Cyber Security Explanations


What is a Computer Virus?

As defined by Malwarebytes Labs, a computer virus is “malware attached to another program (such as a document), which can replicate and spread after an initial execution on a target system where human interaction is required. Many viruses are harmful and can destroy data, slow down system resources, and log keystrokes.”

Most computer viruses target systems running Microsoft Windows. Macs, on the other hand, enjoy a reputation as virus-proof super machines. In reality, Macs are not inherently safer. There are more Windows users in the world than Mac users and cybercriminals simply choose to write viruses for the operating system (OS) with the largest amount of potential victims.
Whatever OS you choose, Windows or Mac, don’t worry too much, because viruses just aren’t a thing anymore. That may sound odd coming from a cybersecurity company but hear us out.

Cybercriminals aren’t creating new viruses, instead they are focusing their efforts on more sophisticated and lucrative threats. When people talk about “getting a virus” on their computer, they usually mean some form of malware—often a computer worm.

The terms “virus” and “malware” are often used interchangeably, but they’re not the same thing. While a computer virus is a type of malware, not all malware are computer viruses.

“Cybercriminals aren’t creating new viruses, instead they are focusing their efforts on more sophisticated and lucrative threats. When people talk about “getting a virus” on their computer, they usually mean some form of malware—often a computer worm.”

The easiest way to differentiate computer viruses from other forms of malware is to think about viruses in biological terms. Take the flu virus, for example. The flu requires some kind of interaction between two people—like a hand shake, a kiss, or touching something an infected person touched. Once the flu virus gets inside a person’s system it attaches to healthy human cells, using those cells to create more viral cells.

A computer virus works in much the same way:

  1. A computer virus requires a host program.
  2. A computer virus requires user action to transmit from one system to another.
  3. A computer virus attaches bits of its own malicious code to other files or replaces files outright with copies of itself.

It’s that second virus trait that tends to confuse people. Viruses can’t spread without some sort of action from a user, like opening up an infected Word document. Worms, on the other hand, are able to spread across systems and networks on their own, making them much more prevalent and dangerous.

Famously, the 2017 WannaCry ransomware worm spread around the world, took down thousands of Windows systems, and raked in an appreciable amount of untraceable Bitcoin ransom payments for the alleged North Korean attackers.

Computer viruses don’t capture headlines like that—at least not anymore.

To recap, the bad guys aren’t focused on creating new viruses and most of the really bad stuff is actually malware. Should we still take computer viruses seriously? Definitely, yes.

Continuing the virus analogy, if a given population stops receiving vaccinations for diseases thought to be eradicated, like the measles and polio, those diseases can and do come back. Likewise, it’s important to be proactive about cybersecurity and take some basic protective measures against computer viruses. Otherwise, computer viruses could make a comeback.

With that said, let’s take a look at computer viruses under the microscope.

Computer virus examples

Sometimes to understand what something is, we have to examine what it isn’t. Keeping that in mind, let’s play: Is It a Virus?

In the Is It a Virus game we’re going to take a look at examples of things people on the Internet commonly believe to be a virus and explain why it is or isn’t. What fun!

Is a Trojan a virus? Trojans can be viruses. A Trojan is a computer program pretending to be something it’s not for the purposes of sneaking onto your computer and delivering some sort of malware. To put it another way, if a virus disguises itself then it’s a Trojan. A Trojan could be a seemingly benign file downloaded off the web or a Word doc attached to an email. Think that movie you downloaded from your favorite P2P sharing site is safe? What about that “important” tax document from your accountant? Think twice, because they could contain a virus.

Is a worm a virus? Worms are not viruses, though the terms are sometimes used interchangeably. Even worse, the terms are sometimes used together in a strange and contradictory word salad; i.e. a “worm virus malware.” It’s either a worm or a virus, but it can’t be both, because worms and viruses refer to two similar but different threats. As mentioned earlier, a virus needs a host system to replicate and some sort of action from a user to spread from one system to the next. A worm, conversely, doesn’t need a host system and is capable of spreading across a network and any systems connected to the network without user action. Once on a system, worms are known to drop malware (often ransomware) or open a backdoor.

Is ransomware a virus? Ransomware can be a virus. Does the virus prevent victims from accessing their system or personal files and demands ransom payment in order to regain access à la ransomware? If so, then it’s a ransomware virus. In fact, the very first ransomware was a virus (more on that later). Nowadays, most ransomware comes as a result of computer worm, capable of spreading from one system to the next and across networks without user action (e.g. WannaCry).

Is a rootkit a virus? Rootkits are not viruses. A rootkit is a software package designed to give attackers “root” access or admin access to a given system. Crucially, rootkits cannot self-replicate and don’t spread across systems.

Is a software bug a virus? Software bugs are not viruses. Even though we sometimes refer to a biological virus as a “bug” (e.g. “I caught a stomach bug”), software bugs and viruses are not the same thing. A software bug refers to a flaw or mistake in the computer code that a given software program is made up of. Software bugs can cause programs to behave in ways the software manufacturer never intended. The Y2K bug famously caused programs to display the wrong date, because the programs could only manage dates through the year 1999. After 1999 the year rolled over like the odometer on an old car to 1900. While the Y2K bug was relatively harmless, some software bugs can pose a serious threat to consumers. Cybercriminals can take advantage of bugs in order to gain unauthorized access to a system for the purposes of dropping malware, stealing private information, or opening up a backdoor. This is known as an exploit.

Latest news on computer viruses

Scammers use old browser trick to create fake virus download
Our computers, ourselves: digital vs. biological security

What is the history of computer viruses?

Today’s malware authors owe a lot to the cybercriminals of yesteryear. All the tactics and techniques employed by cybercriminals creating modern malware were first seen in early viruses. Things like Trojans, ransomware, and polymorphic code. These all came from early computer viruses. To understand the threat landscape of today, we need to peer back through time and look at the viruses of yesteryear.

1949, John von Neumann and “self-reproducing machines”
It was in those salad days of computing that mathematician, engineer, and polymath John von Neumann delivered a lecture on the Theory and Organization of Complicated Automata in which he first argued that computer programs could “self-reproduce.” In an era where computers were the size of houses, and programs were stored on mile-long punch tapes, Neumann’s ideas must’ve sounded like something from a sci-fi pulp novel.

1982, The proto computer-virus
In 1982 a fifteen-year-old boy pranking his friends proved Neumann’s theory a reality. Rich Skrenta’s Elk Cloneris widely regarded as the first proto-computer virus (the term “computer virus” didn’t exist just yet). Elk Cloner targeted Apple II computers, causing infected machines to display a poem from Skrenta:

Elk Cloner: The program with a personality
It will get on all your disks
It will infiltrate your chips
Yes, it’s Cloner!

It will stick to you like glue
It will modify RAM too
Send in the Cloner!

Other notable firsts—Elk Cloner was the first virus to spread via detachable storage media (it wrote itself to any floppy disk inserted into the computer). For many years to come, that’s how viruses travelled across systems—via infected floppy disk passed from user to user.

1984, Computer virus, defined
In 1984 computer scientist Fred Cohen handed in his graduate thesis paper, Computer Viruses – Theory and Experiments in which he coined the term “computer virus,” which is great because “complicated self-reproducing automata” is a real mouthful. In the same paper, Cohen also gave us our first definition of “computer virus” as “a program that can ‘infect’ other programs by modifying them to include a possibly evolved copy of itself.”

1984, Core War
Up to this point, most talk about computer viruses happened only in the rarified air of college campuses and research labs. But a 1984 Scientific American article let the virus out of the lab. In the piece, author and computer scientist A.K. Dewdney shared the details of an exciting new computer game of his creation called Core War. In the game, computer programs vie for control of a virtual computer. The game was essentially a battle arena where computer programmers could pit their viral creations against each other. For two dollars Dewdney would send detailed instructions for setting up your own Core War battles within the confines of a virtual computer. What would happen if a battle program was taken out of the virtual computer and placed on a real computer system? In a follow-up article for Scientific American, Dewdney shared a letter from two Italian readers who were inspired by their experience with Core War to create a real virus on the Apple II. It’s not a stretch to think other readers were similarly inspired.

1986, the first PC virus
The Brain virus was the first to target Microsoft’s text-based Windows precursor, MS-DOS. The brainchild of Pakistani brothers and software engineers, Basit and Amjad Farooq, Brain acted like an early form of copyright protection, stopping people from pirating their heart monitoring software. If the target system contained a pirated version of the brother’s software, the “victim” would receive the on-screen message, “WELCOME TO THE DUNGEON . . . CONTACT US FOR VACCINATION” along with the brothers’ names, phone number, and business address in Pakistan. Other than guilt tripping victims in to paying for their pirated software, Brain had no harmful effects.

Speaking with F-Secure, Basit called Brain a “very friendly virus.” Amjad added that today’s viruses, the descendants of Brain, are “a purely criminal act.”

1986, Viruses go into stealth mode
Also in 1986, the BHP virus was the first to target the Commodore 64 computer. Infected computers displayed a text message with the names of the multiple hackers who created the virus—the digital equivalent of scrawling “(your name) was here” on the side of a building. BHP also has the distinction of being the first stealth virus; that is, a virus that avoids detection by hiding the changes it makes to a target system and its files.

1988, Computer virus of the year
1988, one could argue, was the year computer viruses went mainstream. In September of that year, a story on computer viruses appeared on the cover of TIME magazine. The cover image depicted viruses as cute, googly eyed cartoon insects crawling all over a desktop computer. Up to this point, computer viruses were relatively harmless. Yes, they were annoying, but not destructive. So how did computer viruses go from nuisance threat to system destroying plague?

“Viruses were all about peace and love—until they started crashing people’s computers.”

1988, A message of peace goes haywire
Viruses were all about peace and love—until they started crashing people’s computers. The MacMag virus caused infected Macs to display an onscreen message on March 2, 1988:

RICHARD BRANDOW, publisher of MacMag, and its entire staff
would like to take this opportunity to convey their
to all Macintosh users around the world

Unfortunately, a bug in the virus caused infected Macs to crash well before Brandow’s day of “universal peace.” The virus was also designed to delete itself after displaying Brandow’s message but ended up deleting other user files along with it. One of the victims, a software executive working for Aldus Corp, inadvertently copied the virus to a pre-production version of Aldus’ Freehand illustration software. The infected Freehand was then copied and shipped to several thousand customers, making MacMag the first virus spread via legitimate commercial software product.

Drew Davidson, the person who actually coded the MacMag virus (Brandow wasn’t a coder), told TIME he created his virus to draw attention to his programming skills.

“I just thought we'd release it and it would be kind of neat,” Davidson said.

1988, front page of The New York Times
A little over a month after the TIME magazine piece, a story about the “most serious computer ‘virus’ attack” in US history appeared on the front page of The New York Times. It was Robert Tappan Morris’ Internet worm, erroneously referred to as a “virus.” In all fairness, no one knew what a worm was. Morris’s creation was the archetype. The Morris worm knocked out more than 6,000 computers as it spread across the ARPANET, a government operated early version of the Internet restricted to schools and military installations. The Morris worm was the first known use of a dictionary attack. As the name suggests, a dictionary attack involves taking a list of words and using it to try and guess the username and password combination of a target system.

Robert Morris was the first person charged under the newly enacted Computer Fraud and Abuse Act, which made it illegal to mess with government and financial systems, and any computer that contributes to US commerce and communications. In his defense, Morris never intended his namesake worm to cause so much damage. According to Morris, the worm was designed to test security flaws and estimate the size of the early Internet. A bug caused the worm to infect targeted systems over and over again, with each subsequent infection consuming processing power until the system crashed.

1989, Computer viruses go viral
In 1989 the AIDS Trojan was the first example of what would later come to be known as ransomware. Victims received a 5.25-inch floppy disk in the mail labelled “AIDS Information” containing a simple questionnaire designed to help recipients figure out if they were at risk for the AIDS virus (the biological one).

