Malware can unleash devastating attacks on devices and IT systems, resulting in the theft of sensitive data and money, destruction of hardware and files, the complete collapse of networks and databases, and more. Understanding the attack paths malware uses to invade your systems is important for setting up defenses to stop it.
Email and the Web are the primary vectors for malware to creep into an organization, but there are many other ways. Most of the time, it even happens without the user or IT even knowing. Below we discuss some of the most common ways malware can infect your device — along with security measures you can use to stop it.
If you’ve been hit by malware and are looking for help, see How to Remove Malware: Removal Steps for Windows & Mac.
Table of Contents
8 Ways Malware Gets on Your Device
Just by surfing the Web, malware can be injected into a system without clicking on any downloads, plugins or intentionally opening any files. Malvertising is one way hackers accomplish that, by injecting malicious or malware-laden advertisements into legitimate online advertising networks and Web pages.
A particularly dangerous example of this comes in the form of ChromeLoader. ChromeLoader is a piece of malware that can hijack users’ browsers to redirect them to pages full of ads. The malware recently evolved into a more dangerous form thanks to variants that can inject users’ devices with ransomware like Enigma.
A good defense against malvertising is the use of ad blockers on your preferred web browser. While many legitimate websites, such as for digital news, ask users to shut off their ad blockers, a good ad blocker can be an excellent way to filter out a lot of malvertising content. Additionally, enabling click-to-play plugins will block malvertising that uses Java or Flash from playing unless you directly click on them.
Spear phishing is one of the most common email attack vectors, where attackers disguise themselves as other employees such as your CEO or legitimate entities in an attempt to steal log-in credentials or trick users into sending money. With spear phishing, hackers target organizations for confidential or highly sensitive data. When aimed at higher-level employees like the CEO, it’s called whaling.
QR codes have become a potent new vector for spear phishing attacks. By embedding a malicious QR code in an otherwise innocuous-looking email, scammers have found another way to trick users into handing over their sensitive information. A 2021 spear phishing campaign spoofed legitimate-looking Microsoft Office 365 emails by offering users a QR code to access missed voicemail messages. When victims used the code, they were taken to a page which asked for their login credentials which were promptly stolen.
Employee training can be a big help when dealing with spear phishing. Good training allows users to better spot some of the hallmarks of spear phishing attempts, such as a sense of urgency in the messages and imitating legitimate email addresses.
Want to Protect Yourself Against Phishing and Other Email Threats? Take a Look at Top Secure Email Gateway Solutions for 2022
Web Trojan Download
A pattern has developed with Chrome extensions, WordPress plugins and the like; software that starts out safe is turned into malware, either through exploitation or a software update. The initial download of the legitimate software is used as a Trojan horse. When a user installs third-party software, it’s impossible for existing security mechanisms to detect if it’s malware or not.
A recent example of this malicious behavior was revealed this year by McAfee, which reported that a number of popular Chrome extensions had potentially infected over 1.4 million users with malicious cookies. These extensions included Netflix Party and Netflix Party 2, a pair of extensions that allowed users to sync up movies and shows on the popular streaming service to watch together.
The primary defense against trojans like these is personal vigilance. Avoid downloading software from unwanted sources. Employee training is a possible method for businesses to upgrade their employees’ cybersecurity vigilance.
PDF and Microsoft Office documents such as Word and PowerPoint permeate the Web. This is something that we don’t often notice – until a critical vulnerability shows up. Popular browsers like Chrome and Firefox contain built-in viewers for PDFs, which enable document viewing to blend seamlessly with the native Web experience. But easy document viewing can come at a price. A simple click, (whether on the Web or in an email), can lead to a document that’s potentially weaponized and laden with malware.
This threat is constantly evolving as well. When Microsoft began blocking macros from running on untrusted files by default, hackers found a way around this by using compression files like .zip, .rar. or .iso to successfully smuggle the malware-laden files onto your device.
Like with trojans, the best defense against these sorts of documents is personal vigilance. Only open documents from trusted sources.
A popular way to inject malware onto devices is by setting up legitimate-looking websites to entice users. This can come in a variety of forms, such as changing a single letter in a legitimate website’s url — often called typosquatting — or copying the website’s entire website design and layout but adding malicious links.
Earlier this year, hackers impersonated the Ghanian Oil Company, also known as GOIL, with a fake website claiming that users were eligible for government fuel subsidies. After filling out a short questionnaire involving questions about GOIL and basic user information like their age, users were asked to select a prize box, with three opportunities to select the correct box with their prize. If successful, users were asked to fill in their address and share the false promotion via WhatsApp in order to receive their prize, completing the phishing attempt. GOIL alerted their customers to these sorts of scams in an August 2022 Facebook post.
