Mitigating Malware in a Modern, Mobile World

Banking Trojans, malicious programs, phishing and other forms of internet-borne malice are ever-evolving risks that keep escalating in numbers and sophistication.

That said, most threats still need user interaction to usher them into a PC or mobile endpoint. This is where anyone can apply some extra precautions to safeguard against the latest cybercrime schemes.

Mitigating Malware for PC Users

Most cases of PC malware infections begin with spam email that tricks victims into navigating to a spoofed URL or opening a malicious attachment. If you are not expecting a document, such as an invoice, package tracking link or fax, your best bet is to immediately delete the unsolicited message and alert your IT department as well as your bank or other service provider.

Those who frequently conduct online banking away from home should never access personal accounts from public computers. Online banking should be carried out from trusted or secured Wi-Fi networks, over a secured VPN connection and through devices protected by security solutions.

Email Awareness

Stay away from unsolicited email. Seriously. No matter how tempting a subject, if you did not solicit it, did not make a purchase and were not expecting an invoice or package, report it as spam to your IT department. Then send it to the abuse mailbox of the applicable service provider and delete it from both your inbox and the trash folder.

Be especially wary of attachments and examine them for their true extension type. Most malware is actually an executable, like an .exe file; a container file, like .zip or .rar; or an Office spreadsheet or document with macros that, in some cases, run automatically. Don’t let that happen.
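As an added illustration (not part of the original article), the sketch below shows how a mail filter or help desk script could check an attachment's true type from its leading bytes rather than its name, and flag the three categories named above. The function names, extension lists and sample files are assumptions constructed for this example.

```python
import io
import zipfile

# Leading "magic" bytes of the file types the article names.
MAGIC = {
    b"MZ": "executable",                          # Windows PE: .exe, .scr, .dll
    b"PK\x03\x04": "zip",                         # .zip and modern Office files
    b"Rar!\x1a\x07": "rar",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",   # legacy .doc/.xls container
}
RISKY_EXT = {"exe", "scr", "com", "bat", "js", "vbs", "zip", "rar", "docm", "xlsm"}
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name."""
    return next((kind for magic, kind in MAGIC.items() if data.startswith(magic)), "unknown")

def has_vba(data: bytes) -> bool:
    """True if a zip-based Office file carries a VBA macro project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def triage(filename: str, data: bytes) -> list[str]:
    """Return the reasons an attachment deserves suspicion (empty list = none found)."""
    parts = filename.lower().strip(". ").split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind, findings = sniff(data), []
    if ext in RISKY_EXT:
        findings.append(f"risky extension .{ext}")
    if len(parts) > 2 and parts[-2] in DECOY_EXT and ext in RISKY_EXT:
        findings.append("double extension")
    if kind == "executable" and ext not in {"exe", "scr", "com"}:
        findings.append(f"executable content named .{ext}")
    if kind == "zip" and has_vba(data):
        findings.append("embedded VBA macro project")
    return findings

def make_office_zip(with_macro: bool) -> bytes:
    """Build a constructed, minimal Office-style zip for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()
```

Legacy .doc and .xls files are only identified by type here; finding macros inside them needs an OLE parser.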

Email is not a bulletproof communication method. In fact, it’s the favored method by which phishers, spammers and other cybercriminals spread their malicious schemes. These bad actors are determined to come up with a way to make you open and click, so don’t take the bait.

More Computing Hygiene Tips

Some additional computing hygiene tips can go a long way toward helping users protect themselves from run-of-the-mill malware:

  • Don’t unsubscribe from spam. Instead, mark it as spam or junk and keep your email address private. Spam botnet operators look for unsubscribers to reply so they can verify that the address is active.
  • Always update your operating system as soon as new updates and patches are available. Set your endpoint to update automatically.
  • Delete software you no longer use. Duly update all programs you do use.
  • Disable online ads on the PC you use for banking and payments. Unfortunately, cybercriminals often compromise and repurpose ads for the covert delivery of malware. Known as malvertising, this is one of the most popular methods for malware looking to leverage exploit kits and infect new victims.
  • Ignore free offers. There are no free meals on the internet. Whether it’s a free game, free software or free adult content, you’re likely giving out something without knowing it. Free stuff in the digital realm can easily contain a backdoor to your endpoint, make you part of a botnet, and push adware, spyware, ransomware and banking Trojans to your endpoint.
  • If you are using personal email at work, never open attachments on your work endpoint. Refrain from sending sensitive work data to and from that personal email box.

Mitigating Malware for Mobile and Smartphone Users

The average person looks at his or her phone 46 times every day, according to Time. As for banking with our phones, Payment Week reported that 38 percent of consumers interact with a bank primarily via a mobile device, and 63 percent use phones to carry out standard banking tasks. That means mobile banking is being used more than ever before.

With users migrating their everyday banking to mobile devices, cybercriminals are taking advantage of the increased opportunities to dupe them into opening malicious messages and emails, clicking on evil links or downloading innocuous-looking apps from dubious sources. Users can foil most of these attacks by keeping in mind some familiar tips for mitigating malware:

  • Email spam and unsolicited messages pose the same threat to mobile device users as PC users. Mobile devices are especially vulnerable to phishing attacks and identity theft schemes.
  • Treat unsolicited SMS messages and emails as spam and never open them. Never follow links, open attachments or heed instructions contained in these messages.
  • Criminals like using stressful ploys, such as sending text messages to users claiming their bank or credit card account has been disabled. Don’t take the bait. Call the number provided in the SMS, the number on the back of your credit card or dial the bank directly using a number you know to be genuine.
  • Update your phone’s operating system as soon as a new update is available.
  • Delete apps you no longer use and always update those you do.
  • Enable a screen-lock password for your device.
  • Don’t enable sideloading on your device.
  • Don’t root or jailbreak your device.
  • Don’t download apps from unofficial app stores.
  • Get links to banking and payment apps directly from the service provider’s website.
  • Don’t grant applications admin permissions. If an app requires that sort of control, it is likely something you do not want on your device.
  • Malicious apps often ask for your location and access to SMS, calls and services that cost money. If you downloaded a legitimate app that needs all the above, make sure it actually uses this access for the services it offers.
  • Be vigilant for any odd behavior the device may exhibit. A mobile malware app can lock the device for a ransom or to keep users out while it conducts fraudulent activity. If your device is suddenly inaccessible, check for ransomware and then check your bank account.

Limor Kessem

Executive Security Advisor, IBM

Limor Kessem is one of the top cyber intelligence experts at IBM Security. She is a seasoned security advocate, public speaker, and a regular blogger on the cutting-edge IBM Security Intelligence blog. Limor comes to IBM from organizations like RSA Security, where she spent 5 years as part of the RSA research labs and drove the FraudAction blog on RSA's Speaking of Security. She also served as the Marketing Director of Big Data analytics startup ThetaRay, where she created the company's cybersecurity thought leadership. Limor is considered an authority on emerging cybercrime threats. She participated as a highly appreciated speaker on live InfraGard New York webcasts (an FBI collaboration), spoke in RSA events worldwide, conducts live webinars on all things fraud and cybercrime, and writes a large variety of threat intelligence publications. With her unique position at the intersection of multiple research teams at IBM, and her fingers on the pulse of current day threats, Limor covers the full spectrum of trends affecting consumers, corporations, and the industry as a whole. On the social side, Limor tweets security items as @iCyberFighter and is an avid Brazilian Jiu Jitsu fighter.