It’s a common, somewhat frightening and potentially expensive experience: A user is on a Web site when a sudden pop-up alerts him that his computer is or may be infected with viruses and drives him to a site selling antivirus software.
A user may react by closing the pop-up and hoping it doesn’t happen again, or he or she may purchase the advertised software, as inadvisable as this might be. According to computer security firm Finjan, this practice, known as “scareware,” can net its practitioners as much as $10,000 a day. It’s not surprising, then, that this is a growing industry; a report released this past March by the Anti-Phishing Working Group found 9,287 bogus anti-malware programs in circulation in December 2008, a 225 percent rise from the beginning of the year.
“The reason people are falling victim to these types of fake antivirus products or alerts is because they don’t know what is good and bad,” said Melih Abdulhayoglu, CEO and chief security architect of computer security provider Comodo. “You have no means to verify that. In the real world, when you go to Home Depot [and] you buy a $5 padlock, even [that] comes with a standard, yet something as important as your desktop security has no standards whatsoever. That lends itself to people defrauding end-users by giving them any old rubbish — effectively giving them malware pretending to be an antivirus product.”
To address this, a new forum of security vendors has been established: the Common Computing Security Standards Forum (CCSS), which will allow users to protect themselves by compiling a list of legitimate antivirus vendors. Comodo is a member of CCSS.
The antivirus companies on the list either sell or distribute legitimate software intending to protect PCs from viruses, Trojans, zero-day attacks, worms, buffer overflows and other malware. The list will help users distinguish between beneficial software and online scams. “If you encounter an antivirus product, come to us [and] look at the forum to see whether it’s listed or not,” said Abdulhayoglu. “If it’s not listed, don’t buy [it].”
Abdulhayoglu termed this stage one of CCSS’s response to the problem. He described the next step: “We are pushing for standards and hopefully looking for ways for operating system providers to enforce those standards so that when you install an AV, your operating system should know it’s a legitimate AV.”
Reaction to CCSS has been felt internationally, with publications in the U.S., Europe and the Middle East linking to it to raise awareness of the need for accountability in the antivirus industry.
According to Abdulhayoglu, the original impetus behind CCSS was recognizing the essential role computers play in our daily lives and how security in this space is at times lacking.
“If you look at what we use our PCs for, it’s everything from our banking to our health care — computers have become an indispensible part of our lives,” he said. “[If] you go to a restaurant, what if they give you cyanide? Say you go to a hospital [and] they inject you with poison. There are rules against that — there are rules in real life against you being treated [wrong], yet in our digital life, we can be fed poison. Our digital life is totally insecure. That’s why it’s about time we start setting up some standards, and who’s going to make that happen? The whole desktop computer world gets together and does it themselves.”