In the flood of recent news reports about cyberterrorism, state-sponsored hacking, and zero-day vulnerabilities that give no one time to prepare, it’s easy to get paranoid.
“We have to remember that the majority of threats that really work with regular users don’t have to be that advanced,” wrote Jérôme Segura, senior researcher at security software maker Malwarebytes, in an email to me. He’s one of the experts I contacted in order to sort the flood of recent dire headlines from the threats that will actually affect average people–or anyone, for that matter. (For the ones that do matter, see Three Online Dangers You Really Need To Worry About.)
Two of the most-hyped dangers they named: a targeted attack on your computer and an infection of your phone. Both are possible, but neither is likely. It’s easier for bad guys to attack people en masse with phishing attacks–spam emails containing infected attachments or links to sites full of malware. (Yes, many people still click mindlessly.) Or crooks slip malware-laden ads into the poorly overseen online advertising networks that spew ads onto websites. People simply visiting the sites get infected in what’s called a drive-by download.
Crooks and spies will not go after your machine specifically, unless you are very important financially or politically. And they are unlikely to use the most cutting-edge tools.
Case in point: multiple flaws in the Adobe Flash player discovered by a cyber espionage company called the HackingTeam, which sold its services to government agencies, including repressive regimes such as those in Kazakhstan and Uzbekistan. Hacking Team used those zero-day (never before known) exploits to build malware that allowed hard-to-trace surveillance of targets–ranging from genuine criminal suspects to political dissidents.
The malware was likely distributed carefully through bogus emails individually crafted to be believable to the target–a tactic called spear-phishing. “I don’t believe it was widespread simply because the exploit/malware was too valuable to be wasted and possibly caught by security firms,” wrote Segura.
That’s not to say you can’t get hit with malware that attacks your system, but it will be from a scattershot approach of spam emails or infected websites that targets as many people as possible. Ransomware locks up your computer and gives crooks access to blackmail-worthy photos and info, unless you pay up. Banking Trojans impersonate you, from your own system, to siphon off funds; and botnets enslave your computer in giant networks to relay spam or launch coordinated attacks called distributed denial of service (DDoS). But most of these threats are well known, without the element of surprise that makes zero-day attacks dangerous.
Your best defenses: up-to-date antivirus/anti-malware software and some common sense about what to click on.
Reports of mobile malware have shot up, especially for Android devices. Antivirus maker G Data reported finding 440,000 new Android malware strains in just the first quarter of 2015. But the big numbers don’t translate into big danger. Most of this malware currently originates in Asia and the Middle East, and it propagates almost entirely through unofficial Android app markets such as Mumayi, AnZhi, Baidu, eoeMarket, and liqucn. Stick to the Official Google Play app store, and your chances of infection are very low.
Threats that target Apple’s iOS devices like the iPhone and iPad are almost nonexistent, in part because of Apple’s strictly controlled App Store. “It’s just harder to get things accepted, and that barrier probably reduces the amount of people who want to try,” says Robert Hansen, VP of White Hat Security. Also, iOS puts more restrictions than Android does on what apps can do to your system.
The main reason mobile malware is a minor threat is that it’s just too much trouble for cyber crooks, according to Hansen. “The bad guys know it’s not economically friendly to attack mobile devices. Whereas it’s easy to send out a bunch of (infected) emails and hope somebody clicks on them,” he says. That’s to attack PCs and Macs, not phones. Hansen even says that antivirus software isn’t worth installing on mobiles.
No security expert will say that an attack is impossible. “However, the reality for the average user is that the simple stuff is what usually causes the most damage,” says Chase Cunningham, threat intelligence lead at security firm FireHost (now Armor Defense). “It is not necessary to try and build some crazy malware tool or spend months doing reconnaissance on a single target when something as easy as a drive-by download or simple phishing email will usually easily achieve the desired end goal.”
This article has been updated to reflect the renaming of security firm FireHost.