We have regular ConfCalls with our security support to exchange trends and issues we see. During the last one we had an interesting discussion I would like to share with you: We seem to get a hell lot of calls mainly from the consumer segment with Virus/Trojan/Spyware infections. The way they get the malware is a pretty well known one: You go to a web page which is telling you that your PC is infected by malware and that you have to install the "protection software" immediately – which then installs the malware. That's the reason why we call this software "Scareware". There are two things which frighten me:
One is that it shows how easy social engineering works (once again).
But the second one is much more frightening: The malware installed is by far not sophisticated. It is usually pretty old and well known. Therefore every AV scanner would detect it easily and prevent it from being installed. This tells us that there is still a high percentage of people not running AV software on their PC… Since years we are telling our customers you have to do at least three things to run your system: Use a firewall, keep your software updated, run an Anti-Malware software and keep it updated. Similar things are true for ISPs. Why do people still not do it? Is it the money?
I don't think so it's money.
People are just lazy. Perhaps not properly aware of security impact or probably they think installing all this will make their computer slow.
Roger said he is "frightened" in part because this "shows how easy social engineering works".
That's pretty funny coming from an employee of a company that has spent an awful lot of effort trying to collapse the distinction between "local" (arguably reasonably safe and trustworthy) and "remote" (unknowable, at best, in these matters).
Remember one of the big advances touted in Win98 was its "view as webpage" option for the desktop; a showpiece of the integration between local and web content of the new (v4) IE browser?
Roger -- as an employee of a company that has been pushing so hard for so long to make it essentially impossible for a real expert to "tell at a glance" what is local and what is remote, what have _you_ been doing to reverse this usability nightmare for "ordinary users" who you now lament being so easily fooled, at least partly because of the machinations of your employer's developers and products?