Checklist 28: Five Malware Distribution Methods and How to Protect Against Them

• Sites specifically created to deliver malware.
• Legitimate sites that have been hacked or hijacked.
• The phenomenon known as “Malvertising.”
• File-Sharing/P2P networks and untrustworthy sites.
• Deceptive downloads designed to trick you.

You know what malware is — but do you also know where it lurks on the web? While it’s not possible to avoid malicious software 100% of the time, you can drastically reduce your risk with the right habits. When you understand how and where malware is most likely to appear, you can take proactive steps to avoid it. From email attachments to hacked websites, there are many avenues of approach malware authors might take. In today’s edition of The Checklist, we’ll be discussing how malware is distributed: the means, the methods, and the most effective ways to mitigate the risks.

Sites specifically created to deliver malware. This is one of the most common ways to contract a malware infection, and it’s increasingly popular due to how easy it is to set up a domain name. Many times these sites serve no purpose other than to lure users in and eventually serve them malware. How these sites attract users can vary from hacker to hacker.

As one example, a malware-infested site might accompany a phishing effort. With an official-sounding pretense, users receive encouragement to visit a website and enter some type of personal information. This might be through a pop-up ad that looks like it came from Adobe, or it could be an email urging you to click on a link in order to get support. Upon clicking the link, the user might instead end up on a site that exploits known vulnerabilities to execute malware. Sometimes you might simply mistype the name of a popular website and end up on a domain that’s been set up by a malware author as a trap for unsuspecting users.

Staying away from these types of sites might seem easy, but it isn’t always easy to tell whether you can trust a page you’d like to visit. Ads might deceive you and direct you to a malicious domain, for example. In other cases, the air of legitimacy can be strong enough to fool even some veteran users. Overall, you’re more likely to encounter malware from another, less direct avenue — but these dangerous websites do exist.

Legitimate sites that have been hacked or hijacked. At times, malware reaches users not through sites intentionally serving it up, but through exploitation of vulnerabilities in otherwise normal sites. If there are exploits in the framework a site or server uses, it could potentially be a path to users. The popular web platform WordPress has seen quite a few security vulnerabilities over the years, which have lead to some serious issues. Since WordPress powers millions of websites, it’s an attractive target for hackers looking to hijack legitimate sites in order to distribute malware.

These flaws included the ability to run programs, or execute arbitrary code as we say, on a user’s machines. Over time, exploits have caused users visiting WordPress sites to suddenly contract malware. Other sites can be vulnerable in similar ways — like when pages using Adobe Flash suffered from that application’s security flaws.

If you are a blogger yourself or a webmaster overseeing a domain using a system like WordPress, it’s important to stay updated. That means two things. First, you must ensure that you upgrade the software on your servers to the latest version as soon as possible — especially for updates containing security patches. Second, you should take an active interest in the development of your platform. Watch for news about security holes or zero-day vulnerabilities. If you’re using a Software-as-a-Service platform, such as hosting your blog on WordPress.com, the vendor will likely automatically update the base software directly – but it’s still wise to be aware of platform updates and ensure your vendor is performing them in a timely manner! Vigilance in this regard can help protect you against one of the most common methods of dumping malware to unsuspecting users.

If you’re just a regular user, you’ll need to exercise some caution on your own. How do you watch out for a hacked site? There are usually a few clear giveaways. First, a site that tries to automatically initiate a software download or begins spamming you with pop-up ads is clearly not reliable. If you encounter these issues, navigate away immediately. Next, consider the content of the page. Does it seem like a page is full of unnecessary typos, or does it feel out of place compared to the rest of the site? Watch out for clear problems like these which indicate someone may have hacked the page.

Other times, you won’t need to look for warning signs at all: you’ll receive them directly. Google displays warnings whenever it suspects a hacked page appears in its results. Similarly, browsers like Google Chrome will automatically display an interstitial warning for insecure and potentially compromised sites. This gives you a chance to avoid visiting the page and exposing your machine to danger altogether.

The phenomenon known as “Malvertising.” With the huge number of ads present on the web, it would be nice if we could trust them all to be safe. Unfortunately, we can’t. Hackers realize that they can reach potentially millions of people if they can infiltrate an ad network — this type of malicious advertising is referred to as “malvertising.” How malvertising reaches a live webpage can vary. At times, a vulnerability in the ad network might allow an attacker to compromise ads and cause them to deliver malware to users. This was especially common back when many websites relied on Adobe Flash to play animated advertisements.

