A macro is a small piece of code that runs within a software program such as Microsoft Word or Excel, and is normally used to automate common or repetitive tasks. Macro malware is the practice of hiding a virus in a macro code and enticing unsuspecting users into downloading a Word or Excel file and running the macro script within, which then will download a virus, malware or even ransomware onto that person’s PC. Macro malware was common during the 1990s, but lapsed in popularity through most of the 21st century as increasingly savvy PC users learned how to spot the spam or phishing emails that delivered them, which were often riddled with typos. Nowadays, however, macro malware is seeing a big return due to two factors – Phishing emails are becoming increasingly sophisticated and no longer have obvious typos in them, and ransomware – a very profitable form of malware for criminals – can be easily downloaded via a macro, leading to entire networks being encrypted and held to ransom. It is now critical that all users understand the threats that macro malware can pose, particularly to their organisation, and learn how to spot the attacks before it’s too late.
Traditionally, cyber security has been seen as an IT department’s problem. They make sure everyone has antivirus on their PCs and take care of the firewall – and as long as they’re doing it right, then everyone else is safe… right? This has lulled users and business owners into a false sense of security of late, believing that cyber security simply isn’t their area or that it’s not in their job description. However, this attitude is now being taken advantage of in a big way by cyber criminals, who have discovered that individual users are much easier to target and deceive. As a result, users often takes actions which inadvertently allows the hackers to bypass the IT security systems. Traditional antivirus is dead, and even more advanced next-generation antivirus simply can’t stop the most deadly attacks. Now, everyone in an organisation has a part to play in keeping it secure, from the bottom all the way up to the CEO.
Hackers are now finding it easier to target regular users, who often lack cyber security training, than to try and bypass complex technical measures put in place by IT
Social Engineering is the art of manipulating, influencing, or deceiving you in order to gain control over your computer system. The hacker might use the phone, email, snail mail or direct contact to gain illegal access. Phishing, spear-phishing and CEO Fraud are all examples.
Hoes does it work? It is often as simple as an email asking you to view an invoice, check out suspicious logins on your account, or even update your password. Cyber criminals will make these emails look as legitimate as possible, and then use social engineering to convince you to carry out the action without second-guessing the action. In more advances attack, such as spear-phishing, the emails may even appear to come from within your organisation. All of this is to convince you to do something that would allow hackers to infect your PC with ransomware or other forms of malware. Often, criminals will attempt to convince you that their email is ‘urgent’, and that something bad will happen if you do not click the link, such as you being locked out of one of your accounts. This tone of urgency is a classic social engineering ploy, and is big factor to look out for when you suspect an email may not be legitimate.
Remember: Always Think Before You Click