Scams designed to steal identities, data and ultimately money from Internet users continued to rise steeply in the first half of this year, according to a report released on Tuesday by Microsoft.
The company's Security Intelligence Report, a broad look at the computer threat landscape, shows a continued focus on attacks aimed at making a profit, rather than simply generating fear or gaining notoriety.
According to the study, there were 31.6 million detected phishing scams, more than double those found in the prior six months. There was a more than five-fold increase in the types of malicious code used to install trojans, password stealers, keystroke loggers and other malware.
"Some of these challenges are created by the fact the operating systems are more secure, which has caused the bad guys to look at other attack vectors," said Scott Charney, Microsoft's vice president of trustworthy computing.
What's clear is that the overall problem of users finding their machines compromised is not getting better. Microsoft can get a rough estimate of how many users have infected systems by assessing the PCs that are scanned using its free Malicious Software Removal Tool. Malware was removed on one out of every 217 computers scanned in the first half of 2007. That compares from just one in 409 PCs that was infected during the prior six months.
And while operating systems are getting more secure, threats are moving to the applications layer, a move that could actually make computers harder to secure. "It's often the applications that contain the information that is important to the user," Charney said. In addition, while there are only a few large companies that create most major operating systems, there are thousands of companies that create applications, ranging from huge software vendors to individuals working out of their homes.
"It is a much bigger challenge," Charney said.
In the short term, Charney said much of Microsoft's efforts are around publicizing the types of social engineering tips used by the bad guys and to developing more automated tools like its phishing filter that can prevent scams from reaching consumers eyes in the first place.
Over time, though, the industry needs to find better means than user name and password to assess someone's identity as well as ways of separating authentication away from things like birth dates and social security numbers. "Longer term, what we need to do is figure out different ways to validate claims," Charney said. Neither businesses nor consumers have shown much stomach, however, for the kinds of improved authentication mechanisms that could help. "We're far removed from that because the business infrastructure isn't there today."