"Microsoft doesn't have a monopoly on all the technical vulnerabilities that are out there," Zulfikar Ramzan, technical director of Symantec Security Response, said Tuesday in a phone interview with PCWorld.
Today's online criminals are far more likely to target user behavior rather than a technical flaw in the OS. "It's a lot easier to do that," said Zulfikar. "You don't need as many technical skills to find one person who might be willing, in a moment of weakness, to open up an attachment that contains malicious content."
This trend has been rising rapidly over the past two years. Currently, only about 3 percent of the malicious software that Symantec encounters exploits a technical vulnerability. The other 97 percent of malware is either "piggybacking on that 3 percent," or more likely trying to trick a user through some type of "social engineering" scheme, according to Zulfikar.
Tricking the User
In other words, most attackers now target human, not technical, vulnerabilities. The key is to trick someone, usually via psychological manipulation, into compromising their own security by installing malware, for instance.
One such attack is when an organization's chief financial officer (CFO) receives an email claiming to be from the IRS. "It says you haven't paid your taxes, and if don't open up this attachment and fill out this form, we're going to fine you," Zulfiker said.
A similar scheme involves a bogus inquiry from the "Better Business Bureau." The attacker(s), claiming to be the BBB, email a company's CEO and say they've opened a complaint file against the firm. The email then instructs the CEO to open the attachment to find out more about the complaint.
Of course, in each case, the attachment propagates malicious software onto the recipient's system.
So what's a business to do? First, treat any inbound inquiry with a healthy degree of skepticism. "That should apply through all forms of communication--not just email, but even phone calls and things of that nature," said Zulfiker. And make sure that all of your employees are aware of these risks. "It's important to educate people, even on the front lines, to be careful what you divulge to the outside world about the company," he added.
Microsoft: Still the Biggest Target
No computer or operating system is 100-percent secure, of course, and different types of systems are vulnerable to different exploits.
"Microsoft, being the biggest company in the software space, has attracted the most attention," Zulfiker said. "People have tried to attack Microsoft's products because of the (huge) market share. If I'm an attacker, and I want to make the most profit from my attacks, I'm better off going for the company with the most machines out there. That tends to be Microsoft."
And if Google's upcoming Chrome OS takes off in the business and consumer market, it'll have a big target on its back too.