When SANS released its top 20 vulnerabilities again today, its press release said that targeted attacks against users have set information security back six years.
Well, duuuh, I could have told you that. That's why I write security awareness courses and am writing a book about how bad things are - all in language the non-technical end user can digest, enjoy and understand.
Criminals combining all sorts of social engineering with malicious technology I reported on back in the mid 90's (Rootkits, trojans, self-spreading viruses and worms), can make anything look urgent and legitimate enough to get someone to click on things. For example, in my previous blog, I mentioned my mom, who calls regularly to tell me about her popups saying she needs to secure her computer. Because of my preaching, she knows how unsafe it is out there, and she's worried about her security, so the alert makes her want to click the link. Hell, I was nearly tricked yesterday myself with an unsolicited Windows popup dialog box telling me I typed in my email address wrong, please type my email in again here, with a field for the address AND THE PASSWORD. I'm getting these things despite running two types of anti-spyware, AVG antivirus, and about 4 other types of security technology on my XP.
Do I get these popups on my Mac? NEVER. No matter how much security we throw at it, I doubt we'll ever be able to secure the Windows environment.