
Archive for the ‘spam’ Category

Beware Fake Facebook Messages Via Email

July 21st, 2010 triona No comments

If you get an email from Facebook saying there is a message for you, do NOT click on the link. Visit Facebook’s site directly instead to respond to any and all messages.


Like the Facebook update scam I dissected for you a few months ago, this latest scam tries to trick you into clicking a potentially malicious link by mimicking a legitimate Facebook message. Take a look at this screenshot and compare it to the Facebook update scam. You’ll see similarities, including the use of Facebook formatting and logo as well as a legitimate-looking link. However, the link actually redirects you to a malicious site. The site on this particular message has already been blocked as being harmful; it probably belongs to some innocent victim whose web site was hacked to deliver viruses or harvest passwords a la the Twitter DM worm. But there are plenty of other phony sites out there that may not have been blocked.

In my case I was alerted to the scam because I’d never heard of the people from whom the messages were purportedly sent, but that’s not a foolproof way to tell if a message is fake or not. Facebook accounts can be hacked, and false messages sent. This grants the fake messages an undeserved level of trust because they come from someone you know–and that’s the point. Cybercriminals know people are unlikely to click on unsolicited links and far more likely to click on something sent by someone they know. The best way, as I said, is to distrust all email links no matter who they’re from. You are far safer visiting the Facebook site directly and checking your messages from there.

Social Engineering: How Viruses Trick You Into Letting Them In

May 10th, 2010 triona No comments

A recent wave of viruses that propagate via Skype and Yahoo Messenger illustrates the principles of social engineering: how viruses bypass security precautions by tricking you into letting them in.

The Skype and Yahoo Messenger worms distribute themselves via messages like “Does my new hairstyle look good? bad? perfect?” and “My printer is about to be thrown through a window if this pic won’t come our right. You see anything wrong with it?” The accompanying link appears to point to an innocent jpg, but when you click on it you are actually running the worm.

Don’t confuse social engineering with social networking. Social networking means interactive Web 2.0 sites like Facebook, MySpace, LinkedIn and Twitter. Social engineering is the art of tricking you into installing viruses or malware on your computer. PC and Mac users alike can be drawn in by social engineering scams.

Social engineering is a common tactic used by viruses and malware. The Twitter worm we discussed in February uses direct messages to entice users into visiting a pseudo-Twitter login page that harvests login credentials. Scams like the faux Facebook Update arrive via email, and contain links to malicious web sites. Rogue antivirus software is all about social engineering: make users think their computers are infected with viruses that can only be removed by purchasing the fake software.

How do you avoid social engineering scams?

  • Links can look legitimate when they’re not. For example, I can spoof a link that says: http://support.microsoft.com. Now, before you click that, mouse over it without clicking and look at the status bar at the bottom of your web browser. (If you don’t see the status bar, go to the View menu and make sure Status Bar is checked. It may be under the Toolbars sub-menu.) You’ll note that the status bar reveals the true destination. In this case I used a safe example: my Tech Tips blog. But you can see how links can easily be redirected. The status bar trick works in email, too. It’s not foolproof (the status bar contents can be spoofed as well), but it is a good place to start.
  • If you get a message from someone, try doing a web search on the text of the message to see if it’s a known scam. For example, with the Skype and Yahoo Messenger trick, a quick search for “Does my new hairstyle look good? bad? perfect?” reveals news of the worm, especially if you pair the search with the word “virus.”
  • Don’t let your software protections lull you into a false sense of security. Yes, you need to run good security software and keep it up to date, but the point of social engineering is to get you to click, thus bypassing your protections.
  • And, as always: when in doubt, don’t click.

Don’t forget, if you subscribe to my Tech Tips email newsletter you’ll receive tips like these, plus tech support tricks and other ways you can get the most out of your PC or Mac computer. Click here to subscribe or send email to techtips-request-at-guidryconsulting-dot-com, subject “subscribe”.

Anatomy Of A Facebook Update Scam

November 29th, 2009 triona 6 comments

A lot of “Facebook update” scams are going around. These are emails designed to entice you into clicking links to malicious sites, thus divulging your login credentials and possibly infecting your computer with viruses and malware. I received several of these scams in a batch of legitimate Facebook emails, so I thought I’d dissect one for you so you can tell the difference.

The tactics used here are the same as the ones used by the fake Microsoft security bulletins I mentioned before. Again, the idea is to make you think the message is real when you are really being redirected to a bogus and potentially dangerous site.

First, note the use of the Facebook logo, fonts, and colors. The scam message looks almost identical to a real Facebook announcement, down to the mailing address at the bottom of the message. The trick is to mouse over the link WITHOUT clicking on it, and look in the status bar at the address to which you are being directed. In this case you can see you’re being sent, not to facebook.com, but to a scam site that may be waiting to harvest your login credentials or infect your computer.

[Screenshot: fake Facebook update email]

If you receive a Facebook update, go directly to the Facebook site by typing www.facebook.com in your Web browser. You’ll be able to see your updates there and respond to them.

Remember, these scams are not limited to Facebook. Every social networking site, including LinkedIn, Twitter, and all the rest, is vulnerable to these sorts of tricks.

A final note of caution: Don’t friend anyone on a social networking site unless you’re certain you know who they are. A good rule of thumb is to view their profile to see if you have any friends in common, or to Google the person to see if they’re real. There are fake profiles out there which exist only to friend you and thus have access to your privately-posted information.

If you enjoyed this article, subscribe to the email version of Tech Tips for bonus tips, tricks and product reviews. Through December 1st, 2009, new subscribers will receive a special gift: my Ten-Step Computer Troubleshooter (PDF). Just click here to sign up.

What To Do If You Get A Computer Virus

October 15th, 2009 triona No comments

We all know the risks of computer viruses, but what do you do if you think you have one?

First, follow Douglas Adams’ advice: Don’t Panic! Run your antivirus and anti-spyware software to see if they can remove the infection. Windows users might try the free online virus scanners from McAfee and Trend Micro. Malwarebytes is a good Windows resource for removing spyware and other kinds of virus-like intruders. Mac users should try the free programs Avast for Mac or ClamX AV.

Some viruses are easily removed, but others embed themselves deep within your computer. The worst-case scenario is having to format and reinstall your computer from scratch, which is why backups are a must.

There are some commonly-held misconceptions about how to prevent computer viruses.

  • Adding “aaaa@aaaa” to your address book doesn’t work. It was a trick from years ago that only applied to one particular virus… for about five minutes, until the virus-writers wrote a workaround. These days it’s the equivalent of fighting a wildfire with a squirt gun.
  • Booting into Safe Mode also doesn’t work. Safe Mode is used to diagnose computer problems by starting Windows into a minimal version where only the basics are loaded. Most of your software won’t function and the virus will remain in the background, chewing on your system.
  • Fake antivirus software and computer cleaners will only add to your woes. Ads for these run rampant across the Internet, especially when you’re searching for legitimate tools like the ones I mentioned above.
  • Fake security bulletins claim to be magic cure-alls, but they’re far from it. They are scams out to trick you into clicking on malicious links and further infecting your computer.
  • Fake pop-up Web windows pretend to scan your computer, but they are also scams trying to trick you into clicking them.

Your best protection is prevention. Maintain good backups and stay tuned to Tech Tips for the latest computer news. Through November 1st, 2009, new subscribers to the free email version of Tech Tips will receive a special tip sheet on Four Easy Ways To Protect Your Computer. Just click here to sign up.

In November I’ll teach you about Do-It-Yourself Tech Support. If you have any computer questions, let me know.

Happy Password Change Day: Gmail, AOL, Comcast, Yahoo! Accounts Also Breached

October 6th, 2009 triona No comments

Apparently the phishing scam that netted usernames and passwords for thousands of Hotmail accounts was wider than previously thought. The latest news indicates that Gmail, AOL, Comcast, and Yahoo! users, among others, may also be affected.

My advice to everyone is to make today Password Change Day. Get out there and change the passwords for all of your accounts. Use a combination of numbers, letters and symbols (where allowed) and be sure to use a different password on every system. Again, you can follow my password tip sheet (PDF) for guidelines on creating strong passwords.

I am often asked, “what does it matter?” accompanied by the protestation, “I don’t have anything important in my email anyway.” I would like to respond that you should care if:

  • You want to avoid identity theft. Many people use the same password or set of passwords for all systems. If someone gains access to your email password, even an old one, they will try to use it to get into your other, juicier accounts, like your bank. And they will probably succeed.
  • You hate viruses. Most viruses are distributed through compromised computers (called zombies).
  • You hate spam. Most spam is sent from compromised computers. Your email address book is a gold mine for spammers because it’s a list of guaranteed good email addresses.
  • You want your computer to work properly. Nothing slows a computer down like being zombied (see above).
  • You don’t want someone else surfing the Internet on your dime. If you use an email account from your Internet provider, the same password is used both for email and to authenticate you to your provider’s network. If you use a common dictionary word without symbols as the password–shazam! instant access.
  • You don’t want to go to jail for someone else’s crimes. Take the above scenario and imagine that the person who’s hijacked your Internet account is dealing in pirated software or child pornography. Unless you can prove it wasn’t you (and that may be difficult), you could be held liable. People committing crimes on the Internet use other people’s accounts for exactly this reason.

Although some people advocate that you not write your passwords down, I say it’s okay as long as you keep the written record somewhere secure, like a locked drawer or safe. (NOT on a sticky note on your monitor or under the keyboard, please!) Excel spreadsheets and other computerized means of tracking passwords are not good ideas, because the first thing a virus will do is check for convenient lists of the rest of your passwords. You might as well hand out your passwords on your business cards. And no, password-protecting the spreadsheet doesn’t work either; those are cake to crack. Properly encrypted password managers do work, but I favor the old-fashioned paper approach, as long as it’s kept out of sight.

It really isn’t that difficult to maintain different passwords on every system. I’ve done it for decades. If we would all follow the basic, simple practice of secure password management, we could cut down on the viruses, spam and other problems that plague us all.

You should also be aware of the kinds of scams that caused these breaches in the first place. Try the SonicWall Phishing Quiz to test your skills at identifying phishing attempts, in which a hacker emulates the login page of a site to con you into entering your username and password.

Subscribe FREE to the email version of Tech Tips between now and October 14, 2009 and I’ll send your special gift: a tip sheet on Computer Housekeeping for PC and Mac.

Fake Microsoft Security Bulletins

October 5th, 2009 triona No comments

Several of my readers have reported receiving fake Microsoft security bulletins via email. Like other scams, these are designed to deceive you into clicking links that will infect your computer with viruses.

This particular scam is quite clever. It uses the same terminology as a real Microsoft bulletin, down to a legitimate-sounding number for the purported patch, which in this case is supposedly for Outlook. But, note the provided link. The text of the link looks like it goes to Microsoft, but when you mouse over it, the actual link (see the status bar at the bottom) goes to the scammer’s site.

[Screenshot: fake Microsoft security bulletin email]

Fake links are easily created. Like so:

http://update.microsoft.com/realistic-sounding-link

What I did was type the realistic-sounding link, highlight it, and link it to a different address (in this case something innocuous: the address for this blog). Note that if you mouse over the linked text, you’ll see the actual address in the status bar at the bottom of your screen.
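The mismatch described above (and in the status-bar tip in the social engineering post) can also be checked automatically. The following Python code is an added example, not part of the original article: it scans an HTML email body and reports links whose visible text is a web address on a different site than the real destination. The function names and the sample message are constructed for illustration, and comparing hosts by suffix is a simplification.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link text that is itself a web address, e.g. "http://update.microsoft.com/x".
URLISH = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?:[:/?#]\S*)?$", re.I)

# Constructed sample message body; every destination here is a placeholder.
SAMPLE_EMAIL_HTML = """
<p>A security update is available for Outlook:</p>
<p><a href="http://blog.example/tech-tips">http://update.microsoft.com/realistic-sounding-link</a></p>
<p><a href="https://www.facebook.com/messages">www.facebook.com</a></p>
<p><a href="http://facebook.com.login.example/inbox">facebook.com</a></p>
<p><a href="https://newsletter.example/subscribe">Click here to subscribe</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _norm(host):
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def same_site(shown_host, actual_host):
    """Hosts match exactly, or one is a subdomain of the other."""
    a, b = _norm(shown_host), _norm(actual_host)
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def find_mismatched_links(html):
    """Return links whose text names one site while the href goes to another."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown = URLISH.match(text)
        actual_host = urlsplit(href).hostname or ""
        # Text such as "Click here" names no site, so there is nothing to compare.
        if shown and actual_host and not same_site(shown.group(1), actual_host):
            findings.append({"text": text, "shown_host": shown.group(1).lower(),
                             "href": href, "actual_host": actual_host})
    return findings


if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS: text shows {f['shown_host']}, link goes to {f['actual_host']}")
```

A link whose text is just “click here” passes this check because it claims no destination, so the advice to go to the site directly still applies.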

When it comes to fake security bulletins, bear in mind:

  • Microsoft doesn’t email you security bulletins unless you have actively signed up for their security bulletin notification service. Which I wouldn’t expect most people to do: the bulletins are highly technical and not very helpful unless you know what to expect.
  • If there are updates for your computer and you have Automatic Updates turned on (and there are reasons you might not want to), you’ll get them automatically without having to click on anything.
  • Some of these scam emails come with attachments pretending to be the patch you need. Don’t click on them! It’s another way to infect you with viruses. Microsoft never sends updates by email.
  • To find out if your Windows computer needs updates, go to update.microsoft.com and scan for them. Never click on a link in an email message.
  • Scammers will say anything to get you to click on links, because it’s the easiest way for them to infect your computer.

In this case, you can see at the top of the screenshot that my email program, Mozilla Thunderbird, alerted me that this message might be a scam. Your email program may or may not do that, so caution is your best policy.

Thanks to everyone who sent this my way.


Gmail Bank Incident Highlights Email, Cloud Computing Risks

September 29th, 2009 triona No comments

A recent incident involving Google’s Gmail service and a Wyoming bank highlights the risks of business email and cloud computing.

A Wyoming bank accidentally sent information about 1,300 of its customers to the wrong Gmail address. The bank later sued Google for information concerning this wrong recipient. Google, rightfully, refused, and that’s where it gets ugly, because Google also suspended the account in question (an act that was quickly rescinded).

As pointed out by Jim Rapoza of eWeek, among others, this could happen to anybody. How many of us have gotten phishing emails claiming to be some bank or other? We delete them and go about our business, because most of them are spam. Apparently just the act of receiving an email not intended for us is enough to get our email accounts suspended without notice.

This is a good reason not to rely upon free email accounts like Gmail for business purposes. But even using a paid-for email host, such as the one offered by your Internet provider, is no guarantee this won’t happen to you. I recommend you set up a custom domain for yourself (like me at mybusiness dot com). Then, if you do lose access to your email host, be it outage or any other reason, you can quickly establish a new email account elsewhere and forward your custom address to it without having to inform all of your contacts of the new address. Otherwise you could wind up losing business and reputation.

This also highlights the risk of sending confidential data via email. No email is secure, and especially not business email being sent to a freebie account. Confidential data is best encrypted and either transmitted via secured connections, if you have that capability, or sent the old-fashioned way: on a disk. Less convenient, perhaps, but ask Rocky Mountain Bank of Wyoming if the negative publicity was worth saving a few hours of time.

Now, imagine you’re using cloud computing and ALL of your programs and data are on the Internet. Can you afford to lose access to them because of something beyond your control? Is it worth the tradeoff for convenience and a less expensive computer? I’m not sure it is.


Avoid The Risks Of Social Networking

September 22nd, 2009 triona No comments

Social networking sites such as Twitter, LinkedIn, Facebook, and MySpace have become wildly popular for both personal and business use. But whether you use Windows or Mac, there are some risks. Social networking sites do not guarantee your safety, so it’s up to you to protect yourself.

Fake profiles are often used to deliver viruses and scareware. They lure you in with a realistic-looking personal profile in order to get you to click links to malicious sites. Don’t accept “friend” invitations unless you actually know the person or can verify who he or she is, and restrict your profile so that only your friends can see it.

Scammers also break into social networking accounts to steal personal information and send spam to your contacts. Use strong passwords (see my PDF tip sheet), encourage your friends to do the same, and check your security protections to make sure they are current and working properly.

Similarly, phishing scams may use information from your social networking profile to send you spam emails. By targeting you with specific information, such emails are harder to detect. Again, use good security practices and practice your anti-phishing skills with tests like this one from SonicWall.

Fake advertising, or malvertising, uses realistic-looking ads to get you to click on sites that will infect you with viruses. These ads are often served by third parties and not necessarily by the social networking site. We’ve seen this before where news sites are infected with bad ads. Be wary of any advertisement offered to you, even if it’s on a legitimate site.

Real-life criminals are also using social networking sites to their advantage. Burglars are using them to find out more about who you are and where you live, and even when you’ll be on vacation. Be cautious about sharing pictures or information about yourself and your family online.

Another way to avoid problems is to expand short addresses before clicking. Twitter users often abbreviate using services like tinyurl.com or bit.ly, but such abbreviations can hide malicious sites. Use a program like ExpandMyURL or UnTiny to expand those abbreviations, plus McAfee SiteAdvisor or LinkExtend for Firefox to check out the expanded sites before you click on them.


Computer Housekeeping

September 15th, 2009 triona No comments

Your computer, like your house, needs to be cleaned regularly. These tips will help you get better performance out of your PC or Mac.

The number-one rule of tech support is: When in doubt, reboot! Turning your computer off and back on will give better results than simply restarting. I also recommend you shut down your computer overnight, unless you need to leave it on for backups. This gives your computer a cool-down period and less opportunity to confuse itself.

Keeping your desktop clean will help maximize memory. The more files you store on the desktop, the more memory they will consume. Maintaining your computer’s security protections and junking spam are other ways you can reduce the possibility of computer problems.

SPECIAL GIFT: If you subscribe to the Tech Tips email list between now and October 14th, 2009, I’ll send you a free tip sheet (PDF) offering more details on how to keep your computer in shape.

And if you’re interested, I’ll be teaching a class on Computer Housekeeping for the Cary (Illinois) Park District on Wednesday, October 21, 2009 from 9:30am-11:30am. You can find registration details on my web site. I hope to see you there!

In October we’ll talk about What To Do If You Get A Computer Virus. If you have any computer questions, let me know.

How To Organize Your Email

March 16th, 2009 triona No comments

Do you despair over your email? Many of us store everything in one great big Inbox, but that’s not very efficient. You can use a combination of folders, rules, and spam filters to pare your email down to manageable size.

Folders let you sort email any way you like. You might want to create one folder for business and another for personal correspondence. Create subfolders for each person and voila! organized email.

Rules redirect messages to folders, keeping your Inbox clear for the most important emails. I subscribe to many mailing lists, but don’t have time to read them every day. I use my email program’s Rules option to direct these messages into subfolders. I can see when these subfolders have new unread messages, but I don’t have to weed through them until I’m ready.

Spam filters, like puppies, behave best when trained. Check your email program or provider’s Help for your settings. Once your spam filter knows what you consider spam, it’ll do its best to redirect to a Junk or Spam folder. You’ll still get the occasional spam sneaking through, but if you keep marking as spam your filter will continue to improve.

Next month I’ll answer a frequently asked question: What Is Java? If you have any computer questions click Comments below this article, and don’t forget to subscribe to the email version of Tech Tips for bonus tips and product reviews.
