Protect yourself against the trickery of a well-forged e-mail.
Hardly a week goes by without a company, an organization, or a hospital falling victim to a ransomware attack. Their computer systems have been attacked by an extortion virus that encrypts all files and only releases them again upon payment of a high ransom. Yet the computers of almost all victims are protected by an antivirus program. How can this be?
1. Sheer quantity of attacks
Back in 2023, we asked anti-virus expert Andreas Marx of AV-Test how so many infections escape antivirus software, even though it actually protects well. His answer: “Many programs successfully fend off around 99.9 percent of attacks, but that also means that one in 1,000 attacks is successful. And with over 100 million new malware programs a year and several billion Windows PCs, there is thus always a residual risk.”
In other words, the masses do it. Criminals spread viruses by the millions, so in the end there are still many who can slip through the security gaps of a computer system. Peter Stelzhammer, security specialist and co-founder of AV-Comparatives, also sees the mass of distributed viruses as a reason for the success of malware. But he also mentions other reasons and gives tips for good protection. You can find the interview with Peter Stelzhammer at the end of the article.
IDG
Most malware is spread by e-mail. Either the malicious code comes directly as an attachment or a link in the e-mail leads to a virus. To a much lesser extent, malicious code also comes via messenger or SMS. In these cases, a link is almost always sent that refers to the malicious code or an infected website.
Basic protection is provided by an installed antivirus program. Your PC also must not have any security vulnerabilities open. You can ensure this by always installing all program and Windows updates. These patches close newly discovered gaps in the system. In addition to these technical requirements, you must become a security guard yourself. Always be extremely suspicious of e-mail attachments and links you don’t recognize.
If in doubt, refrain from opening the attachment. If this isn’t an option, open the attachment only in a secure environment, e.g. in a sandbox under Any.run.
2. Targeted attacks on security flaws
Security researchers repeatedly find security flaws in the standard configuration of programs. Not often, but often enough, these are also vulnerabilities that can initially be exploited without typical PC viruses. This is the case, for example, when remote access to a company’s PCs is only protected with a standard password or simple passwords. This is virtually an invitation for hackers to take possession of these systems.
Once they are logged onto a system, they can cause further damage by, for example, disabling the installed antivirus program and sneaking their malicious code into the system.
Detecting vulnerable systems is easier than one might think. After all, scanners can be used to search large parts of the internet for vulnerable systems. In the simplest case, the attackers use search engines for security vulnerabilities such as Shodan.
Use very complex and unique passwords for all services where someone can log on to your computer. It’s best to activate two-factor authentication. Typical home networks are affected in two places here. The first place is the router (if remote access is enabled for it) and the second is the computer itself (if a remote desktop service like Windows’ is used there).
IDG
3. Credential Stuffing: Stolen log-in data
With this method, the attackers do not have to wait for someone to find a security hole in a software or standard configuration (see above). Instead, the attackers obtain the credentials of hundreds of thousands or millions of users from underground forums and attempt to log in with those credentials. These attacks are called credential stuffing and primarily target online services such as the mailbox or a shopping website, but can also be applied to remote desktops.
With tools like Sentry MBA, credential stuffing works automatically. They test username and password combinations on a variety of websites simultaneously. For some online shops, a large part of the login traffic already comes from such tools.
All users who use the same password for several accounts are at risk. On the other hand, those who create a separate password for each service have little to fear.
4. Targeted attacks via social engineering
These attacks mainly affect employees of companies, but also at home on a private PC. This is shown by the attack on the private laptop of a LastPass developer. After hackers gained access to this laptop, they were able to penetrate the LastPass company network and steal a considerable amount of customer data.
One possible form of attack is spear phishing. In this hacking method, the attackers find out very detailed information about the victim before the attack. For example, the hackers find out which employees are responsible for accounting or work in the human resources department. These people then receive an e-mail with an invoice or an application attached. Of course, the employee will open the attachment because the e-mail is addressed to them personally, speaks directly to them, and thematically falls one hundred percent within their area of work. The attachment usually contains a PDF file with malicious code that exploits a new vulnerability in the company’s PDF viewer.
Good protection against spear phishing is particularly difficult because the attack is tailored to the victim. Good technical measures, such as only allowing e-mail attachments to be opened in a protected environment (sandbox, virtual PC), will likely help.
5. Attacks with new tricks like SMS and video
A virus can usually bypass an antivirus program when it is still very new. The protection program does not yet recognize the virus. The attacker can make sure that the virus is new because new viruses can be bought in underground forums. However, the attacker must then get their new product onto as many PCs as possible as quickly as possible. This can be done via mass e-mails (see point one) or via new tricks. These include, for example, messages sent by SMS containing a link to the new malware.
The State Criminal Police Office of Lower Saxony, for example, warns against such phishing SMS messages. The criminals often pretend to be DHL support. With fake parcel SMS messages, they try to get their victims to divulge private data. These are later used by the fraudsters for identity theft. But, of course, this scam can also be used to spread malicious code.
The very latest is the use of videos created with the help of artificial intelligence. The videos show how expensive software like Adobe for example can be used for free with a crack. This link, which leads to the crack, contains malware. Alleged cracks for expensive software have been used for decades to infect other people’s PCs. What’s new is the elaborate packaging in the form of an explanatory video.
What protects against spam by SMS also helps against spam by e-mail. Be very suspicious of links in a message. This mistrust should also be extended to other approaches such as elaborately made videos or extensive messages.
Interview with a security expert
We talked about this topic with Peter Stelzhammer, security specialist and co-founder of AV-Comparatives (www.av-comparatives.org). Check out our interview below.
PCWorld: How can it be that antivirus programs detect 99 to 100 percent of all PC malware and yet so many computers are infected?
Stelzhammer: The problem is that antivirus programs are still partly reactive. The cyber criminals, on the other hand, usually take a proactive approach. This means that the criminals look for and find gaps in the antivirus programs and exploit them. The manufacturers of the antivirus tools can only react afterwards, i.e. be reactive and close the gaps within hours or days. This can also be seen in our tests of antivirus software. Many tools protect a good 99 percent against all current viruses. So, a few viruses still get through. And with the mass of viruses, that explains some of the infected systems. By the way, the programs with one hundred percent detection in our test do not manage this in every test either.
PCWorld: So is virus protection pointless?
Stelzhammer: No. It’s already the case that I’m well protected against pests with a computer with a good anti-virus program and all updates. Especially as a private person. But it is important that the antivirus program and all other installed programs and, of course, Windows are up to date. And to be well protected in case of an infection, you also need a backup. This should not remain connected to the PC. Because then it could also be encrypted by ransomware.
PCWorld: Do attacks focus more on companies or private PCs?
Stelzhammer: Companies. That is more lucrative. Infected private PCs are collateral damage.
PCWorld: What’s the most frequent type of attack?
Stelzhammer: Phishing by e-mail or other messages and fake websites are the biggest entry vector. The criminals use sophisticated tricks. One example is the domain www.poIizei.com. The letter L in the address is actually a capital I. In this way, criminals can forge almost all web addresses in which the letter L appears.