Where Evil Lurks

by Tom McNichol

If anyone needed further proof that no one is safe from computer hackers, the recent attack on Google by cyber-invaders based in China should suffice. The fact that the world's most successful search engine company can have its corporate computers breached is stark confirmation of the ubiquitous dangers. The best you can hope for is to be safer.

Several new variations on tried-and-true hacker strikes have emerged, and the most clever among them require special vigilance.

A Perfect Day for Spear Phishing
Hackers have developed a more sophisticated version of the old email attachment ruse, known as spear phishing.

Spear phishing is a targeted form of hacking in which an email message is crafted to look as though it comes from an employer, colleague, friend, or other seemingly trustworthy source. Rather than spam the Internet with a million dubious emails from the odd Nigerian requesting money, hackers are putting more work into the front end of their exploits, finding out the names of people or organizations you already communicate with via email. The hacker then crafts a targeted email message that uses those names to lull the recipient into thinking the accompanying attachment comes from a trusted source. (In 2009, thousands of computers were infected with a virus carried out by emails with subject lines relating to "Dalai Lama" or "Tibet.")

In all cases, the same rule applies: Never click on a link inside an email, and never open an email attachment from an unknown source. Legitimate companies won't ask you to send passwords, login names, Social Security numbers, or other personal information through email, nor will they ask you to "verify" your personal information that way.

Scareware Is Scary
Hackers know that many users are deathly afraid of infecting their computers with a rogue virus. Bad guys turn this fear to their advantage by offering fake antivirus products, dubbed scareware.

In a typical scareware scam, a user is presented with a pop-up window that says the computer has become infected with a virus, and offers an antivirus program to fix the bug. The purported cure is, in fact, the disease itself: an attempt to extort money or access personal information.

Remember: No website can "detect" viruses or other problems in your computer on the fly. Never buy any anti-virus software directly from a Web offer; go to the company's home page and research what other people are saying about the product. Never accept the offer of a "free" virus scan that suddenly appears on your computer screen. If you didn't already have a virus before you clicked on it, you will shortly.

Social Networking Diseases
Social network attacks usually come in one of two varieties - either viruses that take advantage of the networks' liberal rules for information sharing; or identity theft, hijacking users' posted personal information to impersonate them when making purchases. Alternatively, hackers may use the information they've gathered to personalize an additional attack ("Hey, check out these pictures from Stanford Law's Class of 1985!").

To protect yourself, lock down your personal information on sites such as Facebook, Twitter, or MySpace. Limit access for all but your "approved" circle of friends, leaving only bare-bones information available to strangers.

Remember, hackers will always be looking to piggyback on a popular Web trend, in this case the growing number of social connections made possible by online communities. Just because the sender of an email seems to know a lot of personal information about you doesn't mean he or she is truly your friend.

---