The Dangers of Browsing the Web

It’s common sense to lock your car doors whenever you park in a sketchy neighborhood, and the Internet is a sketchy neighborhood. When you’re online, you’re often one ill-advised click away from a stealthy malware attack that can damage your computer or network, and/or steal patient, office or your own sensitive data. This can include PHI, private messages, passwords and even the login information for your bank accounts.9 How can these attacks happen and what can you do to protect yourself and your practice? Let’s discuss…

Drive-by downloads. A drive-by download is a piece of malware that is downloaded onto your computer or mobile device without your knowledge when you visit an infected website. Although they are frequently found on malicious websites, drive-by downloads can also be lurking on normal ones that have been compromised by hackers. A similar tactic referred to as “malvertising” uses malicious code in the advertisements on otherwise trusted websites (many of which outsource the ads that appear on them).10 The best things you can do to defend yourself are to keep your software up-to-date (since malware often attacks through older security flaws the software manufacturer has already fixed via an update) and think before you click. If you’re using a desktop or laptop computer, you can also hover over a given link before clicking on it. The destination address will appear on the lower left of your screen. If it’s something you don’t expect or haven’t seen before, don’t click on the link.

Fake websites. Another thing to look out for is slightly misspelled or plausible-sounding – but fake – website names. This can be something like (with an extra L) or www.securityupdate.[yourbank’sname].com. These sorts of misleading websites can be found both within phishing emails and as standalone sites that serve the same purpose as the emails. As a result, you should be absolutely sure you are on the actual website for your bank or other business before entering any personal, financial or log in information. One way to approach this is to go directly to the bank’s or business’ site and bookmark it for future use. If you are using a smartphone or tablet, many banks and other businesses will have a dedicated app you can use instead of going through a (possibly fake) web link. Make sure to download the apps either directly through an official app store such as Google Play for Android devices or Apple’s App Store or the business’ actual website.

Social networks. Facebook, LinkedIn and other social media sites can come with risks. Only connect to people you know and be mindful of your account’s privacy settings. Hackers can use information found on social media profiles to craft spear phishing attacks.

What steps should you take to protect yourself? Here are a few that can help:

Keep your software up-to-date. As noted above (and in Part I), nearly every type of malware targets flaws in software that have already been fixed by the developer through software updates. If the computers in your office network are up-to-date, the vast majority of malware attacks against them will fail.

Don’t forget to hover over weblinks before you actually click on them.

Make sure to use HTTPS whenever you access a banking or financial website. HTTPS provides a more secure way to access the Internet. It is used to encrypt the communication between your web browser (Internet Explorer, Safari, Microsoft Edge, Google Chrome, Firefox, etc.) and the web server you are accessing when you visit a website. This helps protect against several types of attacks. A particularly prevalent one is a man-in-the-middle attack, in which someone else is able to effectively eavesdrop on your web session and steal (or alter) sensitive information. When using HTTPS, you will see a locked padlock and “https” on the left side of the address bar at the top of your computer screen. A good approach is to use HTTPS whenever it’s available. One simple step that can help is to use a free web browser add-on called “HTTPS Everywhere.”11 It automatically uses the secure version of hundreds of popular websites whenever you connect to them.

No banking or financial transactions via public wi-fi. Using a public wireless network – like one you might find in a coffee shop – is not secure and can expose you to a variety of spying software. You should never engage in any electronic banking or other financial transactions when on a public wireless network.

Know how to identify – and avoid – a webinject attack. A webinject attack is a type of a man-in-the-middle attack that will often appear as extra text fields or a fake pop-up window while you are actually logged in with your bank. The text fields or pop-up will generally ask for your account and/or log in credentials again “to enhance your security” or something similar. The problem is that it’s not from your bank. Banks do not communicate with their clients like that. If you see something like it, it’s an attempt to steal your log in information. Do not respond and notify your bank immediately. Like many other attacks, a web inject will attack through flaws in software that hasn’t been updated. Be sure to update the web browsing and other software on your computer and perform an updated anti-virus scan. This may not be enough to remove the infection once it’s on your computer, so you may wish to contact a security expert to ensure the problem is completely eradicated.

Webinject screen
A webinject attack
Image source:

Browse the Web with a non-administrative account. Computers come with a primary user account featuring “administrative privileges.” Those privileges allow full access to the computer, including the ability to download, modify and delete programs. While you need that to add, change or remove any software on your computer, you don’t need it to browse the Web. If an attacker is able to gain access to your administrator account, he or she will be able to control your system. To keep this from happening, set up a user account with non-administrator access to browse the Web (and limit the potential damage an attacker can do).

Secure your social media accounts. The methods used to lock down social media accounts vary based on which site you’re using. Advice on securing them can be found online.12