So THAT'S Who's Doing it!

Early last month I posted a blog entry entitled "Who Is Doing it? Who? Who....?!". The main point of my entry was regarding the matter of people opening attachments and clicking on links that appear to be spam based.

I've just been reading the 2010 MAAWG Email Security Awareness and Usage Report, and it seems that the answers to many of the questions I raised in my entry are in the report. The MAAWG is the Messaging Anti-Abuse Working Group. In January 2010 they undertook a survey of general email users in the US, Canada, France, Germany, Spain and the UK. And they came up with some surprising and disappointing results. Well, they were surprising and disapponting to me, anyway!

It seems that half of the surveyed users have opened or accessed spam emails. 11% have clicked on a link in an email that they suspected was spam, with 8% having opened an attachment in an email they suspected was spam. And 4% have responded to an email they suspected was spam.

The survey found that 84% of the surveyed users were aware of botnets, but only one third said that they considered it likely that they could get a bot on their computer. The other concerning fact (for me) was that less than half of the users believed it was their responsibility to stop the spread of virus, fraudulant email, spaware and spam - with up to two thirds of the users believing that it is the responsibilty of anti-virus software companies and ISPs to stop the spread of malicious software.

Arrrggghhh!!!!! How do we stop users from being so short sighted and naive? It seems we still have lots of people who are willing to click on links and open attachments in emails, even when they suspected the email was spam and could be malicious.

If I had a magic wand, I would use it to make every computer user aware that they are responsible for their cyber actions, and get them to NOT click on links or open attachments in spam emails - and verify the source of an email before opening an email if they weren't sure if it was spam or not. And as I said in my previous blog entry on the subject, if every user stopped clicking on those links and opening those attachments, the spammers would quickly run out of business.

We clearly have a long way to go when it comes to raising user awareness with regards to computer security. Not just raising awareness but helping people to understand that these threats are real and are a threat to them as much as they are to everyone else out there. The sooner we get over the "It won't happen to me" mentality, the better!

Craig Johnston
Senior Cybercrime Research Analyst