In the first week of June, Bengaluru-based make-up artist Dipthi Aashok opened a video link on Facebook, “What my sex”, that a friend had posted on her timeline. Before she knew it, the video had been posted on her friends’ timelines. “I was shocked,” says the 37-year-old, “the video didn’t even open and I was getting angry messages from my friends on what kind of stuff I’d posted on their timeline.”
She didn’t even realize that her Facebook account had been hacked. Aashok was a victim of phishing.
Phishing and spamming are both malicious activities. Phishing’s main task is to steal a person’s sensitive data (such as password, account login authentication, etc.), while spamming is designed to entice a user to fall for a trap (such as the “Mr XYZ has left you a will, please share your bank account details” routine) or just bombard you with offers.
According to software security firm Symantec Corp’s “Internet Security Threat Report 2014”, India’s growing social media population provides a ready base for cyber criminals, making it the second most targeted country in the world for social media scams. “People voluntarily and unwittingly share enticing videos, stories, pictures and offers in order to gain access to a sensational video or enter a lottery, without realizing that these could include links to malicious or affiliate sites,” says Ritesh Chopra, country manager (India), Norton by Symantec.
“Fake notifications from Facebook and other social networks, the promise of explicit photographs attached to messages, Valentine’s Day discounts, news about Ukraine, a health scare, the spammers try it all to get you to click,” says Altaf Halde, managing director (South Asia), Kaspersky Lab, a software security group with a presence in 200 countries. Once you do click, the malware enters your computer or phone, and either steals all your document files, encrypting them, or tries to multiply by making copies of itself and sending it to all your contacts. According to Kaspersky Lab’s May report, “IT Threat Evolution Report For Q1 Of 2015”, which analysed the spam and phishing threats landscape, India ranked among the top 10 spam-recipient countries. The list includes Russia, Uzbekistan, Germany and the UK.
And with more people accessing Web services and social media on their phones, cyber criminals are following suit, to steal or coerce information.
Indian mobile users are still new to mobile-based transactions. “Most criminal incidents are not reported, hence awareness is low,” says Pune-based Ajit Hatti, co-founder of Null, a non-profit community of experts working to enhance information security awareness. “Also, people trust everything they receive on WhatsApp or email and religiously forward junk and posts with malicious links to 10 other users to either avoid bad luck or get a freebie.” The limited size of a phone screen makes it difficult for you to determine whether the site you’re going to is secure or real, since the real website address is shortened or hidden.
There’s growing concern within security circles about attacks on payment systems, be it banks or payment gateways on websites. “With the rise of more public information about users on the Internet, cyber criminals are able to craft more sophisticated spear phishing attacks and social-engineer your profile and things you’re interested in,” says Ponnurangam Kumaraguru, an assistant professor and founding head of the Cybersecurity Education and Research Centre at the Indraprastha Institute of Information Technology in New Delhi.
Constant vigilance is the need of the hour—here are some new tricks that cyber criminals deploy, and ways to protect yourself.
Injecting a malicious script in your browser
In May, researchers from Google and Stanford University, US, released a report on how spammers have been hijacking your browser to inject ads, those irritating pop-ups you don’t think twice about. They flagged 50,870 Chrome extensions as unwanted ad injectors; 38% of them were malware. “Many of the legitimate sites are hacked and also contain invisible frames,” says Hatti. “When users visit these sites, the malware installation is initiated and your system gets infected.”
Stay safe: A genuine website should have a “https://” before it. If you’ve gone to a site which is not secure (it will have “http://”, without the “s”), don’t click on anything there. Most browsers warn you, “This site may harm your computer”. Follow their advice.
Attacking your wearables
Love that new smartwatch or thinking of buying a connected car? Spammers are increasingly aiming malware at the Internet of things (IoT) and online devices. “Soon all connected devices will be victims of such attacks, where devices will be held hostage by hackers rather than PCs,” says Amit Nath, country manager (India and Saarc), F-Secure Corp., a Finland-based computer security company. In other words, a hacker could lock you out of your latest smart car, make your refrigerator or washing machine act funny, all to extort money from you.
Stay safe: We would say keep your gadgets disconnected from each other, but that won’t be so much fun. Instead, make sure you become extra careful about your Internet security, update to the latest versions of software, and think twice before you click on anything from anyone.
It was only a matter of time before spammers figured out that they could make money from their tricks. So through rogue links over social media, on email, through malicious apps, torrents or porn photographs, they try to install a Trojan program into your computer. “The program blocks your computer access and demands a ransom from you for decrypting it,” says Halde. According to a study by F-Secure, the past six months have seen a ransomware infection in Asia, including India and Hong Kong. “Ransomware is very profitable because your data is encrypted with a key and you will have to pay the hackers a large amount, up to $300 (around Rs.18,900) to get the decryption key back to retrieve it,” says Nath. The trend is already moving from desktops to mobile devices.
Stay safe: Be suspicious of what you’re clicking on or downloading. If you’ve clicked and the spammer has encrypted your documents, there’s nothing much you can do , except negotiate to get the encryption key. And always keep a backup of data.
Emails—genuine or traps?
The line between spam and not-spam is blurring continuously. You get a genuine email from a friend or colleague with an “important document” link which is stored on Google Docs or Dropbox, with their signature at the bottom and no wrong spelling. You click it without batting an eyelid, adding your login details. But it turns out that your friend’s account has been compromised and the link takes you to a fake page without your realizing it. “You put in your username and password and the scammer has you by the neck,” says Kumaraguru. Since the mail looks genuine, you don’t question it and your spam filters don’t activate themselves.
Stay safe: Don’t assume that a genuine email has a genuine link in it. “Before you give any information to the landing page, check if the domain name is corrupted or if the site has a valid SSL certificate,” says Halde. If the site is corrupt, it won’t have the SSL certification or will be “http://” (minus the “s”). SSL is that little lock icon on the corner of the website which tells you it is secure to browse.
In a shortened link over WhatsApp
Just got a link from your friend on WhatsApp or a message which offers you a free gadget, funny video, porn or alarming news? It will most probably be malware. Click it and it will spread to your friends’ accounts. “Social media is being abused by spammers for the last few years but, in particular, chat applications like WhatsApp and WeChat have made it quite easy,” says Hatti. “It has erased the boundary of nations. Sitting in Russia, I can find Indian phone numbers and check whether the number is on WhatsApp and push malicious links to you.”
Stay safe: “There is no free lunch,” says Nath. “When something is free, you yourself are likely the product. In many cases, be wary of links to free products.”
Pop-ups of anti-virus apps
You visit a popular website and a new browser window pops up suddenly, warning you: “You have been infected! Download this anti-virus right now to protect your computer.” Don’t panic and don’t click download, it could be a malicious advertisement, says Kumaraguru. Spammers are trying to play on your fears.
Stay safe: Don’t panic and don’t download anything on to your computer from that advertisement.