Dealing with Fake Tech Support & Phone Scams

    On this blog, we’ve discussed the ways that scammers can attack your PC, through malicious software, rogue security alerts, phishing attacks and more. But the bad guys have now devised a new vector: the phone. I first learned about this when I heard my parents had received a call that they had been identified as having rogue software on their PC. The caller, who said he was from Microsoft, needed remote access to their PC to resolve the issue. Turns out scammers like these were simply taking the time to prey on potential victims by calling them and masquerading as a representative from a trusted institution to trick them into giving up valuable and personal information. Sometimes, as in my parents’ case and others, they even advise installing a remote access code so scammers will have full access to the PC.

    We’ve discovered this telephone scam is aimed at English-speaking countries, including North America and the United Kingdom. The callers pretend to be from Microsoft and try to sell the victim something, direct them to a specific website, ask for remote access, ask them to install software, ask for a credit card number, or run a bogus security scan that shows an infection. The Trustworthy Computing Team conducted a survey of 7,000 people and found that more than 1,000 people had received calls. Of those 1,000 people, 22 percent fell for the scam (234 people total), and 184 of those lost money: on average, more than $800.

    You can check out some tips for avoiding phone scams here, but we want to remind you that you will never receive a legitimate call from Microsoft or our partners to charge you for computer fixes. If someone does call you claiming to be from Microsoft:

    • Never give control of your computer to a third party unless you can confirm that it is a legitimate representative of a computer support team with whom you are already a customer.
    • Never provide your credit card or financial information to someone claiming to be from Microsoft tech support if you did not initiate the call to Microsoft first.
    • Ask upfront if you are required to purchase software or pay a fee or subscription associated with the "service." If there is, hang up.
    • Take the caller's information down and immediately report it to your local authorities. If you think you’ve been the victim of a scam, check out these tips that can help you protect your money and identity.

    It’s a jungle out there! Please remember to question any unsolicited email or call. If the email came from somebody in your contact list but it feels suspicious, here is a great article on recognizing phishing emails. Lastly, always keep your PC protected with antivirus software like Microsoft Security Essentials, which is free, or software from one of our partners.

    Combating social engineering tactics, like cookiejacking, to stay safer online

    You may have seen articles recently that highlight a social engineering technique called “cookiejacking” and how a particular instance may currently affect Internet Explorer.

    It’s important to note that we have not seen widespread attacks related to this specific case. However, we take security very seriously, and to ensure customers are protected, we are working on an update to Internet Explorer.

    Cookiejacking is a variant of an industry-wide attack type known as clickjacking. All Internet browsers are potentially susceptible to clickjacking, which is a form of social engineering attack, so as well as talking about this issue we wanted to highlight some more general best practices for staying safe online.

    We also wanted to put this specific issue in context. In order to be exposed to risk, a number of things would need to happen. You’d need to be tricked into interacting with malicious content on a website. Only after this could a third party steal cookies from a website that you were previously logged into. While this threat has been demonstrated by a security researcher, to date we are not aware of any actual attacks online.

    The InPrivate Browsing feature in Internet Explorer will prevent cookies from earlier browsing sessions being stored on your PC, which means they are not vulnerable to cookiejacking even in the circumstances described.

    This is a form of social engineering attack, and these kinds of threats will remain a concern for Internet users on all browsers. Software vulnerabilities are not needed for these kinds of threats to be successful, so it is always a good idea to follow best practices, regardless of the browser you are using, in order to stay safe.

    Some social engineering scams can be easily recognized because they contain any of the following:

    • Odd messages from friends on social networking sites to participate in games or offers you must act upon immediately.
    • Alarmist messages and threats of account closures.
    • Promises of money for little or no effort.
    • Deals that sound too good to be true.
    • Requests to donate to a charitable organization after a disaster that has been in the news.
    • Bad grammar and misspellings.

    To learn more about identifying social engineering scams and how to protect against them, please see Microsoft’s guidance on email and web scams. One of the basic rules on the Internet, as in life, is to use common sense and be suspicious of contacts from strangers, things that don’t look quite right or offers that appear too good to be true.

    Internet Explorer includes some industry leading features to help protect against other forms of socially engineered attacks.

    Our SmartScreen filter technology helps detect phishing websites. SmartScreen Filter can also help protect you from installing malicious software or malware, which are programs that demonstrate illegal, viral, fraudulent, or malicious behavior.

    As well as the SmartScreen service, we’ve also invested in Microsoft Security Essentials, free anti-virus software for Windows customers. In addition, we work with other anti-virus vendors around the world to share information about software security issues, which allows them to develop better protections, faster, for their customers. This is what we refer to as community based defense.

    Socially engineered attacks are criminal activities and Microsoft fights these battles on the legal front as well. Our Digital Crimes Unit (DCU) works with law enforcement and government agencies daily to take down major botnets that are responsible for huge amounts of spam and social engineering attacks across the Internet.

    Social engineering is a threat across the industry, and at Microsoft we’re diligently working to help keep customers safe online.

    Windows 7 is now Common Criteria Certified!

    Our friends over at the FutureFed blog reported that Windows 7 has passed the Common Criteria (CC) certification process and achieved Evaluation Assurance Level 4 with augmentation (EAL4+). Common Criteria certification is an international standard recognized by 26 member nations including the United States and is a procurement requirement for U.S. Defense and national security customers.

    With this certification, we are excited that our federal customers as well as foreign governments can feel secure in deploying Windows 7, now that it has successfully passed the rigorous security testing protocols set forth by the National Information Assurance Partnership.

    Several governments have already successfully deployed Windows 7, including the Moscow North District Prefecture in Russia, the Vernon Hills Police Department in Chicago, Illinois, the City of Miami, Florida and the City of Stockholm, Sweden.

    This is exciting news, but not surprising as Windows 7 is our most secure operating system to date. In addition to enhancing existing security features in Windows, we incorporated customer feedback throughout the development process of Windows 7 to deliver innovative new security features, including Direct Access, AppLocker and BitLocker To Go.

    Congratulations, Windows 7!

    Security and Internet Explorer

    While the Internet is an amazing resource in terms of the information you can find and things you can do today, it’s important to also be smart about how you browse. A browser can be a great tool in helping you stay safe when you go online.

    Most online attacks fall into one of the three situations:

    1. Malware that relies on social engineering to spread

    2. Attacks directed against your browser or your operating system

    3. Attacks directed towards the websites you visit

    Let me spend some time describing what I mean by each of these, and also how Internet Explorer can help protect you from each of these types of attacks.

    Helping Protect You from Socially Engineered Attacks

    A term that you may hear on occasion within the security realm is “socially engineered attacks.” What this means is an attacker uses clever techniques to get you to lower your guard and trick you into doing something that makes you vulnerable to an attack. The idea here is that they aren’t looking for weaknesses in code; rather, they’re trying to fool you into a trap.

    The ways in which we see this play out are varied; it may be that you get spam, that is to say an email from a fake bank that actually takes you to a malicious site, or an email supposedly from a friend that encourages you to download a file which may contain malware. To help keep you safe from such types of attacks, Internet Explorer comes with the SmartScreen Filter technology, which has been improved even more with Internet Explorer 9. SmartScreen makes it harder for someone to trick you into opening a malicious page, or con you with a phishing site. This technology checks to see if the site you’re visiting is suspected of hosting malicious code and subsequently prevents you from continuing on to that page. Internet Explorer 9 goes one step further by warning you only when you download applications that may be of higher risk.

    Technologies like this can make a big difference in helping to keep you safe online. In December, NSS Labs reported that Internet Explorer offers the best protection against the spread of socially-engineered malware. As you can see in the below chart, Internet Explorer 8 (90%) and Internet Explorer 9 (99%) offer significantly more protection than other browsers.

    [Chart: NSS Labs results for protection against socially-engineered malware, by browser]

    Mitigating Attacks on Your Browser and PC

    Internet Explorer also helps protect against deliberate attacks where bad code is hosted on a site that is designed to exploit weaknesses in the software on your PC. Among all the lines of code that make up software, there can be vulnerabilities. The Internet Explorer team designed its browser with security in mind, and in comparison to other browsers, Internet Explorer has fewer vulnerabilities. The chart below illustrates the number of publicly known vulnerabilities in 2010, broken down by browser, according to the National Vulnerability Database.


    [Chart: publicly known vulnerabilities in 2010, by browser]

    *Data source: National Vulnerability Database. Data is based upon the most recently shipped versions available during this time period. In the case of Chrome, versions 5, 6, 7, & 8 were all released during this time period.

    At Microsoft, products are built with a secure-by-design approach, where security is designed into the product from the ground up. The result of this effort is a browser that includes specific features to help people stay secure and technologies that help insulate the browser against exploits. In addition to Microsoft’s security processes, which include the Security Development Lifecycle, Software Security Incident Response Process (SSIRP), and monthly security bulletins, some ways in which you might see this at a product level include features such as Protected Mode, Data Execution Prevention, and many others, both in Internet Explorer 8 and the soon to be released Internet Explorer 9.

    Protecting Against the Compromised Websites

    This last scenario is when an attacker has compromised a site that you visit in a way that interferes with how your browser relates to the site. This type of attack is called a cross-site scripting attack. In this instance, an attacker gets an unsuspecting server to load special code on your browser that allows the attacker to do anything from monitoring your keystrokes to performing actions on your behalf on the site. Internet Explorer has a built-in Cross-Site Script Filter that makes such attacks more difficult and helps protect you.

    The upcoming release of Internet Explorer 9 contains even more features designed to help keep you safer such as ActiveX Filtering and Application Reputation. More information on how Microsoft technologies can keep you secure can be found here.

    Fake Microsoft Security Essentials software on the loose. Don’t be fooled by it!

    Last week, we saw the re-emergence of another new trojan that is disguising itself as Microsoft’s no-cost antimalware program Microsoft Security Essentials. This imposter is known in the technical world of antimalware combat as “Win32/FakePAV”. FakePAV is a rogue that displays messages that imitate Microsoft Security Essentials threat reports in order to entice the user into downloading and paying for a rogue security scanner. The rogue persistently terminates numerous processes such as Windows Registry Editor, Internet Explorer, Windows Restore and other utilities and applications.

    This fake software is distributed by a tactic commonly described as a “drive-by download” and shows up as a hotfix.exe or as an mstsc.exe file. Additionally, after the fake Microsoft Security Essentials software reports it cannot clean the claimed malware infection, it offers to install additional antimalware rogues (with names such as AntiSpySafeguard, Major Defense Kit, Peak Protection, Pest Detector and Red Cross). Lastly, this fake program will try to scare you into purchasing a product.

    Before we get to the detailed view of how this trojan works, we want the message to be very clear: This software is a fake. Do not be fooled by this scam. This malware can potentially cause consumers and small business owners harm. Microsoft Security Essentials can be downloaded and used at no cost by users running genuine Windows (Download here: http://www.microsoft.com/security_essentials/). So anything mimicking Microsoft Security Essentials but asking for any sort of payment is clearly up to no good.

    If you have not already updated your security software please do so. Making sure your security software is up-to-date and has the latest definitions is the best way to prevent infections.

    And now onto a detailed look at FakePAV. While different FakePAV distributions have different payloads, here is how the current one imitating Microsoft Security Essentials works:

    1. It modifies the system so that it runs when Windows starts

    2. When you go to execute something it’s watching for, it opens the alert window claiming the program is infected and blocks it from running.

    3. You can expand it out for “additional details”

    4. If you click “Clean computer” or “Apply actions”, it simulates an attempt to clean the claimed infection

    5. You’ll then get an ‘unable to clean’ alert and be instructed to click ‘Scan Online’

    6. Clicking this, a list of antimalware programs appears, including several fake removal tools, and you’d need to click Start Scan

    7. Once the simulated scan completes, it will claim a solution was found and list products that can ‘clean’ the system (the listed products are fake removal tools).

    8. Clicking ‘Free install’ on one of those downloads will download its installer and start installing
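Step 1 (the rogue runs when Windows starts) combined with the file names mentioned above (hotfix.exe, mstsc.exe) gives a simple triage check. The following is an added example, not code from the original post: it flags autostart entries that use one of those names from an unexpected directory. The expected directories, the C:\Windows install path and the sample entries are assumptions made for illustration.

```python
import ntpath

# File names the post says this FakePAV variant shows up as, mapped to the
# directories where a genuine copy is expected (assumptions added here).
EXPECTED_DIRS = {
    "mstsc.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "hotfix.exe": set(),  # assumption: no legitimate autostart uses this name
}

def image_path(command):
    """Return the executable path from an autostart command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted paths may contain spaces, so cut at the first ".exe".
    cut = command.lower().find(".exe")
    return command[:cut + 4] if cut != -1 else command.split(" ")[0]

def is_masquerading(command):
    """True if the entry uses a watched name from an unexpected directory."""
    path = ntpath.normcase(ntpath.normpath(image_path(command)))
    # Assumption: Windows is installed in C:\Windows.
    for var in ("%systemroot%", "%windir%"):
        path = path.replace(var, r"c:\windows")
    directory, name = ntpath.split(path)
    return name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]

def flag_autostart(entries):
    """Return the value names of autostart entries that need review."""
    return [name for name, command in entries if is_masquerading(command)]

# Constructed sample data: (value name, command line) pairs as they might be
# exported from a machine's autostart locations. Not taken from a real system.
SAMPLE = [
    ("RDP helper", r'"C:\Windows\System32\mstsc.exe" /v:server01'),
    ("Update", r"C:\Users\Public\AppData\mstsc.exe"),
    ("Hotfix", r"C:\Documents and Settings\All Users\Application Data\hotfix.exe -s"),
    ("Notepad", r"%SystemRoot%\system32\notepad.exe"),
    ("RDP env", r"%SystemRoot%\system32\mstsc.exe"),
]

if __name__ == "__main__":
    for name in flag_autostart(SAMPLE):
        print("review autostart entry:", name)
```

A match is only a reason to look closer at the entry; a file name and location alone do not prove an infection.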

    If you believe your machine has become infected, we encourage you to use Microsoft Security Essentials to check your PC for malware and to help remove them from your system. You can also find out how to get virus-related assistance at no charge from Microsoft here: http://www.microsoft.com/protect/support/default.mspx.

    For more information on FakePAV, please visit our encyclopedia entry at http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Rogue%3aWin32%2fFakePAV. It contains a lot of information that may help answer questions about this rogue.

    And remember: Microsoft does not charge for Microsoft Security Essentials. You can find the legitimate version of Microsoft Security Essentials at http://www.microsoft.com/security_essentials.
