My computer was hacked!
In the summer of 2013, I was working when my screen was filled with a message that claimed to be from the RCMP (Canadian national police). The message said that my computer was locked because of illegal activity and that I had to pay $100 to unlock my computer. What? Panic! Unrepeatable words. I tried to close down the message. Nope. I tried rebooting the computer. No luck. The message came back up and I couldn’t do anything.
I turned off the computer and tried to think. I went to a different computer to research this attack. It was obviously a scam and there must be a way to defeat it. I was logged into the system using a general user account when the attack occurred. I started up the computer and logged in as administrator. The lock screen was not present! I was then able to scrub the system and remove the virus.
How did this happen? I’m very careful when it comes to security. I was hit by a drive-by download. I didn’t download anything. I didn’t run anything. My computer was infected just by visiting a web page. The page appeared benign – perhaps a programming resource or WordPress plugin review – but it was infected and then I was infected.
I promptly uninstalled the anti-virus/firewall software that had failed me (ZoneAlarm) and installed AVG Antivirus. I installed Malwarebytes and other scanners to root out the malware.
I even went to the point of running a virtual machine (a kind of computer within a computer) to browse the Internet. This worked but was very cumbersome, particularly when downloading from or uploading to the Internet.
Eventually, I formatted my entire computer and re-installed everything from the ground up to be sure that the infection was eradicated.
What have I learned and what actionable steps can you take to protect yourself online?
Safe Browsing Tips
Install a Firewall – I’ve had good success with AVG and I’ve read good things about Kaspersky. Pay for a license to get maximum protection. Windows also ships with a built-in firewall; make sure it stays turned on even if you don’t buy a suite. Firewalls are less of an issue on mobile devices because they expose fewer listening services than PCs, so blocking inbound traffic isn’t as much of a concern. However, a firewall can also block outgoing traffic from your device, which means it could stop a malicious app from sending your personal data off the device. There are firewall options for Android but I haven’t seen any for iOS devices.
Use a trusted browser – Some specialty browsers have known exploits and vulnerabilities and are slow to get them fixed. Stick with the big guys (Chrome, Firefox, Safari, Edge [if you must]) and keep them up to date: a drive-by download usually relies on a browser or plugin bug that has already been patched, so an updated mainstream browser closes most of that door.
Use a different browser for financial activity – My go-to browser is Firefox for day to day work. When online banking, I open a completely different browser (Internet Explorer) and I only use it for that. I also have no extensions installed in Internet Explorer. That way, if Firefox is infected, then I’m still safe in Internet Explorer.
Install minimal browser extensions – Yes, extensions can make your life easier but they can also spy on you, leak your personal information, or even inject ads into web pages: an extension with broad permissions can read everything on every page you load, including the pages where you type passwords. So vet those extensions carefully before installing them.
Pay attention to browser warnings – Your browser may warn you if there’s something fishy about the site you’re about to visit, for example a security certificate that doesn’t match the address, or a site that is on a known-malicious list. Legitimate sites get hacked, or you may have mistyped the address. Taking 10 extra seconds to review the warning may save you days trying to recover your machine.
Expand URL shortened links – Short URLs are very convenient but they can also be used to take you to malicious websites. You can expand them using Unshorten.it to see where they go.
Check for the lock – Your bank uses HTTPS to communicate securely with you, and that’s indicated by the lock icon. If it’s missing, you are in the wrong place! Many other services (like Google) use HTTPS too. One caveat: the lock only means the connection to the address shown is encrypted, and a phishing site can obtain a lock just as easily, so read the address next to the lock rather than trusting the icon alone.
Check for misspellings – Hackers register misspellings of popular site addresses and create bogus sites so that they can capture your credentials or personal information. A related trick hides the real name inside a longer one, such as yourbank.com.example.net, where the site you actually reach is example.net. Check the site address for banking and other sensitive sites before entering your password.
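The checks in the tips above can be scripted. The following is an added example, not code from the original post. It assumes a small constructed allowlist of sites you log into (mybank.example and accounts.google.com are placeholders) and a constructed redirect chain standing in for a real shortener, so it runs without a network. It flags a missing HTTPS, a raw IP address, a shortened link, a look-alike spelling, and a trusted name buried inside a longer address, and it expands a short link one redirect at a time without ever loading the destination page.

```python
import ipaddress
from http.client import HTTPConnection, HTTPSConnection
from urllib.parse import urljoin, urlsplit

# Constructed allowlist: the sites you actually log into (hypothetical names).
TRUSTED_HOSTS = {"mybank.example", "accounts.google.com"}
# Constructed sample of popular URL shorteners.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def edit_distance(a, b):
    """Levenshtein distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def check_url(url):
    """Return a list of warnings for a link; an empty list means every check passed."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("no https: the connection is not encrypted")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a site name")
    except ValueError:
        pass
    if host in SHORTENERS:
        warnings.append("shortened link: expand it before clicking")
    # The site itself, or a real subdomain of it (www.mybank.example), is fine.
    if host in TRUSTED_HOSTS or any(host.endswith("." + t) for t in TRUSTED_HOSTS):
        return warnings
    for trusted in TRUSTED_HOSTS:
        if host.startswith(trusted + ".") or ("." + trusted + ".") in host:
            # mybank.example.evil.net: the real name is only a subdomain of evil.net
            warnings.append(f"'{trusted}' is just a subdomain of {host}")
        elif edit_distance(host, trusted) <= 2:
            warnings.append(f"'{host}' looks like '{trusted}' but is a different site")
    return warnings


def expand(url, fetch, max_hops=5):
    """Follow redirects one hop at a time and return every stop on the way.

    fetch(url) must return (status, location_header_or_None) for a single
    request, so no page body is ever downloaded or rendered."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain
        chain.append(urljoin(chain[-1], location))
    chain.append("(stopped: too many redirects)")
    return chain


def head_request(url):
    """Real fetcher for expand(): one HEAD request that does not follow redirects."""
    parts = urlsplit(url)
    conn_cls = HTTPSConnection if parts.scheme == "https" else HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=10)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn.request("HEAD", path)
    resp = conn.getresponse()
    conn.close()
    return resp.status, resp.getheader("Location")


# Constructed redirect chain standing in for a real shortener (no network needed).
FAKE_REDIRECTS = {
    "https://bit.ly/3abc": (301, "https://rnybank.example/login"),
    "https://rnybank.example/login": (200, None),
}


def fake_fetch(url):
    return FAKE_REDIRECTS.get(url, (404, None))


if __name__ == "__main__":
    chain = expand("https://bit.ly/3abc", fake_fetch)
    print(" -> ".join(chain))
    for warning in check_url(chain[-1]):
        print("WARNING:", warning)
```

Swap `fake_fetch` for `head_request` to expand a real short link; because only HEAD requests are sent and redirects are followed by hand, the final page is never fetched, which is the same safety property the expansion services give you.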
Safe Browsing Tips (Advanced)
These changes provide even more security when browsing but they require more work and more technical savvy to implement.
Install the NoScript extension – JavaScript is a powerful programming language that enables most of the cool things you experience online. Unfortunately, hackers use JavaScript maliciously. The drive-by attack that infected my machine was delivered via JavaScript. You can disable JavaScript in Firefox using the NoScript extension and then selectively enable it for trusted websites. WARNING: Disabling JavaScript takes much of the fun out of the web, breaks web pages, and is inconvenient. I do use this extension and then enable JavaScript as needed.
Modify your HOSTS file – The HOSTS file in Windows (C:\Windows\System32\drivers\etc\hosts) is a type of address book for the web. Normally, your computer asks a DNS server, usually your Internet Service Provider’s, to translate a site name into a network address. The HOSTS file is consulted before DNS, so an entry that points a malicious site’s name at a dead address (0.0.0.0) overrides the real answer and blocks your computer from reaching that site. I downloaded this file which blocks malicious sites (and advertising sites). I was concerned that this might block me from legitimate services but that’s only been a problem for one service. Otherwise, it’s protecting my computer. Some advertising networks have served malware through their ads, so blocking advertising sites also potentially protects against malware. Editing the file requires administrator rights, and it only matches exact names: there are no wildcards, so every subdomain you want blocked needs its own line.
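As an added example (not from the original post), the script below checks a downloaded blocklist before it goes anywhere near the HOSTS file, which addresses the worry about blocking legitimate services: it normalises every entry to 0.0.0.0, drops duplicates and the system entries such as localhost, rejects wildcard lines the HOSTS file cannot honour, reports any name that collides with an allowlist of services you rely on, and merges the result into a marked section of an existing hosts file so it can be re-run after the next update. The blocklist, the allowlist and the existing hosts file contents are constructed samples.

```python
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"  # real location; writing needs admin rights
SINKHOLE = "0.0.0.0"   # fails instantly; 127.0.0.1 makes the browser wait on a local connection
SYSTEM_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost", "ip6-localhost"}
BEGIN, END = "# BEGIN managed blocklist", "# END managed blocklist"

# Constructed sample blocklist in hosts-file format (not a real list).
SAMPLE_BLOCKLIST = """# sample, not a real list
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # trailing comment
127.0.0.1 ads.example.net     # duplicate with a different sink-hole address
0.0.0.0 malware-drop.example www.malware-drop.example
0.0.0.0 cdn.legit-service.example
0.0.0.0 *.wildcard.example
"""
# Constructed allowlist: services you need that a blocklist must not break.
ALLOWLIST = {"legit-service.example"}

# Constructed stand-in for the existing hosts file.
SAMPLE_HOSTS = "127.0.0.1 localhost\n::1 localhost\n"


def parse_hosts(text):
    """Yield (address, hostname) for every name on every non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def build_blocklist(blocklist_text, allowlist):
    """Return {"entries": [...], "conflicts": [...], "invalid": [...]}."""
    entries, conflicts, invalid, seen = [], [], [], set()
    for _addr, name in parse_hosts(blocklist_text):
        if name in SYSTEM_NAMES or name in seen:
            continue
        seen.add(name)
        if "*" in name:
            invalid.append(name)          # hosts files match exact names only
        elif name in allowlist or any(name.endswith("." + a) for a in allowlist):
            conflicts.append(name)        # would break a service you rely on
        else:
            entries.append(f"{SINKHOLE} {name}")
    return {"entries": entries, "conflicts": conflicts, "invalid": invalid}


def merge_into_hosts(existing, entries):
    """Replace (or append) the managed section so re-running never duplicates lines."""
    lines = existing.splitlines()
    if BEGIN in lines and END in lines:
        start, stop = lines.index(BEGIN), lines.index(END)
        lines = lines[:start] + lines[stop + 1:]
    managed = [BEGIN, *entries, END]
    return "\n".join(lines + managed) + "\n"


if __name__ == "__main__":
    result = build_blocklist(SAMPLE_BLOCKLIST, ALLOWLIST)
    for name in result["conflicts"]:
        print("SKIPPED (on your allowlist):", name)
    for name in result["invalid"]:
        print("SKIPPED (wildcards do not work in a hosts file):", name)
    # Printed rather than written: review it, then copy it over HOSTS_PATH
    # from an administrator prompt.
    print(merge_into_hosts(SAMPLE_HOSTS, result["entries"]))
```

Because the managed block is bracketed by marker comments, updating to a newer blocklist is a matter of re-running the script; your own entries above the markers are left untouched.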
Browse using a Linux Virtual Machine – This is the most extreme security measure I’ve tried. In running a Virtual Machine, I have what appears to be a completely different computer. I can run a different operating system and different applications. The idea is that it’s isolated from my machine and can’t affect it, so if there’s a problem in the Virtual Machine, I can just shut it down. I installed the free VMware Player and then created a Linux virtual machine. I chose Linux because it’s more secure and less popular than Windows, which means that there are fewer exploits aimed at Linux. I chose Linux Mint because of its user-friendly interface. The Virtual Machine worked but was awkward, as I mentioned above, so I’ve since abandoned it. I’m still convinced it’s the safest solution short of browsing on a completely separate physical computer.
Safe Email Tips
Check the sender – I recently sent an email alert about a phishing scam and a few people (even my own brother) questioned the legitimacy of the message. This was asked mostly in jest, but it was a good point since the email I forwarded contained some odd-looking links. Many phishing scams appear legitimate but the sending address is bogus: the display name may say your bank while the actual address behind it belongs to a look-alike domain, so look at the address itself, not just the name.
Check the links – The text you see and its link can be different, so even if a URL appears in the body of the message, the link underneath it can point somewhere else. To check the real location on a computer, hover your mouse over the link; the target address will appear at the bottom of your email software. On a mobile device, press and hold on a link to see the actual address. If unsure about the address, you can copy the link address and plug it into Google to see what comes up.
Type in the address yourself – Be very wary of any email that directs you to your bank or a login page. These may be a scam trying to trick you into revealing your password. Instead of clicking the link, type the address into the browser directly. This is especially true when it comes to online banking.
Protect your email address – Have at least two email addresses. Use one for trusted communications (like friends and banking). Use the other for services and untrusted websites. In this way, you can have more confidence about messages in your first account. If you see an email supposedly from your bank in the second account, then you know that it’s fake. You can automatically forward and filter emails to simplify email management. I’ve created hundreds of email forwarders to protect my core email accounts. If I start getting spam or phishing emails on a forwarder, I just delete it and that spam stops instantly. You can also use the Gmail + trick (yourname+shopname@gmail.com) to create unlimited email aliases using the same Gmail account.
Share passwords securely – Email is inherently insecure and you should never send sensitive information over it. I’ve been using LastPass for some time now to share passwords and it’s a great platform. There is a free tier with lots of functionality. Check out 1Password for a Canadian option. (** Update from January 25, 2023: After the LastPass breaches of 2022 and their poor handling of it, I’ve now switched to 1Password and am very happy with it.)
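Checking the sender and the links, the first two email tips above, can also be done in code. The script below is an added example, not code from the original post: it takes a raw email (a constructed phishing sample is embedded), compares the From address against the domains your bank really sends from (mybank.example is a placeholder), and pulls every link out of the HTML body so that a link whose visible text names one site but whose target is another gets flagged, which is exactly what hovering over the link shows you by hand.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: domains the real bank sends mail from and hosts its site on.
TRUSTED_DOMAINS = {"mybank.example"}

# Constructed phishing sample. The display name says "MyBank", the address does not,
# and the visible link text shows the real bank while the href goes elsewhere.
SAMPLE_EMAIL = """\
From: "MyBank Security" <alerts@mybank-secure-login.net>
To: you@example.com
Subject: Action required on your account
Content-Type: text/html; charset=utf-8

<p>Dear customer,</p>
<p>Please sign in at <a href="http://mybank.example.verify-login.net/x">https://mybank.example/login</a>
to confirm your details.</p>
<p>Questions? Visit <a href="https://mybank.example/help">our help centre</a>.</p>
"""


def is_trusted(domain):
    """True for a trusted domain or any real subdomain of one."""
    domain = domain.lower()
    return domain in TRUSTED_DOMAINS or any(domain.endswith("." + d) for d in TRUSTED_DOMAINS)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(text):
    """Hostname from a URL or from bare text such as 'mybank.example/login'."""
    if "://" not in text:
        text = "https://" + text
    return (urlsplit(text).hostname or "").lower()


def check_sender(raw):
    """Return (display name, address, trusted?) for the From header."""
    name, addr = parseaddr(email.message_from_string(raw).get("From", ""))
    return name, addr, is_trusted(addr.rsplit("@", 1)[-1])


def check_links(raw):
    """One record per link: the host it really goes to and why it is suspicious, if it is."""
    msg = email.message_from_string(raw)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)
    report = []
    for text, href in collector.links:
        target = host_of(href)
        reasons = []
        # Only compare when the visible text itself looks like an address.
        shown = host_of(text) if "." in text and " " not in text and "@" not in text else ""
        if shown and shown != target:
            reasons.append(f"text shows {shown} but link goes to {target}")
        if urlsplit(href).scheme != "https":
            reasons.append("link is not https")
        report.append({"text": text, "target": target, "reasons": reasons})
    return report


if __name__ == "__main__":
    name, addr, ok = check_sender(SAMPLE_EMAIL)
    print(f"From: {name!r} <{addr}> -> {'trusted domain' if ok else 'NOT a trusted domain'}")
    for link in check_links(SAMPLE_EMAIL):
        print(f"{link['text']!r} -> {link['target']}: {'; '.join(link['reasons']) or 'ok'}")
```

Feed it a saved `.eml` file instead of the sample to check a real message. The sender check deliberately ignores the display name, since that is the part a phisher controls completely; only the domain after the @ is compared.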
Tell me in the comments, what works for you. I’m interested to hear about your experiences!