computers all over the internet (some hacked, some not) are running programs that scan other computers and servers for weak and empty passwords 24 hours a day, 365 days a year. If your password is simple and short, your account is likely to be hacked.”

It’s a dangerous world out there, one where technology experts have to battle the savvy hacker looking to gain access to your personal or company data while still considering that the legitimate user, you, demands accessibility with nothing more than a few keystrokes. It’s striking that balance between security and usability that ultimately determines how reasonable password requirements really are, and our willingness to comply with them.

It begs a couple of key questions– the more security measures we introduce, the harder it is to use a system? The more security a system has, the less secure it actually becomes? Fundamentally, people understand the need for security and are typically willing to comply because it seems necessary, but it’s really about the effort required to comply that make security measures successful or not. If a system is unusable because of overbearing security protocol, people will invariably create the necessary workarounds in order to get their job done. However this occurs, whether it’s posting a sticky note on the monitor or using “password” as your password – it all boils down to the fact that you just may be sacrificing security for convenience.

Overly restrictive password requirements could in fact decrease security and even increase your costs. Decreased security due to the methods people employ to recall a password, and increased costs due to the resources you may have to redirect toward helping users when they get locked out of their systems recurrently. In essence, the good guys are kept out while the bad guys aren’t affected, because, after all, they have other ways for penetrating your system, including phishing scams and key logging for example.

It’s very important that you have someone, if not the entire IT staff, who understands the intricacies between the systems you run, any new developments that exist for enhancing security measures, the needs of your end-users, and the psychology of illegitimate users. These factors will indeed play a meaningful role in securing your systems. And, of course, engage a mandatory password change policy for your employees.

Cory Visi further explains the need for such a policy by saying, “Even the owners and partners should comply. Password security policies should balance the frequency of changes with the complexity of the password. Passwords that are changed more often don’t have to be as complex. However, high security passwords should always be complex.”

Experts may provide different parameters for password creation, but always remember that the best password is both highly secure and easily recalled by memory. Here are some helpful tips:

  • Use long, non-word combinations
  • Don’t use personal info or follow any discernible patterns
  • Use different character types (i.e. symbols, numbers, upper and lower case letters if permitted by the system)
  • Use a passphrase (i.e. “I Love to eat Carrots and Dip 4 Snack!” = ILteCaD4S!)
  • Use a password management tool
  • Use different passwords for different sites, especially for those you want to keep secure
  • Change your passwords frequently and don’t reuse them for at least a year

If you don’t have a comprehensive plan of action for ensuring the maximum security for your systems, it’s time to have that discussion with your IT consultant. If you need help understanding what options are available or need to know more about password and system security, one of our expert technicians at GCInfotech can help you.