Fear drives the security market and no one knows that quite so well as scareware scammers.
In its sixth Security Intelligence Report, released Wednesday and covering the second half of 2008, Microsoft says scareware is on the rise.
Scareware purports to be security software but isn't. It's sold to technically naive users to address supposed computer security threats. But it generally offers little or no protection, and may act maliciously, by stealing information, for example.
Scareware is also known as rogue security software, though the only security it enhances is the financial security of the scammers selling it. It can be compared to quack cures that have no real medicinal effect and may in some cases prove harmful.
"The prevalence of rogue security software has increased significantly over the past [year and a half]," the report says. "Rogue security software uses fear and annoyance tactics to convince victims to pay for 'full versions' of the software in order to remove and protect themselves from malware, to stop the continual alerts and warnings, or both."
Microsoft's report says that two rogue software families, Win32/FakeXPA and Win32/FakeSecSen, were detected on more than 1.5 million computers, putting them among the top threats for the second half of 2008.
Such findings give appear to support the contention voiced by Alex Stamos, co-founder and partner at software security company ISEC Partners, at the Web 2.0 Expo earlier this month that the Internet is too dangerous for the technically unsophisticated.
"The Internet cannot be safely used by normal people," he said. "Most people are not prepared to make the technical decisions necessary to safely use the Internet."
That may be overstating the case given that such malware can be detected and dealt with, even if there's no cure for gullibility.
Or for irresponsibility: The report also finds that lost and stolen computer equipment, rather than hacking, represented the most common cause of security breaches (50%) leading to publicly reported data loss in the second half of 2008.
Illegal hacking nonetheless remains a problem, one that's increasingly focused on the application layer rather than the operating system. Almost 90% of vulnerabilities disclosed in the second half of 2008 affected applications, the report says.
This is good news for Microsoft, which for years has been focused on hardening its operating systems and is now starting to see some payoff, at least among customers with the most current patches installed.
Evidence of the company's progress can be seen in the finding that during the second half of 2008 about 40.9% of browser exploits on computers running Windows XP targeted Microsoft software, compared with just 5.5% of browser exploits on computers running Windows Vista. Though the application layer now is the major point of attack, users of popular applications like Microsoft Office can still reduce their vulnerability by keeping their patches current.
"The most frequently exploited vulnerabilities in Microsoft Office software were also some of the oldest," the report says. "Over ninety-one percent of attacks examined exploited a single vulnerability for which a security fix had been available for more than two years (CVE-2006-2492)."
Attend a Webcast on why bad security breaches keep happening to good organizations. It happens April 15. Find out more and register.