Researchers say that ending the scourge of fake-antivirus malware—or malware of any other kind—will be nearly impossible unless Web and security companies collect and share more information about everything from the vectors that predominate in a given week to the banks that fraudsters are using to accept payments. Private companies reveal only limited data about breaches on their sites or malicious links in their networks. “There is surprisingly less information in the industry than you might think,” says Michael Barrett, the security chief at the online payment service PayPal.
That’s partly because having proprietary information about malware provides a competitive advantage for Internet security companies. “There has to be more of a community sharing effort, which the security industry is not used to doing,” says Philippe Courtot, CEO of Qualys, a security company. “Since no one company can have a complete view of the attacks and of the vulnerabilities, only a broader and community-driven effort can solve the problem.”
StopBadware is working on a partial solution: a reporting system to which it hopes a critical mass of Internet companies will contribute reports of infected websites. It will vet reports for accuracy, pass the information to Web hosting companies so they can take down the sites, and publicize which hosting companies aren’t cracking down. Increased pressure on those companies could force the criminals to change tactics, adding costs for them.
Another way to hassle the criminals could be to more closely scrutinize the banks that process their credit card payments. Savage suggests that credit card companies and law enforcement need not target many banks to have a big impact. He and colleagues recently studied a random sample of 120 products advertised through spam and determined that 95 percent of their sales went through just three banks, in Azerbaijan, Latvia, and St. Kitts and Nevis, West Indies. Savage believes that a study of payments for fake antivirus software would yield comparable results.
Meanwhile, at any one time, at least several hundred thousand websites—known ones—are distributing malware through fake-antivirus and other scams. “The criminals are doing a better job coördinating their offense than the good guys are doing coördinating our defense,” Weinstein says. That means the bogus flashing warnings—Your Computer Is Infected!—increasingly reflect the truth.
David Talbot is Technology Review’s chief correspondent.