Keeping online criminals at bay

The Web is a fount of information, a busy marketplace, a thriving social scene -- and a den of criminal activity.

Criminals have found abundant opportunities for stealthy attacks on ordinary Web users, experts say. Hackers are lacing websites -- often legitimate ones -- with malware that can silently infiltrate visiting PCs to steal sensitive personal information and then turn the computers into "zombies" that spew spam and more malware on the Internet.

At one time, virus attacks were obvious to users, said Alan Paller, director of research at the SANS Institute, a training organization for computer security professionals. He explained that now, the attacks were more silent. "Now it's much, much easier infecting trusted websites," he said, "and getting your zombies that way."

And there are myriad lures aimed at conning people into installing nefarious programs, buying fake antivirus software or turning over personal information that can be used in identity fraud.

"The Web opened up a lot more opportunities for attacking" computer users and making money, said Maxim Weinstein, executive director of StopBadware, a nonprofit consumer advocacy group, which receives funding from Google, PayPal and Mozilla among others.

Google says its automated scans of the Internet recently turned up malware on roughly 300,000 websites, double the number recorded two years ago. Each site can contain many infected pages. Meanwhile, malware doubled last year, to 240 million unique attacks, according to Symantec, a maker of security software. And that does not count the scourge of fake antivirus software and other scams.

So it is more important than ever to protect yourself and others from attackers. Here are some basic tips for thwarting them.

Internet Explorer and Firefox are the most targeted browsers because they are the most popular. If you use current versions, and download security updates as they become available, you can surf safely. But there can still be exposure between when a vulnerability is discovered and an update becomes available, so you also need up-to-date security software, especially if you have a Windows PC.

The Chrome browser from Google, the newest on the market, includes some security advances that make attacks more difficult.

Get updates for Adobe Reader, for PDF files, and Adobe's Flash Player. In the last year, a virtual epidemic of attacks has exploited their flaws; almost half of all attacks now come hidden in PDF files, Weafer said.

Many computers run old, vulnerable versions. To update the Reader, open the application and then select "Help" and "Check for Updates" from the menu bar. Since April, Windows users have been able to choose to get future updates automatically without additional prompts by clicking "Edit" and "Preferences," then choosing "Updater" from the list and selecting "Automatically install updates." Mac users can also arrange updates using a similar procedure, though Apple requires that they enter their password each time an update is installed.

To get the latest version of Flash Player, visit Adobe's website.

A particularly popular swindle involves an alert that a virus was found on the computer, followed by urgent messages to buy software to remove it. Of course, there is no virus and the security software, known as scareware, is fake. It is a ploy to get credit card numbers and $40 or $50. Scareware accounts for half of all malware delivered in ads, up fivefold from a year ago, Google said.

Closing the pop-up or killing the browser will usually end the episode. But if you encounter this scam, check your PC with trusted security software or Microsoft's free Malicious Software Removal Tool. K9 Web Protection, free from Blue Coat Systems, also helps. Though it is marketed as parental-control software, K9 can be configured to look only for security threats like malware, spyware and phishing attacks -- and to bark each time it stops one.

Poisoned search results: Online criminals also manipulate search engines into placing malicious sites toward the top of results. Google and competing search engines are working to remove malicious sites from indexes. Free tools like McAfee's SiteAdvisor and the Firefox add-on Web of Trust can also help.

Anti-social media: Attackers also use e-mail, instant messaging, blog comments and social networks like Facebook and Twitter to induce people to visit their sites.

Accept "friend" requests only from people you know, and guard passwords. Phishers filch log-in information so they can infiltrate accounts, impersonate you to try to scam others out of money and gather personal information about you and your friends.