The best defense against spoofed websites is personal vigilance. Be aware of where the links you are clicking are sending you and, if the website is impersonating a legitimate entity like the Ghanian Oil Company, try contacting the entity first before clicking on any links related to the suspicious website. A good antivirus program can also help ward off some of the malware found on spoofed websites.
Want to Learn More About How Scammers Are Getting Ahold of Your Data? Check Out The Scammers’ Playbook
Fraudulent Mobile Apps
Much like the malicious Chrome extensions and WordPress plugins mentioned above, mobile apps are a dangerous vector for malware. Whether by impersonating popular apps, implementing hidden ads, keylogging, or other techniques, mobile apps possess a number of methods to infect users’ devices. These sorts of apps are nothing new, however, and they typically don’t end up on the Google Play Store or the Apple App Store, the two most popular app marketplaces.
However, an ad fraud campaign, known as Scylla, had managed to get 80 fraudulent apps onto the Google Play Store and 9 apps onto the Apple App Store, resulting in over 13 million downloads as of this writing. Scylla was first discovered in 2019 but is still ongoing. However, HUMAN Security’s Satori Threat Intelligence and Research Team has been working with Google, Apple, and other relevant parties to disrupt the campaign.
Like other infection vectors that rely on fakery and social engineering, one of the best defenses against fraudulent mobile apps is to remain vigilant. Make sure the apps you download come from legitimate sources and verify with those sources that they are selling this app on the app store. Also, be sure to report fraudulent apps you spot on the store, in order to help protect other users.
Remote Desktop Protocol (RDP)
Remote Desktop Protocol (RDP) is what allows two computers to connect with one another via a network. Though developed by Microsoft for Windows, the technology is widely-used and has clients for most popular operating systems, including Linux, MacOS, Android, and iOS.
Unfortunately, RDP is sometimes found vulnerable for exploitation by hackers on older or poorly protected systems, and once they gain access to a computer via RDP, they can inject malware or steal files from the victim’s machine without much trouble.
A growing genre of cybercriminal known as Initial Access Brokers (IABs) have begun making their ill-gotten gains off selling access credentials to RDP and other corporate services like content management systems or company VPNs. These credentials are then used by hackers to implement ransomware attacks on company devices.
RDP, being such a widely and legitimately-used technology, is a difficult infection vector to protect against. However, in cases where hackers are exploiting vulnerabilities on older systems, keeping your system up-to-date will ensure that these vulnerabilities are more difficult to use against you.
Struggling With Ransomware? Check Out Our Guide to the Best Ransomware Removal Tools
Finally, removable hardware like flash drives are a viable vector for malware. While remote methods like spear phishing are more common, there is still a danger whenever a user plugs an unknown flash drive into their machine. These flash drives can then inject a variety of malware, such as keyloggers, to get ahold of their data.
If using a device in public spaces, users should also be wary of public USB chargers found at libraries, cafés, or airports, as hackers can utilize these to steal data and infect user devices in a practice known as “juice jacking.”
While simply not plugging unknown flash drives into a device is part of preventing this sort of attack, malware infection via USB is so quick that briefly unattended devices can be vulnerable to attack as well if a hacker is opportunistic enough. When leaving a device unattended in a public space for any reason, we recommend disabling USB ports until you return to your device.
How to Shut Down Attack Vectors
Data breaches and malware attacks are costing enterprises millions of dollars each year, and that number won’t slow down any time soon. Security detection mechanisms look for a finite set of malware patterns, but the number of variations is infinite and impossible to effectively track.
Advanced methods like heuristics, behavioral analytics, or machine learning can detect changes in behavior that can signify malware infection. However, they’re far from foolproof, and infection can still occur even with the best cybersecurity solutions and employee training on the market. For that reason, secure, isolated data backup should be part of every cyber defense system.
Rather than focus on creating signatures for the millions of different malware variants – which is virtually impossible – security solutions should focus on the attack vectors, the paths attackers and malware follow to break into computer and IT systems. Even though there are infinite strains of malware, there are only a handful of vectors, some of which include surfing the Web, phishing emails, Trojan downloads and malicious documents such as portable document formats (PDFs).
Despite the growing sophistication, infection vectors stay constant. Every breach starts out with the same vectors, and the two largest buckets encompass Web and email. The only difference is what the malware does post-breach. If we are to begin to truly combat malware, we need to start by securing the attack vectors.
Looking For New Ways to Protect Your Business’s Data? Check Out Top Network Detection & Response (NDR) Solutions
NOTE: This article was originally written in April 2016 by Kowsik Guruswamy and updated by Zephin Livingston in December 1, 2022.
Get the Free Cybersecurity Newsletter
Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices.