Saturday, 10 March 2012

Rant on “Secure Invites”, Malware and Security

Yesterday my brother rang me to say that he was having a problem with his computer (a Toshiba laptop running Windows Vista). He’d been browsing the Internet and clicked yes when asked to install some software so he could view some files. Next think he knows, Internet Explorer is taking him to some website called secureinvites.com and telling him that he’s got a Trojan installed (at least that bit is right) and to buy their security software.

Basically, Secure Invites is a browser hijacker or rogue security software that’s trying to sell rogue anti-spyware software.

While I was helping my brother, he asked why people can get away with this sort of thing. I told him the Internet is like the Wild West. But that’s no excuse. Companies shouldn’t be able to get away with this sort of thing. To me it appears to be fraud. Now, in Australia, there’s no doubt that this would be illegal under the deceptive and misleading conduct provisions of the Trace Practices Act. I don’t know where the parent company for Secure Invites reside but I have no doubt that the people behind it should be in gaol.

I searched the Internet for utilities that would remove Secure Invites. My search on Microsoft didn’t find anything (which is just not good enough). Google turned up a number of results. However, all of them where for domains I wasn’t familiar with. How could I know if a utility was legitimate or more malware? In the end I used SmithfraudFix. It had been listed on a couple of sites and I seemed to recall using it before. I sent my brother the instructions from this page and talked him through it.

We didn’t do the first step however – I asked my brother to back up his files before he did anything. His response – “How do I do that?” When I asked him if he had an external drive, things got a bit vague. In the end it became a case of trusting the removal software and hoping for the best.

So, what’s not good enough:
  • This software exists at all
  • The people who wrote it and make money from it aren’t being prosecuted
  • Windows didn’t protect my brother from this type of software
  • Anti-virus software didn’t protect my brother either
  • A search of Microsoft’s website didn’t help us
  • There was no way for us to verify the bona fides of those sites on the Internet offering a removal tool
  • It shouldn’t be so hard for your average computer illiterate user to back up their files

What’s the solution? I don’t know. But I don’t think it’s user education. Security awareness training has its place in limited situations (e.g. tips on creating secure passwords in combination with systems that will only accept complex passwords), but it’s not practical to educate everyone. Even if we sent every user on a security awareness course, it still wouldn’t work. Some people would still be fooled by a social engineering attack like Secure Invites.

Let's explore the Wild West metaphor I used with my brother. Back in the Wild West, there were plenty of conmen selling snake oil to the gullible. You might say we’re now smarter and don’t buy snake oil. But we do, it’s just that now it’s made out of crystals or just plain water.

So, back to my question, what’s the solution? Well I don’t think there’s a silver bullet. We could deputise a posse to hunt down, torture and string up the malware writers. Of course that might be a little unrealistic (and unethical – cruelty to animals isn’t acceptable).

Perhaps better anti-virus software will help – but based on the industry’s past efforts I think that’s unlikely. Could better designed and built operating systems help? Perhaps it’s an issue that can only be addressed by law enforcement agencies and regulatory authorities.

Who knows? All I know is that it’s just not good enough.

No comments:

Post a Comment