Cybersecurity expert breaks down 10 myths about data protection: Anyone with Internet access is a target

In recent years, cases of online fraud in one form or another have only increased: in addition to viruses and other malware, there are social engineering methods, which, unfortunately, sometimes work successfully. At the same time, a lot of rumors and myths have accumulated around Internet security, which only simplify the “work” of cybercriminals.




“I have an expensive antivirus, which means there can be no viruses.”


“It’s not so much the cost of the security solution itself that matters, but its reliability,” the expert immediately notes. When choosing an antivirus, you can rely on international independent tests: for example, AV-Test or AV-Comparatives.

First of all, you need to look at the quality of protection, that is, how successfully the solution blocks known and still unknown threats. In addition, it is convenient when a vendor offers protection products for both computers and mobile devices.

Be sure to pay attention to whether the solution contains anti-phishing technologies, protection of online payments, and whether it can block malicious advertising banners.


“Antiviruses detect harmless files, so I don’t use protection, and everything is fine with my PC”


It is not that simple: even if a file or program seems harmless, it can still hide malicious software. In addition, virus developers know how to lull the user’s vigilance.

Some languages are written from right to left, and Unicode, the standard character set, includes control characters that change the direction of text. Attackers have abused this. In one well-known scheme, a malicious Trojan .js file is renamed to something like cool_picture*U+202E*gnp.js, where U+202E is the Unicode character that causes the letters and punctuation marks following it to be displayed from right to left. As a result, the file name is displayed as cool_picturesj.png. The extension now appears to be .png (an ordinary picture), but the file is still a Trojan. The scheme has been known for a long time, and many products have successfully defended against it. But the attackers also know that everything new is well-forgotten old: in 2018 they first used this technique on Telegram, and many users again fell for the bait.
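A defensive check for the renaming trick described above, as an added example that is not part of the original article. The function names are hypothetical, the sample names are constructed, and the rendering model is a simplification that assumes a single U+202E override running to the end of the name.

```python
import os
import unicodedata

# Bidirectional formatting characters that can reorder how a name is displayed.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200e", "\u200f", "\u061c",                      # LRM, RLM, ALM
}
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, the character named in the article


def rendered_name(name):
    """Approximate what the user sees: text after U+202E is shown reversed.

    Simplified model (assumption): one override that runs to the end of the name.
    """
    head, sep, tail = name.partition(RLO)
    if not sep:
        return name
    tail = "".join(c for c in tail if c not in BIDI_CONTROLS)
    return head + tail[::-1]


def inspect_filename(name):
    """Report bidi controls and compare the real extension with the shown one."""
    found = [c for c in name if c in BIDI_CONTROLS]
    real_ext = os.path.splitext(name)[1].lower()                 # what the OS acts on
    shown_ext = os.path.splitext(rendered_name(name))[1].lower()  # what the user reads
    return {
        "suspicious": bool(found),
        "controls": ["U+%04X %s" % (ord(c), unicodedata.name(c)) for c in found],
        "real_ext": real_ext,
        "shown_ext": shown_ext,
        "ext_mismatch": real_ext != shown_ext,
        # Make the invisible characters visible for logs and alerts.
        "safe_display": "".join(
            "<U+%04X>" % ord(c) if c in BIDI_CONTROLS else c for c in name
        ),
    }


if __name__ == "__main__":
    # Constructed sample names; the first follows the pattern from the article.
    for sample in ["cool_picture\u202egnp.js", "holiday.png", "report.final.pdf"]:
        print(inspect_filename(sample))
```

A mail gateway or file-upload filter can reject or quarantine any name where `suspicious` is true, since legitimate file names almost never need directional override characters.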

Also, scammers monitor trends in user behavior and understand what people can fall for. For example, attackers recently distributed malware under the guise of Netflix TV shows.

They added the names of popular shows to adware and malware. Among the files found were Trojans with all sorts of functionality, allowing, for example, to delete or block data, as well as spyware that can be used to steal photos and passwords from online banking.


“Why pay for antivirus when there are free versions?”


Another common opinion: for home use, a free antivirus is enough, which seems to be no worse than a paid one. If we have to choose between a free antivirus and no antivirus at all, then, of course, the first option is better, the expert notes.

But still it must be a licensed solution (not a pirated version) from a well-known, reliable vendor. An unlicensed version or free software from an unknown developer can be not only ineffective, but also dangerous. Another possible disadvantage of many free solutions that you should be aware of: often, such products collect a lot of data about the user.

In addition, it is important to study what exactly the antivirus developer is asking for money for. As a rule, the paid version offers more advanced protection and additional functionality: a password manager, online payment protection, a solution for online child safety.


“I don’t store anything valuable on my computer, which means there’s nothing to protect”

Such logic can be found in people who use a computer for routine household tasks: watch a movie, read news, compose a couple of documents in a text editor, start a game. However, everything is much more complicated.

Anyone with access to the Internet is a potential target for attackers. They may not be very interested in what’s on the device, but they can, for example, send a link to a phishing site to extract card details, use a Trojan to steal account credentials, or ransomware to demand ransom for returning access to the device. In this case, it will hardly seem to you that you did not store anything so valuable and important, – says the expert.

Moreover, in recent years, with the popularization of cryptocurrencies, hackers have adapted software for mining “crypto”. In addition, attackers can use the computer of an unsuspecting user for hacker attacks.

For example, some time ago we investigated the Loapi Trojan, which uses a smartphone to mine Monero tokens. This function is capable of overheating the device due to prolonged operation of the processor at maximum load. In the course of our study, two days after infection, the battery of the test smartphone swelled from overheating.

There are also programs known as stealers. They steal information, including from the browser, as well as data from crypto wallets, gaming platforms, and files from the desktop.


“There are almost no viruses on macOS and Linux – then an antivirus is not needed for them”


It is believed that, because of its popularity, Windows is of the greatest interest to hackers, and therefore most viruses are written for this system. And, they say, if you choose something less common, such as macOS or Linux, then you can be calm. But this is a big mistake, the expert is sure.

The number of macOS threats is growing from year to year. Moreover, we are talking not only about viruses, “Trojans” and other malicious programs, but also about online fraud, including phishing and unwanted advertising. It would seem, what is so bad about advertising? Unwanted advertising applications (adware), firstly, can greatly slow down the device, and secondly, they collect large amounts of data secretly from the user, which then may well settle on third-party servers.

With Linux, the situation is the same: according to the expert, in recent years, cybercriminals have been paying more and more attention to this operating system. Plus, do not forget about scam and vishing: not a single operating system is immune from them.

The expert also recalled another myth: it is believed that there are no viruses on iOS. However, this is not the case, and malware can be found even on a very closed platform. Most often, hackers steal Apple IDs. Having obtained one, an attacker can cause serious trouble for the account owner: block the device and demand a ransom for unlocking it, or gain access to personal data (photos, notes), as well as to other devices to which the Apple ID is tied.


“I don’t use general flash drives, I don’t visit “bad” sites — there is no place to catch viruses, I don’t need an antivirus”


This is another common misconception: the fact is that, in addition to viruses with Trojans and other “bad” software, methods of social engineering have become widespread. And even if you do not download anything, it is not the computer that remains at risk, but the person himself – vishing is aimed specifically at psychology.

No one is immune from the traps that exploit ordinary human emotions – fear, shame, curiosity. And, unfortunately, attackers use them very skillfully. Let’s remember the same telephone fraud, the turnover of which is not decreasing. As for online threats, last year, for example, phishing emails and pages about various social benefits, including those related to the coronavirus, were very common.

A scam is understood as a fraud when a user is offered a monetary reward for little effort: take a survey, take part in a promotion. At the same time, the amounts are not too small and not too large for the prize to seem believable. After passing such a survey or questionnaire, they are usually asked to make a “fixing payment” (about 10 cents), after which the fraudsters disappear.


“The privacy/anonymity mode of the browser will completely protect me from “spying” on my activity on the Internet”


In fact, incognito mode is far from being as “incognito” as the name suggests. It is true that the browser does not save the history of searches, visited websites and cookies. However, your ISP still sees all the activity, so there is no question of complete anonymity.


“I don’t save the card details in the browser – it’s safer if the account is suddenly stolen”


In part, this method can be considered effective, but it in no way guarantees complete safety. Browser developers assume by default that you have protected your device and account well. Therefore, Dmitry says, a program launched under your account on your own computer can potentially obtain and decrypt the data, because it acts on your behalf. This is what malicious software called a stealer does: it steals information even from the browser.

The specialist’s recommendation is as follows:

  • It is better to use special solutions for storing valuable files, such as password managers.
  • some have such functionality. If you still store passwords in your browser, then set a master password to protect yourself, and also use different passwords for different accounts.

“If an HTTPS certificate is specified in the URL string, the site is definitely real”


Network security guides advise you to pay attention to the HTTPS connection, which supposedly means high security. But this reflects a misunderstanding of how the protocol works and how certificates are issued.

It only means that the site has been issued a certificate and a pair of cryptographic keys has been generated for it. Such a site encrypts information transmitted from user to site and from site to user, that is, information exchanged between the browser and the site cannot be obtained by third parties: providers, network administrators, attackers who decide to intercept traffic, and so on. But the green lock and the issued certificate say nothing about the site itself.

That is, a phishing page can also have an HTTPS certificate, and it will encrypt all your interaction with the site. The login and password you enter on such a page will still be stolen if the site itself is fake.


“I am not a well-known person, which means that cybercriminals are not interested in my data”


Remember the iCloud movie star personal photo theft scandal? Then many public people were under attack. But an argument may arise: if I am the most ordinary person and take standard family pictures from vacation, then why would the intruders need them? In fact, any personal information is very popular on the darknet.

At the end of last year, we researched offers on the darknet and found that, for example, bank card data cost $6-20 on the black market, and passport scans – from $6 to $15.

Moreover, the data is not necessarily sold. Doxing is becoming popular: the search for and publication of personal information about a person without their consent. Attackers do not blackmail the person by demanding money, but simply disseminate the data in order to harm the victim.


10 universal cybersecurity tips from an expert

  1. Do not click on questionable links in mail, instant messengers or social networks, and do not click on advertising banners on suspicious sites.
  2. Carefully check the website address in the address bar before entering payment details.
  3. For online shopping, it is better to get a separate card, for example a virtual one, and keep small amounts on it, as well as set daily withdrawal limits.
  4. If the online store is unknown, it is better to check the information about the domain on special whois services: if it is completely fresh and registered to an individual, you should not buy anything there.
  5. Update your installed applications and operating system regularly.
  6. Use unique, strong and different passwords for all your accounts (at least 12 characters with letters in different case and special characters); it is better to use password managers to store passwords.
  7. In services that allow this, set up two-factor authentication.
  8. Download apps only from official stores and periodically check what programs are installed on your device.
  9. Pay attention to which applications on the smartphone have access to personal information and what permissions have been given to them. Do not give applications permissions that they do not need. For example, a flashlight app clearly doesn’t need access to photos or contacts.
  10. Update your social media privacy settings.