...they snatch their "presents" from gullible computer users!

As the holidays are quickly approaching, many people around the world plan to do some serious shopping for Christmas presents. Unfortunately, this time of year also means a peak in cyber crime activity. In shopping malls - and other crowded places - thieves are lurking around, waiting to get their hands on people's well deserved earnings. One mistake, one lost moment, and your wallet may be gone forever.

Most people have this in mind when browsing around in stores. However, this same awareness must also be practiced on the Net as this is the "new" and expanding marketplace, allowing for shopping without the usual congestion and elbowing. The increased movement towards Net-shopping is, of course, also noted by criminals that see a way to perform remote crime, stealing from gullible users without the risk of being caught with their hand in someone's pocket or purse.

So, how can these criminal, Christmas-robbing leeches reach into your pocket from such a distance? During public holidays, like Christmas, people are used to being hit by a large number of advertisements, a trend that nowadays is also visible in our e-mail inboxes. Many users are flooded by advertisements from companies that try to push their attractive offers. Some of these advertisements are, in fact, from legitimate businesses but, then again, some are not!

Cyber thieves constantly generate scam advertisments that are spread around to a great number of users with the help of certain tools, for example botnets. They try to trick the user to click links or e-mail attachments associated with the scam advertisement. Clicking such items may result in an automatic and stealthed installation of a keylogger object, or another type of malicious file, on the system. This may be done in order to get hold of the user's credit card and/or banking information. Executable attachments are sometimes blocked by e-mail systems. In order to make malicious attachments pass such filters, the attachments may arrive disguised as something trivial, like a document, zipped file or as another file format.

The attachments may be named something eye catching in order to entice users to click them. If a keylogger executable comes piggybacked in a document, the user first has to open the doc and then double-click the piggybacked executable in order to install the keylogger. So therefore, do not execute those attachments!

How Can You Protect Yourself?

The user may spot that the piggybacked file is an executable if  "Hide extensions for known file types" is unchecked in Folder Options, but this has to be done manually as it is checked by default. The folder options can be reached via the Tools menu in "My Computer" or "Windows Explorer". Unchecking the "Hide extensions for known file types" enables the user to view the file extensions in order to pinpoint if the file is an executable or not. The previously mentioned operation should be enough for most users but it does not enable file extension viewing for .SHS files, another executable format. If a user also wants to see the .SHS extension, he or she needs to remove the following registry value using Regedit (Goto Start, Run, Type Regedit and press enter). Remember to be extremely cautious when tampering with the registry as it could harm the system severely.

The following "hack" is therefore provided for computer savvy users on a "do it on your own risk" basis!

[HKEY_CLASSES_ROOT\ShellScrap]
"NeverShowExt"=   (remove "NeverShowExt"=)

This can also be accomplished by creating a registry file with the following content.

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\ShellScrap]

"NeverShowExt"=-

Just cut and paste this in a empty Notepad file, save it as a "All Files" type of file, and name it (for example "shs.reg"). Then, doubleclick shs.reg and the "NeverShowExt"= value will be removed from the registry. After a system reboot the .SHS file extension should be visible. Omitting the "-" after "NeverShowExt"= would revert the procedure.
Another common scam is to use a folder icon for a malicious executable. If the user cannot see the the file extension (for example .exe), the file just looks like a folder. Double-clicking the harmless looking "folder" starts the installation process that may be totally hidden from the user. Disguised attachments is also a technique that is used to perform remote installs of commercial keyloggers. The icon images used by legitimate applications and/or the images used by Windows icons, are often used by criminals in order to get users to execute harmless looking files.

The Best Protection: Awareness!

So, when hunting for those cheap net-deals or absolute bargains, be aware that some of the advertisements that arrive by e-mail may be generated by criminals that feed on the mistakes of everyday computer users. All e-mail should be looked upon as suspicious until you are absolutely sure of its origin and of the sender's intentions. E-mail that comes from known senders may still carry infections as the sent e-mail message can be the result of an infection on the sender's system. Compromised machines may automatically send infected e-mail messages to the whole range of contacts in an address list - without the knowledge or consent of the affected user.

So, as a precaution, do not click links in suspicious looking e-mail messages and beware of those super-duper-almost-free-for-the-first-10-users types of bargains. These might turn out to be something totally different in the end! Clicking such links may start the installation of a malicious object or direct the user to a malicious site where malware objects can be installed automatically via browser exploits and/or Java- or ActiveX scripting; to avoid this, close down unneccessary scripting functions via the browser's security settings. Also, make sure that you can see the file extensions of attached or downloaded files in order to pinpoint if the file is an executable or not. The images in the left column of this article provide information about different executable formats. Do your Net-shopping on well respected and well known sites that offer adequate encryption for the credit-card and banking information. The security certificates of the shopping sites should also be valid. Running a firewall that controls in- and out-bound traffic and a anti-virus/anti-spyware application, with updated definitions, increases the level of security. A good craftsman knows his tools and it is therefore essential to aquire an adequate level of knowledge regarding how to operate the "power-drills" in your personal privacy toolbox, making the tools work to their full potential! Using dedicated systems, or dedicated virtual environments, for certain critical tasks are other security-increasing options for security conscious users.

Happy holiday shopping!

LS Pekka

Lavasoft Research