It’s a scary headline, isn’t it? The kind of headline you can’t help clicking on. Were you driven by curiosity? Fear? Cynicism, perhaps? Whatever your motivation might be, you’re now learning about malware and how to prevent it — something that many computer users are still reluctant to do. To this day, a myth persists among certain Web users that if you stay away from 'dodgy' sites, you can’t get infected. This couldn’t be further from the truth.
The fact is, cybercrime is becoming an ever-increasing threat, and unless proper safety measures are taken, nobody is safe. On January 5th, PandaLabs released a report which found some 25 million new strains of malware had been created during 2009. By contrast, there had been only 15 million strains in total over the previous two decades.
The question is: how do we inform Internet users who don’t want to listen? Shameless scaremongering, like the headline above, might be the only option left. (For the record, child pornography really could be on your computer, but we’ll get to that in a moment.)
We spoke to AVG’s marketing manager, Lloyd Borrett, at Kickstart Forum 2010, where IT journalists and vendors meet to discuss emerging trends in the industry. We quizzed him about the evolution of cybercrime, the current malware landscape and the challenges security companies face in educating the public. Here’s what he had to say.
PC World: Hi Lloyd. Why has malware become such a big threat in recent years?
Lloyd Borrett: The malware landscape has completely evolved, especially in the past five years or so. It used to be about hackers having fun and playing games — script kiddies, that sort of thing. Half the time they didn’t even know what they were doing. But now it’s about organised crime and people trying to make money. And they’re making a lot. It’s very, very successful for them. They’re using some of the most sophisticated tools and mechanisms that are around to run their business.
The way they use botnets [networks of computers infected with malware] as a distributed computing environment is phenomenal to behold. They’re doing it better than most enterprises. It’s so organised and they put so much money and effort into it that you can actually follow a market for it. It’s big, organised business. What this means is that we’re all very vulnerable.
PCW: Vulnerable from what? For mums and dads at home, this isn’t always clear. They’ve heard about cybercrime, but don’t necessarily understand how it affects them.
LB: It really boils down to three things. First, they want to con you out of your money. That covers things like your Nigerian scams, lotteries that you never entered, a lawyer trying to give you money from the estate of a relative you’ve never heard of, and so forth.
These are common social-engineering scams designed to rip you off. Another example is online antivirus software that finds all these problems on your computer — and then asks for a fee to get rid of it. They’re all rigged to get money from you. Many of these sites have offers that are just way too good to be true: there are Chinese sites offering brand new Harley-Davidsons for $5000.
The second level is identity theft: they try to get enough of your identity to be able to rip someone else off. At its simplest level, they get your name and your credit card number so they can go and rip off some merchant. This is a big problem for businesses. Last year, over six per cent of losses came from such crimes.
They build up dossiers of information, such as what people post on social media sites. They’ll try to get malware onto your machine, so they can search around and get information. They use keyword loggers to get your sign-ons and passwords for various accounts. This could be your bank accounts, the online shops you visit, your online game assets.
The third and final thing is that they want to get onto your machine, and use its resources — its computing power, its hard disk capacity and your Internet bandwidth. We refer to that as becoming part of a botnet.
Most people think botnets are only used to send out spam, but they can use your machine to do whatever they want. They can use it to control part of the botnet, they can use it to host the files that they’re going to serve up via the torrent, they can use it to store porn videos and photos that they’re going to deliver up on Web sites. They can turn your machine into part of their Web server for that sort of stuff. It could be child porn — and you’re not going to know about it. The only indication you’re going to get is that you’ll be constantly hitting your broadband limits, and your machine might start running slowly.
There have been plenty of cases where some guy’s work machine starts running slow, so he hands it over to the IT guys. They’ll take a look and find child porn on there, so the guy gets suspended and has to talk to the cops. It’s only later that they find it was a botnet. He had no say in it whatsoever. Didn’t know it was there; completely innocent.
So you have to be aware of all this stuff and think positively. And that comes down to user education.
PCW: So how do we educate Internet users to be more malware-aware, so to speak, so they know what they should and shouldn't be doing?
LB: That’s the mega-million dollar question. At AVG I get constantly told, “You need to educate [users] more — we need to produce this and this and this.” But the thing is, that stuff’s already out there. In fact, it’s everywhere. There are government sites doing it, there are vendors like us doing it, there are organisations that have been set up to do it like Stay Safe Online. But the problem is people don’t read it. They aren’t interested in it. For user education to work, they’ve got to be open to it and actually want to get the message. And that’s not just consumers, it also goes for IT professionals. The reason we saw the Conficker exploit on 60 Minutes was because it had infected CBS. Fairfax got hit, schools and hospitals also got hit. The French navy got hit. These are organisations that should have known better.
PCW: You touched earlier on the Nigerian scams and bogus lottery wins and what have you. Seriously: who’s falling for this stuff? Who are they?
LB: You’d be surprised. It’s amazing: people don’t just get conned for small amounts, often they get conned for hundreds of thousands of dollars! You’d think someone who had that kind of money should be a reasonably sharp instrument; not the dullest thing in the toolshed. And yet, they get conned. This just shows that the fraudsters are able to leverage the internet, reach out and get to the gullible. It’s human nature: people think, “This sounds too good to be true, but I don’t want to miss out if everyone else is getting in on it.”
PCW: Do you think a level of scaremongering needs to enter the equation if we want to educate users? It seems to work for the mainstream media.
LB: That’s the big dilemma we have, especially. You can be the big scaremonger, but eventually people are going to switch off from it. Take, for example, the effectiveness of road trauma ads, and that sort of thing. They go for the shock tactics, but eventually it feels dulled down, and they have to shock more and more to get the impact across.
Also, bear in mind that half the people you talk to think that security companies manufacture the malware themselves. We see about 150,000 new malware samples a day; about 50,000 of those turn out to be really new stuff. And the volume is increasing almost exponentially. You think we need to be doing this stuff ourselves? [laughs]
PCW: And finally, what’s one piece of advice that every Internet user should follow?
LB: Stay up-to-date! Keep your operating system up-to-date, your security software up-to-date, all your utilities, Adobe Acrobat, Flash plug-ins, codec plug-ins, etcetera, etcetera. And remember that the bad guys exploit this too — if a site tells you that you need a new plug-in to watch a video, don’t trust it blindly. You need to be aware and savvy.