While an apt (albeit insensitive) metaphor, there’s no indication the virus’ creator, Dr. Joseph L. Popp, intended to draw parallels between his digital creation and the deadly AIDS virus. Many of the 20,000 disk recipients, Medium reported, were delegates for the World Health Organization (WHO). The WHO previously rejected Popp for an AIDS research position.

Loading the questionnaire infected target systems with the AIDS Trojan. The AIDS Trojan would then lay dormant for the next 89 boot ups. When victims started their computer for the 90th time, they’d be presented with an on-screen message ostensibly from “PC Cyborg Corporation” demanding payment for “your software lease,” similar to the Brain virus from three years earlier. Unlike the Brain virus, however, the AIDS Trojan encrypted the victims’ files.

In an era before Bitcoin and other untraceable cryptocurrencies, victims had to send ransom funds to a PO box in Panama in order to receive the decryption software and regain access to their files. Funds, Popp claimed after his arrest, were destined for AIDS virus research.

1990s, Rise of the Internet
By 1990 ARPANET was decommissioned in favor of its public, commercially accessible cousin the Internet. And thanks to Tim Berners-Lee’s pioneering work on web browsers and web pages, the Internet was now a user-friendly place anyone could explore without special technical knowledge. There were 2.6 million users on the Internet in 1990, according to Our World in Data. By the end of the decade, that number would surpass 400 million.

With the rise of the Internet came new ways for viruses to spread.

1990, Mighty morphin’ 1260 virus
Cybersecurity researcher Mark Washburn wanted to demonstrate the weaknesses in traditional antivirus (AV) products. Traditional AV works by comparing the files on your computer with a giant list of known viruses. Every virus on the list is made of computer code and every snippet of code has a unique signature—like a fingerprint. If a snippet of code found on your computer matches that of a known virus in the database, the file is flagged. Washburn’s 1260 virus avoided detection by constantly changing its fingerprint every time it replicated itself across a system. While each copy of the 1260 virus looked and acted the same, the underlying code was different. This is called polymorphic code, making 1260 the first polymorphic virus.

1999, “You’ve got mail (and also a virus)”
Think back to 1999. If someone you knew sent you an email that read “Here is the document you requested ... don’t show anyone else ;-),” you opened the attachment. This was how the Melissa virus spread and it played on the public’s naiveté about how viruses worked up to that point. Melissa was a macro virus. Viruses of this type hide within the macro language commonly used in Microsoft Office files. Opening up a viral Word doc, Excel spreadsheet, etc. triggers the virus. Melissa was the fastest spreading virus up to that point, infecting approximately 250,000 computers, Medium reported.

2012, A full Shamoon over Saudi Arabia
By the turn of the 21st century, the roadmap for future malware threats had been set. Viruses paved the way for a whole new generation of destructive malware. Cryptojackers stealthily used our computers to mine cryptocurrencies like Bitcoin. Ransomware held our computers hostage. Banking Trojans, like Emotet, stole our financial information. Spyware and keyloggers shoulder surfed us from across the web, stealing our usernames and passwords.

Old-school viruses were, for the most part, a thing of the past. In 2012, however, viruses made one last grab at the world’s attention with the Shamoon virus. Shamoon targeted computers and network systems belonging to Aramco, the state-owned Saudi Arabian oil company, in response to Saudi government policy decisions in the Middle East. The attack stands as one of the most destructive malware attacks on a single organization in history, completely wiping out three-quarters of Aramco’s systems, The New York Times reported. In a perfect example of what comes around goes around, cybersecurity researchers have suggested the attack started with an infected USB storage drive—the modern equivalent of the floppy disks used to carry the very first virus, Elk Cloner.

Today, tech support scams
Decades have passed since computer viruses reached their destructive zenith but there’s a related threat you should know about. Commonly referred to as a tech support scam or a virus hoax, this modern threat isn’t a virus at all.

Here’s how tech support scams work. The victim is served up a bogus pop-up ad after landing on a spoofedwebsite or as a result of an adware infection. In a recent example, scammers used malvertising to link victims to malicious support sites after victims searched for things like cooking tips and recipes. We’ve also seen hacked WordPress sites redirecting to support scam sites. The bogus ad is designed to look like a system alert generated by the operating system, and it may say something like, “Security alert: Your computer might be infected by harmful viruses,” along with contact information for “Technical Support.” There’s no virus and no technical support—just scammers who will make it seem like you have a virus and demand payment to “fix” it.

According to the Federal Trade Commission there were 143,000 reports about tech support scams in 2018, with total losses reaching $55 million. What makes this scam particularly insidious is that cybercriminals frequently target the most vulnerable part of the world’s population. People 60-years-old and over were five times more likely to report being a victim of a tech support scam.

How do I prevent computer viruses?

Preventing computer viruses from infecting your computer starts with situational awareness.
“Situational awareness is something law enforcement and militaries have practiced for decades. It refers to a police officer or a soldier’s ability to perceive threats and make the best decision possible in a potentially stressful situation,” said Malwarebytes Head of Security, John Donovan.

“As it applies to cybersecurity, situational awareness is your first line of defense against cyberthreats. By staying on the lookout for phishing attacks and avoiding suspicious links and attachments, consumers can largely avoid most malware threats.”

Regarding email attachments and embedded links, even if the sender is someone you know: viruses have been known to hijack Outlook contact lists on infected computers and send virus laden attachments to friends, family and coworkers, the Melissa virus being a perfect example.

If an email reads oddly, it’s probably a phishing scam or malspam. When in doubt about the authenticity of an email, don’t be afraid to reach out to the sender. A simple call or text message can save you a lot of trouble.

Next, invest in good cybersecurity software. We’ve made a distinction between computer viruses and malware, which now begs the question, “Do I need antivirus software or anti-malware software?” We’ve covered this topic before in great detail so checkout our article on antivirus vs. anti-malware. For now, though, here’s a quick gloss on the subject.

Antivirus (AV) refers to early forms of cybersecurity software focused on stopping computer viruses. Just viruses. Anti-malware refers to all-encompassing threat protection designed to stop old-fashioned viruses as well as today’s malware threats. Given a choice between traditional AV with limited threat detection technology and modern anti-malware with all the bells and whistles, invest in anti-malware and rest easy at night.

As mentioned previously in this piece, traditional AV solutions rely on signature-based detection. AV scans your computer and compares each and every file against a database of known viruses that functions a lot like a criminal database. If there’s a signature match, the malicious file is thrown into virus jail before it can cause any damage.

The problem with signature-based detection is that it can’t stop what’s known as a zero-day virus; that is, a virus that cybersecurity researchers have never seen before and for which there is no criminal profile. Until the zero-day virus is added to the database, traditional AV can’t detect it.

Malwarebytes’ Multi-Vector Protection, conversely, combines several forms of threat detection technology into one malware crushing machine. Amongst these many layers of protection, Malwarebytes uses what’s called heuristic analysis to look for telltale malicious behavior from any given program. If it looks like a virus and behaves like a virus, then it’s probably a virus.

How do I remove computer viruses?

Going back to our virus analogy one final time—removing a virus from your body requires a healthy immune system. Same for your computer. A good anti-malware program is like having a healthy immune system. As your immune system moves through your body looking for and killing off invading viral cells, anti-malware scans for files and malicious code that don’t belong on your system and gets rid of them.

The free version of Malwarebytes is a good place to start if you know or suspect your computer has a virus. Available for Windows and Mac, the free version of Malwarebytes will scan for malware infections and clean them up after the fact. Get a free premium trial of Malwarebytes for Windows or Malwarebytes for Mac to stop infections before they start.

What is a Trojan?

Beware of Greeks bearing gifts

In Virgil’s epic poem, The Aeneid, a clever Greek war strategist named Odysseus devises a plan to get his men inside the walled city of Troy. Instead of destroying or climbing the city’s walls, Odysseus sees another way in: with deception. Trojan soldiers watch as the Greeks appear to sail away, leaving behind a giant wooden horse as a token of surrender. Drunk on victory, the Trojans bring the horse inside their walls, only to discover Odysseus and his men were hidden inside the whole time.

Like its namesake, Trojan horse attacks, or simply “Trojans” use deception and social engineering to trick unsuspecting users into running seemingly benign computer programs that hide malicious ulterior motives.

How to characterize a Trojan

People sometimes think of a Trojan as a virus or a worm, but it is really neither. A virus is a file infector which can self-replicate and spread by attaching itself to another program. Worms are a type of malware similar to viruses, but they don’t need to be attached to another program in order to spread. Most viruses are now seen as legacy threats. Worms have also become rare, though they do pop up from time to time. 

“A Trojan can be like a Swiss Army knife of hacking.”

Think of Trojans as an umbrella term for malware delivery, because there are various kinds of Trojans. Depending on the criminal programmer’s intent, a Trojan can be like a Swiss Army knife of hacking—acting as a bit of standalone malware, or as a tool for other activities, such as delivering future payloads, communicating with the hacker at a later time, or opening up the system to attacks just as the Greek soldiers did from inside the Trojan fortress.

Put another way, a Trojan is a delivery strategy that hackers use to deliver any number of threats, from ransomware that immediately demands money, to spyware that conceals itself while it steals valuable information like personal and financial data.

Keep in mind that adware or PUPs (potentially unwanted programs) can be confused with Trojans because the delivery method is similar. For example, sometimes adware sneaks onto your computer as part of a bundle of software. You think you’re downloading one piece of software, but it’s really two or three. The program authors usually include the adware for marketing affiliate reasons so they can monetize their installer with offers—usually clearly labeled. Such adware bundlers are typically less malicious than Trojans. Also, they do not conceal themselves as Trojans do. But since the adware distribution vector resembles that of a Trojan, it can cause confusion.

Trojan infection methods

Trojans can look like just about anything, from free software and music, to browser advertisements to seemingly legitimate apps. Any number of unwise user behaviors can lead to a Trojan infection. Here are a few examples:

  • Downloading cracked applications. Promises of an illegal free copy of a piece of software can be enticing, but the cracked software or activation key generator may conceal a Trojan attack.
  • Downloading unknown free programs. What looks like a free game or screensaver could really be a Trojan, especially if you find it on an untrustworthy site.
  • Opening infected attachments. You get a strange email with what looks like an important attachment, like an invoice or a delivery receipt, but it launches a Trojan when you click on it.
  • Visiting shady websites. Some sites only need a moment to infect your computer. Others use tricks like pretending to stream a popular movie, but only if you download a certain video codec, which is really a Trojan.
  • Any other social engineering that disguises itself by taking advantage of the latest trends. For example, in December 2017, an extensive installed base of Intel processors was discovered to be vulnerable to attack due to hardware issues. Hackers leveraged the ensuing panic by faking a patch called Smoke Loader, which installed a Trojan.

Latest Trojan news

Trojans: What’s the real deal?

Malware analysis: decoding Emotet, part 1

Malware analysis: decoding Emotet, part 2

History of Trojans

Fun and games

A program called ANIMAL, released in 1975, is generally considered the world’s first example of a Trojan attack. It presented itself as a simple game along the lines of twenty questions. However, behind the scenes, the game copied itself onto shared directories where other users could find it. From there, the game could spread across entire computer networks. For the most part, it was a harmless prank.

By December 1989, Trojan attacks weren’t for pranks anymore. Several thousand floppy disks containing the AIDS Trojan, the first known ransomware, were mailed to subscribers of PC Business World magazine and a World Health Organization AIDS conference mailing list. This DOS Trojan would lay dormant for 90 boot cycles, encrypt all filenames on the system, then display a notice asking the user to send $189 to a post office box in Panama in order to receive a decryption program.

