Scareware Surging, Microsoft Report Finds - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Government // Cybersecurity
News
4/8/2009
05:30 PM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Scareware Surging, Microsoft Report Finds

Two rogue software families were detected on more than 1.5 million computers, making them among the top threats for the second half of 2008.

Scareware on the rise
(click image for larger view)
Scareware on the rise

Fear drives the security market and no one knows that quite so well as scareware scammers.

In its sixth Security Intelligence Report, released Wednesday and covering the second half of 2008, Microsoft says scareware is on the rise.

Scareware purports to be security software but isn't. It's sold to technically naive users to address supposed computer security threats. But it generally offers little or no protection, and may act maliciously, by stealing information, for example.

Scareware is also known as rogue security software, though the only security it enhances is the financial security of the scammers selling it. It can be compared to quack cures that have no real medicinal effect and may in some cases prove harmful.

"The prevalence of rogue security software has increased significantly over the past [year and a half]," the report says. "Rogue security software uses fear and annoyance tactics to convince victims to pay for 'full versions' of the software in order to remove and protect themselves from malware, to stop the continual alerts and warnings, or both."

Microsoft's report says that two rogue software families, Win32/FakeXPA and Win32/FakeSecSen, were detected on more than 1.5 million computers, putting them among the top threats for the second half of 2008.

Such findings give appear to support the contention voiced by Alex Stamos, co-founder and partner at software security company ISEC Partners, at the Web 2.0 Expo earlier this month that the Internet is too dangerous for the technically unsophisticated.

"The Internet cannot be safely used by normal people," he said. "Most people are not prepared to make the technical decisions necessary to safely use the Internet."

That may be overstating the case given that such malware can be detected and dealt with, even if there's no cure for gullibility.

Or for irresponsibility: The report also finds that lost and stolen computer equipment, rather than hacking, represented the most common cause of security breaches (50%) leading to publicly reported data loss in the second half of 2008.

Illegal hacking nonetheless remains a problem, one that's increasingly focused on the application layer rather than the operating system. Almost 90% of vulnerabilities disclosed in the second half of 2008 affected applications, the report says.

This is good news for Microsoft, which for years has been focused on hardening its operating systems and is now starting to see some payoff, at least among customers with the most current patches installed.

Evidence of the company's progress can be seen in the finding that during the second half of 2008 about 40.9% of browser exploits on computers running Windows XP targeted Microsoft software, compared with just 5.5% of browser exploits on computers running Windows Vista. Though the application layer now is the major point of attack, users of popular applications like Microsoft Office can still reduce their vulnerability by keeping their patches current.

"The most frequently exploited vulnerabilities in Microsoft Office software were also some of the oldest," the report says. "Over ninety-one percent of attacks examined exploited a single vulnerability for which a security fix had been available for more than two years (CVE-2006-2492)."


Attend a Webcast on why bad security breaches keep happening to good organizations. It happens April 15. Find out more and register.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Commentary
2021 Outlook: Tackling Cloud Transformation Choices
Joao-Pierre S. Ruth, Senior Writer,  1/4/2021
News
Enterprise IT Leaders Face Two Paths to AI
Jessica Davis, Senior Editor, Enterprise Apps,  12/23/2020
Slideshows
10 IT Trends to Watch for in 2021
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/22/2020
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
Slideshows
Flash Poll