If you ever watched The Road Runner cartoons, you probably witnessed that zippy bird outwit Wile E. Coyote on more than one occasion by turning a directional signpost 180 degrees and sending his antagonist careening off a cliff. While they don't make the same "Beep-Beep" sound, the Internet is full of clever people and entities engaged in similar efforts at misdirection. The difference is that, rather than driving your body off a cliff, they are looking to drive your money in their direction. There are lots of ways to take a wrong turn as you browse through web pages. Here are some indicators to keep you on the right path.
Occasionally, a client will call in about one of our firewalls blocking access to a common, everyday site, like FedEx or Amazon, because it has been flagged as a "known malware" or "adware" site. In most cases, what we find when we connect to the client's computer is that, while the person thinks they are clicking through to FedEx.com's package tracking page, assuming that FedEx's site would be the top search result, they are actually clicking on one of the "Ad" links Google places at the top of its results. These ad placements are paid for by whoever buys them and may very well be sites with malware buried in them, so our Meraki firewalls block the resulting pages.
The title of the link does an impressive job of sounding legitimate - and the title is the most eye-catching part of the results - but the actual web address reveals it to be an unofficial, and possibly dangerous, site. The highlighted selection in the example above shows where the correct web address is. It’s important to select your results based on the actual web address rather than the page title in order to avoid getting redirected to a drive-by malware attack or phishing page. Not every paid ad result is malicious - some, in fact, are actually purchased by the vendor to avoid this situation - but they’re often risky.
If you need to download an application or an update, it’s critical to make sure you actually go to the vendor’s site to download the file. Searching for an application’s name and choosing one of the results can lead you to a page that looks to be offering you the official software but is actually just giving you a malware-laden installer - or worse. Many firewalls and antivirus programs will protect you from these types of sites, but it’s not foolproof, and many end-users may disable these protections just to get to what they’re sure is a legitimate download.
Rather than directly installing malware silently in the background, many malicious ads will instead force a pop-up or display an ad that looks like a legitimate upgrade/update prompt, as in the image below.
If you go to adobe.com, you won’t be able to find 'Flash Player Pro' because it’s not a real application they make, but that update window looks awfully official. In actuality, it’s a separate pop-up window summoned up by a malicious ad on a site. It’s much easier to trick a user into installing malware disguised as an update than it is to find and leverage a vulnerability in Windows to automatically and silently infect the machine. Going to the vendor’s site - regardless of where the pop-up comes from - to find the software/update helps avoid getting caught in this trap.
The third-party sites that do host legitimate downloads of an application or updater often turn into online Russian Roulette with a flood of ads posing as "Download!" buttons, all of which lead to fake installers and malware. Some smaller vendors host their installers on third-party download sites, meaning even if you do go to the vendor’s page, you may still find yourself on a separate site with a barrage of download links. Can you tell which of the buttons below is an actual download button?
You can usually hover over a button and check the status bar at the bottom of your browser to see what address the link actually goes to. If it looks like it's going to take you to an entirely separate website, it's probably an ad. In this case, the actual download button is directly under the software's name (the CNET Secure Download button). If you click on a button that you're confident is the right one, but your firewall or antivirus blocks it or warns you, trust the warning.
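The two checks described above, reading the real address behind a search-result title and checking whether a "Download" button leaves the site you are on, can be automated for a page's links. The following is an added example, not code from the original post: it assumes a small hypothetical brand-to-official-domain table, a constructed HTML snippet, and `.example` hostnames standing in for the unofficial sites.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical table of brands and the domains that legitimately own them.
OFFICIAL_DOMAINS = {"fedex": "fedex.com", "amazon": "amazon.com", "adobe": "adobe.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(" ".join(self._text).split())))
            self._href = None


def on_site(host, site):
    """True only for the site itself or a real subdomain (fedex.com.evil.example fails)."""
    return host == site or host.endswith("." + site)


def check_link(href, text, page_host):
    """Classify one link the way a careful user reads the hover URL, not the title."""
    host = (urlparse(href).hostname or page_host).lower()  # relative links stay on-site
    for brand, domain in OFFICIAL_DOMAINS.items():
        if brand in text.lower() and not on_site(host, domain):
            return (text, host, "brand mismatch")
    if "download" in text.lower() and not on_site(host, page_host):
        return (text, host, "off-site download")
    return (text, host, "ok")


def audit(html, page_host):
    parser = LinkCollector()
    parser.feed(html)
    return [check_link(href, text, page_host) for href, text in parser.links]


# Constructed sample: one real tracking link, one look-alike ad, one real download
# button, one "Download!" ad leading off-site, and a harmless same-site link.
SAMPLE = """
<a href="https://www.fedex.com/fedextrack/">FedEx Tracking | Official Site</a>
<a href="http://tracking-deals.example/fedex">FedEx Package Tracking - Track Now</a>
<a href="/download/app-setup.exe">CNET Secure Download</a>
<a href="http://ads.example/dl?id=7">Download!</a>
<a href="https://help.download.cnet.com/faq">Help</a>
"""
```

Running `audit(SAMPLE, "download.cnet.com")` flags the second and fourth links; the same-site and subdomain links pass.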
Even if you do get a legitimate installer, you’re not out of the woods yet. If you look at your installed programs right now, there’s a high chance you’ll see 'McAfee Security Scan' in the list, and you probably have no idea where it came from.
When downloading the installer for Adobe Reader directly from Adobe’s website, there are a pair of checkboxes that are automatically checked for “value add” software. They aren’t malicious programs, but you don’t need them, you probably don’t want them, and you certainly didn’t expect them. They won’t cause much system performance degradation (other than maybe popping up from time to time) but you didn’t intend to install them. This is a common practice by just about every major “free” software developer. Java updates are notorious for installing a toolbar on your system if you’re not vigilant during the install process. Adobe tries to include McAfee Security Scan with just about every free product. Other programs may try to install Google Chrome and the Google Toolbar. It’s unfortunate, because you essentially need to install these updates - not installing them does leave you substantially vulnerable to malicious attachments and drive-by exploits - but you have to be careful during the download and install process.
Less well-known software developers may bundle far worse junkware. You need to check each and every window or page of an install process just to make sure you're not about to open a browser afterwards and find yourself with a new, terrible homepage, or another 15% of your browser window choked up by yet another toolbar. At a minimum, stay alert for any pre-ticked check boxes.
There’s some irony to the installer above proclaiming itself “Safe, Trusted, and Spyware Free” on the same page as it’s trying to push a toolbar onto your browser. At least it’s not changing your search/homepage to a Google-lookalike directing primarily to pay-for-click ad sites.
Many of these bundled pieces of software are obnoxious or worse. “Driver updater” programs don’t do anything other than annoy you at start-up, unless you decide to try to pay them for a non-existent service. Some of them may legitimately be malicious, redirecting your browser to more malware and ads, collecting tracking data, and so on. Even if you only get stuck with innocuous junkware, the more of them that find their way onto your system, the slower your system will run. Most of these can be removed, like any legitimate program, through Add/Remove Programs. Others may persist like viruses and require specialized removal tools or your IT provider to assist you.