Let's Talk Computers Interview - The Hidden Dangers of eCards and eGreetings

Complete Transcript of Interview – Randy Abrams - ESET 
 Let’s Talk Computers Radio Talk Show 
 Host Alan Ashendorf 
 July 21 2007 
 
 
 Alan: You get an email, saying a family member has just sent you an Ecard. Do you ignore it and risk upsetting someone in your family or do you open it and risk getting malware? Our guest, today, is Randy Abrams, Director of Technical Education with ESET. And welcome back to Let’s Talk Computers, Randy. 

 Randy: Well, thanks, Alan; it’s great to be here.

 Alan: Randy, this is just getting to be a royal pain. We get tons of announcements; we get them from companies that are supposed to be legit and if we open them up we can get all kinds of malware on our system and if we don’t open them up – well, I don’t know if the getting the wrath of my sister, telling me that I should have opened it up and that she spent all this time composing this card – I don’t know which one is worse!

 Randy: You can get an email that looks like it’s from hallmark.com and this is an important differentiation – it looks like it’s from hallmark.com - because, I can make an email to you to say that it came from anyone. I you want an email from Bill Gates? It’s not a problem; I can send an email from Bill Gates. 

 It looks like it’s from…this email goes on to say that “a family member” sent you an Ecard? If it’s a real Hallmark one, it’s going to say “which family member”. If it just says, “a family member”, “a class mate” or “a friend”, then it’s anonymous and you will have to assume that it’s a hoax, a scam, designed to steal information from you.

 If it says that, “your sister, Ethel” sent you a greeting card, then the next step is to contact Ethel and say, “You know I’m concerned because of the scams going around. Did you really send me a greeting card?” If she did send it, then go ahead and open it, but if she didn’t then you’ve confirmed that this is scam.

 Alan: But, everybody has a cousin Frank or a cousin Mary and if it says cousin Mary sent me an Ecard, then “oh, okay, that’s great and if it’s around my or if it’s around the 4th of July or some other holiday – the odds are that people who are not savvy about the Internet – and I’m talking about Senior Citizens and young kids – really are going to open these things, aren’t they?

 Randy: Oh, the whole age range will. And that’s why it’s important that even if you have a relative by that name, you contact that relative directly and verify it before you open the Ecard. 

 I mean, the very first time I say an Ecard a few years ago – the first that crossed mind was, “These are going to be used to trick people into running malicious software.” As obvious as Lucy’s putting down the football for Charlie Brown to kick, she’s going to pull it away. It’s a given; you know it’s going to happen. 

 Alan: Well, I know someone who got an email from PayPal, asking them to confirm their account information and since they just finished buying something on eBay, they thought this was normal. They clicked on the link in the email; they logged into their account; entered their name and their password; they filled in the information that was asked for; and signed off, thinking everything was fine. 

 It wasn’t until much later, when they got an email from someone else, saying that we just found your name, your address, your bank, credit card, and your pin number on this website. I thought l would let you know that you have just been scammed – did she start worrying. 

 And if somebody wasn’t nice enough to let his person know that they had been scammed, they could have been in a whole lot of trouble. In most cases, people don’t realize that they’ve been scammed until their bank account has been totally emptied.

 Randy: That’s a very, very common scam. PayPal, eBay, your bank – you’ll get all kinds of email, saying that “there’s a problem with you account”, and that’s not how these institutions deal with the problem. So, it’s absolutely critical that if you think you’ve gotten email – and remember, it’s not that you’ve gotten email from PayPal; it’s think that you’ve gotten email from PayPal – because someone says, “that’s who it is.” 

 If I write your return address on an envelope and send it from someone, did you send it? Of course, not - I did. I wrote your return address. An email is very easy for someone to write anyone’s return address on it. You don’t know whom the email came from until you validate it and you cannot use any of the information in that email to validate it. You have to use external sources. 

 If you go to paypal.com and then you type that in, yourself; don’t use a link in the email – contact their support people and say, “I got this email; is it legitimate?” They are going to send you back and say, “No, this is a scam; don’t give any information away.”

 Alan: She went to the site; it had the PayPal logo; it’s the same site that she had gone to an hour or so before; it had the same look and feel. They are so convincing!

 Randy: They are; and that’s why you don’t ever go in from the email. You don’t call phone numbers in the email. You use external forces to validate the information – because, it’s all a giant masquerade party. Anyone can put on any mask and it is as perfect as Hollywood gets at creating a fake. 

 Those of us in the Security space, see this daily. What people really have to learn and accept is that anything coming into your computer is suspect. You do not know from the return address; you do not know from the look of the website, whether or not it’s real. The computer does what it’s told to do; and if I tell the computer to send an email that says that it’s from PayPal, it’s going to do that. And your computer is going to say, “Hey, this is from PayPal.”

 Sandra: The thing that I don’t believe that the average user out there, perhaps, understands is that the speed with which things happen in the Internet World is mind-boggling!

 Randy: It’s virtually instantaneously. What you have to realize is that there’s a lot of bad people out there, (actually there’s just a very small hand full of bad people out there), but computers automate things so well that they get around extremely quickly. They can impersonate anything! If you get an email that says that you need to go to a website and divulge any information, whatsoever, then you cannot trust that email and don’t trust the website. In fact, you’re better not going to the website. 

