Oon Yeoh

We’ve all heard about security flaws resulting from operating system or browser flaws but according to security experts Trend Micro, software bugs were the source of just 5% of computer infections last year.

The bulk of the attacks were the result of computer users’ own actions, the security company said, adding that the majority of the attacks carried out by last year’s top 100 malware were caused by users visiting malicious sites and then accepting some kind of download.

Trend Micro’s analysis showed that from January 1 to November 25, 2008, the top 100 attack programs infected 53% of their victims by duping them into downloading something from the Internet. An additional 12% of the infections were caused by users opening e-mail attachments.

“This illustrates that social engineering seems to be playing a larger role than we thought,” said Paul Ferguson, network architect at Trend Micro. “The problem isn't due to software vulnerabilities in, say, the browser.”

According to Ferguson, users still need a lot of education when it comes to safe surfing. “They still manage to get duped into situations that put them at risk,” he said. “The same (hacker) methodology still works. There's still enough low-hanging fruit that they don't even have to try very hard.”

One of the more popular ways to infect unsuspecting users’ computers is by embedding malware into a websites with pictures and videos of famous celebrities.

Last week, anti-virus company, McAfee, reported that actress Jessica Biel is the “most dangerous celebrity” this year. If you search for “Jessica Biel downloads”, “Jessica Biel wallpaper” or “Jessica Biel screen savers”, you’d have a one-in-five (basically 20%) chance of ending up on a site designed to damage your computer, according to the company.

Last year’s most dangerous celebrity was actor Brad Pitt and the year before that it was socialite, Paris Hilton.

“Cybercriminals are star watchers too,” said Jeff Green, senior vice president of McAfee's product development. “They latch onto popular celebrities to encourage the download of malicious software in disguise.”

Of course simply searching for Jessica Biel on Google will not infect your computer. But if you visit some of the sites in the search results and especially if you click on some links or download some files from there, you could end up with some malware on your computer.

Surprisingly Michael Jackson wasn’t on McAfee's top 15 list but his name was used by several scammers in the aftermath of his death.

One particularly notorious one was an e-mail that touted a YouTube video that showed the “last work of Michael Jackson.” People who clicked on the link would instead receive a malware that stole their passwords.

Another e-mail contained a link to what it claimed to be the “latest unpublished photos” of Jackson. Clicking on that link resulted in the installation of a password-stealing program.

But it’s not just celebrities that lure people. Symantec, another leading anti-virus company, has released the “Dirtiest Web Sites of Summer 2009” which lists the top 100 infected sites based on number of threats detected by Norton Safe Web as of August 2009.

According to Norton Safe Web’s website, the company analyzes sites using signature-based file scanning, intrusion detection engines, behavioural detection and install/uninstall analysis to identify security risks including phishing sites, malicious downloads, browser exploits and links to unsafe external sites.

“It comes as no surprise that 48% of the Dirtiest Web Sites are, well, dirty – sites that feature adult content,” Norton Safe Web said. “However, other Dirtiest sites run the gamut of subject matter, including sites dedicated to deer hunting, catering, figure skating, legal services, and buying electronics.”

Simply clicking through to a site with these threats could put you at risk of exposing your computer to infection, the company warned, and worse, put your identity, personal and financial information into the hands of cybercriminals.

With so many threats out there, what can you do? First of all, use common sense. Don’t visit strange sites that appear dodgy in any sense. Stick instead to sites with good reputations – sites that you know and trust.

Here are some useful links:
McAfee’s Top 15 Most Dangerous Celebrities: http://tr.my/3Td
Samples of Norton Safe Web’s Dirtiest Sites: http://tr.my/3Th
The US Department of Homeland Security’s Cyber-Security Tips: http://tr.my/3Tl

Oon Yeoh is editor for New Media at The Edge. He invites you to follow him at www.twitter.com/oonyeoh.