In the 1990s, another infamous Trojan appeared disguised in the form of a simple Whack-A-Mole game. The program hid a version of NetBus, a program that allows one to remotely control a Microsoft Windows computer system over a network. With remote access, the attacker could do any number of things to a computer, even open its CD tray.

Love and money

In 2000, a Trojan called ILOVEYOU became the most destructive cyberattack in history at the time, with damages estimated up to $8.7 billion. Recipients received an email with what looked like a text attachment named “ILOVEYOU.” If they were curious enough to open it, the program would launch a script that would overwrite their files and send itself to every email in the user’s contact list. As clever as the worm was from a technical perspective, its use of social engineering was arguably its most ingenious component.

Through the 2000s, Trojan attacks continued to evolve, as did the threats they carried. Instead of targeting people’s curiosity, Trojans leveraged the rise of illegal downloading, disguising malware as music files, movies, or video codecs. In 2002, a Windows-based backdoor Trojan horse called Beast emerged and was capable of infecting almost all versions of Windows. Then, in late 2005, another backdoor Trojan called Zlob was distributed disguised as a required video codec in the form of ActiveX.

The 2000s also saw a rise in the number of Mac users, and cybercriminals followed suit. In 2006, the discovery of the first-ever malware for Mac OS X, a low-threat Trojan Horse known as OSX/Leap-A or OSX/Oompa-A, was announced.

The motivations behind Trojan attacks also began to shift around this time. Many early cyberattacks were motivated by a lust for power, control, or pure destruction. By the 2000s, an increasing number of attacks were motivated by greed. In 2007, a Trojan named Zeus targeted Microsoft Windows in order to steal banking information by means of a keylogger. In 2008, hackers released Torpig, also known as Sinowal and Mebroot, which turned off anti-virus applications, allowing others to access the computer, modify data, and steal confidential information like passwords and other sensitive data.

Bigger and badder

As cybercrime entered the 2010s, the greed continued, but hackers started thinking bigger. The rise of untraceable cryptocurrencies like Bitcoin led to a rise in ransomware attacks. In 2013, the Cryptolocker Trojan horse was discovered. Cryptolocker encrypts the files on a user's hard drive and demands a ransom payment to the developer in order to receive the decryption key. Later that same year, a number of copycat ransomware Trojans were also discovered.

“Many of the Trojans we hear about today were designed to target a specific company, organization, or even government.”

The 2010s have also seen a shift in how victims are targeted. While many Trojans still use a blanket approach, attempting to infect as many users as possible, a more targeted approach seems to be on the rise. Many of the Trojans we hear about today were designed to target a specific company, organization, or even government. In 2010, Stuxnet, a Windows Trojan, was detected. It was the first worm to attack computerized control systems, and there are suggestions that it was designed to target Iranian nuclear facilities. In 2016, Tiny Banker Trojan (Tinba) made headlines. Since its discovery, it has been found to have infected more than two dozen major banking institutions in the United States, including TD Bank, Chase, HSBC, Wells Fargo, PNC, and Bank of America. In 2018, the Emotet Trojan, once a banking Trojan in its own right, was seen to be delivering other types of malware, including other Trojans.

As one of the oldest and most common ways to deliver malware, the history of Trojans follows the history of cybercrime itself. What started as a way to prank one’s friends morphed into a way to destroy networks, steal information, make money, and seize power. The days of pranks are long gone. Instead, they continue to be serious cybercriminal tools used mostly for data stealing, espionage, and Distributed Denial of Service DDoS attacks.

Types of Trojans

Trojans are versatile and very popular, so it’s difficult to characterize every kind. That said, most Trojans are designed to take control of a user’s computer, steal data, spy on users, or insert more malware on to a victim’s computer. Here are some common threats that come from Trojan attacks:

  • Backdoors, which create remote access to your system. This kind of malware changes your security to allow the hacker to control the device, steal your data, and even download more malware.
  • Spyware, which watches as you access online accounts or enter your credit card details. They then transmit your passwords and other identifying data back to the hacker.
  • Zombifying Trojans, which take control of your computer to make it a slave in a network under the hacker’s control. This is the first step in creating a botnet (robot + network), which is often used to perform a distributed denial-of-service (DDoS) attack designed to take down a network by flooding it with traffic.
  • Downloader Trojans, Emotet being a good example, download and deploy other malicious modules, such as ransomware or keyloggers.
  • Dialer Trojans, which might seem anachronistic since we don’t use dial-up modems any longer. But more on this in the next section.

Trojanized apps on Android smartphones

Trojans aren’t just a problem for laptops and desktops. They attack mobile devices as well, which makes sense given the tempting target presented by the billions of phones in use.

As with computers, the Trojan presents itself as a legitimate program, although it’s actually a fake version of the app full of malware.

Such Trojans usually lurk on unofficial and pirate app markets, enticing users to download them. The Trojans run the full gamut of mischief, infecting the phone with ads and keyloggers, which can steal information. Dialer Trojans can even generate revenue by sending out premium SMS texts.    

“Browser extension add-ons can act as Trojans as well….”

Android users have been the victims of Trojanized apps even from Google Play, which is constantly scanning and purging weaponized apps (many times after the Trojan’s discovery). Browser extension add-ons can act as Trojans as well, since it’s a payload capable of carrying embedded bad code.

While Google can remove browser add-ons from computers, on phones the Trojans can place transparent icons on the screen. It’s invisible to the user, but nonetheless reacts to a finger touch to launch its malware.

As for iPhone users, there’s good news: Apple’s restrictive policies regarding access to its App Store, iOS, and any other apps on the phone do a good job of preventing Trojan incursions. The only exception occurs for those who jailbreak their phones in their quest to download freebies from sites other than the App Store. Installing risky apps outside the Apple settings makes you vulnerable to Trojans.

How do I remove a Trojan?

Once a Trojan infects your device, the most universal way to clean it up and restore it to a desired state is to use a good quality, automated anti-malware tool and make a full system scan.

There are many free anti-malware programs—including our own products for Windows, Android, and Mac—which detect and remove adware and malware. In fact, Malwarebytes detects all known Trojans and more, since 80% of Trojan detection is done by heuristic analysis. We even help mitigate additional infection by cutting off communication between the inserted malware and any backend server, which isolates the Trojan. The only exception is for protection against ransomware, for which you need our premium product.

How do I prevent Trojans?

Since Trojans rely on fooling users into letting them into the computer, most infections are avoidable by remaining vigilant and observing good security habits. Practice a healthy skepticism about websites offering free movies or gambling, opting instead to download free programs directly from the producer’s site rather than from unauthorized mirror servers.

Another precaution to consider: change the default Windows settings so that the real extensions of applications are always visible. This avoids getting tricked by an innocent looking icon.

Other good practices besides installing Malwarebytes for Windows, Malwarebytes for Android, and Malwarebytes for Mac include:

  • Running periodic diagnostic scans
  • Setting up automatic updates of your operating system software, ensuring you have the latest security updates
  • Keeping your applications updated, ensuring any security vulnerabilities are patched
  • Avoiding unsafe or suspicious websites
  • Being skeptical of unverified attachments and links in unfamiliar emails
  • Using complex passwords
  • Staying behind a firewall

How Malwarebytes Premium protects you

At Malwarebytes, we are serious about infection prevention, which is why we aggressively block both websites and advertisements that we consider fraudulent or suspicious. For example, we block torrent sites like The Pirate Bay. Though many savvy users have used such sites without issue, some of the files they offer for download are really Trojans. For similar reasons, we also block cryptomining through browsers, but the user can choose to turn off the block and connect.

Our reasoning is that it’s better to err on the side of safety. If you want to take the risk, it’s easy to whitelist a site, but even tech-savvy types can fall for a convincing Trojan.

To learn more about Trojans, malware, and other cyberthreats, check out the Malwarebytes Labs blog. The things you learn may just help you avoid an infection down the road.

What is Malware?

All about malware

You know how every year the medical community campaigns for everyone to get a flu shot? That’s because flu outbreaks typically have a season—a time of year when they start spreading and infecting people.

In contrast, there are no predictable seasonal infections for PCs, smartphones, tablets, and enterprise networks. For them, it’s always flu season. But instead of suffering chills and body aches, users can fall ill from a kind of machine malady—malware.

Malware infections come at us like a torrent of water from a fire hose, each with its own methods of attack—from stealthy and sneaky to subtle like a sledgehammer. But if knowledge is power, as a preventative inoculation against infection, we offer here a short course on malware, what it is, its symptoms, how you get it, how to deal with it, and how to avoid it in the future.

What is malware?

Malware, or “malicious software,” is an umbrella term that describes any malicious program or code that is harmful to systems.

Hostile, intrusive, and intentionally nasty, malware seeks to invade, damage, or disable computers, computer systems, networks, tablets, and mobile devices, often by taking partial control over a device’s operations. Like the human flu, it interferes with normal functioning.

Malware is all about making money off you illicitly. Although malware cannot damage the physical hardware of systems or network equipment (with one known exception—see the Google Android section below), it can steal, encrypt, or delete your data, alter or hijack core computer functions, and spy on your computer activity without your knowledge or permission.

How can I tell if I have a malware infection?

Malware can reveal itself with many different aberrant behaviors. Here are a few telltale signs that you have malware on your system:

  • Your computer slows down. One of malware’s main effects is to reduce the speed of your operating system, whether you’re navigating the Internet or just using your local applications.
  • A tidal wave of annoying ads that shouldn’t be there washes over your screen. Unexpected pop-up ads are a typical sign of a malware infection. They’re especially associated with a form of malware known as adware. What’s more, pop-ups usually come packaged with other hidden malware threats. So if you see something akin to “CONGRATULATIONS, YOU’VE WON A FREE PSYCHIC READING!” in a pop-up, don’t click on it. Whatever free prize the ad promises, it will cost you plenty.
  • Your system repeatedly crashes, freezes, or displays a BSOD (Blue Screen of Death), which can occur on Windows systems after encountering a fatal error.
  • You notice a mysterious loss of disk space, probably due to a bloated malware squatter which hides in your hard drive.
  • There’s a weird increase in your system’s Internet activity.
  • Usage of your system resources is abnormally high and your computer’s fan starts whirling away at full speed—signs of malware activity taking up system resources in the background.
  • Your browser’s homepage changes without your permission. Similarly, links you click send you to an unwanted web destination. This usually means you clicked on that “congratulations” pop-up, which downloaded some unwanted software. Likewise, your browser might slow to a crawl.
  • New toolbars, extensions, or plugins unexpectedly populate your browser.
  • Your antivirus product stops working and you cannot update it, leaving you unprotected against the sneaky malware that disabled it.
  • Then there’s the painfully obvious, intentionally non-stealthy malware attack. This famously happens withransomware, which announces itself, tells you it has your data, and demands a ransom to return your files.   
  • Even if everything seems to be working just fine on your system, don’t get complacent, because no news isn’t necessarily good news. Powerful malware can hide deep in your computer, going about its dirty business without raising any red flags as it snags your passwords, steals sensitive files, or uses your PC to spread to other computers.

How do I get malware?

The recipe for a malware infection calls for a long list of ingredients. Topmost are the two most common ways that malware accesses your system—the Internet and email. So basically, anytime you’re connected online.

Malware can penetrate your computer when (deep breath now) you surf through hacked websites, click on game demos, download infected music files, install new toolbars from an unfamiliar provider, set up software from a dicey source, open a malicious email attachment (malspam), or pretty much everything else you download from the web onto a device that lacks a quality anti-malware security application.

Malicious apps can hide in seemingly legitimate applications, especially when they are downloaded from websites or messages instead of a secure app store. Here it’s important to look at the warning messages when installing applications, especially if they seek permission to access your email or other personal information.

“Malware attacks would not work without the most important ingredient: you.”

Bottom line, it’s best to stick to trusted sources for mobile apps, only installing reputable third-party apps, and always downloading those apps directly from the vendor—and never from any other site. All in all, there is a world of bad actors out there, throwing tainted bait at you with an offer for an Internet accelerator, new download manager, hard disk drive cleaner, or an alternative web search service.

