You Aren't Safe. Get Over It

The latest news to add to the list of online perils to be paranoid about comes courtesy of the Washington Post. Virus writers apparently have a new scheme for distributing malicious code: purchasing popular Google keywords and publishing ads that purport to lead users to legitimate Websites. Some of the keywords the tricksters bought include "BBB" (for Better Business Bureau) and "Cars.com."The catch is that clicking on these ads really directs users to nasty places where a particularly damaging piece of malware lurks. If you didn't install an IE patch issued by Microsoft in June 2006, and if you're unlucky enough to be lured to one of these dubious sites, a flaw in Microsoft Windows downloads software that steals passwords and sensitive financial information from your PC. This exploit was identified by Exploit Prevention Labs; it echoes a similar one caught by Security Fix in mid 2006 in which a banner ad on MySpace linked users to an equally dangerous URL.

Yes, as respondents to the article have pointed out, you could put the blame on compromised users because they failed to install the IE patch. But let's face it: If you're reading this post on the InformationWeek Website, you almost certainly possess a certain amount of technical acumen--probably more than 99 percent of the general Internet-using population. Unfortunately, a significant proportion of the rest of the world isn't aware of the supreme importance of installing security patches, and moreover depends on the reputation of big-name brands like Google to shield them against tricks like this. Yes, it's naïve. But it explains the alarming statistics of why so many PCs of less-technically-expert people get infected so fast and so frequently.

This latest nefarious antic certainly gave me pause: I use Google sponsored links all the time. And--clearly wrongly--the fact that they appear on the Google search results page has always increased my sense of their legitimacy. One more thing to put on my personal list.

What about you? What of all the continuous stream of malicious tricks particularly alarm you? Have you ever fallen for one? Has anyone near and dear to you been tricked into giving up sensitive data? Let us hear your stories.