Friday, September 10, 2010

scareware and human frailty

about two ago the folks at trend published a blog post about the persistence of fake av that really got under my skin. it was around the time of my birthday, which is ironic because the following quote really takes the cake:
Online, however, FAKEAV is a good example of a social engineering “success story.” By leveraging human weakness, FAKEAV effectively utilizes social engineering techniques such as blackhat search engine optimization (SEO) to trick users.
if there's one time a vendor should not be laying the blame for users being fooled on "human weakness" it's when talking about scareware.

scareware generally presents itself to the user in very much the same way legitimate security products do. vendors should consider that maybe scareware purveyors can be so effective while imitating legitimate security vendors is because of how close legitimate security vendors' messaging is to being an outright scam in and of itself.
use our software. we'll protect you.
worry free computing
we take care of X so you don't have to
you need our solution
the virus problem is solved

while those wearing vendor-coloured glasses may see the average user's propensity to believe the messaging put forward by illegitimate security vendors as nothing out of the ordinary (and certainly nothing to do with them themselves), i see over 2 decades of marketing and media training the populace to be as unquestioning, as unthinking as a pack of lemmings in a mindless frenzy when it comes to what security vendors say (whether they're really security vendors or not).

it's not human frailty at work here, it's bad guys figuring out how to exploit the one thing that security vendors are loathe to change: their marketing and business practices. legitimate (or so-called legitimate) security vendors made the market for scareware. the scareware purveyors are just showing up to the party, putting their hands out, and having a slice of the pie handed to them on a silver platter.

if the security industry really wants to do something about scareware purveyors, they should stop acting so much like them and start fostering skepticism amongst the populace - not only skepticism in what others say but also in what you yourselves say. stop creating an environment where scareware flourishes. stop doing their market development for them and actually start dismantling that blind-trust based market in spite of the fact that it's paid you so well in the past.

the bad guys are milking your cash cow, vendors. it's time to stop treating customers like cattle. it's time for you to lead rational critical thinkers rather than herd livestock. it's time for you to stop being part of the problem.


Charles Jeter said...

Hi Kurt,

Great article. There is a debate about how to educate people in the real threats online as well as present product solutions.

That isn't made easier by the lack of hard data about where the money is, where it's going, who's taking it, and how they're getting it.

Recently I started some research into a previously untapped resource, the US Treasury Department's Financial Crime (FinCEN) reporting. The preliminary results of this show that not only is it hard to quantify cybercrime through malware, it often goes misreported - so much so that the misreporting itself echoes the logarithmic growth of the threat.

I'd love to continue this discussion between blogs or as a joint project, as well as get a fresh pair of skeptical eyes onto the results we have so far. The link is in my Name tag.

Thanks for your great efforts in keeping it real - sometimes there needs to be a step back and breath taken in every industry.

(Note: my company doesn't have responsibility for this post, I'm doing it all on my own, etc. etc. broad disclaimer)

kurt wismer said...

"There is a debate about how to educate people in the real threats online as well as present product solutions. "

one of the problems related to educating people about real threats is the presentation of products as though they were solutions. it leads to the following line of thought:

'if X is a solution then why should i need to keep thinking about the problem?'

as for the rest of your comment, it's interesting, and i'm in the process of reading the article you pointed out right now (also interesting and some very persuasive conclusions), but the connection between scareware and banking trojans seems pretty thin. they're both malware, they both involve money, they can both be in the same *.exe (malware types aren't mutually exclusive), but the specifics are pretty different. the discussion you said you'd like to continue seems like 2 separate discussions to me.