In other cases, the ads themselves are poisoned intentionally. By disguising themselves as legitimate ad providers, malicious actors purchase ad space on major networks by providers like Google, Yahoo, Microsoft, and others. Built into the ad, though, is code created to exploit browser vulnerabilities to deliver malware to users. This approach is growing year after year, and even popular, mainstream websites have suffered from events where their pages served malvertising.

While avoiding shady websites can help you avoid most ads which are outright harmful to your Mac, it’s not always so easy to know when it will strike. Widespread malvertising campaigns demonstrate that security weaknesses remain a major problem across the Internet. An ad-blocking or antivirus program is your best protection here; we’ll discuss more about that a little later on.

File-Sharing/P2P networks and untrustworthy sites. There is a certain category of site out there that has always had a reputation for being a hive of malware. We’re talking about websites (and software) focused on filesharing. While one shouldn’t engage in copyright infringement at all, the threat of malware should be an added incentive to stay away from illegal torrent trackers, disreputable filesharing websites, and other similar places on the Internet.

When you download files anonymously from another user, how can you ever really know you’re receiving what you expect? A file might have an innocent label or filename, such as “sample” or “screenshot”, but turn out to be a potent malware package or a ransomware attack. Filesharing websites also often play host to many of those malicious ads we just spoke about, making them dangerous to visit in general. You’re far more likely to encounter pages that fall into one of the first two distribution categories we’ve discussed.
One popular method of malware distribution targets users looking to watch popular movies or tv shows for free online. The malicious site will tell the user that they need to download and install a plug-in or special piece of software in order to watch a video. When the user does so, they’re actually infecting their machine with malware — and the malicious site never actually plays their movie! This type of scam is very common, and goes to show that there is definitely no honor among thieves.

When you’re searching for illegitimate copies of movies, music, or software, you’re exposing your Mac to a ton of risk — and potentially inviting malware into your machine through an open door. Generally, if a website offers free downloads of data that you would otherwise have to pay for, don’t place your trust in that site. In fact: don’t visit it at all! That’s simply the safest and most effective way to avoid the threats they represent.

Deceptive downloads designed to trick you. The last method we’d like to touch upon mixes in a few elements of several of the attack vectors we just discussed. Sometimes, a malware author creates software that looks legitimate — perhaps even masquerading as another popular program. Hidden beneath the surface, is a payload of malicious code waiting to launch when you run the software. This is a classic way to attack users, especially if a hacker can develop a false sense of trust.

Where will you find this type of malware? It could show up in many places. One of the most likely is simply inside an email attachment. While spam filters catch many of these emails today, some can still slip through. This is why you should never download and open an attachment from an unknown sender — and why you should be careful even with attachments from people you know. It’s all too easy to trust that something sent to you by a friend is safe.

In the same vein, an email could contain a bogus link that sends you to a site for downloading malware. One popular ruse in the past was the “e-card” gimmick. An email would claim that a friend had sent you an e-card to mark a special occasion. Upon visiting the link, the site would encourage you to download and run software to view the card. Upon execution, though, it becomes clear you’ve been tricked into running malware.

Other times, malicious software pretends to be something you need to successfully complete an action on the computer. This might be a codec to play a particular video or a font necessary to view a certain website. In practically every case, that’s not true. If a website asks you to download something in order to continue using it, beware: it’s probably not what it seems.

How to protect yourself from these threats. With so many ways for malware to reach your Mac, it can feel like you’re facing down a storm alone. However, there are ways to protect yourself and stay safe even in a world of evolving threats. First, watch out for the warning signs and observe the precautions we’ve talked about today. That includes everything from watching out for strange pop-up ads to avoiding unknown email attachments.

An active attitude towards security can help you spot and avoid almost all the most common distribution methods. Be especially wary about pop-ups which claim that malware already exists on your machine! This is a popular scam; fake antivirus software is a class of malware in its own right, and its designers can be quite devious. Never trust a pop-up that claims you have malware or must run a scan.

With that being said, you should make sure you have some form of anti-malware/antivirus software installed. This is both a preventative and protective measure. If you perform scans regularly, it’s easy to avoid an infection, or at least catch it early. When you do have a real malware problem, you’ll need a solution to remove it from your machine.

SecureMac’s own MacScan 3 is an excellent option. It’s speedy, robust scanning engine coupled with malware definitions constantly kept up-to-date means your Mac is always safe from the latest threats. Remember how we talked about regular sweeps of your system to find and stop malware before it does damage? You can choose exactly when and what to scan for within the program. You can check out all the details for yourself and download a free 30-day trial from the MacScan 3 webpage.

If you’d like more information on this topic, or if there’s a specific one you’d like to see us cover on a future episode, send us an e-mail at checklist@securemac.com!