I'm at the Anti-Phishing Working Group (APWG) Counter eCrime Operations Summit (CeCOS) this week. This conference is attended by law enforcement officers, researchers, and industry professionals. I'll be giving some highlights that are relevant to usable privacy and security.
Gary Warner from the University of Alabama reported on trends in malvertising. Malvertising is a relatively new kind of attack in which criminals inject malware or scareware into online advertisements. These malvertisements might be, for example, Flash files that make use of exploits, or ads that use scare tactics to "warn" users about viruses on their computer and urge them to click on a link to install (fake) anti-virus software.
There are three points I want to discuss here. First, these advertising networks have a very wide reach on the Internet. Even the New York Times' web site was hit with one of these fake advertisements. As such, these malvertisements represent a very serious threat to the operation of the Internet.
Second, as a user, you could be doing everything right and still end up infected. You might keep your anti-virus software up to date, always install the latest patches, avoid sketchy programs and web sites, and not fall for any phish, and still end up with malware.
Third, fake virus scans have become a growing tactic for convincing people to install malware onto their own computers. This kind of malware is growing in sophistication, and it is damaging legitimate anti-virus vendors too by eroding people's trust. Admittedly, it's a good strategy for the bad guys to take.
I had the misfortune of facing some of this fake anti-virus software recently. My wife fell for one of these scams and asked me to fix her computer. The malware actually blocked standard anti-virus software from running, so I tried to remove the software manually. However, as I did this, I saw the malware start to re-install itself from a remote location. I tried again after turning off networking, and deleted all the malware files. However, I either missed something in the registry or a browser helper object, as it started re-installing itself again after rebooting. After wasting an hour of time, we decided it would be easier and safer to just wipe the machine and start over.
(As an aside, I'm convinced that systems people interested in studying how to create robust and highly reliable systems should take notes from malware creators. It's hard to think of an environment more challenging than one where adversaries are actively trying to kill you. However, remember, you can only use your powers for good.)
If we take a step back, we can view malvertisements as just another kind of attack in which criminals try to exploit our greater connectivity. It's useful to go back to the three basic strategies for usable privacy and security: (1) make it invisible, (2) provide better user interfaces, and (3) educate users. In the short term, we can educate people about fake anti-virus. However, in the long term, advertising networks will need far better tools for detecting and filtering out these kinds of malware so that users don't see them at all.