A new report from the Anti-Phishing Working Group is yet another reminder of the information security threats we all face. This latest publication states that the number of compromised URLs used to distribute malicious code nearly tripled in the 12-month period from July 2007 through July 2008.
This data, along with similar research from McAfee, RSA Security, Symantec, and Trend Micro, demonstrates that the bad guys are taking advantage of the global recession with an increase in attack volume and sophistication. Certainly, security professionals recognize this unsettling trend, and according to ESG Research data, security remains a top IT priority for 2009. Based upon recent activities, it appears the federal government also sees the need for countermeasures.
While insiders seem to see the storm approaching, however, I'm worried about the Internet everyman--"Joe the Online User," if you will. Information security tends to be an esoteric topic sure to bore the pants off friends and neighbors at upcoming holiday parties, but there's more in play than ignorance alone.
I am starting to see a whole bunch of no-name security grifters pitching second-tier products and services with Chicken Little, "the sky is falling" scare tactics. You tend to find these guys on drive-time radio and entertainment Web sites. I'm not alone in this observation. This week the U.S. District Court in Maryland ordered two fly-by-night companies to stop promoting "scareware" through online advertisements. These pop-up ads would warn Web surfers that their systems had been compromised by viruses, spyware, and even "illegal pornographic content." They were even so brazen as to suggest that users could be investigated or outed as some type of degenerate porn addict. Of course, they were happy to sell you software and services to alleviate the problem.
Unfortunately, there will always be a population of low-down dirtbags willing to take advantage of people's fears and hardships. After September 11 they pitched gas masks; they sold bottled water for $10 apiece following Hurricane Katrina. Given the cybersecurity activity out there, we are bound to see more and more of these security scams. The difference here is that security con artists are preying on fears that users really don't understand. Consumers may get scammed or become cynical--neither of which is good.
We need a focused effort to pull together as a security community, educate consumers, and push for strict punishment of these flimflammers. If not, things can only get worse.