MIT Technology Review

 


Flying Blind

Researchers say that ending the scourge of fake-antivirus malware—or malware of any other kind—will be nearly impossible unless Web and security companies collect and share more information about everything from the vectors that predominate in a given week to the banks that fraudsters are using to accept payments. Private companies reveal only limited data about breaches on their sites or malicious links in their networks. “There is surprisingly less information in the industry than you might think,” says Michael Barrett, the security chief at the online payment service PayPal.

That’s partly because having proprietary information about malware provides a competitive advantage for Internet security companies. “There has to be more of a community sharing effort, which the security industry is not used to doing,” says Philippe Courtot, CEO of Qualys, a security company. “Since no one company can have a complete view of the attacks and of the vulnerabilities, only a broader and community-driven effort can solve the problem.”

StopBadware is working on a partial solution: a reporting system to which it hopes a critical mass of Internet companies will contribute reports of infected websites. It will vet reports for accuracy, pass the information to Web hosting companies so they can take down the sites, and publicize which hosting companies aren’t cracking down. Increased pressure on those companies could force the criminals to change tactics, adding costs for them.

Another way to hassle the criminals could be to more closely scrutinize the banks that process their credit card payments. Savage suggests that credit card companies and law enforcement need not target many banks to have a big impact. He and colleagues recently studied a random sample of 120 products advertised through spam and determined that 95 percent of their sales went through just three banks, in Azerbaijan, Latvia, and St. Kitts and Nevis, West Indies. Savage believes that a study of payments for fake antivirus software would yield comparable results.

Meanwhile, at any one time, at least several hundred thousand websites—known ones—are distributing malware through fake-antivirus and other scams. “The criminals are doing a better job coördinating their offense than the good guys are doing coördinating our defense,” Weinstein says. That means the bogus flashing warnings—Your Computer Is Infected!—increasingly reflect the truth.

David Talbot is Technology Review’s chief correspondent.


Credits: Fox Photos/Getty Images, Courtesy of U.S. Department of Justice, Tommy McCall
Video by David Talbot, edited by Brittany Sauser

Tagged: Computing
