
Protecting against malware

Community Manager
Garnor M Community Manager Member Since: Oct 29, 2014
1 of 29

Hi everyone,

Some of you might have noticed a recent trend of discussion topics that highlight potentially harmful attachments scammers have been trying to pass via job posts, messages and invites. Here’s one such discussion thread we addressed yesterday. This isn’t just affecting Upwork, as bad guys have been ramping up all over the Internet in recent months; see yesterday’s internet-wide DDoS attack as an example.

 

In addition to increasing our security efforts overall on the Upwork site, our team has been gathering every report we see here on the Community and quickly escalating them to our Account Security team for immediate action. We reach out directly to any users who may be potentially exposed to vulnerabilities.

 

We’ve said it before and I’ll reiterate: we take information security very seriously and we’ll continue doing everything we can to keep your information safe. We continue to keep industry-standard security measures in place, including antivirus software that scans all attachments. However, nothing is foolproof; bad actors continually modify virus signatures to avoid detection by even the best antivirus software.

 

Take some steps to protect yourself as well. Here’s a brief Help Article with some best practices for maintaining the security of your account; please give it a read.

 

Finally, for your safety, as is the case for anyone using the internet, you should perform routine antivirus scans on any devices used to access your account. Never run files that end in .exe or other suspicious files sent to you by users you do not know or trust; even if a trusted individual sends you an exe or other suspicious file, you should verify its safety before running it. If you are unsure about an attachment, you may upload exe and other files smaller than 64MB to http://www.virustotal.com to scan them for malware, spyware, and viruses.

 

Staying ahead of attacks is a challenging task. We have some of the best information security people and tools working to prevent vulnerabilities and keep the site safe. Thanks for your help in this effort and for continuing to place your trust in us. Together, we can protect Upwork from the bad guys.
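As an added illustration of the attachment advice in the post above (not part of the original post and not Upwork's own tooling), the following Python sketch triages a received file without running it: it flags risky or double extensions, checks the leading bytes for executable content, and computes a SHA-256 hash. The function name, extension lists and sample bytes are constructed for this example.

```python
import hashlib

# Leading "magic" bytes of formats that can run code when opened.
MAGIC = {
    b"MZ": "Windows executable (PE)",
    b"\x7fELF": "Linux executable (ELF)",
    b"PK\x03\x04": "ZIP container (also .docx/.xlsm/.jar)",
    b"\xd0\xcf\x11\xe0": "legacy Office document (may carry macros)",
}
NATIVE = (b"MZ", b"\x7fELF")
RISKY_EXT = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "jar", "msi", "lnk", "ps1"}
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

def triage(filename, data):
    """Return (sha256_hex, findings) for an attachment without executing it."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in RISKY_EXT:
        findings.append(f"risky extension .{ext}")
    # "invoice.pdf.exe" displays as "invoice.pdf" when extensions are hidden.
    if len(parts) > 2 and parts[-2] in DOC_EXT and ext in RISKY_EXT:
        findings.append("double extension hides the real type")
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            findings.append(f"content is {kind}")
            # The name claims one thing, the bytes say another.
            if magic in NATIVE and ext not in RISKY_EXT:
                findings.append("executable content behind a harmless-looking name")
    return hashlib.sha256(data).hexdigest(), findings

# Constructed sample inputs: a fake PE header and a plain-text brief.
SAMPLE_EXE = b"MZ" + bytes(62)
SAMPLE_TXT = b"Hello, here is the project brief."

if __name__ == "__main__":
    for name, blob in [("job_description.pdf.exe", SAMPLE_EXE),
                       ("portfolio.jpg", SAMPLE_EXE),
                       ("brief.txt", SAMPLE_TXT)]:
        digest, notes = triage(name, blob)
        print(name, digest[:16], notes or ["no findings"])
```

The SHA-256 value can be searched on VirusTotal to see whether the file is already known there, without uploading the file itself. An empty findings list does not mean the file is safe; it only means none of these simple checks fired.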

Community Guru
Wassim T Member Since: May 29, 2015
2 of 29

Thanks a lot for the tips Garnor. Very useful stuff.

 

Another important issue a lot of web developers face is that the client might have an infected server without their knowledge, and they provide you with FTP access to their servers so you can download the files and your computer gets infected as a result. So sometimes the client might be a victim without knowing it, so even if the client is a reputable person and from Upwork with many reviews, web developers still need to be very cautious about what they're downloading, specifically using their FTP clients.

 

I've heard someone on YouTube complaining about Upwork not being secure, but really this isn't a thing that Upwork can monitor and it's absolutely not the client wanting to send you a virus (well unless they're sick), but it's often our responsibility of not taking care in an online world, where Mark Zuckerberg with all the technology puts a tape on his laptop's camera lens for an extra layer of protection. The world called it crazy, I thought it's smart.

Community Guru
Rene K Member Since: Jul 10, 2014
3 of 29

Garnor, while your advice is valuable, implementing 2-step authentication, for instance with the help of Google Authenticator, you could wipe out most of the account hacking attempts on Upwork.

 

Why you don't want to do this is beyond me.

-----------
"Where darkness shines like dazzling light"   —William Ashbless
Community Manager
Garnor M Community Manager Member Since: Oct 29, 2014
4 of 29

Thanks Rene. It's not that we don't want to make the site as secure as possible, we obviously do. We've weighed it (2-step authentication) along with other options and will do so again as we re-evaluate.

Community Guru
Nichola L Member Since: Mar 13, 2015
5 of 29

How long does re-evaluation take?

Community Guru
Rene K Member Since: Jul 10, 2014
6 of 29

@Garnor M wrote:

Thanks Rene. It's not that we don't want to make the site as secure as possible, we obviously do. We've weighed it (2-step authentication) along with other options and will do so again as we re-evaluate.


I appreciate your answer. I also appreciate that you will re-evaluate this option, which already was re-evaluated and adopted a long time ago by many companies that deal with financial transactions all over the Web.

 

I won't lie, I'm a little bit concerned each time Upwork says they will evaluate an option, or put it on the to-do list. Often it means it won't happen.

 

But who knows, maybe this time...

-----------
"Where darkness shines like dazzling light"   —William Ashbless
Employee
Jeff C Employee Member Since: May 1, 2015
7 of 29

Hi Rene,

 

I'm Jeff, the head of Trust & Safety. My team is exploring and evaluating options to manage these security issues. I can confirm what Garnor noted above that we are evaluating 2 Step (Factor) Authentication among other ideas. I think the list is up to 20 projects now. 2FA is an industry standard way to protect customer accounts from takeovers, and I think we should be doing this. We should have done this a while ago. As you know, a bad guy may be able to phish your username/password, but it's much harder to get your cell phone and pass the 2FA.

 

In these particular recent events, the problem isn't that accounts are being stolen (where 2FA would help), but rather accounts are being used to send viruses. In these cases 2FA won't help, but one of the other 20 projects will. 

 

Jeff

 

Community Guru
Rene K Member Since: Jul 10, 2014
8 of 29

Thanks Jeff. I hope that you will implement 2FA and that you will also find a way to mitigate the propagation of the viruses. I think both of those measures are now necessary considering the number of users on this platform.

-----------
"Where darkness shines like dazzling light"   —William Ashbless
Community Guru
Preston H Member Since: Nov 24, 2014
9 of 29

I don't have a cell phone. If a computer system requires a cell phone, I wouldn't be able to use it. Not everyone has a cell phone.

 

Also, I use more than one computer with my Upwork account. I do work on both Mac OS X and Windows computers, and I work from different locations. I use computers whose IP addresses are static and computers with dynamically allocated IP addresses.

 

I am not opposed to additional security measures, but these are some things to keep in mind.

Community Guru
Rene K Member Since: Jul 10, 2014
10 of 29

@Preston H wrote:

I don't have a cell phone.


I'm still processing this.

 

I understand every individual word in this sentence, I actually understand the sentence itself, on a grammatical level, but I still fail to understand the message that this sentence conveys. The whole concept of not having a cellphone is foreign to me. And by cellphone, obviously, I mean a smartphone. Not having a phone that is not even a smartphone is beyond the reach of my brain.

 

And this is Preston. Which makes the thing even worse.

 

It's like the madness encountered by the protagonists of H. P. Lovecraft's stories.

-----------
"Where darkness shines like dazzling light"   —William Ashbless