Despite repeated warnings from security professionals, people still download files from sketchy places and end up getting compromised. Even those who grew up with computers and access to information on securing them seem to fall victim to certain patterns of attacks. The question is, why?
According to a security practitioner who moderates forums on Reddit and Discord, many of these attacks exploit the trust people place in a source when downloading software. They may receive private messages from supposed friends on Discord, urging them to download and give feedback on a game in a password-protected .ZIP file. They may use Google to search for a commercial software package but specify that they are looking for a free or cracked version of it, downloading it from a website in the search results. They may follow a video on YouTube that explains how to download a free or cracked version of commercial software. They may torrent the software from a well-known site specialising in pirated software, or from a private tracker, Telegram channel, or Discord server. In all these cases, people tend to trust the source of the software, even when they know it is untrustworthy.
Security professionals have advised people to download software only from reputable sites. However, they have not explained what makes a site safe to download from in the first place. A site is reputable if it is the author's or publisher's own site, or a site expressly authorized by them. Sometimes, publishers provide additional links to other download sites that are also official because they are authorized by the author or publisher. There are also software repositories such as SourceForge and GitHub that host open-source projects, and sites that specialize in listing shareware and trial versions of commercial software. But caution is necessary, as some of these sites wrap the files they serve in a downloader program that prompts the user to install additional software or potentially unwanted applications (PUAs).
File locker services such as Box, Dropbox, and WeTransfer are all legitimate file-sharing services, but threat actors can abuse them, counting on people to assume that programs downloaded from them are safe. Search engine results can be tricky to interpret, as some of the top results may be paid advertising. Criminals take advantage of this through malvertising campaigns, buying advertising space to redirect people to phishing websites or malware.
In conclusion, people need to be cautious when downloading software and only do so from reputable sites. They need to be aware of the various means through which they could be tricked into running malware and take steps to prevent such attacks. Security professionals need to provide more comprehensive education and information on safe computing practices to bridge the disconnect between what they are advising people to do and what people are doing.