Malwarebytes recorded 111 million malware detections on Windows devices and 75 million on Mac devices in 2020 alone. Cybercriminals are always trying to figure out new ways to get malware onto your computer or network. But how does malware get on your computer? Let’s break it down.
How do you get malware infections? This isn’t a one-and-done kind of response because there are many types of malware and even more ways that malware can infect your computer, devices, and larger network. SonicWall reports 5.6 billion malware attacks in 2020 — this is a decrease of 43% over the prior year. But don’t let this change fool you — although numbers have dropped over the last year, malware is a big issue for businesses and consumers alike.
So far in 2021, we’ve seen the devastating impacts of malware on major organizations in the ransomware attacks on Colonial Pipeline, OmniTRAX, and Harris Federation. But don’t think for even a moment that cybercriminals are only targeting the big guys — they’re interested in small businesses, too.
This brings us to the main question we wish to address in this article: how do you get malware? We have put together a list of malware infection methods to avoid.
Why and How Do You Get Malware on Your Computer or Other Network Devices?
If you believe you are just a small business and a cybercriminal has nothing to gain from you, so you are safe, then you are wrong, my friend. As a small business, you have many riches that cybercriminals desire. Let’s look at some of the reasons a criminal might want to hack into your small business’s devices and network:
- They want access to your data. Small businesses often have lots of customer data, which cybercriminals can use for personal gain or sell to other bad guys on the dark web. Malware can help them steal it.
- They want your money. By infecting your devices with malware, bad guys can steal your credit card information or login credentials (such as for your bank). They can use this information to make fraudulent purchases or payments.
- You’re a bridge to larger targets. If you’re a small company that works with larger corporations, then bad guys might want to use you to gain access to those organizations’ networks or IT systems.
- Your device provides resources for cyber attacks. Bad guys may infect your device with malware so they can use its resources for illegal cryptomining (cryptojacking) or to launch DDoS attacks against other companies’ servers.
These are just a few of the reasons why cybercriminals introduce malware in your computer and network. But how do you get malware on your computer? Let’s look at some common malware infection methods. (Note: This isn’t an all-inclusive list but it at least gives you an idea of how bad guys use malware to infect devices and networks.)
Method 1 for How to Get Malware: Falling for Phishing Attacks
Phishing is a cyber attack method that uses social engineering tactics to extract personal information from victims. Cybercriminals often carry out phishing attacks in such a way that the victim believes the cybercriminal is a legitimate person. This is because bad guys present themselves as trusted authorities — government or law enforcement representatives or company executives — to get you to trust them and comply. They then either use the information you provide to carry out other crimes or sell it to other cybercriminals.
FBI IC3 reported 241,342 complaints of phishing in 2020 as opposed to 114,702 in 2019 (an increase of 110%). According to Proofpoint, 57% of global survey respondents said their organizations dealt with at least one successful phishing attack in 2020.
There are many ways that cybercriminals can use phishing to their advantage. Let’s explore a few…
Email Phishing Attacks
Email is one of the most common channels for carrying out phishing attacks. Verizon’s 2020 Data Breach Investigations Report (DBIR) data indicates that around 46% of organizations received all of their malware through email. (Other organizations received malware via email to varying degrees.)
There are many types of phishing scams that bad guys will use to target potential victims, such as pretending to be a vendor or an executive within your organization. They’ll use a variety of tactics to make their emails appear legitimate to get you to download and install malware, including:
- Using email spoofing to make it look like it was sent by someone else (so you trust it).
- Disguising malicious links as legitimate-looking links and buttons.
- Inserting malicious attachments that are disguised as invoices, company spreadsheets, and other files.
- Attaching images to emails that have been altered to contain malware.
We’ve attached a really bad example of a malicious email. However, it’s important to note that malicious emails won’t always be this obvious. Sometimes, cybercriminals will put more time and effort into carefully crafting emails to make them look more legitimate. These are the ones you should be worried about.
SMS Phishing Attacks (Smishing)
A mobile phishing scam is called smishing. In-app messages, fraudulent SMSs, voice mails, and social media messages manipulate the victims to reveal sensitive personal information to the scammer. It might also be used to install malware on your mobile devices. Proofpoint reports that 61% of the organizations faced smishing attacks in 2020.
Voice Phishing Attacks (Vishing)
Voice phishing — or the use of voicemails and phone calls to carry out phishing attacks — is called vishing. In this scenario, a cybercriminal will call and say that they have an important matter to discuss but first must verify your identity. Alternatively, they may leave a message on your voice mail and might ask you to call another number. They’ll likely impersonate a bank, credit card company, or another authority in both scenarios and say they need to verify your personal information to speak with you about your account.
Proofpoint data shows that more than half (54%) of surveyed organizations experienced vishing attacks in 2020. However, only 41% of the organizations covered vishing in their employee cyber security awareness trainings.
Spear Phishing Attacks
Spear phishing is a targeted form of phishing that’s typically used to focus on key personnel. In some cases, cybercriminals use the information they collected from victims in previous phishing attacks. In other cases, they’ll spend weeks or even months researching their targets (and their organizations) to learn more about them. They use all of this data and information to make their scams more convincing and their requests more urgent.
Traditional phishing targets many individuals simultaneously, whereas spear phishing focuses on an individual target. It’s kind of like the difference between fishing with a net versus a speargun.
Method 2 for How to Get Malware: Using Social Media
People of all ages love social media. It’s a great way to stay connected to friends and family. Your employees may even use their work-issued devices to access their favorite social media sites. Proofpoint reports that 34% of employees admitted to viewing and posting on social media using their work devices.
Bad guys know this and use social media to send out malicious links to users. Clicking on a link in a private message can lead to serious consequences when you open it. You also might see posts for enticing product giveaways, intriguing surveys, fake job offers, and places to download free apps that are actually malicious links. These are just a handful of ways that cybercriminals can infect your computer or other devices. Proofpoint also reports that 61% of organizations experienced social media attacks in 2020.
Continuing our journey of answering the question “how do you get malware infections?” brings us to our next topic.
Method 3 for How to Get Malware: Using Malicious Advertisements
“Malvertising” is a way to spread malware by placing malicious advertisements on legitimate websites. If someone clicks on the ad, they’ll be led to either a phishing site or a malicious website that will download malware onto their device. In some cases, the ad won’t require any user interaction to trigger because it contains code that automatically downloads malware onto the user’s device.
These advertisements typically convey a sense of urgency or excitement. They’ll make you think that you might miss out on a good deal if you don’t act fast. If you or your employees click on these ads, you might end up with malware on your device. Threat actors might find a way to access your entire network as a result of such ads.
Method 4 for How to Get Malware: Receiving Malicious Content via a MitM Attack
As the name suggests, a man-in-the-middle attack involves a bad guy intercepting insecure information as it transmits between two devices. They can use that interception as a way to not only read and steal your data but to alter that information while it’s in transit as well. This means that they can also choose to insert malware or malicious code into those transmissions.
Using an insecure connection (such as when you connect using public Wi-Fi) or transmitting information to an insecure website are a couple of quick examples of how a man-in-the-middle attack can occur. The perpetrator positions himself in the middle of the conversation, whether that is an email exchange or communication with an app, a game, or a website. He will collect all the information he can and use it for his malevolent interests. These attacks are also used to implant malicious software on your device without your knowledge.
Method 5 for How to Get Malware: Visiting (or Being Directed to) Malicious Websites
Alright, we’ve reached the last item on our list of how to get malware infections. This one focuses on how bad guys use malicious URLs (websites) to spread malware.
Phishing emails might be used to send links to fake websites that resemble legitimate ones. When the user opens this fake website, they might be asked to log in to access their account. This is actually a phishing scam that allows bad guys to steal your user credentials. However, in some cases, the website links are even more sinister because they take you to sites containing malware. Those sites will instead infect your device.
Cybercriminals sometimes use typosquatting as well to make their fake websites’ URLs appear more legitimate. This helps users reach their sites by simply misspelling or mistyping the domain name. Here are a few quick examples of how this works:
- Swap letters or numbers with other similar-looking characters. For example, the letter “i” can be replaced with “l” or the digit “1” (e.g., instead of Netflix.com, it can be Netfllx.com or Netfl1x.com).
- Replace single characters with combinations. The letter “m” can be replaced with “rn.” Amazon.com can be Arnazon.com or
- Add or remove characters to/from domains. An extra letter can be added or removed to create similar-looking domain names. For example, apple.com can become appple.com, and blogger.com can become bloger.com.
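The three typosquatting patterns above can be turned into a defensive check, shown here as an added example that is not part of the original article: it compares a domain seen in a link or log against a list of domains you care about. The `PROTECTED` list and the function names are assumptions, and the sample domains are the ones used in the list above.

```python
PROTECTED = ["netflix.com", "amazon.com", "apple.com", "blogger.com"]  # assumed list

# Lookalike sequences folded to one canonical form ("rn" imitates "m", etc.).
FOLDS = [("rn", "m"), ("1", "l"), ("i", "l"), ("0", "o")]


def skeleton(domain: str) -> str:
    """Reduce a domain to a form in which lookalike spellings collide."""
    s = domain.strip().lower().rstrip(".")
    for seen, canonical in FOLDS:
        s = s.replace(seen, canonical)
    return s


def differs_by_one_char(a: str, b: str) -> bool:
    """True when one string is the other with one character added or removed."""
    short, long_ = sorted((a, b), key=len)
    if len(long_) - len(short) != 1:
        return False
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def classify(domain: str):
    """Return (protected_domain, reason) for a suspected typosquat, else None."""
    name = domain.strip().lower().rstrip(".")
    if name in PROTECTED:
        return None  # exact match: the real site
    for brand in PROTECTED:
        if skeleton(name) == skeleton(brand):
            return brand, "lookalike characters"
        if differs_by_one_char(skeleton(name), skeleton(brand)):
            return brand, "character added or removed"
    return None


if __name__ == "__main__":
    # Constructed sample input: the article's examples plus an unrelated domain.
    for d in ["Netfllx.com", "Netfl1x.com", "Arnazon.com", "appple.com",
              "bloger.com", "amazon.com", "example.org"]:
        print(f"{d:14} -> {classify(d)}")
```

Because the folding is a heuristic, a legitimate domain that happens to contain a folded sequence can collide with a protected name, so treat a hit as a prompt for review rather than a verdict.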
However, bad guys don’t always want to create phony websites. Sometimes, they opt to exploit vulnerabilities that exist on legitimate websites. This way, they can use those legitimate platforms to reach larger audiences and infect more devices with their malware.
Final Words to the Topic of How to Get Malware
As you can see, criminals use many different methods to launch malware attacks on you. You must take every step required to protect yourself from malware attacks.
The FBI IC3 reported $4.2 billion in total victim losses in 2020. Verizon’s 2021 DBIR said that the majority of data breaches in that year were financially motivated. Therefore, we can conclude that a victim of cybercrime stands to face financial and non-financial losses. This makes it crucial to take the cyber security of your organization very seriously.