Complete Transcript of Interview – Andrew Lee – ESET
Let’s Talk Computers Radio Talk Show
Host Alan Ashendorf
April 22nd 2006
Andrew: Alan, it’s good to be back.
Alan: You get an official email from the IRS, stating that “there’s a problem with your tax return and you’ve got to sign into this address” because everything’s going electronic. And if you don’t do something that the IRS says, you can be in a heap of trouble, can’t you?
Andrew: You might think that. Unfortunately, if you do this and answer a lot of these emails, you’re going to find that you’ve been phished. Phishing is really a technique which is used by criminals to extract information. They cast out the line, which is the email, and you bite on the hook. They are trying to fool you into doing something which will reveal personal information, like bank account details or maybe a social security number, that kind of thing.
Alan: It looks so official. It even has the IRS logo on it. It has a link on there. How can you go wrong by clicking on a link that says IRS.gov?
Andrew: Well, what you’ve got to look at is not necessarily what the link says in plain sight. But underneath that link, in the actual code that’s in the email (the HTML code itself), that link, when you click it, may not go to the IRS website. It may be directed to a completely different site that may look very much like the IRS website, but it really isn’t.
Alan: I just got something interesting today. It’s from eBay.com and it says, “question about an item” that I bid on, that I won, that I haven’t paid for. And if I don’t click on here and take care of this immediately, they’re going to 1) cancel my account and 2) turn me over to the police.
Andrew: The first question has always got to be: you may not be an eBay member. But let’s say that you are. Okay, 1) Did I buy something on eBay? 2) Is this from a person that I recognize, or is this related to an outfit that I recognize, and has it come to the email address that I use on eBay? Very often you’ll find that those conditions aren’t all true. Even if you use eBay regularly, one quick tip is “don’t use your email address as your eBay ID”. And if it hasn’t come to the email address that you use on eBay, then it’s almost certain that it’s phished. And what you’ll probably find, once again, is that the links in that email won’t take you to eBay; even though they might look like they are going to eBay, when you click on them, they’re going to go somewhere else.
Alan: Because, once you look at this email and look at it in source code, you’ll see that, well, the link basically says that you’re going to ebay.com, but where you’re going is someplace like “Johnnymendoza.com”, and I don’t think that has anything to do with eBay.
Andrew: Right, it doesn’t. If you get an email and it’s legitimately from eBay, it’s never going to ask you for your ID and for your password. eBay states categorically that they “will not ask you for your password in an email communication”. And the reason why is because it’s way too easy to get caught with these phishing attacks. I’ve seen these coming from, well, they look like they came from Chase Manhattan Bank, or they look like they came from PayPal. Although there was a really clever one the other day. What they’ve done is they’ve registered the domain “bankofamericas.com”, so that it has an “s” on the end, and what they’ve also done is they’ve created a digital certificate, so that when you went to the site you clicked on, it appeared to be a secure website. You’ve got your certificate coming up.
And that makes you think, “Oh, I’m now on a secure site,” so of course a “secure” site must be good, but it doesn’t mean that at all. If you’ve gone to that site, you’re going to be phished. And once again, Bank of America or whoever, whichever bank it is that you’re talking about, whichever site that you’re talking about, like PayPal or eBay or something like that, they’re never going to ask you for your password and your personal details, your credit card numbers, that kind of thing, through an email.
Alan: Most of us that are computer savvy, we understand about links and about hyperlinks and about redirection, but senior citizens and people that are just learning how to use the Internet, they’re the ones that really usually get set up and become marks, aren’t they?
Andrew: Even as a reasonably experienced computer user, people can still get fooled by some of these attacks. They look very genuine. You always have to ask yourself the question. You know, I get email myself that comes in and I look at it and I think, “Wow, that’s a really, really good phish.” But because I’m aware that my bank will never ask me for my password and my credit card details, even if it did, I would never give them through a click-through in an email. But even so, you look at those things and you think, “Wow, that’s clever.” It’s pretty convincing. And these sites, they can look exactly like the original website of the bank or of the site that you’re being phished with. And if they look absolutely identical, it’s really hard for a user to tell, but actually, it’s not the same thing.
Alan: I just got one from Wells Fargo with their emblem on it, and their emblem is actually their emblem, because it’s coming directly from their site. And it’s saying that I have an “important online access agreement update”. And if I don’t do this right now, then they’ll just “turn off my bank account and I’ve got checks outstanding.” Plus the fact that I’ve got this at about 9:00 at night and really, there’s no way to call the bank.
Andrew: That’s something that’s going to worry you. You’re going to be thinking, “Well, I don’t want that to happen”, and that’s what they’re preying on. It’s a technique of social engineering. And what it really does is it kind of pushes your buttons, so that you react in the way that they want you to. So, they’ve kind of engineered the situation in which you will respond. If you think you’re going to lose your bank account access, or that your bank account’s going to be closed down or something like that, you might be worried, but the one thing that’s really important to note is that your bank, particularly if it’s going to do something like that, has to inform you in writing through the regular mail. You don’t need to worry about something that’s come in through an email.
Alan: I’ve got NOD32 installed, and NOD32 does something that I really, really enjoy, because it looks at every email that comes into my system and it actually puts a message down at the bottom that basically says that “this version of NOD32 has looked at my email and made sure that it’s okay”. So, it gives me that warm and fuzzy feeling.