Malware attacks would not work without the most important ingredient: you. That is, a gullible version of you, willing to open up an email attachment you don’t recognize, or to click and install something from an untrustworthy source. And don’t take this as “click-shaming,” because even very experienced people have been tricked into installing malware.

Even if you install something from a credible source, if you don’t pay attention to the permission request to install other bundled software at the same time, you could be installing software you don’t want. This extra software, also known as a potentially unwanted program (PUP), is often presented as a necessary component, but it often isn’t.

Another wrinkle is a bit of social engineering that a Malwarebytes expert observed in the UK. The scam hit mobile users by taking advantage of a common mobile direct-to-bill payment option. Users visited mobile sites, unwittingly tripping invisible buttons that charge them via their mobile numbers, directly billing the victims’ networks, which pass the cost onto their bill.

To be fair, we should also include a blameless malware infection scenario. Because it’s even possible that just visiting a malicious website and viewing an infected page and/or banner ad will result in a drive-by malware download.

On the other hand, if you’re not running an adequate security program, the malware infection and its aftermath are still on you.

What are the most common forms of malware?

Here are the most common offenders in the rogues’ gallery of malware:

  • Adware is unwanted software designed to throw advertisements up on your screen, most often within a web browser. Typically, it uses an underhanded method to either disguise itself as legitimate, or piggyback on another program to trick you into installing it on your PC, tablet, or mobile device.
  • Spyware is malware that secretly observes the computer user’s activities without permission and reports it to the software’s author.
  • A virus is malware that attaches to another program and, when executed—usually inadvertently by the user—replicates itself by modifying other computer programs and infecting them with its own bits of code.
  • Worms are a type of malware similar to viruses, self-replicating in order to spread to other computers over a network, usually causing harm by destroying data and files.
  • A Trojan, or Trojan horse, is one of the most dangerous malware types. It usually represents itself as something useful in order to trick you. Once it’s on your system, the attackers behind the Trojan gain unauthorized access to the affected computer. From there, Trojans can be used to steal financial information or install threats like viruses and ransomware.
  • Ransomware is a form of malware that locks you out of your device and/or encrypts your files, then forces you to pay a ransom to get them back. Ransomware has been called the cyber criminal’s weapon of choice because it demands a quick, profitable payment in hard-to-trace cryptocurrency. The code behind ransomware is easy to obtain through online criminal marketplaces and defending against it is very difficult.
  • Rootkit is a form of malware that provides the attacker with administrator privileges on the infected system. Typically, it is also designed to stay hidden from the user, other software on the system, and the operating system itself.
  • A keylogger is malware that records all the user’s keystrokes on the keyboard, typically storing the gathered information and sending it to the attacker, who is seeking sensitive information like usernames, passwords, or credit card details.
  • Malicious cryptomining, also sometimes called drive-by mining or cryptojacking, is an increasingly prevalent malware usually installed by a Trojan. It allows someone else to use your computer to mine cryptocurrency like Bitcoin or Monero. So instead of letting you cash in on your own computer’s horsepower, the cryptominers send the collected coins into their own account and not yours. Essentially, a malicious cryptominer is stealing your resources to make money.
  • Exploits are a type of malware that takes advantage of bugs and vulnerabilities in a system in order to allow the exploit’s creator to take control. Among other threats, exploits are linked to malvertising, which attacks through a legitimate site that unknowingly pulls in malicious content from a bad site. Then the bad content tries to install itself on your computer in a drive-by download. No clicking is necessary. All you have to do is visit a good site on the wrong day.

Latest malware news

Tomorrowland festival goers affected by data breach
How to tighten security and increase privacy on your browser
Removing the jam in your printer security

What is the history of malware?

Given the variety of malware types and the massive number of variants released into the wild daily, a full history of malware would comprise a list too long to include here. That said, a look at malware trends in recent decades is more manageable. Here are the main trends in malware development.

The 1980s and onward: The theoretical underpinning of “self-reproducing automata” (i.e., viruses) dates back to an article published in 1949, and early viruses occurred on pre-personal computer platforms in the 1970s. However, the history of modern viruses begins with a program called Elk Cloner, which started infecting Apple II systems in 1982. Disseminated by infected floppy disks, the virus itself was harmless, but it spread to all disks attached to a system, exploding so virulently that it can be considered the first large-scale computer virus outbreak in history. Note that this was prior to any Windows PC malware. Since then, viruses and worms have become widespread.

The 1990s: The Microsoft Windows platform emerged this decade, along with the flexible macros of its applications, which led malware authors to write infectious code in the macro language of Microsoft Word and other programs. These macro viruses infected documents and templates rather than executable applications, although strictly speaking, the Word document macros are a form of executable code.

2002 to 2007: Instant messaging worms—self-replicating malicious code spread through an instant messaging network—take advantage of network loopholes to spread on a massive scale, infecting the AOL AIM network, MSN Messenger, and Yahoo Messenger, as well as corporate instant messaging systems.

2005 to 2009: Adware attacks proliferated, presenting unwanted advertisements to computer screens, sometimes in the form of a pop-up or in a window that users could not close. These ads often exploited legitimate software as a means to spread, but around 2008, software publishers began suing adware companies for fraud. The result was millions of dollars in fines. This eventually drove adware companies to shut down.

2007 to 2009: Malware scammers turned to social networks such as MySpace as a channel for delivering rogue advertisements, redirects, and offers of fake antivirus and security tools. Their ploys were designed to dupe consumers through social engineering tricks. After MySpace declined in popularity, Facebook and Twitter became the preferred platforms. Common tactics included presenting fake links to phishing pages and promoting Facebook applications with malicious extensions. As this trend tapered down, scammers explored other means to steal.

2013: A new form of malware called ransomware launched an attack under the name CryptoLocker, which continued from early September 2013 to late May 2014, targeting computers running Windows. CryptoLocker succeeded in forcing victims to pay about $27 million by the last quarter of 2013. Moreover, the ransomware’s success spawned other similarly named ransomware. One copycat variant netted more than $18 million from about 1,000 victims between April 2014 and June 2015.

2013 to 2017: Delivered through Trojans, exploits, and malvertising, ransomware became the king of malware, culminating in huge outbreaks in 2017 that affected businesses of all kinds. Ransomware works by encrypting the victim’s data, then demanding payments to release it.

2017 to Present: Cyptocurrency—and how to mine for it—has captured widespread attention, leading to a new malware scam called cryptojacking, or the act of secretly using someone else’s device to surreptitiously mine for cryptocurrency with the victims’ resources.

Do Macs get malware?

Conventional wisdom has sometimes held that Macs and iPads are immune to catching viruses (and don’t need an antivirus). For the most part, that’s true. At the very least, it hasn’t happened in a long time.

“Mac systems are subject to the same vulnerabilities (and subsequent symptoms of infection) as Windows machines and cannot be considered bulletproof.”

Other kinds of malware are a different story. Mac systems are subject to the same vulnerabilities (and subsequent symptoms of infection) as Windows machines and cannot be considered bulletproof. For instance, the Mac’s built-in protection against malware doesn’t block all the adware and spyware bundled with fraudulent application downloads. Trojans and keyloggers are also threats. The first detection of ransomware written specifically for the Mac occurred in March 2016, when a Trojan-delivered attack affected more than 7,000 Mac users.

In fact, Malwarebytes saw more Mac malware in 2017 than in any previous year. By the end of 2017, the number of new unique threats that our professionals counted on the Mac platform was more than 270 percent higher compared to the number noted in 2016.

For more on the state of Mac malware, visit the Malwarebytes blog site here.

Do mobile devices get malware?

Malware criminals love the mobile market. After all, smartphones are sophisticated, complex handheld computers. They also offer an entrance into a treasure trove of personal information, financial details, and all manner of valuable data for those seeking to make a dishonest dollar.

Unfortunately, this has spawned an exponentially increasing number of malicious attempts to take advantage of smartphone vulnerabilities. From adware, Trojans, spyware, worms, and ransomware, malware can find its way onto your phone in a number of ways. Clicking on a dodgy link or downloading an unreliable app are some obvious culprits, but you can also get infected through emails, texts, and even your Bluetooth connection. Moreover, malware such as worms can spread from one infected phone to another.

The fact is, it’s a huge market (read: target). One source of statistics puts the number of mobile device users at 2.1 billion, worldwide—with a projected growth to 2.5 billion users by 2019. A quarter of these users own more than one device. Fraudsters find the mobile market very attractive and take advantage of a gigantic economy of scale to leverage their efforts.

Mobile users are often easier to target as well. Most do not protect their phones as diligently as they do their computers, failing to install security software or keep their operating systems up to date. Because of this, they are vulnerable to even primitive malware. Since mobile devices’ screens are small and users can’t easily see activity, the typical red-flag behaviors that signal an infection in a PC can run behind the scenes in stealth mode, as is the case with spyware.

Infected mobile devices are a particularly insidious danger compared to a PC. A hacked microphone and camera can follow your every move and conversation. Even worse, mobile banking malware intercepts incoming calls and text messages to evade the two-step authentication security many banking apps use.

“The more popular Android platform attracts more malware than the iPhone.”

Keep in mind that cheap phones can come with malware pre-installed, which are nearly impossible to clean. (Malwarebytes for Android will warn you of such pre-installed malware and provide instructions on how to remove it.)

Regarding the mobile malware ecosystem, the two most prevalent smartphone operating systems are Google’s Android and Apple’s iOS. Android leads the market with 80 percent of all smartphone sales, followed by iOS with 15 percent of all smartphones sold. No big surprise then that the more popular Android platform attracts more malware than the iPhone. Let’s look at them each separately.

How can I tell if my Android device has malware?

Fortunately, there are a few unmistakable red flags that wave at you if your Android phone is infected. You may be infected if you see any of the following:

  • A sudden appearance of pop-ups with invasive advertisements. If they appear out of nowhere and send you to sketchy websites, you’ve probably installed something that hides adware within it. So don’t click on the ad.
  • A puzzling increase in data usage. Malware chews up your data plan by displaying ads and sending out the purloined information from your phone.
  • Bogus charges on your bill. This happens when malicious software makes calls and sends texts to premium numbers.
  • A disappearing battery charge. Malware is a resource burden, gulping down your battery’s juice faster than normal.
  • People on your contact list report strange calls and texts from your phone. Malware replicates by spreading from one device to another by means of emails and texts, inviting them to click on the infected link it displays.
  • A phone that heats up while performance lags. For instance, there’s even a Trojan out there that invades Android phones with an installer so nefarious, that it can tax the processor to the point of overheating the phone, which makes the battery bulge, and essentially leaves your Android for dead.
  • Surprise apps on your screen. Sometimes you download apps that have malware piggybacked onto them for a stealthy installation. That happens because Android allows users to jump straight from Google Play to other marketplaces, like Amazon, which might have let a malware maker slip through.
  • Your phone turns on WiFi and Internet connections on its own. This is another way malware propagates, ignoring your preferences and opening up infection channels.
  • Further down, we’ll touch upon what you should do if your Android is infected. Plus, here’s a Malwarebytes blog article on securing your privacy on an Android.

How can I tell if my iPhone or iPad has malware?

If your smartphone’s name begins with a lower-case “i,” then pat yourself on the back, because malware is not a significant issue on the iPhone. That is not to say it doesn't exist, but it's extremely rare. In fact, suffering a malware infection on an iPhone mostly only happens in two extraordinary circumstances.

“While outright malware infections are unlikely, using an iPhone doesn’t protect you at all against scam phone calls or scam text messages.”

