For the past 20 years or so, websites and applications across the world have relied on platforms such as Shockwave, Java, Flash, and Silverlight to show everything from video games to interactive graphics and financial graphs. Although many have declined in use over the past decade, most of the computers in the world still run Java or Flash Player, but the vast majority of people don’t know what either of them are for, only that they might be “important”.
Unfortunately, the almost universal adoption of these two programs opens up an easy target for scammers looking to steal user information or fool people into installing less than legitimate programs on their computers. The weakness comes from both sides in the form of updates for Flash,
as well as Java.
As far as the first group is concerned, their objective is to hit people who have not updated in a while, and who still have outdated versions of either program, in attempts to exploit glitches or chinks in the program to their advantage. This is usually with the intention of stealing valuable information such as credit card or social security numbers, online banking logins, et cetera. For this group the best defense is to always stay up to date and never open any emails from senders you don’t recognize. Frequently, links or attachments to any such exploits are sent via email in a message that may seem completely innocuous.
Now, this brings us to group two. Group two relies on the fact that most people have Flash and Java, and most people wish to keep them up to date, and so disguises their malicious or unwanted software as Flash or Java in order to trick people into downloading them. This method is typically more prevalent than the first, and ironically takes advantage of people’s fears concerning not being up to date and protected. More often than not, these types of illegitimate “updates” are shoehorned over webpages in the form of popups such as the one below.
The average person might see this and choose to download the “update”, believing it to be to their benefit. However, at the very least, the resulting program will be annoying, and at the very worst, dangerous to your security. The best defense against these types of attacks is to never download anything from a popup, and to always take careful notice of details in the popup itself. Ask yourself, “does this look legitimate?” Comparing the two Flash “updates” above, we see that the bottom one has several tells that indicate it’s not what it says it is. For example, the bottom one lacks any sort of officially licensed Adobe markings or insignias, is filled with jargon intending to sell itself rather than inform users of improvements, has no option to install the update later, and it possesses no End User License Agreement.
All the same, it’s usually best to avoid any sort of popups claiming to be updates or “free downloads” if possible. When you see a popup, even one that seems legitimate, there’s a fool-proof way of telling. Go straight to the developer’s website for the product, whether it be Flash or Java, and you can get the latest version from adobe.com and java.com, respectively.