Beware of electronic cards, invitations, links, and attachments


It is the season where we get electronic cards and invitations that sometimes consist of just a link or an attachment. I also get emails from friends that contain just a link or attachment. I never click on any of them, not only at this time of year, but always. This is because malicious people use those as vehicles to send malware. If somebody hacks into the computer of someone you know, they can then send virus-embedded stuff to everyone in their address book. People think it is safe to click the link or open the attachment because it appears to come from someone they know.

A person I know got an electronic invitation from a neighbor for a party but when she clicked the link, it turned out to be fake and instead was a vehicle for a ransomware attack. It shut down her computer and demanded that she pay a ransom in cryptocurrency if she wanted to get the key to unlock her computer. She had a hell of a time trying to fix all the damage that it caused, needing to enlist the help of computer professionals to fix her computer as well as change all her banking, credit card, and other information.

In general, I never open any links or attachments that arrive without an accompanying message by the sender that could not have been generated by a spam bot but instead has some content that tells me definitely that the sender is real. I always look for a message in the text that requires some specialized knowledge that a bot would not know. If it has no message or is just generic like, “Hi, I thought this would interest you”, I ignore it. If I am not sure, I email the sender to confirm that they sent it and also warn them not to click on such links.

This is tedious and does not completely eliminate all threats but I think it is worth the effort.

What surprises me is that even after I warn people of the dangers and tell people not to send me unsupported links and attachments, after some time some of them revert to the practice. It is as if my warning never registered. I suspect that they continue to click on those things. People tend to ignore danger signs until something bad happens to them.

Comments

  1. sonofrojblake says

    even after I warn people of the dangers and tell people not to send me unsupported links and attachments, after some time some of them revert to the practice

    Yeah, over the years I’ve had a couple of people persist in doing that to me. They were added to my spam filter and now all mail from them goes automatically into my junk folder, where it gets deleted after 10 days. Problem solved. Now I never see anything they send.

    Important: don’t warn them you’re going to do this. Don’t tell them you have done this. They are actively endangering the security of your personal data, you don’t owe them continued access to your inbox.

  2. says

    I always look for a message in the text that requires some specialized knowledge that a bot would not know.

    And even that can be enough to be infected when using Outlook. There have been several 0-day attacks that only need you to view a message in a preview pane. Search for “outlook preview attack” if you want details.

    If you can, use a text-based e-mail client like alpine or mutt. That eliminates the attack surface. You can still view HTML-based mail with those programs, but they will simply ignore embedded scripts.

  3. EigenSprocketUK says

    If I am not sure, I email the sender to confirm that they sent it…

    Good advice, but often wasted effort. A couple of clicks to view the email headers can reveal if it came from their legitimate email system. If not, then your reply gets ignored (but marks your own email address as a real person). If it genuinely was generated by their email servers then their email account has been suborned and your question is likely to be deleted before your intended recipient has a chance to see it.

    This results in a high likelihood that your reply will frustrate the genuine sender but have no effect on a spammer.

    Sad commentary on email these days: all you can do is protect yourself and your own system.
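
The header check described in the comment above can also be scripted. This is an added example, not part of the original post or its comments; it assumes your own receiving mail server is called mx.example.net (a hypothetical name) and stamps an Authentication-Results header with SPF, DKIM and DMARC verdicts, and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

MY_MX = "mx.example.net"  # assumed name of your own receiving mail server
# Constructed sample messages (not real mail).
GENUINE = (
    "Return-Path: <alice@example.org>\n"
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.org;\n"
    " dkim=pass header.d=example.org; dmarc=pass header.from=example.org\n"
    "From: Alice <alice@example.org>\n"
    "Subject: Party invitation\n\nSee the link.\n"
)
SPOOFED = (
    "Return-Path: <bounce@mailer.invalid>\n"
    "Authentication-Results: relay.mailer.invalid; dmarc=pass\n"
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mailer.invalid;\n"
    " dkim=none; dmarc=fail header.from=example.org\n"
    "From: Alice <alice@example.org>\n"
    "Reply-To: alice@mailer.invalid\n"
    "Subject: Party invitation\n\nSee the link.\n"
)

def _domain(header_value):
    """Lowercased domain of an address header, or '' if missing or malformed."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def check_sender(raw_message, my_mx=MY_MX):
    """Report whether the headers show the mail came from the From: domain's system."""
    msg = message_from_string(raw_message)
    from_dom = _domain(msg["From"])
    auth = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        if authserv.strip().lower() != my_mx:
            continue  # stamped by some other server: anyone can add these
        for method, outcome in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest):
            auth.setdefault(method, outcome.lower())
    return {
        "from_domain": from_dom,
        "return_path_domain": _domain(msg["Return-Path"]),
        "reply_to_differs": _domain(msg["Reply-To"]) not in ("", from_dom),
        "auth": auth,
        "from_legit_system": auth.get("dmarc") == "pass",
    }

if __name__ == "__main__":
    print(check_sender(GENUINE), check_sender(SPOOFED), sep="\n")
```

A DMARC pass only shows that the message left the sender's real mail system; as the comment says, that is also what mail from a taken-over account looks like.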

  4. mastmaker says

    Mano,
    The example you have leads back to one of the most egregious mistakes that Microsoft made. By default the first user is an administrator. So, when you click on a ransomware link, and that code runs, it has complete control over the machine. If you’re not an administrator, then any operation by the ransomware will trigger the administrator password screen and the user may pause to think “why does a party invite need admin access”?
    Linux/Unix does it best. If the user belongs to the ‘sudo’ group, they have admin access, but you still need to type in a password to get admin access and the access is granted typically for just a few minutes before needing to type the password again. Windows TRIED to implement something similar in Windows Vista but the general disdain of users and an aggressive marketing campaign by Apple (making fun of access requests) made it backtrack on most of the changes in Windows 7.
    Whenever I get a Windows machine (if I must use it), I demote the user to a regular user and set up a local administrator with a difficult password. The system becomes much safer that way.