The first consists of a targeted attack by a nation-state-level adversary—a government that has either created or purchased at a cost of millions of dollars a piece of malware engineered to take advantage of some obscure security hole in the iOS. Don’t be shocked, because all devices have some sort of vulnerability. To be sure, Apple has done a fine job of securing iOS, even preventing any apps (including security software) from scanning the phone or other apps on the device’s system. That’s why it’s so expensive to engineer malware that installs its code for whatever kind of remotely executed activity the offending nation-state needs.

One particularly noteworthy instance happened in 2016 when an internationally recognized human rights defender, based in the United Arab Emirates (UAE), received SMS text messages on his iPhone promising “new secrets” about detainees tortured in UAE jails. The targeted recipient was invited to click on an included link. He didn’t, but instead sent the message to cybersecurity researchers, who identified it as containing an exploit that would have turned the activist’s phone into a digital spy.

The second instance is when a user makes an iPhone vulnerable by means of jailbreaking, which removes the restrictions and limitations Apple imposes, chiefly to ensure that software apps can only be installed from the App Store. Apple carefully vets the app developers it carries, even though malware piggybacking on a legitimate app has happened.

One more point. While outright malware infections are unlikely, using an iPhone doesn’t protect you at all against scam phone calls or scam text messages. If you tap a link in a message from an unknown source (or someone you know who’s being impersonated, or “spoofed”), it could send you to a site that asks for your login and other personal information. So there are still plenty of ways that you can become a victim. Always proceed with caution.

Who does malware target?

The answer here is: take your pick. There are billions of consumer-owned devices out there. They’re connected to banks, retail store accounts, and anything else worth stealing. It’s a broad attack surface for adware and spyware, keyloggers, and malvertising—as well as an attractive method for lazy criminals to create and distribute malware to as many targets as possible, with proportionately little effort.

“If you use your smartphone or tablet in the workplace, hackers can turn their attack to your employer.”

Cyptominers and ransomware purveyors seem to be equal opportunity about their targets. Individuals fall victim to these two, as do corporate businesses, hospitals, municipalities, and retail store systems.

Also, it's not just consumers that mobile spyware criminals target. If you use your smartphone or tablet in the workplace, hackers can turn their attack to your employer through vulnerabilities in mobile devices. Moreover, your corporation’s incident response team may not detect breaches that originate through a mobile device’s use of corporate email.

To repeat, not all of the apps available through Apple's App Store and Google Play are desirable and the problem is even more acute with third-party app stores. While the app store operators try to prevent malicious apps from penetrating their site, some inevitably slip through. These apps can steal user information, attempt to extort money from users, try to access corporate networks to which the device is connected, and force users to view unwanted ads or engage in other types of unsanitary activity.

How can I remove malware?

If you suspect malware—or you just want to be careful— there are a few steps you should take.

First, if you don’t already have one, download a legitimate anti-malware program, such as Malwarebytes for WindowsMalwarebytes for MacMalwarebytes for Android, Malwarebytes for Chromebook, or one of our business products. Next, install it and run a scan. Programs like these are designed to search out and eliminate any malware on your device.

Once the device is clean, it’s a good idea to change your passwords, not only for your PC or mobile device, but also your email, your social media accounts, your favorite shopping sites, and your online banking and billing centers.

If your iPhone has somehow become infected with something nasty, things are a little trickier. Apple does not permit scans of either the iPhone’s system or other files. Your only option is to wipe your phone with a factory reset, then restore it from your backup (which you have, right?). You can also consider using security software that can screen and block scam calls and texts, such as Malwarebytes for iOS.

How can I protect myself from malware?

Stay vigilant. Pay particular attention if you see a domain name that ends in an odd set of letters, i.e., something other than com, org, edu, or biz, to name a few, as they can be an indicator for risky websites.

“Make sure your operating system, browsers, and plugins are always up to date.”

For all your devices, pay close attention to the early signs of malware infection to prevent them from burrowing in.

Avoid clicking on pop-up ads while browsing the Internet. Stay away from opening unsolicited email attachments or downloading software from untrustworthy websites or peer-to-peer file transfer networks.

Make sure your operating system, browsers, and plugins are always up to date, because keeping your software patched can keep online criminals at bay.

For mobile users, only download apps from Google Play Store (the App Store is the iPhone’s only choice). Every time you download an app, check the ratings and reviews first. If it has a low rating and a low number of downloads, it is best to avoid that app.

Do not download apps from third-party sources. The best way to make sure of this is to turn off this function on your Android phone. Go to Settings on your Android device and open up the Security section. Here, make sure Unknown Sources is disabled to avoid installation of apps from marketplaces other than the Play Store.

Do not click on strange, unverified links in emails, texts, and WhatsApp messages of unknown origin. Strange links from friends and contacts should be avoided too unless you have verified it to be safe.

To keep their businesses safe, organizations can prevent malicious apps from threatening their networks by creating strong mobile security policies and by deploying a mobile security solution that can enforce those policies. This is vital in the business environment that exists today—with multiple operating systems at work under multiple roofs.

Finally, get yourself a good anti-malware program. It should include layered protection (the ability to scan and detect malware such as adware and spyware while maintaining a proactive real-time defense that can block threats such as ransomware). Your security program should also provide remediation to correct any system changes from the malware it cleans, so everything goes back to normal.

So before you take a hit on your PC, mobile, or enterprise network, hit back first by downloading a quality cybersecurity and antivirus program, such as Malwarebytes for WindowsMalwarebytes for MacMalwarebytes for Android, Malwarebytes for Chromebook, Malwarebytes for iOS, portable Malwarebytes, or one of Malwarebytes' business products. (It’s a good idea to get that flu shot too!)

How does malware affect my business?

Malware attacks on businesses went up 55 percent in the second half of 2018 with banking Trojans and ransomware proving to be the most popular types of attacks. Specifically, Trojan attacks on businesses rose 84 percent while ransomware attacks went up 88 percent.

So why are cybercriminals bullish on business attacks? The answer is simple: businesses present a broader attack surface and more bang for the buck. In one noteworthy example, the Emotet banking Trojan hobbled critical systems in the City of Allentown, PA, requiring help from Microsoft’s incident response team to clean up and racking up remediation costs to the tune of $1 million.

In another example, the SamSam ransomware brought the City of Atlanta to its knees by taking down several essential city services—including revenue collection. Ultimately, the SamSam attack cost Atlanta $2.6 million to remediate.

While Emotet and SamSam grab the headlines, the majority of ransomware cases as of late have been the result of GandCrab. First detected in January of 2018, the GandCrab ransomware has already gone through several iterations as its authors try to avoid detection and strengthen encryption. It’s been estimated GandCrab has already netted its authors somewhere around $300 million in paid ransoms, with individual ransoms set from $600 to $700,000.

Considering the tremendous cost associated with a malware attack, and the current rise of ransomware and banking Trojans in particular, here’s some tips on how to protect your business from malware.

  • Implement network segmentation. Spreading your data onto smaller subnetworks reduces your attack surface—smaller targets are harder to hit. This can help contain a breach to only a few endpoints instead of your entire infrastructure.
  • Enforce the principle of least privilege (PoLP). In short, give users the access level they need to do their jobs and nothing more. Again, this helps to contain damages from breaches or ransomware attacks.
  • Backup all your data. This goes for all the endpoints on your network and network shares too. As long as your data is archived, you can always wipe an infected system and restore from a backup.
  • Educate end users on how to spot malspam. Users should be wary of unsolicited emails and attachments from unknown senders. When handling attachments, your users should avoid executing executable files and avoid enabling macros on Office files. When in doubt, reach out. Train end users to inquire further if suspicious emails appear to be from a trusted source. One quick phone call or email goes a long way towards avoiding malware.
  • Educate staff on creating strong passwords and implement some form of multi-factor authentication (MFA)—two-factor authentication at a bare minimum.
  • Patch and update your software. Microsoft releases security updates the second Tuesday of every month and many other software makers have followed suit. Stay in the loop on important security updates by subscribing to the Microsoft Security Response Center blog. Expedite the patch process by launching updates at each endpoint from one central agent, as opposed to leaving it up to each end user to complete on their own time.
  • Get rid of end of abandonware. Sometimes it’s hard to get rid of old software that’s past its expiration date—especially at a large business where the purchasing cycle moves with the urgency of a sloth, but discontinued software is truly the worst-case scenario for any network or system administrator. Cybercriminals actively seek out systems running outdated and obsolete software so replace it as soon as possible.
  • Get proactive about endpoint protection. Malwarebytes, for example, has multiple options for your business with Endpoint Protection, Endpoint Security, and Endpoint Protection and Response.

What is Ransomware?

All about ransomware

Ever wondered what all the ransomware fuss is about? You've heard about it at the office or read about it in the news. Maybe you've got a pop-up on your computer screen right now warning of a ransomware infection. Well, if you’re curious to learn all there is to know about ransomware, you’ve come to the right place. We'll tell you about ransomware’s different forms, how you get it, where it came from, who it targets, and what to do to protect against it.

What is ransomware?

Ransom malware, or ransomware, is a type of malware that prevents users from accessing their system or personal files and demands ransom payment in order to regain access. The earliest variants of ransomware were developed in the late 1980s, and payment was to be sent via snail mail. Today, ransomware authors order that payment be sent via cryptocurrency or credit card.

How do I get ransomware?

There are several different ways that ransomware can infect your computer. One of the most common methods today is through malicious spam, or malspam, which is unsolicited email that is used to deliver malware. The email might include booby-trapped attachments, such as PDFs or Word documents. It might also contain links to malicious websites.

Malspam uses social engineering in order to trick people into opening attachments or clicking on links by appearing as legitimate—whether that’s by seeming to be from a trusted institution or a friend. Cybercriminals use social engineering in other types of ransomware attacks, such as posing as the FBI in order to scare users into paying them a sum of money to unlock their files.

Another popular infection method, which reached its peak in 2016, is malvertising. Malvertising, or malicious advertising, is the use of online advertising to distribute malware with little to no user interaction required. While browsing the web, even legitimate sites, users can be directed to criminal servers without ever clicking on an ad. These servers catalog details about victim computers and their locations, and then select the malware best suited to deliver. Often, that malware is ransomware.

Malvertising and ransomware infographic.
Malvertising and ransomware infographic.

Malvertising often uses an infected iframe, or invisible webpage element, to do its work. The iframe redirects to an exploit landing page, and malicious code attacks the system from the landing page via exploit kit. All this happens without the user’s knowledge, which is why it’s often referred to as a drive-by-download.

Types of ransomware

There are three main types of ransomware, ranging in severity from mildly off-putting to Cuban Missile Crisis dangerous. They are as follows:


Scareware, as it turns out, is not that scary. It includes rogue security software and tech support scams. You might receive a pop-up message claiming that malware was discovered and the only way to get rid of it is to pay up. If you do nothing, you’ll likely continue to be bombarded with pop-ups, but your files are essentially safe.

A legitimate cybersecurity software program would not solicit customers in this way. If you don’t already have this company’s software on your computer, then they would not be monitoring you for ransomware infection. If you do have security software, you wouldn’t need to pay to have the infection removed—you’ve already paid for the software to do that very job.

Screen lockers

Upgrade to terror alert orange for these guys. When lock-screen ransomware gets on your computer, it means you’re frozen out of your PC entirely. Upon starting up your computer, a full-size window will appear, often accompanied by an official-looking FBI or US Department of Justice seal saying illegal activity has been detected on your computer and you must pay a fine. However, the FBI would not freeze you out of your computer or demand payment for illegal activity. If they suspected you of piracy, child pornography, or other cybercrimes, they would go through the appropriate legal channels.

Encrypting ransomware

This is the truly nasty stuff. These are the guys who snatch up your files and encrypt them, demanding payment in order to decrypt and redeliver. The reason why this type of ransomware is so dangerous is because once cybercriminals get ahold of your files, no security software or system restore can return them to you. Unless you pay the ransom—for the most part, they’re gone. And even if you do pay up, there’s no guarantee the cybercriminals will give you those files back.

