More computer screens may be set to the warm (and eye-friendly) glow of “night mode” this time of year. Yet there’s a cold chill in the air, and ugly things happen to good people, especially online.
Crooks and cacodemons inhabit the web world around us, and not only at Halloween. Internet scares are not limited to the spooky time of the year.
This is your favorite season? Here’s how to turn any old day into an inescapable, never-ending Halloween nightmare: just use a local browser to access the web.
Abandon Hope All Ye Who Launch Your Browser
“Abandon hope all ye who enter here” and get ready for the goosebump ride of your life. Think lots of “tricks”, without the “treat” part.
Check out this list of things that are likely to go bump in your browser – no matter the season:
Browser Boo #1: Trick or Treat – “Your files have been encrypted.”
A mostly empty screen with these words on it (along with a skull-and-bones graphic) gets your attention right quick.
Ransomware attacks have become the most prevalent of criminal computer exploits, since they are as easy for web vampires to stage as it is for their traditional brethren to hook their fangs into a Red Cross blood bag.
No risky efforts required – the ransomware exploit kit gets delivered via a spiked link or hacked website, and the local browser – designed to indiscriminately fetch code from the web and process it locally – will dutifully execute the malicious code on the user’s computer and network.
Note the putrid smell of anguish in the IT department when the victims rake each other’s brains for the date of the last full data backup. The place will feel like a haunted crypt quickly. Moaning, gnashing of teeth, and crying are optional but common.
Browser Boo #2: Drag Me to Hell
“This isn’t the URL I thought I would end up at!” The URL shortener link you clicked delivered you straight to HTTP Hades.
There are many ways for this to happen, because regular browsers are unable to tell the difference between legitimate and illegitimate URLs. The effect is almost always the same: agony, torment and suffering for users and IT admins.
Turning the browser into a gateway to hell, by misdirecting a user’s path, is cruel child’s play for the web’s darkest forces. Once this first step has been accomplished, malware will be downloaded in the background, or a phishing form served up by what looks like a legitimate login page.
In the Halloween movie “Drag Me to Hell” (2007), a loan officer finds herself under a supernatural curse after she evicted an old woman from her home. You’re not a bad person. You may not even be in mortgage banking.
All you did wrong was launch your (local) browser. Welcome to the nightmare.
Browser Boo #3: Invasion of the Browser Snatchers
Browser developers know that many things can go “bump” with their product. So they incorporate features to tell you why your browser won’t open a particular page. “Your connection is not secure” is a typical warning that pops up.
“The owner has configured their website improperly,” it may go on. Are you scared into submission yet? It’s in your own best interest, the message emphasizes: “To protect your information from being stolen, we have not connected to this website.”
This is usually about a valid security certificate that the browser was expecting on the web server, but the certificate may be missing or deemed unsafe. Or has it been replaced with something evil?
You may find out, the hard way, if you go ahead and say “just do it.” That requires a real-time, seat-of-the-pants security decision: Do I force the page to open? What’s behind that forbidden door?
In the classic B-flick “Invasion of the Body Snatchers”, a doctor learns that the town folk of his small community are being replaced by alien duplicates. To not have your browser snatched, keep in mind that security certificates can meet the same fate.
Browser Boo #4: Insidious
There you are in some “incognito mode” or “private browsing” setup, (presumably) keeping your identity to yourself, when, all of a sudden, you realize: you’re not surfing the web – the web is surfing you.
You’ve just placed an order for pumpkin spice and, totally unrelated, display ads for a winter coat you were checking out three weeks ago are beginning to crowd your screen. This is when you realize that something truly wicked is going on.
The explanation is simple. Incognito mode won’t keep others from tracking your website visits, nor will it keep websites from watching (and sharing with others) what you do on their pages or from pushing malware your way via your browser.
Switching to private mode only hides your browser history from someone with access to the same computer. It doesn’t hide your IP address from your ISP or employer, and it still allows for browser “fingerprinting” by third parties.
In the horror flick “Insidious: Chapter 2” (2013), the Lamberts – mistakenly – believe they finally got rid of the evil spirits that haunted them. Learn from the Lamberts.
“Incognito Mode” notwithstanding, with a local browser, expect the ghosts of your online past to haunt you whenever and wherever you access the web in the future.
Browser Boo #5: Scream.
You want to, but you can’t. Everything in the browser page stopped dead, and so did your heart. Tabs won’t change pages, content is frozen – and you have only five minutes left to deliver that quarterly report.
Your local browser may have been cryptojacked. Local CPU resources now go to the cryptocurrency mining script that some gold digger force-fed your browser, which is now choking on it.
The “why” of it you can guess by now. On the web, it’s not you who’s in control, but anyone out there who is familiar enough with the browser’s many vulnerabilities to turn them against you. Your work and your data have been immobilized. Caches are not available, since they are frozen as well. You are hosed.
Deep down in the crypto mine, you can almost hear the code kobolds chuckle softly while counting their cybercoins.
Browser Boo #6: Public WiFi – Something Wicked This Way Comes
Don’t be selfish, pumpkin. Share the horror with your co-workers, customers or clients. Make every day Halloween and turn your and their lives into living hell, just by stopping in at a local coffee shop or hotel lobby with free WiFi to get some work done online.
You’ve just opened your laptop, and before you even know it, your digital (and career) fate may be silently controlled by a devilish presence known as a rogue access point, which is mimicking the location’s legitimate WiFi hotspot.
Once you’ve inadvertently connected to the web through a rogue AP, anything you do in your local browser from now on without sufficient encryption – updating proprietary company information, say, reviewing webmail from your boss – will be fair game for the attacker.
Perhaps HR will call you into the office one day because, millions of dollars in damages later, IT or some expensive forensic expert finally figured out who opened the doors to cyber doom for the company. Then you can still say “Happy Halloween!” and enjoy being Zombie-walked out of the office by security.
Don’t have the stomach for that? At a minimum, use a VPN. Or better, because the rogue AP can still redirect regular browsers to fetch and execute malware or spyware on your local machine, use a secure cloud browser.
Browser Boo #7: The Upgrade from Hell
Maybe your browser at work has a standard plugin or extension active. But one dark and stormy night, that same plugin starts silently collecting intellectual property files or other sensitive data from your computer and exfiltrates them to some foreign attacker.
This has happened to millions of users over the past years. In most cases, the developer account for the browser plugin had been hijacked and then used to push an evil “update” of the extension to browsers.
While such attacks are on the rise, awareness of the situation hasn’t risen at the same rate. Realizing that your files have just been sent to China, Russia or New Jersey because you trusted a supposedly “secure” browser can turn any day into Halloween.
In the 2018 Sci-Fi horror flick “Upgrade”, Grey, the protagonist, loses control over his life and limbs. His only hope is an experimental computer chip implant. What are your options, when paralyzed by plugin pandemonium?
Better not wait for it to happen. Take back control from the data sucking demons now, no chip implants required. Simply upgrading to a secure cloud browser will do – and once and for all prevent code infiltration and data exfiltration on your local machine when you access the web.
Browser Boo #8: Wrong Turn
Unicode allows the entire world to use the same framework to convey written information, but it can also be used to disguise harmful URLs. Clicking on them, for example in a phishing email, will result in the web equivalent of taking the wrong turn on a lonely country road.
The text on your screen can contain characters belonging to one language that look similar to the characters of another. Without careful examination, they seem to be the same. But they aren’t. Cyrillic characters can look very similar to the Latin character set used by English speakers.
Put in ghoulish terms, Unicode has several zero-width code points (like the zero-width joiner and the zero-width non-joiner) which are hints for hyphenation tools. They have no visible effect on the on-screen appearance, but they still affect string comparison.
A class of attacks called homographs can be devastating. The Latin U+0069 character is a lowercase “i”, but the U+00ED character is an “i” with an accent. On a small (or dust-speckled) screen they will look exactly the same in the browser bar.
Even without Unicode tricks, the shapes of letters in the same language can cause people to fall victim to spoofing. www.rnullets.com in a webmail link will not load www.mullets.com (where you wanted to go), but the homepage of www.r n u l l e t s.com – a trap designed to steal your password or dupe your browser into downloading ransomware. The “r” and “n” characters put next to each other look just like an “m” when quickly perused.
Stephen King’s “Pennywise” will have nothing on the clown that you just made of yourself, in front of the whole company, if you fell for that phish.
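The lookalike tricks from Browser Boo #8 can be checked mechanically before a link is trusted. The following is an added example, not code from the original article: it flags zero-width code points, mixed scripts, and hostnames that fold to the same shape as a trusted one. The lookalike map, the function names and the sample hostnames (other than www.mullets.com) are constructed assumptions.

```python
import unicodedata

# Code points with no visible width that still change string comparison.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
# Constructed, deliberately tiny map of ASCII pairs that read as one letter.
ASCII_LOOKALIKES = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def script_of(ch):
    """Rough script label taken from the Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER"


def skeleton(host):
    """Fold a hostname to a comparison form: strip zero-width code points,
    drop accents, lowercase, then collapse ASCII lookalike pairs."""
    host = "".join(c for c in host if c not in ZERO_WIDTH)
    host = unicodedata.normalize("NFKD", host)
    host = "".join(c for c in host if not unicodedata.combining(c)).lower()
    for seen, meant in ASCII_LOOKALIKES:
        host = host.replace(seen, meant)
    return host


def inspect_host(host, trusted):
    """Return a list of findings for one hostname taken from a link."""
    findings = []
    if any(c in ZERO_WIDTH for c in host):
        findings.append("zero-width code point")
    scripts = {script_of(c) for c in host if c.isalpha()}
    if len(scripts) > 1:
        findings.append("mixed scripts: " + ",".join(sorted(scripts)))
    if any(ord(c) > 127 for c in host):
        findings.append("non-ASCII characters")
    for good in trusted:
        if host != good and skeleton(host) == skeleton(good):
            findings.append("lookalike of " + good)
    return findings


if __name__ == "__main__":
    # Constructed sample links; www.mullets.com is the page's intended site.
    for h in ("www.rnullets.com", "www.mull\u0435ts.com", "www.mul\u200dlets.com"):
        print(repr(h), inspect_host(h, ["www.mullets.com"]))
```

An empty result means only that none of these three checks fired; the map above covers a handful of pairs, not every confusable character.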
Are you longing to revive those dark Halloween spirits of your childhood, the chills you felt when the cold wind howled past the abandoned Victorian on the corner? You could just feel the presence of IT lurking behind those blind windows. Yet you never took a closer look, because you were afraid of what you would find.
As an adult, launching your local browser will be as close as you’ll ever come to finally pushing open that forbidden door (and save on the annual scary movie ticket in the process). Just be warned: What you will find may confirm your worst fears.
Be prepared to get scared out of your wits. And what better time for that than Halloween? Get ready to admit that you’ve lost control. Online, you’ve long surrendered to that faceless presence that has been haunting your dreams.
Whenever you use the web, think about what lurks just outside your field of vision. That presence, it turns out, has taken control of your (digital) life. For real. It owns you now. It lives in your browser.
As kids, just to make sure, we checked under the bed before turning in on Halloween night. As grownups, we’ve learned: On the internet, it’s always Halloween.
You can end this nightmare. Snap out of it, regain control of your reality. Now go check your browser.
Larry Loeb has been online since uucp “bang” addressing (where the world existed relative to !decvax) and served as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange. He wrote for BYTE magazine, was a senior editor for the launch of WebWeek, and authored books on the Secure Electronic Transaction Internet protocol and “Hack Proofing XML” (his latest). Larry currently writes about cybersecurity for Security Now.