Protect your device from malware and phishing attacks

Updated 20 May 2018


    Regardless of your broader objectives, keeping your device healthy is a critical first step down the path toward better security. Before worrying too much about data encryption, private communication and anonymous browsing, for example, you should protect your device from malicious software (which is often called malware). Malware can dramatically reduce the effectiveness of any other security precautions you might take.

    Although most malware still targets Windows computers, Mac, Linux, Android and iOS users are also at risk and should review the tactics presented here.

    What you can learn from this guide

    • Information about the threat that malware poses to the privacy and integrity of your information, the stability of your computer and the reliability of other security tools
    • Brief descriptions of a few specific types of malware
    • How to keep your computer secure by updating your software and operating systems frequently
    • How you can use a few recommended tools to help protect yourself from these threats
    • What steps to take if you believe that your computer or device is infected with malware
    • Why you should use Free and Open-Source Software (FOSS) tools where possible and how even closed-source freeware can help you avoid some of the dangers associated with expired licenses and pirated software

    Malware and phishing attacks

    There are many ways to classify malware, but knowing the various labels applied to malicious software does very little to help us avoid it. Viruses, spyware, worms, trojans, rootkits, ransomware and cryptojackers are all types of malware, as are some phishing attacks. Some types of malware spread over the Internet through email, text messages, malicious webpages and other means. Some spread through devices like USB memory sticks that are used to exchange data. And, while some malware requires an unsuspecting target to make a mistake, others can silently infect vulnerable systems without the victim doing anything at all.

    Introduction to malware

    Malware attacks are often considered to be either general or targeted.

    General malware

    Some malware is created or purchased by criminals who release it onto the Internet and help it spread as widely as possible in order to make money. This might include malware that searches for credit card numbers on your device and sends them back to the criminal. Some malware takes over your computer and uses it to mine cryptocurrency or interact with online ads to exploit pay-per-click advertising networks. And some malware is designed to infect other devices to which its victims are connected. This might include Internet connected "smart appliances" in your home or vulnerable devices used by people whose email addresses are stored on your computer. These networks of infected "zombie" machines are sometimes used to create botnets that are then rented out for distributed denial of service (DDoS) attacks and other nefarious activities.

    It is worth saying a little more about ransomware, both because it has been on the rise lately and because of its unique characteristics. Ransomware is malware that encrypts your files and demands money in exchange for decrypting them. Unlike most malware, it typically informs its victims as soon as they have been affected. As a result, making regular backups of your files can greatly limit the damage done by ransomware. (Some research suggests that files are restored only about half the time, even when the ransom is paid.) A good backup strategy is important when recovering from any type of malware, of course, but the timely warning provided by most ransomware means that you are less likely to have unknowingly corrupted your backups while infected.

    See the corresponding Tactics Guide to learn more about how to Protect the sensitive files on your computer.

    Targeted malware

    Targeted malware is typically used to interfere with or spy on a particular individual, organisation or network. Regular criminals use these techniques as well, but so do military and intelligence services, terrorists, online harassers, abusive spouses, shady political actors, concerned parents and unethical employers. Targeted attacks are more likely to involve painstakingly customised messages, spoofed sender information, attachments with context-appropriate filenames, physical access to target devices and other such tricks. They are also more likely to exploit zero-day vulnerabilities, which are relatively uncommon software flaws that are kept secret so they will remain effective even on fully up-to-date target devices.

    Stalkerware is an example of targeted malware that allows attackers to monitor the activities of their victims. These attacks are often designed to obtain location data, messaging information and access to device features like cameras and microphones. They are most commonly associated with intimate partner violence and stalking, but are marketed to parents and employers as well.

    It is typically much more difficult to defend against targeted malware, not only due to its technical sophistication, subtlety and level of customisation, but because those who choose to employ it tend to be more persistent. If you think someone might be targeting you specifically, it is even more important that you review the suggestions listed below under Avoiding malware infections and that you Protect your information from physical threats.

    Anti-malware software

    Unfortunately, there are currently no full-featured, open-source anti-malware tools. As a result, we are not maintaining a set of anti-malware Tool Guides. If you are using Windows, however, you should have a look at the built-in Windows Defender, as discussed in the Basic Security for Windows guide. Macs and Linux computers do not come with built-in anti-malware software. The same is true of Android and iOS devices, which are somewhat less vulnerable because they typically prevent the installation of software unless it comes from an official source like the Google Play Store, F-Droid or the Apple App Store.

    You can also install a reputable, free-to-use tool like Malwarebytes (Windows, Mac, Android), Avira (Windows, Mac, Android) or AVG (Windows, Mac, Android). Most products advertised as "anti-malware" for iOS are really something else: VPNs, password managers, anti-theft trackers and other such "security" tools.

    There is one widely used FOSS anti-malware tool, called ClamAV, that runs on Windows and Linux. (You can install it on Ubuntu and other Debian distributions, using the built-in package manager.) ClamAV is only a scanner, however. You can use it to determine whether or not a file or directory contains known malware — and it can be run from a USB memory stick in case you do not have permission to install software on the suspect computer — but it will not monitor your system to protect you from infection.

    Finally, of course, you can purchase a commercial anti-malware product. If you do, you will probably have to pay an annual license fee to continue receiving regular updates.

    Trade-offs that come with anti-malware software

    Anti-malware software requires full access to your operating system in order to look for infected files and detect malicious behaviour. As a result, there are some situations where installing it could actually increase your level of risk, especially if it is poorly designed or compromised by a back door.

    That said, it is almost always in your favor to install an anti-malware tool — especially on Windows — unless you are a highly technical user targeted by a powerful adversary. If you believe this applies to you, or if you are advised by an expert that it does, then you will have to find other ways of protecting yourself from malware. You might switch to a hardened operating system like Tails or Qubes, for example, or access sensitive content on an air gapped machine with no network access.

    Tips on using anti-malware software effectively

    • Do not run two anti-malware tools at the same time. Many of them will identify the behaviour of another anti-malware program as suspicious and stop it from running. This can result in neither tool functioning properly.

    • Make sure that your anti-malware program allows you to receive updates. Many commercial tools that come pre-installed on new computers must be registered (and paid for) at some point or they will stop receiving updates. All of the software recommended here can be updated for free.

    • Ensure that your anti-malware software updates itself regularly. New malware is written and distributed every day, and your computer will quickly become vulnerable if you do not keep up with new malware definitions. If possible, you should configure your software to install updates automatically.

    • If your anti-malware tool has an optional "always on" feature, you should enable it. Different tools have different names for this mode: Realtime Protection, for example, or Resident Protection. If it is not active by default, you should turn it on.

    • Consider occasionally scanning all of the files on your computer. You do not want to do this often (and you might want to do it overnight), but explicit scans can help identify problems with your anti-malware tool's "always on" feature or its update mechanism. How often may depend on your circumstances. Have you connected your computer to insecure networks recently? With whom have you been sharing USB memory sticks? Do you frequently receive strange attachments by email? Has someone else in your home or office recently had malware issues?

    Avoiding malware and phishing attacks

    Installing anti-malware software is not the only thing you can do to protect your device. Below are a few additional suggestions.

    • Where possible, use the latest version of whatever operating system runs on your device (Windows, Mac, Ubuntu Linux LTS, Android, iOS). Keep that operating system up-to-date. Install updates as soon as they become available through the automatic update mechanism.

    • Keep your other software up-to-date as well. Install updates as soon as they become available. On Windows and Mac computers, this might require you to download and run a new installer. If it does, be sure to use the "official" source.

    • Uninstall software that you do not use any longer. Outdated software often has security issues, and you may have installed a tool that is no longer being updated. Read more about this under Keeping your software up to date below.

    • Improve the security of your Web browser by preventing it from automatically running potentially dangerous programs that are sometimes contained within the webpages you visit. To learn more, have a look at the Firefox Tool Guide (Windows, Mac, Linux).

    • Be cautious when opening files that are sent to you as email or messenger attachments, through download links or by any other means. It is best to avoid opening files from unknown sources, though even trusted sources might inadvertently send you malware. And think twice before inserting removable media like USB sticks, flash memory cards, DVDs and CDs into your computer. See the Windows Basic Security Tool Guide for tips on how to do this more safely.

    • If you often need to open files or insert external media from strangers, you should practice using a compartmentalised system like Tails to prevent malware from infecting your computer or accessing your sensitive files.

    • Never accept and run applications that come from websites you do not know and trust. Rather than accepting an "update" offered in a pop-up browser window, for example, check the relevant application's official website.

    • Uninstall Adobe Flash and the Java browser plugins as described in Section 3 of the Firefox Tool Guide (Windows, Mac, Linux).

    • If you hover your mouse over a link in an email or on a webpage, you will see the full website address. This can help you decide whether or not you want to click that link. If you are using Mozilla Firefox, you can install the NoScript add-on, as described in the Firefox guide. Browser extensions like Privacy Badger, HTTPSEverywhere, and uBlock Origin are also helpful.

    • Stay alert when browsing websites. Glance at the website address after you follow a link and make sure it looks appropriate before entering sensitive information like your password. Watch for browser windows that appear automatically and read them carefully instead of just clicking Yes or OK.

    • When possible, verify the software you download before installing it. This is not always easy, but the VeraCrypt Tool Guide for Linux describes one way of doing this on Linux.
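One concrete way to carry out the verification step above is to compare a download's SHA-256 digest with the checksum the vendor publishes alongside it. The script below is an added example and is not part of the Security-in-a-Box guide or of any tool it recommends; the file name `installer.bin` and the checksum list are constructed stand-ins, and the `sha256sum`/`shasum` fallback is an assumption about which tools your system has.

```shell
#!/bin/sh
# Verify a downloaded installer against the SHA-256 checksum its vendor publishes.

# sha256_of FILE: prints the hex digest, using sha256sum (Linux) or shasum (macOS)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE EXPECTED: 0 if the digest matches, 1 otherwise (compares case-insensitively)
verify_sha256() {
  actual=$(sha256_of "$1") || return 1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# lookup_sum NAME SUMSFILE: finds NAME in a SHA256SUMS listing ("<hex>  name" or "<hex> *name")
lookup_sum() {
  awk -v n="$1" '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$2"
}

# verify_from_sums FILE SUMSFILE: 0 on match, 1 on mismatch, 2 if FILE is not listed at all
verify_from_sums() {
  expected=$(lookup_sum "$(basename "$1")" "$2")
  [ -n "$expected" ] || return 2
  verify_sha256 "$1" "$expected"
}

# demo: constructed stand-in for a download plus the vendor's checksum list (not a real installer)
demo() {
  dir=$(mktemp -d)
  printf 'hello\n' > "$dir/installer.bin"
  printf '%s  installer.bin\n' \
    5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 > "$dir/SHA256SUMS"
  if verify_from_sums "$dir/installer.bin" "$dir/SHA256SUMS"; then
    echo "installer.bin: checksum OK"
  else
    echo "installer.bin: checksum MISMATCH, do not install"
  fi
  rm -rf "$dir"
}

demo
```

A checksum only proves that the file you received is the one the checksum list describes, so fetch the list from the vendor's official site over HTTPS rather than from the same mirror as the download. Where the vendor also publishes a PGP signature (the approach the VeraCrypt Tool Guide walks through), `gpg --verify` of the signature over the file or over the checksum list adds the assurance that the list itself came from the vendor.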

    Protecting your smartphone or tablet from malware

    Smartphones and tablets are increasingly targeted by malware. They are especially good targets because we tend to leave them on and carry them around with us wherever we go. They also contain microphones, cameras and GPS hardware.

    • As with computers, keep your operating system and applications up to date.

    • Install only from official or trusted sources like Google's Play Store and Apple's App Store (or F-droid, a FOSS app store for Android). Apps can have malware inserted into them and still appear to work normally, so you will not always know if one is malicious.

    • Pay attention to the permissions that your apps request. If they seem excessive, deny the request or uninstall the app.

    • Consider installing a reputable anti-malware tool if one is available for your device.

    • Uninstalling apps that you no longer use can also help protect your smartphone or tablet. Developers sometimes sell ownership of their apps to other people. These new owners may continue to improve the app or they may try to make money by inserting malicious code.

    • See the Basic Security for Android Tool Guide for more on how to protect your Android smartphone or tablet.

    Recovering from Malware

    If you think your device has been infected with malware, you should try to disconnect it from any networks to which it has access. This might include WiFi, Ethernet, mobile data, Bluetooth or some other type of network. Doing so will help prevent the malware from sending additional data, receiving new commands or infecting other devices on the network.

    Avoid connecting things like USB memory sticks and backup drives to the suspect device unless you are prepared to discard them or know how to disinfect them safely. Similarly, you should avoid using things that were previously connected to that device.

    You can sometimes clear up a malware infection just by running your anti-malware software and letting it take care of the problem. On the other hand, some malware is designed to survive a full re-installation of the operating system. Most infections fall somewhere in the middle. In order from least to most effort (and, unfortunately, from least to most effective), the following are a few options:

    1. Do a full scan with your existing anti-malware tool.
    2. If the suspect device is a computer, restart it from an anti-malware rescue disk (such as Windows Defender Offline or the AVG RescueCD) and then discard the USB memory stick you used to create the rescue disk.
    3. If you have a way to restore your device to its "factory settings," back up your important files and do so. Do not back up any software. Be careful with the storage device you used for backup. Make sure it is clean before plugging it into your restored device.
    4. If the suspect device is a computer, you can reinstall the operating system after backing up your important data. Once again, make sure your backup disk is clean before plugging it into the device on which you reinstalled the operating system. If you use a USB stick to reinstall the operating system, consider discarding it.
    5. Back up your important files. Do not back up any software. Buy a new device and make sure your backup disk is clean before plugging it into your new device.

    In the last three examples, you might want to use a secure, bootable liveUSB like Tails, without a network connection, to copy your backed up files from the original storage device to a new one. This is not a perfect solution, but it will decrease the likelihood of your backup drive re-infecting your system.

    Clearly, the best way to deal with malware is to avoid it. But thinking through the potential impact, and planning out how you would respond, can help you recover more quickly if one of your devices does get infected.

    Keeping your software up-to-date

    Computer programs are often large and complex. Undiscovered flaws are more or less inevitable, and some of these flaws can undermine the security of a device. Software developers continue to find these errors, however, and release updates to fix them. It is essential that you update all of the software on your computer, including the operating system, as regularly as possible. This is probably the single most important thing you can do to protect your device from malware.

    Staying up-to-date with FOSS and freeware tools

    Proprietary software often requires proof that it was purchased legally before it will allow you to install updates. If you are using a pirated copy of Microsoft Windows, for example, it may be unable to update itself, which would leave you and your information extremely vulnerable. Some pirated software even comes with malware already installed. By not having a valid license, you put yourself and others at risk.

    Relying on illegal software can present non-technical risks, as well. The authorities in some countries use software piracy as a pretext to confiscate devices and close down offices that belong to organisations with which they have political differences.

    Fortunately, you do not have to purchase expensive software to protect yourself from threats like these. Free and open-source software (FOSS) is software that can be obtained and updated free of charge, and for which the source code is publicly available. FOSS tools are generally considered more secure than proprietary ones, all else being equal, because their code can be examined by a diverse group of experts, any one of whom can identify problems and contribute solutions. This transparent approach to development also makes it much more difficult for someone to hide a back door in a piece of open source software.

    Freeware is software that is distributed free of charge but that is not open source. While it does not benefit from the transparency of FOSS, it may still be safer than proprietary software that is pirated or "expired." Consider trying out FOSS alternatives to the proprietary software you rely on. If you do not find something that works for you, consider freeware alternatives to any unlicensed software you might be using.

    FOSS applications are often similar to, and compatible with, the proprietary software they replace. Even if your colleagues continue to use the commercial version of a particular type of program, you can still exchange files and share information with them quite easily. As a place to start, you might consider replacing Microsoft Internet Explorer and Microsoft Office with Mozilla Firefox and LibreOffice.

    There are FOSS alternatives to the Windows and MacOS X operating systems as well. GNU/Linux is the most popular of these and probably the most user friendly. To try it out, you can download a liveUSB version of Ubuntu Linux, copy it onto a USB memory stick, put it in your computer and restart. When it's done loading, your computer will be running Linux, and you can decide what you think. It will not make any permanent changes. When you're finished, just shut down your computer and remove the Ubuntu liveUSB. The next time you start up, you'll be back in Windows, and all of your applications, settings and data will be just as you left them.

    In addition to the general security advantages of open-source software, Ubuntu provides an easy-to-use update tool that will keep all of your applications, and the operating system itself, from becoming outdated and insecure. Linux is also a good option for hardware that is too old to run current versions of Microsoft Windows or MacOS X.

    Firewalls

    A firewall is the first program on a computer that sees incoming data from the Internet. It is also the last program to handle outgoing data. Like a security guard posted at the door of a building to decide who can enter and who can leave, a firewall receives, inspects and makes decisions about network traffic.

    Network connections reach your device through numbered ports. These ports allow the software on your device to listen for and respond to requests. If firewalls are the guards, these ports are the doors themselves, and they can be open or closed. A closed port is one on which no software is listening. There is no way for an external attacker to exploit such a port directly. Because of this, not all devices come with a firewall turned on. Macs ship with their application firewall disabled, for example, and the default Linux Firewall is configured to allow pretty much anything in. (Neither Android nor iOS devices have firewalls.) This does not mean these systems are wide open to all network connections, however. It just means they trust their software not to be listening when it shouldn't. They are like building owners that do not bother with guards and cameras because they are confident about which doors are unlocked, which are barricaded and which will open only for people with certain keys.

    Computers are complicated, however, and can sometimes do unexpected things. Firewalls help us protect our devices in situations where a piece of software starts listening on a port when we weren't expecting it to. Where a door gets left open, in other words, either by accident or by a malicious person within the building. If you know the list of ports that should be accessible on your computer — and if you do not want additional ports added to that list just because a new piece of software gets installed — have a look at the Firewall software section below.

    Having said all that, the default firewall configuration on a modern operating system should work just fine for most of us.

    Finally, while firewalls are often thought of as we described them above — as a way to deny external attackers a clear path to our devices — many of them monitor outgoing connections as well. By doing so, they are sometimes able to let us know when malicious software is trying to steal data or "phone home" for instructions. If you install a firewall that is specifically designed to limit outgoing connections, or if you configure your built-in firewall to work this way, you should be prepared to spend some time "training" it so that it only alerts you when it observes something unusual.

    Firewall software

    All current versions of Windows include a built-in firewall, which is turned on by default. As mentioned above, MacOS X has a firewall but it is disabled. Turning it on rarely causes problems and is probably a good idea. If nothing else, you will learn more about firewalls by looking at how it is configured. Ubuntu Linux comes with a powerful but difficult-to-use firewall called iptables. If you want to add restrictions to your Linux firewall, you should consider installing gufw using your package manager. It is a graphical user interface for the Uncomplicated Firewall (UFW) application, which makes iptables easier to manage.
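The "doors left open" idea from the Firewalls section above can be turned into a routine check: list the ports your device is actually listening on and compare them with the short list you expect. The script below is an added example, not code from this guide or from the UFW project; it parses the output of `ss -Hltun` from iproute2 on Linux, and the allow list (ssh on 22, the CUPS print service on 631) and the sample socket listing are constructed assumptions for a hypothetical workstation.

```shell
#!/bin/sh
# Compare the ports a device is actually listening on against the list you expect.
# Parses `ss -Hltun` output: Netid State Recv-Q Send-Q Local:Port Peer:Port [Process]

# Hypothetical allow list for a workstation: ssh (22) and the CUPS printing service (631).
EXPECTED_PORTS="22 631"

# port_of ADDRESS: keeps only the digits after the last colon,
# so 0.0.0.0:22, [::]:22 and *:22 all yield 22
port_of() {
  printf '%s\n' "$1" | sed 's/.*:\([0-9][0-9]*\)$/\1/'
}

# unexpected_ports ALLOWLIST: reads ss-style lines on stdin and prints "proto port"
# for every listener whose port is not in ALLOWLIST (space-separated numbers).
unexpected_ports() {
  allow="$1"
  while read -r proto state recvq sendq laddr peer rest; do
    [ -z "$proto" ] && continue
    port=$(port_of "$laddr")
    case " $allow " in
      *" $port "*) ;;                          # expected listener, ignore
      *) printf '%s %s\n' "$proto" "$port" ;;  # unexpected: a door left open
    esac
  done
}

# Constructed sample of `ss -Hltun` output: the two expected services plus two surprises
# (a TCP listener on 4444 and a UDP socket on 5353 that nothing on the allow list explains).
SAMPLE_SS='tcp   LISTEN  0  128  0.0.0.0:22    0.0.0.0:*
tcp   LISTEN  0  5    [::]:631      [::]:*
tcp   LISTEN  0  128  0.0.0.0:4444  0.0.0.0:*
udp   UNCONN  0  0    0.0.0.0:5353  0.0.0.0:*'

# check_sample: runs the comparison over the constructed sample
check_sample() {
  printf '%s\n' "$SAMPLE_SS" | unexpected_ports "$EXPECTED_PORTS"
}

# check_live: the same comparison against the running system, if `ss` is available
check_live() {
  command -v ss >/dev/null 2>&1 || { echo "ss not found" >&2; return 2; }
  ss -Hltun | unexpected_ports "$EXPECTED_PORTS"
}

check_sample
```

Run against the sample, the script reports `tcp 4444` and `udp 5353`; run as `check_live` on a real Ubuntu machine, anything it prints is a service you did not plan for and should either recognise, remove, or block. The second half of the advice above, not letting newly installed software add ports on its own, is what UFW's default-deny posture gives you: `sudo ufw default deny incoming`, one `sudo ufw allow 22/tcp` per port on your allow list, then `sudo ufw enable`. After that a new listener may still start, but nothing outside the machine can reach it until you add a rule.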

    Preventing untrusted network connections

    • Make sure that all Windows computers on your home and office networks have a firewall installed and enabled.

    • Make sure that your router or WiFi access point has a firewall enabled. Most of them do, but it is worth checking. That router is the only thing between your local network and an Internet full of malicious activity. You should also change the administrator password used to modify the router's settings to something strong and unique.

    • Only install essential software on the devices you use for sensitive work. Make sure you get this software from a reputable source, and keep it up to date.

    • Disable any system services, such as local file-sharing, that you no longer use.

    • Disconnect your computer from the Internet when you are not using it and shut it down completely overnight.

    • Do not share your device password with anyone.

    Further reading