Latest ransomware news

History of ransomware

The first ransomware, known as PC Cyborg or AIDS, was created in the late 1980s. PC Cyborg would encrypt all files in the C: directory after 90 reboots, and then demand the user renew their license by sending $189 by mail to PC Cyborg Corp. The encryption used was simple enough to reverse, so it posed little threat to those who were computer savvy.

With few variants popping up over the next 10 years, a true ransomware threat would not arrive on the scene until 2004, when GpCode used weak RSA encryption to hold personal files for ransom.

In 2007, WinLock heralded the rise of a new type of ransomware that, instead of encrypting files, locked people out of their desktops. WinLock took over the victim screen and displayed pornographic images. Then, it demanded payment via a paid SMS to remove them.

With the development of the ransom family Reveton in 2012 came a new form of ransomware: law enforcement ransomware. Victims would be locked out of their desktop and shown an official-looking page that included credentials for law enforcement agencies such as the FBI and Interpol. The ransomware would claim that the user had committed a crime, such as computer hacking, downloading illegal files, or even being involved with child pornography. Most of the law enforcement ransomware families required a fine be paid ranging from $100 to $3,000 with a pre-paid card such as UKash or PaySafeCard.  

Average users did not know what to make of this and believed they were truly under investigation from law enforcement. This social engineering tactic, now referred to as implied guilt, makes the user question their own innocence and, rather than being called out on an activity they aren’t proud of, pay the ransom to make it all go away.

Finally, in 2013 CryptoLocker re-introduced the world to encrypting ransomware—only this time it was far more dangerous. CryptoLocker used military grade encryption and stored the key required to unlock files on a remote server. This meant that it was virtually impossible for users to get their data back without paying the ransom. This type of encrypting ransomware is still in use today, as it’s proven to be an incredibly effective tool for cybercriminals to make money. Large scale outbreaks of ransomware, such as WannaCry in May 2017 and Petya in June 2017, used encrypting ransomware to ensnare users and businesses across the globe.

Mac ransomware

Learn about KeRanger, the first true Mac ransomware.
Learn about KeRanger, the first true Mac ransomware.

Not ones to be left out of the ransomware game, Mac malware authors dropped the first ransomware for Mac OSes in 2016. Called KeRanger, the ransomware infected an app called Transmission that, when launched, copied malicious files that remained running quietly in the background for three days until they detonated and encrypted files. Thankfully, Apple’s built-in anti-malware program XProtect released an update soon after the ransomware was discovered that would block it from infecting user systems. Nevertheless, Mac ransomware is no longer theoretical.

Mobile ransomware

It wasn’t until the height of the infamous CryptoLocker and other similar families in 2014 that ransomware was seen on a large scale on mobile devices. Mobile ransomware typically displays a message that the device has been locked due to some type of illegal activity. The message states that the phone will be unlocked after a fee is paid. Mobile ransomware is often delivered via malicious apps, and requires that you boot the phone up in safe mode and delete the infected app in order to retrieve access to your mobile device.

Who do ransomware authors target?

When ransomware was introduced (and then re-introduced), its initial victims were individual systems (aka regular people). However, cybercriminals began to realize its full potential when they rolled out ransomware to businesses. Ransomware was so successful against businesses, halting productivity and resulting in lost data and revenue, that its authors turned most of their attacks toward them. By the end of 2016, 12.3 percent of global enterprise detections were ransomware, while only 1.8 percent of consumer detections were ransomware worldwide. And by 2017, 35 percent of small and medium-sized businesses had experienced a ransomware attack.

Ransomware report on small- and medium-sized businesses.
Ransomware report on small- and medium-sized businesses.

Geographically, ransomware attacks are still focused on western markets, with the UK, US, and Canada ranking as the top three countries targeted, respectively. As with other threat actors, ransomware authors will follow the money, so they look for areas that have both wide PC adoption and relative wealth. As emerging markets in Asia and South America ramp up on economic growth, expect to see an increase in ransomware (and other forms of malware) there as well.

What to do if I'm infected

The number one rule if you find yourself infected with ransomware is to never pay the ransom. (This is now advice endorsed by the FBI.) All that does is encourage cybercriminals to launch additional attacks against either you or someone else. However, you may be able to retrieve some encrypted files by using free decryptors.

To be clear: Not all ransomware families have had decryptors created for them, in many cases because the ransomware is utilizing advanced and sophisticated encryption algorithms. And even if there is a decryptor, it’s not always clear if it’s for right version of the malware. You don’t want to further encrypt your files by using the wrong decryption script. Therefore, you’ll need to pay close attention to the ransom message itself, or perhaps ask the advice of a security/IT specialist before trying anything.

Other ways to deal with a ransomware infection include downloading a security product known for remediation and running a scan to remove the threat. You may not get your files back, but you can rest assured the infection will be cleaned up. For screenlocking ransomware, a full system restore might be in order. If that doesn’t work, you can try running a scan from a bootable CD or USB drive.

If you want to try and thwart an encrypting ransomware infection in action, you’ll need to stay particularly vigilant. If you notice your system slowing down for seemingly no reason, shut it down and disconnect it from the Internet. If, once you boot up again the malware is still active, it will not be able to send or receive instructions from the command and control server. That means without a key or way to extract payment, the malware may stay idle.  At that point, download and install a security product and run a full scan.

How do I protect myself from ransomware?

Security experts agree that the best way to protect from ransomware is to prevent it from happening in the first place.

Read about the best ways to prevent a ransomware infection.
Read about the best ways to prevent a ransomware infection.

While there are methods to deal with a ransomware infection, they are imperfect solutions at best, and often require much more technical skill than the average computer user. So here’s what we recommend people do in order to avoid fallout from ransomware attacks.

The first step in ransomware prevention is to invest in awesome cybersecurity—a program with real-time protection that’s designed to thwart advanced malware attacks such as ransomware. You should also look out for features that will both shield vulnerable programs from threats (an anti-exploit technology) as well as block ransomware from holding files hostage (an anti-ransomware component). Customers who were using the premium version of Malwarebytes for Windows, for example, were protected from all of the major ransomware attacks of 2017.

Next, as much as it may pain you, you need to create secure backups of your data on a regular basis. Our recommendation is to use cloud storage that includes high-level encryption and multiple-factor authentication. However, you can purchase USBs or an external hard drive where you can save new or updated files—just be sure to physically disconnect the devices from your computer after backing up, otherwise they can become infected with ransomware, too.

Then, be sure your systems and software are updated. The WannaCry ransomware outbreak took advantage of a vulnerability in Microsoft software. While the company had released a patch for the security loophole back in March 2017, many folks didn’t install the update—which left them open to attack. We get that it’s hard to stay on top of an ever-growing list of updates from an ever-growing list of software and applications used in your daily life. That’s why we recommend changing your settings to enable automatic updating.

Finally, stay informed. One of the most common ways that computers are infected with ransomware is through social engineering. Educate yourself (and your employees if you’re a business owner) on how to detect malspam, suspicious websites, and other scams. And above all else, exercise common sense. If it seems suspect, it probably is.

How does ransomware affect my business?

GandCrab, SamSam, WannaCry, NotPetya—they’re all different types of ransomware and they’re hitting businesses hard. In fact, ransomware attacks on businesses went up 88% in the second half of 2018 as cybercriminals pivot away from consumer-focused attacks. Cybercriminals recognize big business translates to big payoffs, targeting hospitals, government agencies, and commercial institutions. All told, the average cost of a data breach, including remediation, penalties, and ransomware payouts, works out to $3.86 million.

The majority of ransomware cases as of late have been identified as GandCrab. First detected in January of 2018, GandCrab has already gone through several versions as the threat authors make their ransomware harder to defend against and strengthen its encryption. It’s been estimated GandCrab has already raked in somewhere around $300 million in paid ransoms, with individual ransoms set from $600 to $700,000.

In another notable attack happening back in March of 2018, the SamSam ransomware crippled the City of Atlanta by knocking out several essential city services—including revenue collection and the police record keeping system. All told, the SamSam attack cost Atlanta $2.6 million to remediate.

Considering the spate of ransomware attacks and the tremendous cost associated with them, now is a good time to get smart about protecting your business from ransomware. We’ve covered the topic in great detail previously but here’s a quick gloss on how to protect your business from malware.

  • Backup your data. Assuming you have backups available, remediating a ransomware attack is as simple as wiping and reimaging infected systems. You may want to scan your backups to ensure they haven’t been infected, because some ransomware is designed to look for network shares. Accordingly, you’d do well to store data backups on a secure cloud server with high-level encryption and multiple-factor authentication.
  • Patch and update your software. Ransomware often relies on exploit kits to gain illicit access to a system or network (e.g. GandCrab). As long as the software across your network is up-to-date, exploit-based ransomware attacks can’t hurt you. On that note, if your business runs on outdated or obsolete software then you’re at risk for ransomware, because the software makers aren’t putting out security updates anymore. Get rid of abandonware and replace it with software still being supported by the manufacturer.
  • Educate your end users on malspam and creating strong passwords. The enterprising cybercriminals behind Emotet are using the former banking Trojan as a delivery vehicle for ransomware. Emotet relies on malspam to infect an end user and get a foothold on your network. Once on your network, Emotet shows worm-like behavior, spreading from system to system using a list of common passwords. By learning how to spot malspam and implementing multi-factor authentication, you’re end users will stay one step ahead of cybercriminals.
  • Invest in good cybersecurity technology. Malwarebytes Endpoint Protection and Response, for example, gives you detection, response and remediation capabilities via one convenient agent across your entire network.

What do you do if you’re already a victim of ransomware? No one wants to deal with ransomware after the fact.

  • Check and see if there is a decryptor. In some rare cases you may be able to decrypt your data without paying, but ransomware threats evolve constantly with the aim of making it harder and harder to decrypt your files so don’t get your hopes up.
  • Don’t pay the ransom. We’ve long advocated not paying the ransom and the FBI (after some back and forth) agrees. Cybercriminals don’t have scruples and there’s no guarantee you’ll get your files back. Moreover, by paying the ransom you’re showing cybercriminals that ransomware attacks work.

Keep up to date on the latest ransomware news in Malwarebytes Labs.

What is Phishing?

All about phishing

What is phishing?

Phishing is the crime of deceiving people into sharing sensitive information like passwords and credit card numbers. As with real fishing, there's more than one way to reel in a victim, but one phishing tactic is the most common. Victims receive a malicious email (malspam) or a text message that imitates (or “spoofs”) a person or organization they trust, like a coworker, a bank, or a government office. When the victim opens the email or text, they find a scary message meant to overcome their better judgement by filling them with fear. The message demands that the victim go to a website and take immediate action or risk some sort of consequence. 

If users take the bait and click the link, they're sent to an imitation of a legitimate website. From here, they're asked to log in with their username and password credentials. If they are gullible enough to comply, the sign-on information goes to the attacker, who uses it to steal identities, pilfer bank accounts, and sell personal information on the black market.

“Phishing is the simplest kind of cyberattack and, at the same time, the most dangerous and effective.”

Unlike other kinds of online threats, phishing does not require particularly sophisticated technical expertise. In fact, according to Adam Kujawa, Director of Malwarebytes Labs, “Phishing is the simplest kind of cyberattack and, at the same time, the most dangerous and effective. That is because it attacks the most vulnerable and powerful computer on the planet: the human mind.” Phishers are not trying to exploit a technical vulnerability in your device's operation system—they're using “social engineering. From Windows and iPhones, to Macs and Androids, no operating system is completely safe from phishing, no matter how strong its security is. In fact, attackers often resort to phishing because they can't find any technical vulnerabilities. Why waste time cracking through layers of security when you can trick someone into handing you the key? More often than not, the weakest link in a security system isn't a glitch buried in computer code, it's a human being who doesn't double check where an email came from.

