Avoiding Browser Scams

By | August 4, 2020

The end of the semester is a great time to update your browser.  Here are some guidelines and what you should know about three browser-based scams to avoid.

The most important point of this edition of Tech Tuesdayfollow these Duke guidelines for browser security.

Please note:  This is the final Tech Tuesday of this semester.  We will resume the week of fall semester orientation.


But first, here’s our Tech Tip of the Week

Do you use Excel?

Sure.  Everyone does and we all share files.  All different types.  For example, MyFile.xls or MyFile.xlsx.  Or maybe MyFile.xltm or MyFile.csv.  Ever wonder what those different file extensions mean?  Wonder no more –

Excel Version prior to 2007:        .XLS

Excel Version 2007 onwards:      .XLSX

Interesting fact.  Microsoft changed the file format from an internal one to a more useful XML format.  This offered many advantages, including sharing between applications, smaller files and security features.  Given the choice, always save as .XLSX.

Other extensions allow macros.  Be careful of these – they can contain malware:  .XLSM, .XLSB – and template files:  .XLTX, . XLTM

Other key extensions used in file sharing and data transfer:

  • .CSV      Comma-delimited – commas separate the columns
  • .TXT      Tab-delimited – tabs separate the columns
  • .XML     Any spreadsheets from applications that store in the XML spreadsheet format.
  • .ODS     Opendocument spreadsheet (Google Docs, etc.)
  • .PDF      Adobe’s format.  You can retain .PDF formatting of data

Yeah – accountants aren’t the only ones who geek out with Excel.


Do this first for browser safety!

 Check out this page from the Duke Security Office on Browser Security.  Follow these guidelines and you’ll be in good shape.

TypoSquatting & URL Hijacking –

We’ve all done it.  Accidentally typed “goigle.com” when we really meant www.google.com.  Easy mistake.

Someone actually expected you to do that, so they purchased URLs similar to Google’s URL and set up fake websites that look like the real thing.  They hope that you’ll enter your UserID and Password in their fake site.  Then, if you’ve used the same password on other sites, they’ve got you!  Yep – just another way to phish for your data.

Heads up – Pretty soon, you’ll be seeing some typosquats related to the upcoming election.

It’s not all bad.  Some are not malicious – they just try to sell you something.  Some are actually just having fun with it – try www.microtoft.com, a typosquat of Microsoft.

How to protect your data?

  • Type carefully when entering a web address
  • Use your favorite search engine as your homepage

Drive-by Downloads

A drive-by download is an attack where a site you visit installs malware or adware on your computer without your knowledge.  You don’t have to click anything or press a download button.  Hackers use these attacks to:

  • Spy on you
  • Steal your identity
  • Ruin your data
  • Hijack or disable your device
  • Bombard you with ads

We’ve seen drive-by attacks that hijack cameras and disk drives.  Several years ago, I saw one that hijacked the keyboard.  Usually, the only way to fix your computer is with complete reinstallation of the operating system.  This type of attack is made possible by browser vulnerabilities.

How to protect your data?

  • ONLY allow admin credentials to install anything on your computer
  • Keep your browsers updated and ALWAYS use the latest version.
  • Stay away from unknown sites
  • Use an ad-blockerhere’s one recommended by Duke

Malvertising

Malvertising is a general term you’ll hear to categorize these attacks:

  • Drive-by Downloads (we’ve already discussed above)
    • Can be inserted in many places (videos, ad content, links, even individual pixels)
  • Force you to a malicious site (redirecting you to a site you didn’t want to go to)
  • Display unwanted advertising, content, pop-ups, etc.

How to protect yourself and your data:

  • Keep your antivirus up-to-date
  • For your Duke-owned machine, connect to the Duke network at least every month
    • Use VPN to do this if you aren’t going to be on-site
  • Get an Ad blockerhere’s one recommended by Duke
  • Keep your browsers updated
  • Only go to sites that you trust

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.