As technology has improved, the risks have changed.
As I was reading a report of yet-another-vulnerability in some application or operating system, something struck me: almost all recent vulnerabilities rely on one specific thing to be able to inflict their damage. If that one specific thing doesn’t happen, the vulnerability has no impact.
The software should still be fixed, of course, mostly because that one specific thing can’t be fixed.
But you should be aware of it.
The biggest risk to your security
Phishing attempts have become one of the most common ways that malware spreads and account compromises happen. Be it a malicious download or a fake sign-in page, it’s critical to be on your guard.
The biggest risk to your security is phishing.
In the past, it was malware that spread in some automated fashion without your interaction, or was included in software you downloaded and installed.
While both still exist, as do other threats, successful phishing attempts have leapt ahead in terms of successful malware installation and account hacking.
A successful phishing attack can sidestep all the greatest and most up-to-date security software and protections. Couple that with an unpatched software vulnerability present on your machine, and all bets are truly off.
There are two broad classes of phishing: phishing for malware and phishing for credentials.
Phishing for malware
In phishing for malware, the goal is to fool you into running malicious software on your machine. Malware, of course, can do anything, so you might be exposing your data, installing a bot or keylogger, or opening yourself to perhaps the worst form of malware, ransomware.
Hackers use two techniques: attachments and links.
Malicious email attachments
You receive a message, often urgent, indicating you need to open an attached document for more information about something. A common example is a notification of some kind of shipment awaiting your instructions. Sometimes the document is encrypted and password protected — for your security, of course — but the password is right there in the email. All you need to do is download and open the document.
Except the document’s not a document at all. It’s malware. When you “open” the document, the malware runs and infects your machine with its payload.
The same result can happen from malicious links in phishing emails.
Just clicking a link usually doesn’t cause a problem, since most of the time it simply downloads, but does not open, the malware. Sometimes browsers automatically open what they download, though. Whether the browser opens it or you take the extra step of opening what you just downloaded, the result is the same: the malware runs and infects your machine with its payload.
Phishing for credentials
The second broad class of phishing is what I refer to as phishing for credentials.
You receive an email that attempts to get you to click on a link. For example, the email might look like it came from Microsoft, or your bank, or some other service, and includes a link you need to click to confirm or otherwise resolve an issue with your account. Another approach appears to confirm your purchase of something from a retailer, with a link to click for more information or if you need to cancel the order. Of course you never placed the order, so you click on the link to cancel it, right?
The common theme here is: click the link.
When you do, you’re greeted by a sign-in page for the service that sent you the email.
Except that service didn’t send you the email, and that login page isn’t from that service at all, but a cleverly crafted look-alike page.
So far, if all you did was click the link, you’re probably still safe.
If you don’t notice that it’s fake — by the displayed URL in the browser’s address bar not being correct or other symptoms, like your password vault not auto-filling the credentials when normally it would — and you do proceed to sign in, you’ve not signed in at all.
You’ve just handed your login credentials to a phisher.
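The password-vault symptom described above comes from a simple origin check: a vault only fills a saved credential when the page's registrable domain matches the site the credential was saved for, so a look-alike sign-in page gets nothing. The following is an added example of that check, not code from Ask Leo!; the vault entries are constructed, and approximating the registrable domain as the last two host labels is an assumption made because no Public Suffix List is used here.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample vault: username keyed by the site URL it was saved for.
VAULT = {
    "https://login.microsoftonline.com/": "user@example.com",
    "https://www.mybank.example/": "leo",
}


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels.

    Assumption: no Public Suffix List, so suffixes like 'co.uk' are not handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def origin_matches(saved_url: str, page_url: str) -> bool:
    """True only when the page is HTTPS and shares the saved site's domain."""
    saved, page = urlsplit(saved_url), urlsplit(page_url)
    if page.scheme != "https":
        return False  # never fill a credential into a cleartext page
    if saved.hostname is None or page.hostname is None:
        return False
    # A host such as login.microsoftonline.com.evil.example reduces to
    # evil.example, so the comparison fails even though the prefix looks right.
    return registrable_domain(saved.hostname) == registrable_domain(page.hostname)


def autofill(page_url: str) -> Optional[str]:
    """Return the username the vault would fill for this page, or None."""
    for saved_url, username in VAULT.items():
        if origin_matches(saved_url, page_url):
            return username
    return None


if __name__ == "__main__":
    # The genuine page fills; the look-alike and the homoglyph host do not.
    print(autofill("https://login.microsoftonline.com/common/oauth2"))
    print(autofill("https://login.microsoftonline.com.account-verify.example/"))
    print(autofill("https://www.myb\u0430nk.example/"))  # Cyrillic 'а' in mybank
```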
How headlines mislead
I came to this conclusion about phishing based on what I consistently see in announcements of new vulnerabilities and zero-day attacks.
Many, if not most, describe a serious vulnerability somewhere — in an application or an operating system — and go on to detail how, once exploited, it can be used to do all sorts of nasty things. Even in the most serious tech press reports, the wording is often quite sensational.
And yes, vulnerabilities are important to be aware of and to resolve. It’s why everyone keeps telling you to keep your system as up to date as possible. As soon as a fix is available, you want that vulnerability off your machine.
However, often buried deep in the news article is a phrase describing how malware gets in to exploit the newly found vulnerability in the first place. The vulnerability rarely causes problems simply by existing. It requires a trigger to do its dirty work.
That trigger? Malware.
How does that malware arrive?
For that vulnerability to be exploited, someone has to be fooled into falling for a phishing attempt that installs the malware onto their system.
Without successful phishing, the vulnerability, while present, would never cause a problem.
Hopefully the takeaway is clear: you and I are the weakest link. Without us “biting the hook” of the phishers, many of the vulnerabilities we keep hearing about so urgently are completely ineffectual.
The single most important thing you can do? Be skeptical.
The next most important? Learn to recognize phishing attempts, and don’t fall for them.