Even people with the best of intentions can be fooled by SPAM e-mails, browser pop-ups or dialogs that try to scare them into doing something you wouldn’t otherwise do on the Internet.

This article in CNET’s “Spyware Horror Stories” series is an example of something that probably happens to a lot of people, and they don’t even know it.

There are several ways that spyware scammers can trick people into becoming infected if they are not careful:

1. The Button Switch - Through the use of some browser based scripting tools that may have been left enabled, the choices in a box that asks if you want to “accept” or “reject” an action become switched. So, when you think you are rejecting a pop-up, you are actually accepting it. If you get a pop-up you don’t want, click “Control-Alt-Delete” to close it.

2. The Fake ‘X’ - Through a deceptive tactic of putting a little ‘X’ icon in the top corner of an image that has a border which looks like a window border, scammers can make it appear that the ‘X’ is the icon used to close the window. They do this because they know some people will try to close a pop-up or dialog instead of clicking the button choices (if they are getting wise to the “Button Switch” above). The ‘X’ is really part of an image that takes the user to a website they didn’t intend to go to. In many cases, that website will be a phishing site that tries to get you to think it’s a legitimate site, such as eBay or PayPal, where they may be able to trick people into trying to log in with their actual Username and Password. Again, for unwanted pop-ups or dialogs, click “Control-Alt-Delete”.

3. SPAM Images - Many SPAM e-mails now contain large areas of images. These images sometimes contain “unselectable text” as part of the bitmap image. If you click anywhere on the text or sometimes within any part of the entire email, it can take you to a phishing site. I recommend turning off the display of images within your e-mail program, or if you use a Webmail service like Yahoo, Gmail or Hotmail, look for an option to turn off or disable the automatic display of images in e-mail messages. If you get an email that you trust, but need to see the images, there will be a link somewhere in the e-mail window to load the images just for that email message.

Most of these scams depend on the fact that you may recognize the name of a bank or online service, and may even be a customer of one of these services. If they can get you to go to a particular site, they can:

1. Try to steal your Username and Password in a phishing attack. Only enter your Username and Password if you have actually typed the Web address into your browser yourself, and it’s a good idea to check the SSL security “lock” icon by clicking on it and checking the name on the certificate. Watch out for common misspellings of the domain name in the certificate. Certificate authorities such as Verisign and Entrust are supposed to make sure they don’t give certificates to bogus company names, but it’s not guaranteed that this will never happen.

2. Try to exploit a vulnerability in your browser or one of your plug-in applications such as Adobe Acrobat, Windows Media Player or other commonly used programs with known security problems. This can allow them to install spyware or other malicious code on your computer. One way to reduce this risk is to always enable updating from the major software distributors that you trust, so they can provide you with updates when security problems are discovered.

It’s important to keep people in your organization, or your family, from falling for these kinds of tricks. A good security awareness program will keep people alert to the threats, and provide them with good “rules of thumb” for staying out of trouble on the Internet.

Copyright 2007 - Scott Wright - All Rights Reserved