Users' Bad Habits Invite Malware, Forum Says

Some estimates suggest spyware problems in the U.S. are decreasing, but writers of all kinds of malware are prevailing -- partly because of computer user behavior, antispyware experts said last week.

Computer users run outdated antivirus software, operating systems and browsers because they're scared of change, said Janie "CalamityJane" Whitty, administrator of security software vendor Lavasoft's online support forums.

Whitty sees people running a 2003 version of antivirus software, she said during an Anti-Spyware Coalition conference in Washington, D.C. "The nature of malware has changed since 2003," she said.

In addition to problems caused by users, there's a healthy underground market for the kinds of data compromised by spyware and other malware, said Stefan Savage, director of the Collaborative Center for Internet Epidemiology and Defenses at the University of California in San Diego. The center monitored a popular malware-trading IRC forum for about six months in 2006 and found the advertised value of compromised bank accounts offered there was US$54 million.

While some estimates show the spyware problem shrinking, U.S. companies and consumers are losing the battle against malware in general, Savage said. Antivirus vendors, in unguarded moments, will say they're able to catch less and less malware as criminals become more sophisticated, he said.

The chances of an Internet fraudster getting caught are "virtually zero," he added.

"By any objective measure ... this is something we end up losing on," Savage said. "The more money these guys make, the more money they can invest to get better."

The panel on consumer behavior kicked off a day-long session on fighting spyware, during which many experts said they continue to have major concerns about spyware and other malware. Those concerns remain despite Consumer Reports' annual estimate of spyware that suggests the problem is declining. The magazine estimated that 850,000 U.S. households had to replace computers in the first half of 2007, with the cost of fighting spyware at $1.7 billion for the year. In 2006, spyware cost U.S. individuals and businesses an estimated $2.6 billion, the magazine said.

Part of the problem is that people hang on to outdated operating systems and browsers, even though newer ones have better security controls, because they don't want to learn how to operate the new software, Whitty said. "The malware changes," she said. "If we don't change with it, they're going to win."

Computer users seem to be of two minds when it comes to giving up personal information, added Susannah Fox, associate director at the Pew Internet and American Life Project, a research organization. Many young computer users will refuse to disclose personal information to e-commerce sites, she said. "But yet this is the same group that is putting their whole lives" on social-networking sites, she said. One private detective has told Fox that social-networking sites make it significantly easier to track down details about people, Fox said.