The latest phishing news

Mobile Menace Monday: SMS phishing attacks target the job market
6 sure signs someone is phishing you—besides email
Bad romance: catphishing explained
A new kind of Apple phishing scam

History of phishing

The origin of the name “phishing” is easy enough to trace. The process of performing a phishing scam is much like actual, aquatic fishing. You assemble some bait designed to deceive your victim, then you cast it out and hope for a bite. As for the digraph “ph” replacing the “f,” it could be the result of a portmanteau of “fishing” and “phony,” but some sources point back to another possible origin.

In the 1970s, a subculture formed around the practice of using low-tech hacks to exploit the telephone system. These early hackers were called “phreaks”—a combination of “phone” and “freaks.” At a time when there weren't many networked computers to hack, phreaking was a common way to make free long-distance calls or reach unlisted numbers.

“Phishing is the simplest kind of cyberattack and, at the same time, the most dangerous and effective.”

Even before the actual “phishing” term took hold, a phishing technique was described in detail in a paper and presentation delivered to the 1987 International HP Users Group, Interex.

The use of the name itself is first attributed to a notorious spammer and hacker in the mid-1990s, Khan C Smith. Also, according to Internet records, the first time that phishing was publicly used and recorded was on January 2, 1996. The mention occurred in a Usenet newsgroup called AOHell. At the time, America Online (AOL) was the number one provider of Internet access, with millions of log-ons daily.

Naturally, AOL's popularity made it a target for fraudsters. Hackers and software pirates used it to communicate with one another, as well as to conduct phishing attacks on legitimate users. When AOL took steps to shut down AOHell, the attackers turned to other techniques. They sent messages to AOL users claiming to be AOL employees and asked people to verify their accounts and hand over billing information. Eventually, the problem grew so bad that AOL added warnings on all email and instant messenger clients stating "no one working at AOL will ask for your password or billing information."

“Social networking sites became a prime phishing target.”

Going into the 2000s, phishing turned its attention to exploiting online payment systems. It became common for phishers to target bank and online payment service customers, some of whom—according to subsequent research—might have even been accurately identified and matched to the actual bank they used. Likewise, social networking sites became a prime phishing target, attractive to fraudsters since personal details on such sites are useful for identity theft.

Criminals registered dozens of domains that spoofed eBay and PayPal well enough that they passed for the real thing if you weren't paying close enough attention. PayPal customers then received phishing emails (containing links to the fake website), asking them to update their credit card numbers and other personally identifiable information. The first known phishing attack against a bank was reported by The Banker (a publication owned by The Financial Times Ltd.) in September 2003.

By the mid-2000s, turnkey phishing software was readily available on the black market. At the same time, groups of hackers began to organize in order to orchestrate sophisticated phishing campaigns. Estimated losses due to successful phishing during this time vary, with a 2007 report from Gartner stating that as many as 3.6 million adults lost $3.2 billion between August 2006 and August 2007.

“In 2013, 110 million customer and credit card records were stolen from Target customers.”

In 2011, phishing found state sponsors when a suspected Chinese phishing campaign targeted Gmail accounts of highly ranked officials of the United States and South Korean governments and militaries, as well as Chinese political activists.

In perhaps the most famous event, in 2013, 110 million customer and credit card records were stolen from Target customers, through a phished subcontractor account.

Even more infamous was the phishing campaign launched by Fancy Bear (a cyber espionage group associated with the Russian military intelligence agency GRU) against email addresses associated with the Democratic National Committee in the first quarter of 2016. In particular, Hillary Clinton's campaign manager for the 2016 presidential election, John Podesta, had his Gmail hacked and subsequently leaked after falling for the oldest trick in the book—a phishing attack claiming that his email password had been compromised (so click here to change it).

In 2017, a massive phishing scam tricked Google and Facebook accounting departments into wiring money, a total of over $100 million, to overseas bank accounts under the control of a hacker.

Types of phishing attacks

Despite their many varieties, the common denominator of all phishing attacks is their use of a fraudulent pretense to acquire valuables. Some major categories include:

Spear phishing

While most phishing campaigns send mass emails to as many people as possible, spear phishing is targeted. Spear phishing attacks a specific person or organization, often with content that is tailor made for the victim or victims. It requires pre-attack reconnaissance to uncover names, job titles, email addresses, and the like. The hackers scour the Internet to match up this information with other researched knowledge about the target's colleagues, along with the names and professional relationships of key employees in their organizations. With this, the phisher crafts a believable email.

For instance, a fraudster might spear phish an employee whose responsibilities include the ability to authorize payments. The email purports to be from an executive in the organization, commanding the employee to send a substantial payment either to the exec or to a company vendor (when in fact, the malicious payment link sends it to the attacker).

Spear phishing is a critical threat to businesses (and governments), and it costs plenty. According to a 2016 report of a survey on the subject, spear phishing was responsible for 38% of cyberattacks on participating enterprises during 2015. Plus, for the U.S. businesses involved, the average cost of spear phishing attacks per incident was $1.8 million.

“A verbose phishing email from someone claiming to be a Nigerian prince is one of the Internet's earliest and longest-running scams.”

Clone phishing

In this attack, criminals make a copy—or clone—of previously delivered but legitimate emails that contain either a link or an attachment. Then, the phisher replaces the links or attached files with malicious substitutions disguised as the real thing. Unsuspecting users either click the link or open the attachment, which often allows their systems to be commandeered. Then the phisher can counterfeit the victim's identity in order to masquerade as a trusted sender to other victims in the same organization.

419/Nigerian scams

A verbose phishing email from someone claiming to be a Nigerian prince is one of the Internet's earliest and longest-running scams. According to Wendy Zamora, Head of Content at Malwarebytes Labs, “The Nigerian prince phish comes from a person claiming to be a government official or member of a royal family who needs help transferring millions of dollars out of Nigeria. The email is marked as ‘urgent' or ‘private,' and its sender asks the recipient to provide a bank account number for safekeeping the funds.”

In a hilarious update of the classic Nigerian phishing template, British news website Anorak reported in 2016 that it received an email from a certain Dr. Bakare Tunde, who claimed to be the project manager of astronautics for Nigeria's National Space Research and Development Agency. Dr. Tunde alleged that his cousin, Air Force Major Abacha Tunde, had been stranded on an old Soviet space station for more than 25 years. But for only $3 million, Russian space authorities could mount a flight to bring him home. All the recipients had to do was send in their bank account information in order to transfer the needed amount, for which Dr. Tunde will pay a $600,000 fee.

Incidentally, the number "419" is associated with this scam. It refers to the section of the Nigerian Criminal Code dealing with fraud, the charges, and penalties for offenders.

Phone phishing

With phone-based phishing attempts, sometimes called voice phishing or “vishing,” the phisher calls claiming to represent your local bank, the police, or even the IRS. Next, they scare you with some sort of problem and insist you clear it up immediately by sharing your account information or paying a fine. They usually ask that you pay with a wire transfer or with prepaid cards, so they are impossible to track.

SMS phishing, or “smishing,” is vishing's evil twin, carrying out the same kind of scam (sometimes with an embedded malicious link to click) by means of SMS texting.

“The email makes an offer that sounds too good to be true.”

How to identify a phishing attack

Recognizing a phishing attempt isn't always easy, but a few tips, a little discipline, and some common sense will go a long way. Look for something that's off or unusual. Ask yourself if the message passes the “smell test.” Trust your intuition, but don't let yourself get swept up by fear. Phishing attacks often use fear to cloud your judgement.

Here are a few more signs of a phishing attempt:

The email makes an offer that sounds too good to be true. It might say you've won the lottery, an expensive prize, or some other over-the-top item.  

  • You recognize the sender, but it's someone you don't talk to. Even if the sender's name is known to you, be suspicious if it's someone you don't normally communicate with, especially if the email's content has nothing to do with your normal job responsibilities. Same goes if you're cc'd in an email to folks you don't even know, or perhaps a group of colleagues from unrelated business units.
  • The message sounds scary. Beware if the email has charged or alarmist language to create a sense of urgency, exhorting you to click and “act now” before your account is terminated. Remember, responsible organizations do not ask for personal details over the Internet.
  • The message contains unexpected or unusual attachments. These attachments may contain malware, ransomware, or another online threat.
  • The message contains links that look a little off. Even if your spider sense is not tingling about any of the above, don't take any embedded hyperlinks at face value. Instead, hover your cursor over the link to see the actual URL. Be especially on the lookout for subtle misspellings in an otherwise familiar-looking website, because it indicates fakery. It's always better to directly type in the URL yourself rather than clicking on the embedded link.

Here's an example of a phishing attempt that spoofs a notice from PayPal, asking the recipient to click on the “Confirm Now” button. Mousing over the button reveals the true URL destination in the red rectangle.

Phishing attempt from PayPal spoof

Here's another phishing attack image, this time claiming to be from Amazon. Note the threat to close the account if there's no response within 48 hours.

Phishing attempt that claims to be from Amazon

Clicking on the link leads you to this form, inviting you to give away what the phisher needs to plunder your valuables:

Phishing attempt from Amazon spoof form

How do I protect myself against phishing?

As stated previously, phishing is an equal opportunity threat, capable of showing up on desktops, laptops, tablets, and smartphones. Most Internet browsers have ways to check if a link is safe, but the first line of defense against phishing is your judgement. Train yourself to recognize the signs of phishing and try to practice safe computing whenever you check your email, read Facebook posts, or play your favorite online game.

Once again from our own Adam Kujawa, here are a few of the most important practices to keep you safe:

  • Don't open e-mails from senders you are not familiar with.
  • Don't ever click on a link inside of an e-mail unless you know exactly where it is going.
  • To layer that protection, if you get an e-mail from a source you are unsure of, navigate to the provided link manually by entering the legitimate website address into your browser.
  • Lookout for the digital certificate of a website.
  • If you are asked to provide sensitive information, check that the URL of the page starts with “HTTPS” instead of just “HTTP.” The “S” stands for “secure.”It's not a guarantee that a site is legitimate, but most legitimate sites use HTTPS because it's more secure. HTTP sites, even legitimate ones, are vulnerable to hackers. 
  • If you suspect an e-mail isn't legitimate, take a name or some text from the message and put it into a search engine to see if any known phishing attacks exist using the same methods.
  • Mouseover the link to see if it's a legitimate link.

As always, we recommend using some sort of anti-malware security software. Most cybersecurity tools have the ability to detect when a link or an attachment isn't what it seems, so even if you fall for a clever phishing attempt, you won't end up sharing your info with the wrong people.

All Malwarebytes premium security products provide robust protection against phishing. They can detect fraudulent sites and stop you from opening them, even if you're convinced they're legitimate.

So stay vigilant, take precautions, and look out for anything phishy.

How does phishing affect my business?

The fact of the matter is this—cybercriminals are targeting your business. As reported in the Malwarebytes Labs Cybercrime Tactics and Techniques Report (CTNT), attacks on businesses went up 55 percent in the second half of 2018 with Trojans and ransomware proving to be the most popular types of attacks. Specifically, Trojan attacks on businesses rose 84 percent while ransomware attacks went up 88 percent. Phishing often plays an important role in Trojan and ransomware attacks, because cybercriminals rely on phishing emails to get victims to download the malware and initiate the attack.

The Emotet banking Trojan, for instance, that wreaked havoc throughout 2018 includes a spam module that scans contact lists on an infected computer and sends your friends, family, and coworkers phishing emails that link to a malware laden attachment or download. In an interesting twist, Emotet, once a banking Trojan in its own right, is now being used to deliver other malware, including ransomware.

What happens once malware like Emotet gets a foothold on your network via a phishing attack? Just ask the beleaguered city officials of Allentown. The 2018 attack on the Pennsylvania city required direct help from Microsoft’s incident response team to clean up and reportedly cost the city upwards of one million dollars to fix.

