November marks the 30th anniversary of the ‘Morris worm’ and, with it, the first distributed denial of service attack. The ‘Morris worm’ was certainly one of the more interesting viruses, partly because it was in a sense caused by accident: its source was a programmer who wrote it because he wanted to gauge how big the Internet was.
No harm was intended. Unfortunately, that’s not true of the majority of malware today – hence the term, a contraction of ‘malicious software’. It encompasses not just worms and viruses, but spyware, ransomware, Trojan horses and a range of other damaging programs.
From the early days of the Morris worm, the threat landscape has now evolved to include nearly countless numbers of viruses. But when it comes to putting a number to it, even the experts acknowledge that this is a challenge. In a Security Intelligence report, Microsoft’s own team of experts were quoted as saying: ‘Ever since criminal malware developers began using client and server polymorphism (the ability for malware to dynamically create different forms of itself to thwart antimalware programs), it has become increasingly difficult to answer the question “How many threat variants are there?” Polymorphism means that there can be as many threat variants as infected computers can produce; that is, the number is only limited by malware’s ability to generate new variations of itself.’
When you do look for the numbers, it’s hard to find a reliable figure for malware but, depending on what you include, some independent estimates put it at over 840 million individual variants and delivery methods. That’s partly because not only are there thousands of new malware variants discovered every day, but many of them never die – particularly worms, which, as Morris discovered, tend to take on a life of their own.
As far as total malware attacks go, the most recent figures estimate 9.32 billion malware attacks (excluding ransomware) in 2017 alone. That’s an 18.4 percent increase from 2016 – numbers not to be scoffed at.
And it’s often businesses that suffer. Not having the right security controls on your systems and devices can mean financial and reputational damage.
Even if most malware today is created with malicious intent, there’s often still something of an accident involved when it comes to actually getting on your computers. Few would deliberately install software that’s going to harm their business, so the key is to identify the sources of risk and educate staff to avoid them. In that context, we present a slightly alternative list of the five key sources you should be looking at.
As ever, this year saw more warnings about the potential for scams related to the Black Friday sales. Many of those affected will have suffered straightforward fraud, with fake websites stealing money or credit card details, but others will have infected visitors with malware – some simply by people visiting the site, without the need to click on anything.
It’s a reminder that not all compromised websites are adult orientated; when Norton compiled a list of the “100 dirtiest” websites a decade ago, it contained plenty of pornographic-sounding sites, but also more esoteric offerings, such as one focussed on ice skating. Celebrity websites can also be a big source of viruses – see McAfee’s top ten list of dangerous celebrity searches, for example. Good antivirus protection should help detect dangerous websites, and guard against them. Nevertheless, any business that doesn’t have strict policies on Internet use at work (and on work computers outside the office), as well as controls to enforce them, is asking for trouble.
Likes and friends
Social media is pervasive. Facebook alone has 2.27 billion active users – more than a quarter, and not far off a third, of the world’s population. Keeping it out of the workplace is a challenge, and in some businesses, all but impossible – and perhaps undesirable. For malware developers, the tools of some social media sites can be a powerful way to get around businesses’ defences – as well as a way of exposing people to phishing scams (see below). Educated staff might be cautious about opening attachments or even emails they receive in spam (which nevertheless remains a key source of malware); they are likely to be more trusting of messages received from those that are – by definition – “friends”. Last year, Digimine malware spread quickly around the Internet using Facebook’s Messenger tool, in part by taking advantage of people setting their accounts to log in to the service automatically. This enabled the program to send a link to the file to all the account holders’ contacts, without users doing anything.
Closely related to the popularity of social media is the ubiquity of smartphones, which are a potential risk in two respects. First, since most can be connected to PCs, if only to charge, they can introduce malware onto the network. In this respect, they can behave just like a USB drive or other removable media – the source of some of the most (in)famous viruses in history, and still a key problem today (no pun intended). Various technology solutions can mitigate that risk, enabling businesses to lock down USB ports on their work computers, for example. But that still leaves viruses targeting the phones themselves, which are a real issue, whichever platform – iOS or Android – you use. Where employees have sensitive information, such as contacts, emails or documents on business or even personal mobiles, virus protection is a must. Staff should also be educated about the risks of phishing and other social engineering scams, which can be easier to fall for on a mobile device where the identity of a message sender or caller is not always so clear.
Kids (big and little)
The UK computer games market is a serious business, and growing at double-digit rates to £5.11bn last year. That’s created growing opportunities for criminals and others to use games to spread malware, as tens of thousands of players of popular games such as Minecraft and Fortnite have already discovered this year. Given the massive and growing smartphone games market, it’s not just PCs and laptops that can be affected, either. Last year, Google Play had to remove a range of popular games amid fears that up to 36 million Android phones could be infected. According to Kaspersky Lab, viruses in games can be contained in the original download or, as is common with modern games, in extras and add-ons that players can buy or unlock in-game. To mitigate the risk, users should always be cautious when downloading programs and avoid putting non-essential programs onto devices with business information. Businesses should also know what is being downloaded by staff – and anyone else who may have access to their devices. Special security appliances are available to interrogate downloads for safety on the fly.
IT support and fraud prevention
Tech support fraud continues to grow – rising by a quarter last year to 153,000 complaints reported to Microsoft from around the world. In the UK, Action Fraud says tech support scams cost victims £21 million last year. Fraudsters typically claim to be from Microsoft, or from the user’s Internet service provider. Last year there were reports of entire call centres based in India dedicated to attempting to defraud TalkTalk customers. Targets can be fooled into giving away passwords, allowing remote access to their computer or visiting a website that will download a virus onto their computer. They might be targeted by phone – or by email. The details vary widely because it’s really just a subset of the wider phishing or social engineering phenomenon. The fundamentals in all these cases are the same, though: persuading someone that a message or call comes from a trusted source to get them to lower their defences.
And defences are, of course, the crucial factor, because the attacks will continue to change and evolve as the role of technology and the tools we use change. Fortunately, a consistent approach will mitigate the worst of the risks.
First, businesses need to make sure they have the appropriate technological defences – that means not just having in place good antivirus and other solutions (such as application whitelisting and USB port controls, where appropriate), but also keeping these up to date. Antivirus needs regular updates to remain useful, and software and operating systems need to have the latest updates and patches downloaded to plug vulnerabilities that arise over time. Much of that can be automated, but someone should still be responsible for checking that it’s done.
Second, education remains key to avoiding many of the risks. Most viruses require users to do something that they probably shouldn’t – whether that’s to click on a link (or advert), download a program, open an attachment or visit a website. Policies governing the use of company PCs, laptops and phones should provide some protection, but only if businesses make staff aware of the dangers and the importance and relevance of these safeguards. That will not only make employees more likely to follow the rules, but also make them aware of the dangers of using their personal devices, which can cause problems for them – and often the business – as well.