June 21, 2011
Some time ago, I stumbled upon a web page launching a "Mozilla Security scan". The page purportedly identified viruses and other malware on my machine. Unfortunately, there is no (legitimate) Mozilla Security Scanner: this was yet another case of a fake AV attack.
What distinguishes the Mozilla Security attack is a slight variation on the classic fake AV playbook. To convince users to install malware on their machines, or to part with their money outright, it mimics a security mechanism implemented in a specific program (the warning page Firefox presents when a user visits a blacklisted domain), rather than simulating a generic anti-virus tool. The tell, for anyone who cares to look, is that the real warning is drawn by the browser itself and only ever offers to take you away from the site, whereas the fake is an ordinary web page sitting in the content area, and it ends with an offer to download a binary.
These attacks are successful because they piggyback on the trust that users have learned to assign to these security mechanisms (anti-virus software, blacklist filters in browsers, etc.). This shows, of course, that attackers are quite creative in coming up with new attack techniques, especially social engineering schemes. However—and this is perhaps a more constructive observation—these attacks also point out a weakness in how we (the security community in general) have been educating users on computer security. While we were aiming for "user education" (finally having regular users "get" security), it appears that we only managed "user conditioning": Security. Advice. Must. Be. Followed. The anti-virus (or a program that looks like it) tells me to pay for an upgrade: done. The malware filtering page in the browser suggests downloading a binary: check. And so on.
So, how to improve?
Well, user conditioning and its risks have been pointed out before, together with loads of good suggestions on how to avoid it (most exhaustively by Peter Gutmann). My simple, bare-minimum suggestion is the fake-AV check: when a new security mechanism or piece of security advice is introduced, ask how likely it is that this very same mechanism or advice will be used in fake AV attacks a few weeks' time. Or, how difficult is it to turn this mechanism or advice on its head and make it into a tool in the hands of the attackers? Any mechanism that asks the user to make a trust decision based on what a page shows, rather than on something the attacker cannot reproduce, fails the check. If the answer is "easy", let's just go back to the drawing board and start over.