Windows 10 is loaded with a plethora of features, but one of the things it’s known best for is its easy customization. With just a few clicks, you can easily swap out the desktop photo, change menu colors and even swap sounds. You can also save your settings as themes, which really puts the “personal” in personal computer.
Want to find more ways to customize your Windows PC? Tap or click here to read our guide to customizing Windows 10.
Custom themes are so popular with Windows users that it’s easy to find them for download online. But if you’re thinking of installing a theme you found, you might want to think again. Security researchers have discovered that hackers are creating custom Windows themes that can compromise your computer — and if you download one, you might end up losing your passwords.
Letting the vampire in
According to BleepingComputer, researcher Jimmy Bayne discovered that specially-crafted Windows 10 themes are capable of stealing your passwords through a method known as a “pass the hash attack.”
During one of these attacks, a compromised file will require you to log in with your user name and password in order to “authenticate it.” But doing so actually sends the password to a remote database where it can be accessed later by hackers who created the file.
For computers with local user profiles, this is less critical of an issue. Unfortunately, Microsoft is rapidly moving away from local users in favor of Microsoft Accounts, which grant access to all sorts of online and cloud-based features. Should a Microsoft Account login be stolen by one of these attacks, it’s a far more dangerous situation.
Windows themes, on their face, are mostly harmless — which makes them a perfect attack vector. And, just like most other malware types, Windows themes can be shared with other Windows 10 users via email. This means one could easily arrive from a “friend” with a compromised email account and you’d never be the wiser.
Tap or click here to see how malicious email attachments and files are driving malware campaigns.
How can I protect myself from this hacking threat?
Fortunately, you can take comfort in the fact that this particular issue is only found in malicious Windows 10 themes. If you avoid downloading themes for your computer, you’ll be safe from this attack method.
Plus, it’s not as if you can’t change appearance settings in Windows by default. You’ll only run into trouble if you go looking for pre-made themes.
Beyond that, another dangerous factor is the issue of email attachments. If you receive an email from a friend with a cool, custom Windows 10 theme, you can easily ignore it. Unless you explicitly collaborate with your friend and they’ve told you over the phone that they’re sending you a new theme, there is absolutely no reason to download one from your email or otherwise.
The silver lining: At least themes are much easier to identify and avoid than malicious Microsoft Office documents. Not only are those used every day for legitimate purposes, but it can also be much harder to tell when an account you trust is sending you a malicious document.
Tap or click here to see how these documents can recruit your system into the massive Emotet botnet.