Scareware purports to be security software but isn't. It's sold to technically naive users to address supposed computer security threats. But it generally offers little or no protection, and may act maliciously, by stealing information, for example.
Scareware is also known as rogue security software, though the only security it enhances is the financial security of the scammers selling it. It can be compared to quack cures that have no real medicinal effect and may in some cases prove harmful.
"The prevalence of rogue security software has increased significantly over the past [year and a half]," the report says. "Rogue security software uses fear and annoyance tactics to convince victims to pay for 'full versions' of the software in order to remove and protect themselves from malware, to stop the continual alerts and warnings, or both."
Microsoft's report says that two rogue software families, Win32/FakeXPA and Win32/FakeSecSen, were detected on more than 1.5 million computers, putting them among the top threats for the second half of 2008.
Such findings give appear to support the contention voiced by Alex Stamos, co-founder and partner at software security company ISEC Partners, at the Web 2.0 Expo earlier this month that the Internet is too dangerous for the technically unsophisticated.
"The Internet cannot be safely used by normal people," he said. "Most people are not prepared to make the technical decisions necessary to safely use the Internet."
That may be overstating the case given that such malware can be detected and dealt with, even if there's no cure for gullibility.
Or for irresponsibility: The report also finds that lost and stolen computer equipment, rather than hacking, represented the most common cause of security breaches (50%) leading to publicly reported data loss in the second half of 2008.
Illegal hacking nonetheless remains a problem, one that's increasingly focused on the application layer rather than the operating system. Almost 90% of vulnerabilities disclosed in the second half of 2008 affected applications, the report says.
This is good news for Microsoft, which for years has been focused on hardening its operating systems and is now starting to see some payoff, at least among customers with the most current patches installed.
Evidence of the company's progress can be seen in the finding that during the second half of 2008 about 40.9% of browser exploits on computers running Windows XP targeted Microsoft software, compared with just 5.5% of browser exploits on computers running Windows Vista.
Though the application layer now is the major point of attack, users of popular applications like Microsoft Office can still reduce their vulnerability by keeping their patches current.
"The most frequently exploited vulnerabilities in Microsoft Office software were also some of the oldest," the report says. "Over ninety-one percent of attacks examined exploited a single vulnerability for which a security fix had been available for more than two years (CVE-2006-2492)."
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
2017 State of IT ReportIn today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.