Andrew: One of the ways that we try and prevent attacks is by looking at it before it gets into your inbox, before you open it up and click on it. We have technology in the product as well which is able to discover these phishing attacks (these common phishing-type mails). They are also able to be detected by the product, because it scans the email, looks at it and decides whether or not it’s genuine, and so you can get rid of it in many cases.
Alan: Well, I know that you use your heuristics to protect us from viruses, because a virus could be just ever-changing; I mean, it could never be the same virus twice hitting our system. But phishing is even worse, because it’s so easy to change the words around, it’s so easy to change what the message is, it’s so easy to change where the site is going. How does NOD32 figure out what is good and what is bad?
Andrew: There are a few ways that you can really tell. What we try and do with our heuristics is kind of put a virtual virus researcher on your machine. What we try and make the system do is do the same common-sense checks that a normal person would do if they were experienced enough to know what the attacks look like, and knew that they have to do those checks themselves. For instance, we’re looking at: does the header information match the IP that it came from? Each site is assigned an IP address, which is a numerical identifier, if you like, of a particular system. And what you can do is check whether that IP address matches the address that it claims to have come from. So, for instance, let’s say it claims to be coming from eBay and the IP address doesn’t match; that’s one way you can tell that it didn’t come from there.
You can also check the things underneath the code, those URLs that we were talking about, the hyperlinks in the email itself. When you click on those, it might look to you, because it’s written out, that it’s eBay, but underneath it might be going to whatever URL is under there. You can tell that the two things don’t match up, so the virus scanner will immediately alert that something didn’t match, it’s not right. That’s a kind of simplistic way of putting it, but really it’s the same idea of using the intelligence that we give to the program to understand the threats and then to be able to block that threat because of it.
Alan: And you use what they call a multi-level approach, because just trying to attack all these phishing attacks or viruses that come in through our email in just one way just doesn’t work anymore, does it?
Andrew: True. There are a number of ways that you have to be able to protect, and the best way to protect something is to stop it from getting in in the first place, and that’s why we have that kind of multi-layer approach in the scanning. If we can scan it and catch it while you’re browsing the Internet or while you’re downloading email, rather than waiting until it gets down onto your desktop and then catching it, it’s another layer of protection and it stops it in its tracks.
And one of the good things as well is it kind of trains the user to be aware of these things, because if we catch something in email, we’re going to put a notification in the subject line and you’ll see that: “oh, okay, NOD32 caught something here and it’s done something with my email, it cleaned it up for me.” In a way, it highlights it again in the user’s mind; it says, “oh, I need to be aware of these things.”
Alan: What does NOD32 do with a suspected bad email? Because not all email that you catch may be bad. We want to make sure that we can go back and look at it, don’t we?
Andrew: There are different options that you can configure, but by default, what it will do is Outlook creates a folder called “Infected” and it just puts the emails in there. The emails are still there and I can access them. And then if I go and click on that folder and look at one of the emails that NOD32’s got an alert on for me, I can make a decision from there if I really want to. I can make a decision as to whether I want to view the rest of that email, or I can just set it to delete it.
Alan: Right out of the box, NOD32 is set up to catch just about everything that can be thrown at us, and we can also customize it even further to make it even more secure, can’t we?
Andrew: We try and give a lot of configuration options in the product. We do give the same level of protection for the home user as we would to an enterprise user. A home user might not be too interested in being able to reconfigure things or to exclude certain directories or exclude certain file types, but in an enterprise situation, there might be a reason that you don’t want a particular drive to be scanned or a particular area to be scanned. So you can exclude that particular one, just as an example of the configuration options. It’s a very flexible and very configurable system.
But the really great thing about it is that it’s an integrated system, so you don’t have to have it set for an anti-trojan program, set for an anti-spyware program, set for an anti-phishing program. It’s kind of all built into that single unified engine, so it gives you speed advantages, but it also gives you that multi-layered protection in a single product.
Alan: Nowadays, that is exactly what you need, because these scammers and spammers are getting to be very sophisticated, because there’s a lot of money to be made in this, isn’t there?
Andrew: There is, and that’s what we’re really seeing driving the creation of this new malware and these new phishing attacks. What’s actually happened is just this kind of cat-and-mouse game, where we’ve chopped off the easy access to the really simple ways and they’ve just come up with more and more inventive ways of perpetrating these attacks. But what they’re doing is, criminal groups are spending more and more money and time in actually creating these new attacks so that they can try and be more effective. Of course, we have a responsibility to keep our eyes and ears open to make sure that we’re up to date on the latest techniques and the latest things that are happening. And our system, as you know, is able to report back statistics, if you’ve configured it in that way.
Alan: You can also get a fully functional trialware version of NOD32 on your website. And this is good for 30 days and it is not stripped down in any way whatsoever. Where can we go to get that?
Andrew: You can go to eset.com. And anyone who’s been to eset.com before will actually have a pleasant surprise. We just launched a new website. There’s a lot of information on there, lots of really good information about different types of threats and about new malware that’s coming out. It’s got links into our virus radar system. And it’s got a link to the download page, where, as you say, you can download a free 30-day trial of the product.
Alan: And Andrew, as always, it’s been our pleasure to have you as our guest here on LET’S TALK COMPUTERS, and we look forward to talking to you about some of your other tips about keeping us safe on the Internet.
Andrew: Thanks, Alan. It’s been a pleasure.