See all our reporting on phishing at Malwarebytes Labs. 

What is Adware?

All about adware

Here’s how it happens. You go online with your nice, well-behaved browser, only to see it fly into a virtual tantrum, as an onslaught of advertisements either pops up, slides in from the side, or otherwise inserts itself to interrupt and even redirect your intended activity. And no matter how much you click to close those windows, they keep buzzing you like flies at a picnic.

That bothersome phenomenon results from adware, short for advertising supported software. And just as your picnic food attracts the pests that come after it, money—or the revenue generated by unbidden ads—is what draws adware to your PC or mobile device. Below, we offer a short primer on adware, what it is, how you get it, what it tries to do to you, how to deal with it, and what to do in the future to avoid this irritant.

What is adware?

Adware is unwanted software designed to throw advertisements up on your screen, most often within a web browser. Some security professionals view it as the forerunner of the modern-day PUP (potentially unwanted program). Typically, it uses an underhanded method to either disguise itself as legitimate, or piggyback on another program to trick you into installing it on your PC, tablet, or mobile device.

Adware is unwanted software designed to throw advertisements up on your screen.

Adware is unwanted software designed to throw advertisements up on your screen.”

Adware generates revenue for its developer by automatically displaying online advertisements in the user interface of the software or on a screen that pops up in the user’s face during the installation process. And that’s when you start seeing dubious miracle weight loss programs, offers for get-rich-quick secrets, and bogus virus warnings that invite your click. Also, you might experience new tabs opening, a change in your home page, findings from a search engine you never heard of, or even a redirect to a NSFW website.

Mind you, it does happen that legitimate software applications do use online advertising, with ads that are typically bundled within the program and that display in ways the program developer specified. Adware is an altogether different kettle of rotten fish. You might download it without understanding its intent. Or it might land on your PC by means of legitimate software within which it’s secretly buried. Whatever the path, it all boils down to some program on your computer showing you advertisements that do not come from the websites you are visiting.

Once adware hijacks your device, it might carry out all sorts of unwanted tasks. The software's functions may be designed to analyze the location and which Internet sites you visit, and then present advertising pertinent to the types of goods or services featured there. While adware is more of a pesky nuisance than a harmful malware threat to your cybersecurity, if the adware authors sell your browsing behavior and information to third parties, they can even use it to target you with more advertisements customized to your viewing habits. And it doesn’t matter whether you are using Chrome, Firefox, or other browsers: It affects all of them.

Here are a few typical telltale signs that you have adware on your system:

  • Advertisements appear in places they shouldn’t be.
  • Your web browser’s homepage has mysteriously changed without your permission.
  • Web pages that you typically visit are not displaying properly.
  • Website links redirect to sites different from what you expected.
  • Your web browser slows to a crawl.
  • New toolbars, extensions, or plugins suddenly populate your browser.
  • Your Mac starts automatically installing unwanted software applications.
  • Your browser crashes.

How do I get adware?

There are two main ways by which adware sneaks onto your system. In the first one, you download a program—usually freeware or shareware—and it quietly installs adware without your knowledge, or permission. That’s because the program’s author signed up with the adware vendor. Why? Because the revenue generated by the advertisements enables the program to be offered gratis (although even paid software from an untrustworthy source can deliver an adware payload). Then the adware launches its mischief, and the user learns there’s a price to pay for “free.”

There are two main ways by which adware sneaks onto your system.

“There are two main ways by which adware sneaks onto your system.”

The second method is just as insidious. You’re visiting a website. Maybe it’s a trusted site; maybe it’s a sketchy one. Either way, it can be infected with adware, which takes advantage of a vulnerability in the user’s web browser to deliver a drive-by download. After it burrows in, the adware starts collecting your information, redirecting you to malicious websites, and throwing more advertisements into your browser.

Types of adware

For all the ways adware tries to dig into your PC or other device, most adware strategies qualify as browser hijackers. These interlopers specialize in modifying Internet browser settings without the user’s knowledge or consent. Typically, hijackers change the homepage and default search settings. You’re happily surfing along when suddenly the ads start pummeling you. You might naturally assume that the ads originate from the site you’re visiting, but they aren’t. But since they appear in the form of pop-ups or pop-unders, they seem that they are embedded in the site itself.

Once again, there are adware programs that change your start page, your search engine, or even fiddle with the shortcuts on your computer that open your browsers. There is also, of course, different adware for different devices and operating systems. So you might have to cope with mobile/Android adware, Mac adware, or Windows adware.

Latest adware news

Mobile Menace Monday: Adware MobiDash gets stealthy
Kuik: a simple yet annoying piece of adware
PBot: a Python-based adware

History of adware

In the beginning, meaning from roughly 1995 on, industry experts considered the first ad-supported software to be part of the larger category of spyware. Soon, security professionals began to differentiate adware from spyware as a less harmful type of PUPs. They were even seen as “legitimate,” at least in theory, because legal businesses with actual offices and payrolls were creating adware software.

But the affiliates to these legitimate businesses often spread their adware without themselves being checked for legitimacy by the adware vendor. Unchecked, the adware proliferated by every means at their disposal—peer-to-peer sites, botnets, instant messaging infections, and the aforementioned browser hijacks.

With enough time, adware vendors started to shut down their badly behaved affiliates, and issued denials of responsibility for the affiliate’s actions. This was a common pattern of activity during peak adware years, which flourished from about 2005 to 2008. After that, governing authorities started to issue large fines for these offenses, which drove the biggest adware players to pick up their code and leave. More recently, browsers have been cracking down with adblockers, and adblock plugins are ubiquitous. Although these measures protect users from adware, they also cause websites to lose revenue from legitimate ads.

Today, although adware persists, it is usually viewed as a form of PUP, which presents a threat level below the category of malware. Nonetheless, adware remains popular and always charts highly in our analysis of top consumer detections. In the second half of 2018, adware placed second behind banking Trojans (e.g. Emotet) as the number one consumer detection. One reason is, the volume of adware is on the rise, perhaps thanks to proliferation of mobile devices and adware making its way into mobile apps. However, adware makers today are consolidating power. In order to stay afloat, they’re using techniques more aggressive than simply hijacking, including hiding within Trojans, bundling with adfraud components, or demonstrating rootkit capability, making them difficult to remove.

Adware is now Malwarebyte’s top consumer detection.

“Adware is now Malwarebyte’s top consumer detection.”

Mac adware

It used to be that Mac users had no adware fears. For one thing, Macs have a built-in anti-malware system called XProtect, which does a decent job of catching known malware. Then there’s the fact that cyber criminals focus mostly on Windows PCs, as they are a more prolific target compared to the installed Mac base. But recently that’s changed fast. According to counts of the number of new Mac malware families to appear in 2017, they increased by more than 270 percent compared to those in 2016. Adware specifically for Macs first started to emerge in 2012; and since then, Mac adware variants have proliferated, developed both in secret by hackers and organized crime bad guys, as well as by seemingly legitimate corporations who claim to sell bona fide software with real-world uses. In the latter instance, the adware hides in plain sight as fine print in a long, small-type installation agreement. You know, the kind nobody reads. So when you click on the agreement, you accept its terms, and viola, the spam ensues. Those behind the adware are not doing anything illegal. At least technically, that is.

For the most part, adware for Macs rides inside a Trojan, malware that takes its name from the Trojan horse of Greek mythology. The Trojan portrays itself as something you want. Maybe a player, or some kind of plug-in. It might even be skulking around inside a legitimate software download from a disreputable site. Either way, it promises you one thing, but delivers adware in a bait-and-switch.

As far as the signs of a Mac adware infection go, they mirror the symptoms you see on Windows systems. Ads pop up where they shouldn’t be—literally everywhere. Something changes your homepage without so much as a how do you do. Familiar web pages just don’t look right anymore, and when you click on a link, you find yourself redirected to an entirely different site. It might even substitute a new search engine for your regular one.

So in the end, Macs, while less vulnerable than Windows computers, can still have a security problem with adware. More on what to do about it below.

Mobile adware

There’s not much real estate room on a mobile’s screen. So when a mysterious icon moves into your start screen, or scads of ads start clogging your notification bar, you’ve probably got an uninvited adware guest. No big surprise, since thousands of Android apps now contain the gift that keeps on shoving icons and ads at you without warning.

There are two methods through which mobiles come down with adware: through the browser and through downloaded applications.

  • Infection by browser refers to a known exploit, caused by the way most browsers handle redirections executed by JavaScript code. It’s a weakness that can cause ad pop-ups; and advertising affiliates know about it, and how to exploit it. If your mobile’s browser has been compromised, then the best way to block the pop-ups is to use a different browser, disable JavaScript, or install a browser with ad blocking. Another remedy to pop-ups is to back out of them using Android’s back key. Or you can clear your history and cache, which will also stop the ads from coming back.
  • Infection by downloaded applications refers to getting infected with persistent ads through adware apps installed on a phone. They present in different forms, from full screen ads inside and outside of the infected app, to the device notifications and on the lock screen. Typically, a third-party app store installs this kind of adware app. So it’s best to avoid third-party app stores, although even Google Play has been an unwitting source of adware-infested apps. 

Despite its being an annoying pest, take some small comfort in the fact that such adware is generally not blatantly malicious, threatening your device like malware might. Many of the free apps you download to your phone often include third-party ad content, providing software developers an alternative revenue stream so you can have their offering for free. Still, adware is not generally benevolent; so faced with a free app that stuffs your device with adware, and a paid program that plays nicely, consider the best choice for you.

Who do adware authors target?

Conventional wisdom is, adware’s main intended victims are individuals, as opposed to businesses. And it follows the individual user across any path of opportunity—from Windows PCs and Macs, to mobile phones, and virtually all browsers. It calls to potential victims through the “too good to be true” model, offering something for nothing in a scam that can suggest new games, movies, or special deals.

Adware’s main intended victims are individuals.

“Adware’s main intended victims are individuals.”

What do I do if infected?

If you suspect adware has compromised your Mac or Windows PC, there are a few steps you can take to remedy the infection. First, back up your files, regularly. You can try to remove the adware through the pertinent utility on your operating system (i.e., Add/Remove on the Windows platform). But this requires that you can identify the adware program’s name, or that the adware doesn’t have a Resuscitator, which are files designed to bring a program back to life after an uninstall.

If that is the case, then download a legitimate cybersecurity program such as Malwarebytes for WindowsMalwarebytes for MacMalwarebytes for Android, Malwarebytes for Chromebook, and Malwarebytes for iOS. All are free to try, and are designed to search and destroy adware, PUPs, and any new forms of malware lurking on the scene. Run a scan and, if there are any nasties hiding away in your machine, it’ll bag, tag, and dump them for you. At this point, it’s a good idea to change your password, not only for your PC, but also your email, your social media accounts, your favorite shopping sites, and your online billing centers. 

How to remove adware from your Mac

“For a deeper dive, read How to remove adware from your PC  and How to remove adware from your Mac over at Malwarebytes Labs. ”

How do I protect myself from adware?

Use caution and practice safe computing. That means thinking twice before immediately downloading and installing any new software—especially freeware. Read the terms and conditions like a lawyer before agreeing to them, and quit out of the download process if anything smells like a permission to load adware. Avoid torrent sites, illegal downloads, and never ever open an app from an unknown source, even if it comes to you under the guise of a known email contact.

Finally, even before all the above precautions, download a reputable cybersecurity program for your PC or mobile phone. Perform scans frequently, and keep your updates, well, up to date. Of course, we recommend any of our Malwarebytes family of anti-malware products as a prudent measure: Malwarebytes for WindowsMalwarebytes for MacMalwarebytes for Android, Malwarebytes for Chromebook, and Malwarebytes for iOS. By arming yourself with knowledge, and protecting yourself with a robust cybersecurity program, you can take the steps necessary for an adware-free life online.

See all our reporting on adware at Malwarebytes Labs.