 You know paypal.com. Type it into your browser. Type the actual address. If it’s your bank, type your bank’s address; if it’s eBay, type eBay’s address; do not use any information in the email, at all. Know that you’re actually dealing with the company; you don’t know that from the email that you get.

 Alan: Now, if somebody has your credit card information, they can use that credit card at different vendors all over the world. The only time that you would realize that things were being charged to you is when you got your monthly bill and when you looked at it and you would say, “I didn’t buy that $5,000 product!”

 Randy: And there’s more to it than that, even. Depending on how much information they tricked you into giving, they can actually open up credit card accounts in your name, that you never even signed-off on. 

 And one of the most over-looked items when this happens is the password. If they tricked you into giving a password, a lot of people use the same password for a variety of accounts. You need to change your passwords for all of your accounts. You really should change your account password on a regular basis.

 Alan: Oh, absolutely.

 Randy: And, it’s not a good idea to use the same password for multiple accounts, especially if they’re related to money.

 Alan: I know that you have been working on this problem forever, I guess – because it just keeps getting to be more. It’s not going to be going away. What is ESET doing to help us, as a consumer, to keep this from happening to us?

 Randy: At ESET, we try to stay on top of what the latest phishing attacks are, so that the software can intercept emails that have phishing attacks; it’s a very tough proposition. Microsoft has a very vested interest in protecting people against this kind of thing, because it decreases trust in computers. And Microsoft’s bread and butter are on people using computers – and Microsoft has not been able to wrap their hands around the problem, either. And law enforcement communities across the world; anti-virus vendors across the world; specific anti-phishing groups across the world, are all working on this. 

 The truth of the matter is that this is a social problem. Technology can be used to help to mitigate it. But, what’s going to be required, truly, is education. People have to become familiar with the ways that they can be attacked and then understand that they can’t trust what they see on their computer. 

 Alan: If we go to these sites that look exactly like PayPal or your bank and just the fact of going to those sites can put malware on our system. And this is where ESET really shines, because that’s where “heuristics” is better than anything out there. Because, you don’t even have to worry about a “definition file” to catch these beasts; your heuristics stops it dead.

 Randy: One of the recent scams has been a variation of what a lot of people know as a Storm Worm. People started getting these emails, saying that a friend has sent you an Ecard – and it wasn’t an Ecard, at all. It was a variant of the Storm Worm. ESET has very advanced heuristics, which means that we are able to, based on behavior, detect threats that we haven’t seen before. 

 And, what we were seeing was that every minute the malware was being changed. So, every minute, a new form of this malware was coming out, posing as an Ecard. And ESET was able to detect all these different variants of the Storm Worm.

 Sandra: What are heuristics?

 Randy: Heuristics is basically, a rule-based approach to solve the problem. The problem is that there are these brand new threats that we have never seen before. If you have seen me before, it’s like a “signature.” 

 If I say, “Can you pick me up at the airport?” and you’ve seen me before, you can go to the airport and find me and pick me up. But, if you’ve never seen my sister and I say, “Go pick up my sister.” You don’t have a pattern, or a signature to match with that. 

 So, how do you solve the problem? I then give you information about what she looks like or what she acts like; you can use that information to figure out whom the right person is.

 We’ve seen enough malicious software that we are able to look at behaviors and say, “If the program acts like this – it’s bad.” And so, we don’t have to necessarily to have seen the program; we don’t have to have the signature in order to detect and say that this is a bad program. And that’s heuristics are. It’s programming so that you can detect unknown threats.

 Alan: And that’s the only we are going we are going to catch these worms that are constantly changing who they are; where they’re coming from; how they act. That’s the only way we’re going to catch those.

 Randy: And it’s important to realize that there’s no single silver bullet; you have to use what we call “defense in-depth”. In addition to using a very high quality anti-virus software that has good strong heuristics, you also need to use other security mechanisms. The most important one is in understanding that you can’t trust the email coming in. But, also using a current browser, like Internet Explorer 7 or Firefox 2.0. They both have enhanced anti-phishing capabilities. And that helps protect you, as well. 

 Alan: If somebody would like to find more information about what ESET is doing to combat these malware threats and the Ecards and these Egreetings, where would they go?

 Randy: They can go to http://www.eset.com and look in the Threat Center.

 Alan: Plus the fact that you have a true 30-day trial, full-featured Nod32 that people can download and put on their system; get updates; and they can see exactly how effective this is.

 Randy: There have been some scams lately, where you go to a webpage and something pops saying, “You’re infected with all kinds of viruses or whatever” and that “you have to buy” this product to deal with it. At ESET, we give you a fully functional 30-day trial. We don’t pop up, saying, “You’re infected with something”. We let you try us and if we find something we will let you know about it and we’ll take care of it; we don’t say, “You’ve got to come back and buy the product to get that functionality.” – because we believe that if we show you what we can do, (and we do it very well), that you will be impressed enough that this is the product you want to choose.

 Alan: Randy, as always, it’s been a pleasure to have you as our guest here on Let’s Talk Computers, talking about these Ecards and these Egreetings and email scams that are trying to get our identities. And we hope to talk to you, real soon.

 Randy: Thank you, Alan. It’s always great to be here.

Eset on the Radio

The Hidden Dangers of eCards and eGreetings