As a software developer, tell me if you've ever done this:
And let's not forget the common goating technique where you take a screenshot of someone's desktop, make it the desktop background, then proceed to hide every UI element on the screen. The anguished cries as users desperately double-triple-quadruple click on pixels that look exactly like real user interfaces can typically be heard for miles.
I bring this up to generate some sympathy. I get fooled by my own FUI -- Fake User Interface -- at least once a month. If it can happen to us, it can happen to anyone. Which means FUI can be quite dangerous in the wrong hands. Consider Ryan Meray's story:
Okay, so here's an interesting one. My girlfriend is researching stuff on lilies, so she's trying to find the website for the Michigan Regional Lily Society. The website address is http://www.mrls.org/
Feel free to browse there directly; there's nothing wrong with it. But if you don't remember the URL, your first response is to Google it. We google and get this:
http://www.google.com/search?q=Michigan+Regional+Lily+Society
Now, if you're in Firefox, everything is fine. You click that first result, and you get to their website, and you learn about lilies.
However, if you are using IE, be aware, you are about to have a Spyware/Virus alert.
Obviously, the poor Michigan Regional Lily Society has fallen prey to website hackers. (Note that it may have been fixed by the time I'm writing this -- but I duplicated everything I'm about to show you.)
The first clever point is that the website appears fine if you navigate there directly. The malicious JavaScript code inserted into the page checks the referer and does something different if you arrive there via a web search engine. This means the people who own the website, and never arrive there through Google, would be scratching their heads, wondering what all the fuss is about. So the hack survives longer.
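A check a site owner can run for the referer-keyed cloaking described above, added here as an example (it is not code from the post or from anyone quoted in it). It scans inline scripts for the referrer-test-plus-redirect pattern the post describes, and it also fetches the page with and without a search-engine Referer header, which additionally catches the server-side variant of the same trick that the post does not cover. The fetcher is injected so the check runs offline against constructed sample pages; the redirect target in the sample is a placeholder, and the MRLS URL is the one from the post.

```python
import re
from typing import Callable, Dict, List

# Referer values a visitor arriving from a search engine would send.
# Constructed sample values; the compromised page in the post keyed on Google.
SEARCH_REFERERS = {
    "google": "http://www.google.com/search?q=Michigan+Regional+Lily+Society",
    "yahoo": "http://search.yahoo.com/search?p=lily+society",
}

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
REFERRER_RE = re.compile(r"document\.referrer", re.I)
ENGINE_RE = re.compile(r"google|yahoo|bing|live\.com|msn|ask\.com", re.I)
# Assignments to location(.href) or calls to location.replace(): the usual redirect forms.
REDIRECT_RE = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href\s*=|\.replace\s*\(|\s*=)", re.I)

Fetcher = Callable[[str, Dict[str, str]], str]


def find_cloaking_scripts(html: str) -> List[str]:
    """Return inline script bodies that read document.referrer, compare it
    against a search-engine name and then redirect. Each of the three on its
    own is common on benign pages; all three together in one script is the
    signature of the injection described in the post."""
    hits = []
    for body in SCRIPT_RE.findall(html):
        if REFERRER_RE.search(body) and ENGINE_RE.search(body) and REDIRECT_RE.search(body):
            hits.append(body.strip())
    return hits


def compare_referer_variants(fetch: Fetcher, url: str) -> Dict[str, bool]:
    """Fetch url with no Referer, then once per search-engine Referer, and
    report for each variant whether the body differs from the baseline.
    fetch(url, headers) returns the response body; it is injected so the
    check can run offline (wrap urllib.request in production)."""
    baseline = fetch(url, {})
    return {name: fetch(url, {"Referer": ref}) != baseline
            for name, ref in SEARCH_REFERERS.items()}


def audit(fetch: Fetcher, url: str) -> Dict[str, object]:
    """Run both checks. A site owner who only ever types the URL directly
    (like the MRLS owners in the post) never sees either symptom."""
    return {
        "client_side_cloaking": find_cloaking_scripts(fetch(url, {})),
        "server_side_cloaking": compare_referer_variants(fetch, url),
    }


# --- constructed samples for an offline run -------------------------------
CLEAN_PAGE = ("<html><body><h1>Lilies</h1>"
              "<script>var year = 2008;</script></body></html>")
# Constructed stand-in for the injected script; the target is a placeholder.
INJECTED_SCRIPT = ("if (document.referrer.match(/google|yahoo|msn/i)) {"
                   " window.location = 'http://example.invalid/fake-scanner'; }")
INFECTED_PAGE = CLEAN_PAGE.replace(
    "</body>", "<script>" + INJECTED_SCRIPT + "</script></body>")


def make_server_cloaking_fetcher(clean: str, tampered: str) -> Fetcher:
    """Simulate a server that serves the tampered page only to search visitors."""
    def fetch(url: str, headers: Dict[str, str]) -> str:
        return tampered if ENGINE_RE.search(headers.get("Referer", "")) else clean
    return fetch


if __name__ == "__main__":
    print(audit(make_server_cloaking_fetcher(CLEAN_PAGE, INFECTED_PAGE),
                "http://www.mrls.org/"))
```

Both checks are heuristics: the script scan flags only the referrer-plus-redirect combination, and the header comparison reports any difference, so a page with rotating ads needs a second fetch with no Referer to establish how much it varies on its own.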
But if you do arrive at the MRLS site through a search engine, like a huge percentage of the world does, you're redirected to:
http://scanner.antivir64.com/?aff=1050
The very first thing this page does is minimize the browser (Firefox 3, in this case) and present us with this JavaScript alert:
I'm intentionally juxtaposing the browser and the dialog here, but the browser is way off in the very lower right corner of the display and that dialog is smack dab in the middle of the screen. It is not at all clear that the dialog originated from that web page. It's a primitive technique, but it is surprisingly effective.
I didn't have the guts to click OK on that dialog; I clicked the close button. The browser then expanded to show this convincing "real time virus scan".
The static screenshot does not do it justice; the scrollbar moves, the list of files flies by as they are "scanned", and the web page rather successfully simulates an ersatz UI somewhere between Windows XP and Windows Vista. Of course, we know this Fake User Interface is completely invalid, because it is running in the browser, not on our PC. You and I may understand that distinction, but what about your parents? Your wife? Your children? Your less technically savvy friends? Will they understand this scary, authentic looking virus warning coming from an "encrypted secure site" is all a lie?
Honestly, whose PC doesn't "run slower than normal"? Maybe I would want to know if my computer is infected with Viruses, Adware or Spyware. It's all part of the culture of fear that security software companies -- and let's be honest, Windows security software companies -- cultivate so they can rake in millions of dollars per year hawking their software. The difference here, of course, is that it's increasingly difficult to tell the good guys from the bad guys. That's the downside of fear as a selling point: it cuts equally well in both directions.
Woe betide the poor user who is convinced through the trickery of FUI to install this "antivirus" software. The page does its darndest to convince you to run its payload executable. Any click on the page, no matter where, is interpreted as a download request.
The page also attempts a drive-by download, though those have been auto-blocked for years now.
It's tempting to put this down as yet another iteration of phishing, the forever hack. To be fair, this is exactly the sort of thing web browser phishing filters were designed to prevent. This site was already in the Firefox 3 phishing filter -- but it was not caught by the Internet Explorer 7 phishing filter, so I reported it.
I am all for phishing filters as another important line of defense, but like all distributed blacklists, they're only so effective.
What I'm more concerned about here is how well the user interface was spoofed. The browser FUI was convincing enough to even make me -- possibly the world's most jaded and cynical Windows user -- do a bit of a double-take. How do you protect naive users from cleverly designed FUI exploits like this one? Can you imagine your mother doing a web search on flowers -- flowers, for God's sake -- clicking on the search results to a totally legitimate website, and correctly navigating the resulting maze of fake UI, spurious javascript alerts, and download dialogs?
I know I can't. As much as I admire distributed phishing blacklist efforts, there's no way they can possibly keep pace with the rapid setup and teardown of hacked websites. How many compromised websites are out there? How many unsophisticated users surf the internet every day?
As always, we can lay a big part of the blame at Microsoft's doorstep for not adopting the UNIX policy of non-administrator accounts for regular users. But then again, if the spoofing is good enough, the FUI extra-convincing, even a Linux or OS X user could be coerced into entering their admin password for a "system security scan". Or maybe they just wanted to see the dancing bunnies.
And then, like Ryan, you're likely to end up with the same infected computer, and the same distraught spouse. All this for the love of a few lilies.
Short of user education, which is a neverending, continuous uphill battle -- how would you combat a perfectly spoofed FUI presented to a naive user?
For a start: never, ever, ever allow the browser chrome (address bar, nav buttons, status bar, etc.) to be hidden, or allow the browser window itself to be hidden/resized/moved/etc. I know Firefox has settings that allow you to enable or disable these things, and I always disable them. That way you at least get *some* indication that the window you're looking at is a website and not a real application, and it's harder to pull windowing tricks that make you lose track of what just happened.
David on August 18, 2008 5:59 AM
How about some combination of sandboxing and whitelisting by default? There's a very powerful presumption that, ultimately, the user has to have 'control' over what goes on his or her computer -- maybe this presumption needs to be revisited.
MattF on August 18, 2008 5:59 AM
Web browsers are responsible for a major part in fighting these types of attacks.
Identifying and blocking specific types of scripts can also prevent these attacks rather than trying to block just a single website.
Niyaz PK on August 18, 2008 6:01 AM
It happens every day, and it has happened to me once. You take care a lot of the time, but once in a while you do falter (and I am a hyper-techie type of person). And FUIs (good term) do increase the technophobia of elderly people.
Varun Mahajan on August 18, 2008 6:02 AM
Problems like this will persist as long as
1) People insist on using tools that they openly do not understand. Like web browsers.
2) Microsoft continues pitching products to people who use tools that they openly do not understand.
3) Microsoft continues to produce tools that are insecure by design.
Or, to be less verbose:
This problem will persist forever.
Matt on August 18, 2008 6:03 AM
The FUI looks convincing, but I think the file download dialog should give it away for most people. At least I tell my family and friends to never download and run any files from the web or e-mail like that.
Kalle on August 18, 2008 6:03 AM
Users are getting sophisticated enough, but the attacks are getting more sophisticated. Social engineering attacks like this almost always work, at least on a small subset of users.
When taking the amount of traffic in the internet into account, this small percentage becomes a very scary number.
My sister recently came to me with 'Antivirus 200' (or something like that). I immediately knew what happened, but she thought she was doing the right thing.
leppie on August 18, 2008 6:05 AM
The solution seems to be simple - end the monoculture of static themes. If every user had to pick colors and styles for his desktop theme on the first login, with NO DEFAULT VALUES, it would be much harder to successfully spoof a window. Alternatively, it shouldn't be that hard to write a browser plugin that automatically hides images behind a warning if they contain typical Windows elements, just like certain programs detect porn by looking for certain commonalities.
In the end, though, nothing is ever 100% secure, and it doesn't need to be. Viruses aren't actually the major threat people perceive them to be. While yes, they do make your PC slower, so does the new Office you installed, and while yes, they send your clicks to nefarious advertising companies, my mum just really doesn't care.
J. Stoever on August 18, 2008 6:06 AM
> The FUI looks convincing but I think the file download dialog should give it away for most people.
I don't know, Kalle. You think users are actually reading and understanding the file download dialog, much less the warning?
http://www.codinghorror.com/blog/archives/000114.html
Dialog boxes usually say "If you want to tech the tech, you need to tech the tech with the teching tech tech. Tech the tech? Yes / No"
Jeff Atwood on August 18, 2008 6:06 AM
This is really difficult. With the graphical expressiveness that people need to build meaningful applications, you'll always be able to fake web applications.
I think it will be pretty hopeless to prevent websites from faking real UIs. The better way to go is making the warnings even bigger when crossing a security line. In this case, you stop visiting a website and start downloading executable code that will be executed outside of the sandbox.
This should give a really huge, really annoying warning. Maybe you should even be required to type your password, or the sentence "I realize this might fry my computer", before being able to execute code from the internet outside of a sandbox. After all, this should be a very uncommon operation, so it's reasonable to bug users about it.
Mac OS X at least displays an additional warning about downloaded code, where it came from and the time when you downloaded before executing the program. But something that requires typing would be a lot better, as people tend to dismiss dialogs without thinking (being trained by gazillions of annoying senseless messages in Windows programs).
Martin Probst on August 18, 2008 6:06 AM
A part of my friend's business is to talk to people through messenger-type applications, so it got them all, and he has a lot of people he doesn't know about.
So, some weeks ago he got this MSN-type message popup from some random guy with a common name, so he just clicked it. Luckily, he didn't seem to get anything from this click after scanning his computer.
Even if I browse with NoScript, I find it hard to know what's fake or when it comes to download files from Filefront or anything like this. The file could be anything.
Allov on August 18, 2008 6:08 AM
Naive users cannot be protected until they get sophisticated
Nikos on August 18, 2008 6:12 AM
Being a non-administrator would definitely help, but it doesn't prevent the problem. All it does is limit the scope of the infection. Someone in Vista (or Gnome or KDE or OSX) running Firefox as a limited user can still run "systemscan.exe", and that program can still send itself in emails, set up fake webservers (on higher number ports, of course), scan the network, steal passwords, and set itself to start up again when the user logs in.
It would be a bit easier to clean up, I suppose.
Poor English is also usually a dead give-away.
"Your may have Spyware!"
Lee on August 18, 2008 6:13 AM
Java applets, when launching new frame windows, had some piece of chrome that was impossible to remove; can't remember if it was the titlebar, or I think it was a status bar kinda thing. And I think for some of the browsers/VMs it was an annoying yellow-background type of style. Not a complete answer, but better than nothing. Setting other limits also probably makes sense, like not allowing absolute screen positioning, so that you can conveniently 'hide' the browser's "This is a FUI!" chrome off-screen, or with a second FUI window, etc.
Patrick Mueller on August 18, 2008 6:14 AM
I recently saw something very similar, animated to look like the real thing, but it was hilariously obviously faked in the browser - I was running FF2 on PC Linux OS.
Back in Windows, one thing that helps is to change your colour scheme (title bars, fonts) and not use the defaults, these spoofs always use the most popular defaults. So if you've set your system to use purple title bars and the browser spoof comes up in XP blue or silver, it's obvious. (Also comes in handy to tell the source of pop up dialogs when running virtual machines, or VNC etc).
MartinC on August 18, 2008 6:15 AM
"The very first thing this page does is minimize the browser (...)"
Javascript that resizes the browser should die.
manu on August 18, 2008 6:17 AM
One word: NoScript
Ciaran on August 18, 2008 6:19 AM
Poor English is also a dead give away: 'Your may have Spyware!'
Lee on August 18, 2008 6:19 AM
Maybe the OS can constantly scan the UI for instances of certain security icons and graphics? But then we would inevitably get into a reverse CAPTCHA problem.
Maybe it should be a hardware solution... Microsoft could bundle a USB light that only they can turn on when using Windows Update, Defender, or other approved programs. Kind of like when browsers change the address bar color when on a secure site. Then you tell grandma to never trust any security warnings unless that light is on.
Daniel Sims on August 18, 2008 6:21 AM
My uncle had something like this come up for him, but at the time he was already infected with something on his machine which was causing these popups to appear. He called me up before clicking on one of the dialogs that came up. The guy is not a dumb guy, but the window that came up looked very convincing, windows logo the whole bit, claiming that he needed to download such and such antivirus to clean his machine off.
I explained that his machine was already infected and that was why he was getting these popups (they would come up whenever he opened the browser).
I had him install and run SuperAntiSpyware and that found a crapload of stuff on his machine. Seemed to fix everything.
I think he recently switched to a Mac.
Harvey on August 18, 2008 6:23 AM
How about having a way to customize your "native" window headers in a way that the spoofer will have no way to anticipate? Perhaps it's not possible on an OS which by default runs everything as the equivalent of "root", but I'm ignoring that pathological case.
I've noticed that on linux, the spoofed dialogs that look like windows dialogs really stand out as being fake. Yahoo mail has this thing where you tell it the location on your local machine of a custom icon file, which it will display. Yahoo-mail spoof sites won't have this info, so won't be able to display the icon. Similarly, the window manager could put some custom image in the window header, or whatever, and spoof windows would lack this feature, making them more obviously fake. Now if the browser allows websites to create "native" windows, this won't work, of course.
I'm with the first poster though -- why in the hell does the browser permit web pages to minimize it, hide various UI features, prevent clicking on window close buttons, block 'ctrl-W', etc? What is the point of having these capabilities?
I wrote about it 4 months ago: http://cranked.me/2008/04/zomg-viruses.html
Please don't forget comments that look like part of official messages from your blogging engine, from an authentic blogging engine domain, and look like 'Please see 'here''.
The solution? Use a safe operating system. Your sister/mom/dad/granny will not be able to break anything if they run under their own account with stripped rights.
Gary Schubert on August 18, 2008 6:25 AM
When I was looking into OpenID I noticed that MyOpenID (https://www.myopenid.com/) has an anti-spoofing feature where you upload a custom image which is displayed on every page once you are logged in. This allows you to (hopefully) spot if the web page isn't from the correct source.
Applied to this problem, by making your UI unique in some way, you should be able to spot when a user interface element is fake.
Mike H on August 18, 2008 6:26 AM
The "giveaway" of boxes where you have to click "OK" or "Yes" is also zero for the vast majority of computer users, educated or not. There are so many boxes to click OK/Yes in your daily routine that people just don't read them.
When the confirmation for "Are you sure you want to close Word" and "Do you want to install this nefarious executable" look identical save for the words, people are going to click OK almost every time.
The reason for this unexpected behavior is that we have learned to decide what we want BEFORE the box pops ups. When we click the X, we have already decided that yes, we want Word closed, so we click OK. When we click on the FUI Virus scanner, we have already decided that yes, we want to proceed and remove the virus. We aren't going to consider clicking "Abort" on a box that we expect to lead to the removal of the virus, and because of that we don't read it.
The solution to the problem is, of course, to make the user actively do something that forces him to consciously recognize that he has to make a serious decision. If instead of a Yes/No box there was a text field, where the user had to enter "yes i really want to install this suspicious file", I'd expect the amount of people who still want to see the dancing bunny to go down considerably.
J. Stoever on August 18, 2008 6:28 AM
2 Ciaran: NoScript won't help in case of non-tech-savvy user. They will just use IE because "Firefox doesn't show pages correctly."
Gary Schubert on August 18, 2008 6:28 AM
On the resizing and hiding firefox windows:
http://goodblimey.com/archives/2004/06/05/stop-browser-resizing-in-firefox/
jauco on August 18, 2008 6:28 AM
In the end, though, nothing is ever 100% secure, and it doesn't need to be. Viruses aren't actually the major threat people perceive them to be. While yes, they do make your PC slower, so does the new Office you installed, and while yes, they send your clicks to nefarious advertising companies, my mum just really doesn't care.
Excuse me ....
viruses are big business today. Having a virus-infested PC these days means in most cases that you are now a part of a botnet, sending spam and contributing to DDOS attacks on whomever the controller wants. In essence, your PC is no longer yours. It won't be long until we see ransom asked to have your PC functioning again.
Viruses are a very grave threat these days, not to the infected PC but to everyone else. That is why most viruses are so harmless to the PC they infect. It is beneficial for them that the PC remains functioning and operational.
Boran on August 18, 2008 6:29 AM
I get these on my Mac and giggle at the idea that my Windows directory is infected on it. You'd think they'd do some basic OS filtering...
ceejayoz on August 18, 2008 6:30 AM
Eleven words: NoScript is tedious if you already know what you are doing.
Craptaculus on August 18, 2008 6:31 AM
As I've tried to explain to my parents and so many others, although the UI is convincing, the dead giveaway is usually in the atrocious spelling and grammar, random capitalization, and excessive use of exclamation marks and the word "FREE".
The first paragraph in that dialog is something you'd never see in even an alpha version of a Microsoft product, or any commercial spyware/virus scanner. Then of course there's the message on the "scan" window below that says "Your may have Spyware" (my what?). And, like I said, random capitalization and exclamation marks everywhere. Everything up to the lame "Protect Now" vs. "Ignore" choice (why would you ever be given these options?), and the whole UI is positively littered with that phrase ("Protect Now").
One of the most valuable classes I had in elementary school was a "media" class where they taught us about the different types of advertising claims and marketing language. Unfortunately, I think that most schools and boards have done away with this. Although people like you or I are able to recognize these spoofs because they make no technical sense, even the most techno-illiterate user would be able to infer from the language itself that they're being "sold" something.
These phishers can be brilliant hackers and scammers but the one trait they all seem to have in common is god-awful writing skills. Forget about educating users on how the system works - if we can just educate them enough to intrinsically mistrust the words "free", "download", "now", and anything with an exclamation mark or ALL CAPS, I think we could save 9 out of 10 victims.
And I know that's an uphill battle too, and there will always be people who can't even be educated on that either. For those people I recommend shock therapy.
Aaron G on August 18, 2008 6:31 AM
@Martin Probst,
I think you are correct that this should be an uncommon operation (downloading and executing code from a website). However, the reality (and maybe the problem) is that it is not.
As an admin, I am installing things constantly, but that is not much of a problem. Except the problem is, when I see my not-too-web-savvy friends on the web, they are constantly downloading things (I mean constantly). Even more than I am. Regular users constantly download and execute things—that's why they use the internet. They get music, screensavers, games, videos, demos, and whatever else says "download me!"
People are generally just clicking on whatever looks like fun, and honestly they might not even really care if it breaks something in the OS. It's not like they have to fix it.
So, I would have to agree, the solution would be to make it so they can't install things if they do not understand the implications—but would they use a computer then?
"Why won't it let me do this!?"
Practicality on August 18, 2008 6:33 AM
Not have the windows for programs and documents use the same ui.
sam on August 18, 2008 6:33 AM
2 Craptaculus: go visit a site that starts with 'g00d-stuff' and ends with '.com' without NoScript and tell us how the fact that you know what you are doing helps.
Gary Schubert on August 18, 2008 6:38 AM
Similarly to what J. Stoever was saying about not using the default GUI, one approach to the problem is to undermine the attacker's ability to spoof the GUI by using a different GUI than the attacker expects. As a Linux user, whenever I see these sorts of things pop up on my desktop, I just slough it off because I know those Windows-style widgets and mock Windows apps don't belong on my XFCE desktop.
It's not enough just to break the homogeneity of the UI though, as the user may still be duped. If you're using an entirely different OS than the attacker expects, then even if you download the payload it isn't going to do the attacker much good.
Xyz on August 18, 2008 6:38 AM
I have to say, I disagree that Microsoft's security model would make any impact on this type of hack.
This FUI is making you think it is one of the good guys and therefore even if by default you weren't in as an Administrator, you would want to be in order to get this virus checker to work, right?
The only way around this problem is to educate all internet users that what they see isn't always real. More importantly, if you have specifically asked for something, don't do it. Any recommendations by any website should be considered completely unreliable.
Obviously this isn't an easy thing to do, and as always us "techs" will continue to get calls from friends and families asking us to unravel the horrendous state their home PCs have gotten into.
One thing I've started doing is installing a virtual temporary pc onto friends computers. If you want to browse the web, use this. A small lesson to explain everything will be gone as soon as they shut down and they're as safe as houses.
Robin
Robin Day on August 18, 2008 6:39 AM
@ Aaron G: What will you do once your dad comes to you with an infected machine and tells you that the website didn't contain bad spelling/grammar, random capitalization, exclamation marks or the word 'FREE'?
I bet a bottle of Jack Daniels' there exists at least one malware site with perfect grammar and no phrases like "Your may have Spyware!"
Gary Schubert on August 18, 2008 6:44 AM
Lynx
DanF on August 18, 2008 6:50 AM
> Poor English is also usually a dead give-away.
> "Your may have Spyware!"
I'm not so sure about that. The latest versions of McAfee have some blatant spelling and grammatical errors in the installers of their Dutch software :)
Best regards,
Onno
>> The FUI looks convincing but I think the file download dialog should give it away for most people.
>
>I don't know, Kalle. You think users are actually reading and understanding the file download dialog, much less the warning?
Well I hope most people do. But of course there will always be people who don't know what they are doing. But I'm not sure there is anything that could protect them... ;-)
Kalle on August 18, 2008 6:52 AM
My mother uses FF3 with NoScript ^_^
bothwell on August 18, 2008 6:57 AM
Keep in mind that sometimes the faking of thick clients is intentional and not with bad intentions at all...
More and more web pages try to offer the full package.
Part of the experience is showing a full interface with elements the user already knows from other software.
So any technique that disables/scans for those elements is out of the question.
A great way to block about 80% of the threats is to block all EXEs. Your average grandma has no need for anything executable on the PC. If she wants something installed for a particular purpose, she'll be on your phone anyway because the step-by-step wizard is too hard.
also, browse opera ;)
Boersnoes on August 18, 2008 6:59 AM
@Lee Many people who don't have English as their first language (or even second language) will not notice mistakes in grammar or spelling. Also, as Jeff already pointed out, many (most?) users don't actually read the contents of the dialogs.
Although some people will always be tricked, I think many problems can be avoided by following two simple rules:
1) Always read the message text.
2) Never agree (i.e. click "Yes") to something you don't fully understand.
This will work most of the time, as long as the dialogs themselves haven't been hijacked or faked (i.e. in Jeff's example, both the JavaScript dialog and the download dialog are genuine, so just clicking "Cancel" and "No" would prevent infection).
Anders Sandvig on August 18, 2008 7:01 AM
@ Practicality
the problem is not people downloading stuff, but people downloading stuff that crosses the security barrier which the browser sandbox forms. So downloading MP3s is ok, and there is a whole class of applications that are totally ok and harmless - nobody needs real hard drive access for a funny flash game.
I think there was once at a time some Microsoft .NET stuff which was supposed to give such fine-grained access levels to downloaded applications, where apps could request only small permissions. That doesn't seem to have worked yet, but if the incentive for developers is "users will be bugged by a scary password dialog if they run my app", that might work.
Java web start and I think regular Java apps also once had something like this, where apps running on the client (not applets) could request only some partial rights. But the only distinction was "no rights" or "all rights", which doesn't really help :-(
Martin Probst on August 18, 2008 7:04 AM
Jeff,
An important aspect of these attacks is that fooling users generates money through various pay-per-click schemes, worms which deliver the cookie payload (or worse), later used to "click the unique click"... In other words, fooling users is a serious business which, for some, generates an income far better than the best consulting fees in IT business.
Sad fact is that a black-belt in fooling users pays better than a black-belt in not-fooling users. But that's a topic unto itself.
Keep in mind that fooling users is not illegal and gets officially classified under "Online Marketing".
BugFree on August 18, 2008 7:16 AM
Wow, lots of comments. Anyway, interesting stuff, and I really like the term FUI.
Will on August 18, 2008 7:18 AM
Wait? I thought JavaScript was the bestest!?!?!
-N
NRR on August 18, 2008 7:18 AM
Now if the popup said "Woe betide you if you don't save this file!"
Listening to some old songs this weekend Jeff? :)
Joe on August 18, 2008 7:20 AM
For what it's worth, my girlfriend has been educated by me about these things, so as soon as that FUI popped up, I heard a plaintive cry from her computer room: "Ryyyyyyyannnnn! I've got spyware popups!"
She knew to click the X's, not the 'cancel' buttons, and a thorough scan of her system showed us that while the installer was downloaded, it didn't execute.
Disaster averted.
Who knew how dangerous gardening could be to your IT health?
Ryan Meray on August 18, 2008 7:21 AM
That's quite a clever attack; it even gets around Google's protection against sites that "may harm your computer".
Firefox's NoScript plugin does an excellent job, disabling JavaScript, Flash, and more by default and using a whitelist approach to turn it back on.
Did you or Ryan inform MRLS of this, Jeff? I tried the link to Ryan's page, but got a "we're still building this site" message.
Alastair Smith on August 18, 2008 7:37 AM
I love your site, but is there any chance you could be a bit more diverse with your examples of useless users? I'm pretty sure this isn't the first time you've used "your wife" or "your mother" for this. I'm neither wife, nor mother, nor indeed female, but am beginning to feel offended. For the record, my mother is indeed pretty gormless about such things, but my wife is a smart non-IT-industry user.
Some background:
http://www.tbray.org/ongoing/When/200x/2005/03/20/Women
Perhaps one to post about? In the meantime, keep teching the tech!
Anti-sexist Pig on August 18, 2008 7:37 AM
>>> As much as I admire distributed phishing blacklist efforts, there's no way they can possibly keep pace with the rapid setup and teardown of hacked websites. How many compromised websites are out there? How many unsophisticated users surf the internet every day?
I think that is why it is up to the companies developing Anti-virus software to design a way to prevent the "bad-guys" from being able to spoof them. As a security initiative, Anti-virus software should be developed so that it is easily identified by the person using it (based on What you have, What you know, and/or Who you are). This could be something as simple as a big, bold label that has some kind of unique trait about yourself, always in the same spot. That way, if you don't see "Mike T." in green, bold letters in the upper-right hand part of the window, you know it's not your software. I know this wouldn't prevent everyone from clicking the wrong thing, but it might help.
Mike on August 18, 2008 7:43 AM
Gary Schubert: "go visit a site that starts with 'g00d-stuff' and ends with '.com' without NoScript and tell us how the fact that you know what you are doing helps."
If you really know what you are doing you don't visit sites with "g00d-stuff" in their names. I don't have NoScript. I also know what I'm doing, therefore I didn't go to that site.
Do I win a prize?
Bob on August 18, 2008 7:48 AM
I clicked on the direct link, nothing happens, page renders fine.....
I clicked on the google search link, click on the first results from google, nothing happens, page renders fine.....
I typed in the url my firefox address bar, nothing happens, page renders fine....
Oh.. shit, I forgot, I'm using Ubuntu with Firefox 3.
Alfred Toh on August 18, 2008 7:49 AM
Actually, on Vista, no account is "administrator by default," that's the whole point of UAC.
I know that it's just going to become "another prompt" to some people, but if you were on XP as a standard user, you'd get the same prompt, it would just ask for a password too (it's the same on Vista if you're not admin btw).
The biggest problem is not that people are uneducated about these things, but that they simply don't want to know. MS already puts about 10 warnings saying "this may harm your computer" and "only click continue if you trust this publisher" etc, but people just ignore it because they want their dancing bunnies, or, in this case, free antivirus.
Allied on August 18, 2008 7:52 AM
I've always thought that JavaScript alerts look far too much like regular system alerts.
Mattkins on August 18, 2008 7:53 AM
I'm not a Mac zealot or anything (far from it), but use OSX. Apple have strict standards as to how applications should look, so a FUI like that would look out of place. On Windows, design decisions are left solely up to the developer (*cough*Itunes*cough*), so it's far easier to trick users into thinking they are looking at a real application.
Matt on August 18, 2008 8:10 AM
@allied: People don't generally run windows xp as non-administrator, because it's such a bitch to get _anything_ working then. A lot of the same goes for Windows Vista, unfortunately, because UAC is necessarily a bolt-on, meaning some software publishers still force their customers to run as administrators.
Not that it helps much. The goal of this kind of software is to get itself installed on your system and use your resources, whether to run as part of a botnet or to steal your credentials for whatever. (your bank, myspace, world of warcraft, you name it) The only upside of running as administrator (for the trojan, anyway) is that it makes it a lot easier to install a rootkit and hide its presence from the user. But other than that, execution of the binary in a normal (non-sandboxed) environment is already game over.
Oh and I was also wondering about the perpetual wife/mother examples. How's your wife with computers Jeff? :)
wds on August 18, 2008 8:12 AM
Sometimes when I'm watching a screencast, and the person scrolls to another piece of code, I find myself clicking on their scrollbars to jump back up and look at something.
Darren Kopp on August 18, 2008 8:18 AM
I had to fix a friend's computer a few days ago, which seemed to be infected as it was prompting some unwanted 'beware, virus spotted'. After a few tries, I discovered the computer was truly infected, but by a virus specially designed for selling antivirus.
He altered the wallpaper to emulate a virus warning and replaced the screensaver by the well-known 'blue screen' followed by a fake XP boot. On top of that he was also pretty tough and gave me a hard time to evict him.
Kynes on August 18, 2008 8:24 AM
A couple of thoughts:
0. Build a decent OS. Upon reviewing the following items, it's apparent this is the only solution.
1. Build browsers that actually sandbox the web. For example, throw ActiveX out the window. It was a really bad idea to begin with. Also, javascript should not take full control of the browser. Every time the browser wants to download something, only allow the user to save the file. Never ask about immediately running a downloaded program.
2. Fix virus scanners. Between all the crap that McAfee/Norton/etc installs on a machine it's really hard to tell them apart for adware/malware. As a matter of fact, just build it into the OS. Those guys are ripoff artists anyway. I personally believe opening the windows kernel back up for them was a really bad idea.
3. Education will never work so get off that horse already. No one has time to read all of the boxes that show up on a daily basis. Which leads to my next item. Hell, I'd actually be surprised if anyone read this far in my post.
4. Get rid of pop ups completely. They are only used for adware, marketing, and techno speak. Normal people stopped reading them long ago. As a matter of fact they usually just close their eyes and click randomly on the screen until they go away. If you have to pop something up as an alert then the application is already doing the wrong thing. Besides the fact that Apple has proven with Time Machine that Infinite Undo for EVERYTHING is much better.
5. Simplify application installation / uninstallation. Honest to god why are apps allowed to install anything near the OS? The Registry is a waste of space. I should be able to go to an application directory, push the delete key, and have it GONE. Why do OS's even allow hidden files (even from itself) to begin with? Stupid.
Everything an application needs to run should be installed in ITS application folder, sharing that crap was a bad idea to begin with.
Maybe if all the browsers supported some type of "Report Spyware" button. So that when someone like Jeff or another techy notices it's a bad site they report it and the rest of the noob people benefit.
Gary Schubert: "go visit a site that starts with 'g00d-stuff' and ends with '.com' without NoScript and tell us how the fact that you know what you are doing helps."
Bob: If you really know what you are doing you don't visit sites with "g00d-stuff" in their names. I don't have NoScript. I also know what I'm doing, therefore I didn't go to that site.
Do I win a prize?
I won't say that it is possible to click on a link in a text message from a trusted friend who is tech-savvy.
I will choose another scenario. Page shows on a first page of search engine result pages. Your action?
You have two choices (even if the link will look suspicious to you):
1. Pee your pants and don't go there
2. Boldly go there and either find the information you need or laugh at puny attempts of "Antivirus XP 64 2008 (c)(R)(tm)(nt)" to scan 'C:\Windows\System32' folder on your Linux box.
Great timing. I actually went through this very thing with my mother on the phone last week. The key to diagnosing it on the phone was the right-click then view source. Otherwise it was very hard to distinguish.
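Automating that "view source" check, as an added example that is not from the post or any commenter: a Node.js heuristic that pulls the inline scripts out of a saved page and flags any that branch on document.referrer and then reassign the location, the pattern the post describes on the compromised lily-society page. The sample HTML and the scanner.example.invalid destination are constructed for the example.

```javascript
// Heuristic scanner for referrer-conditional redirects in saved HTML.
// It flags inline <script> bodies that (1) read document.referrer,
// (2) mention a search engine, and (3) assign a new location. External
// scripts are listed so a reviewer can fetch and read them by hand.
// Obfuscated scripts will evade this; it is a triage aid, not a proof.

const SEARCH_ENGINE_HINTS = ["google", "yahoo", "msn", "live.com", "search"];

// Matches location = ..., location.href = ..., window.location = ...,
// location.replace(...) and location.assign(...), but not comparisons (==).
const REDIRECT_RE =
  /\b(?:window\.|top\.|document\.)?location\b\s*(?:\.href\s*=(?!=)|=(?!=)|\.(?:replace|assign)\s*\()/i;

// Split a document into inline script bodies and external script URLs.
function extractScripts(html) {
  const inline = [];
  const external = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (src) external.push(src[1]);
    if (m[2].trim()) inline.push(m[2]);
  }
  return { inline, external };
}

// Return { findings, external }; each finding names the inline script index,
// the reasons it was flagged and a short snippet for the reviewer.
function findReferrerRedirects(html) {
  const { inline, external } = extractScripts(html);
  const findings = [];
  inline.forEach((body, index) => {
    const lower = body.toLowerCase();
    const reasons = [];
    if (/document\.referrer/i.test(body)) reasons.push("reads document.referrer");
    if (SEARCH_ENGINE_HINTS.some((h) => lower.includes(h))) reasons.push("mentions a search engine");
    if (REDIRECT_RE.test(body)) reasons.push("assigns location");
    // Require all three: referrer-only or redirect-only scripts are common and benign.
    if (reasons.length === 3) {
      findings.push({ index, reasons, snippet: body.trim().slice(0, 160) });
    }
  });
  return { findings, external };
}

// Constructed sample: a benign page with one injected script of the kind the
// post describes (placeholder destination, not a real site).
const SAMPLE_HTML = `
<html><head><title>Regional Lily Society</title>
<script src="/js/menu.js"></script>
<script>
  if (document.referrer.indexOf("google") != -1 ||
      document.referrer.indexOf("yahoo") != -1) {
    window.location.href = "http://scanner.example.invalid/?aff=0000";
  }
</script>
</head><body>
<script>document.getElementById("year").textContent = new Date().getFullYear();</script>
<p>Welcome to the lily society.</p></body></html>`;

// Usage: node scan.js (prints the findings for the constructed sample).
console.log(JSON.stringify(findReferrerRedirects(SAMPLE_HTML), null, 2));
```

Run it against `view-source` output saved to a file (`fs.readFileSync`) instead of SAMPLE_HTML to triage a real page; only scripts meeting all three criteria are reported, so a clean result still calls for reading the listed external scripts.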
Stephane Grenier on August 18, 2008 8:48 AM
My first thought has already been commented above -- the showstopper should be the "do you want to run native code?" dialog. I try to encourage family+friends _never_ to say yes unless they already understand the software they're installing. This goes for Java Web Start, Webex, etc. etc. -- which could count as malware depending on who you're talking to.
This tends not to work because of the tendency towards instant gratification.
My second thought was, we should start smacking (or smacking harder) the growing population of Ajax developers who are calling for the relaxation of well-placed security mechanisms in the browser. (You know, all those nasty sandbox restrictions are forcing them to write code properly, which takes too long.)
A family member's computer was infected with "antivirusxp2008" just recently. The screen-shots above look eerily similar. I was wondering how in the world it got on there. I think you've answered that one for me. The malware/virus itself was about as nasty as they come. Given that there was no real data on the machine, I wiped it clean and reinstalled the OS (it was the fastest solution). When I give them the computer back it will have Norton, Spybot, Defender, and IE's phishing filter installed or enabled, along with a stern warning from me about clicking on dialogs like the ones above.
Scott Marlowe on August 18, 2008 8:54 AM
In addition to the quest for a phishing solution for the flower searching masses, the concept of spear phishing takes this FUI to a new, more personal, level:
http://www.microsoft.com/protect/yourself/phishing/spear.mspx
It seems that you have been practicing spear phishing on yourself…? So maybe the real question is "How can Jeff protect his computer from himself, and still be happy with his quality of life?"
"me -- possibly the world's most jaded and cynical Windows user "
Ha! A truly cynical user would surf with JavaScript disabled.
Adrian on August 18, 2008 8:55 AM
Gary Schubert: "1. Pee your pants and don't go there
2. Boldly go there and either find the information you need or laugh at puny attempts of "Antivirus XP 64 2008 (c)(R)(tm)(nt)" to scan 'C:\Windows\System32' folder on your Linux box."
Actually, I go for option 3, which is similar to option 2 but snazzier:
3. Use OSX.
Bob on August 18, 2008 9:01 AM
The heart of the problem isn't the web browser or user awareness, it's the spammers/hackers themselves.
Too often, they face no consequences for their actions. What's to deter them?
We had a website hacked at my old company and a PayPal spoof was put up on our page (the URL of which was then sent to unsuspecting prey).
We sent the FBI our server logs and other information we dug up about what had happened. Do you know what we got back? A confirmation email is about it.
We had the State Police come in to investigate too and they pretty much told us that nothing was going to happen, they get too many of these complaints to handle.
Kris on August 18, 2008 9:13 AM
And because they're out of country, it's hard to get the jurisdiction to do anything. Too many foreign countries are lax on these sort of laws... just look at where the hacking is coming from, I'm willing to bet it's mostly outside of the US.
Kris on August 18, 2008 9:14 AM
How to combat spoofing? Easy. Customize the web site per user. Spoofing only works when users have basically the same view of the website (one spoof - many victims). So if, for example, eBay would let you configure a custom background color, you should be able to notice that the page you're viewing is some spoof (that won't know your choice of color). A real solution is a bit more complex (like maybe a secret keyword configured in the browser that only the browser can render within password controls or into the url bar, etc.), but the idea is the same. Customize the UI per user so spoofing (which relies on most users expecting to see basically the same UI) stops working. It can be a browser based solution, or something web sites offer to their users (some already do).
"But then again, if the spoofing is good enough, the FUI extra-convincing, even a Linux or OS X user could be coerced into entering their admin password for a "system security scan". Or maybe they just wanted to see the dancing bunnies."
Not any Linux operator worth their salt. Even a mildly savvy junior Linux scout knows which apps ask for the root password; any app which did so unexpectedly would stand out like so: OH_MY_GOODNESS_SYSTEM_ATTACK_IN_PROGRESS.
Ubuntu, unfortunately, is probably making this much more likely than I'd like to think....
Tarkin on August 18, 2008 9:20 AM
I've always thought a new R needs to be added to the education system. Reading, writing and arithmetic are fine till they are all done on computers. At which point you really need to start teaching computer use to everyone. These problems would vanish if you were taught from primary school how computers work. It's hard to find analogues given the scope that computers change how things work to show by example. But it's becoming necessary that everyone be taught to a basic level of computer literacy.
Duggy on August 18, 2008 9:21 AM
The slickest hack I've seen was on one of my sites... someone got in and changed my Google Adsense ads to theirs.
Of course I reported them to Google when I realized it, but who knows if they did anything about it and who knows how much money they raised before they were stopped.
Kris on August 18, 2008 9:21 AM
If you want to prevent the FUIs, you need to make errors significant.
For instance, if every time you started your car, your oil light came on, "just to remind you to check your oil once in awhile" your car would probably be in pretty bad shape after a few missed oil change dates.
At Microsoft I think one of their metrics for measuring success of code is how many error boxes it pops up (higher = better).
Brad on August 18, 2008 9:21 AM
Instead of blaming the "stupid users" or Microsoft, how about some actual technical suggestions?
For example, if JavaScript dialog boxes looked different, and were visually "attached" to the browser pane that spawned them (kinda like how some OSX popups are attached to the window frame), then it would be much easier to see that the web page is the one putting up the message. Right now it just says "The page at X says..." which is really easy to miss.
Browsers should, by default, not allow for resizing the browser window, hiding it, or hiding any of the chrome. I know FF has options for this, but those capabilities should never be granted for web pages.
Ben Hollis on August 18, 2008 9:24 AM
@Anders: "Many people who don't have English as their first language (or even second language), will not notice mistakes in grammar or spelling."
I'm here to tell you that even native English speakers often will not notice mistakes in grammar and spelling, either because their brain "auto-corrects" or (more often) they routinely make exactly the same mistakes themselves. Most Americans can't write worth a spit.
Bob: Actually, I go for option 3, which is similar to option 2 but snazzier:
3. Use OSX.
http://www.channelregister.co.uk/2008/03/28/mac_hack/
99 security updates for Safari: http://search.info.apple.com/?q=safari+security&type=kbdload&search=Search&lr=lang_en&search=Go
I'm sorry to tell you that, Bob, but Apple sucks even more than Microsoft. The only reason Apple customers are safer now is because no one needs them.
Gary Schubert on August 18, 2008 9:32 AM
Conspicuously absent from the discussion on how to avoid getting infected by a virus is the best current solution - antivirus software.
The best solution to keep grandma from "installing" fake antivirus software isn't to try to teach her about browser chrome and the mechanics of malware, it's to get there first and install a trusted antivirus program first.
I know you've dismissed antivirus software as worthless, but that doesn't really make sense in this case. AVG protects against antivir64. Done.
I just clicked through and installed from http://scanner.antivir64.com/?aff=1050. AVG (of course) detected the trojan install, and the AVG UI is well designed so ignoring the threat takes several steps and is not easy to do. Grandma is safe.
I don't run AVG on all my development machines - I'm running Vista as a limited user and that's good enough security on those machines (they don't have an e-mail client, etc.). I do run AVG on my communication computer (outlook, browsers, chat) and it has caught virus install attempts in the past year.
But, I absolutely install AVG on my parents, wife's, and other friends' computers. For precisely the reason you spelled out in your post.
Jon Galloway on August 18, 2008 9:51 AM
Windows Vista runs as a non-admin user by default, even when running as Administrator. Had you attempted to run this software, you would have received a UAC prompt if you were running as Admin and a password prompt if you were running as non-Admin.
I agree that this is a problem and it's really, really easy for non-technical users to be fooled. Right now, the best defense against this stuff is education combined with updated software and anti-malware protection.
Carl@Brightrev on August 18, 2008 10:01 AM
I work on Macs most of the time. The argument that "Apple advocates standard interfaces, so these spoofs don't look right on a Mac" is laughable - almost every Apple Design Award winner uses nonstandard interfaces.
But what IS important is the font used; every screenshot of a Windows (or "windows-esque") dialog looks wrong on a Mac, since the FONTS are just plain wrong. Dead giveaway for me. Not for Mom or Grandma, sure, but it is for me.
Bob G. on August 18, 2008 10:02 AM
How can 3 fellow programmers create a successful business?
-the 1st one writes viruses
-the 2nd one writes anti-virus software
-the 3rd one writes an operating system to reduce the size of the (anti-)virus executables.
Back to FUI issue:
Build a REALLY good anti-virus/spyware in the OS so whenever something gets downloaded from the Internet (Web, FTP, E-Mail, Instant Messaging, p2p, etc) it gets scanned before it's allowed to run.
To all of you OSX fanboys: what about a site that determines the client's OS and presents you with a different, native FUI?
James on August 18, 2008 10:03 AM
The major problem to me here is the system message box. Why should a website be allowed to create a message box? Anyone who has now used an AJAX based site knows it's possible to display an in-page message box to ask the user questions.
Something that might help is turning these style boxes into modeless boxes that are rendered at the top of the page in a banner-ad-esque style rather than a system style. This also means you could place security warnings more easily next to this box.
Doing this would encourage real website owners to use custom boxes within their pages so they are noticed, regular users meanwhile would be more inclined to ignore these style boxes, thinking it's a banner ad.
Nidonocu on August 18, 2008 10:27 AM
>> As always, we can lay a big part of the blame at Microsoft's doorstep for not adopting the UNIX policy of non-administrator accounts for regular users. But then again, if the spoofing is good enough, the FUI extra-convincing, even a Linux or OS X user could be coerced into entering their admin password for a "system security scan".
My comment is totally off-topic but whenever I see a note where it states that UNIX might be safer because how the root/admin account is managed and the system parts are secured with it, it makes me want to post a comment like this.
Let's split up the files on a computer in three different categories: 1) the system's file (c:\windows\system, /sbin/, etc etc), 2) application files (c:\program files\, /usr/bin/, etc) and 3) user files (application data, my documents, /home/username).
Which of these does the user of the computer actually care about? Indeed... the user couldn't care less if all the system files were deleted, broken or infected, as long as the user files are OK!
So what if some virus installs from the browser and quite classically deletes all files it has access to... oh, it deleted all the files in /home/username/, but at least /sbin is untouched...! Not pretty.
thomas on August 18, 2008 10:32 AM
These guys are amazingly obnoxious and successful...
http://blog.spinn3r.com/2007/07/post-mortem-of-.html
They've busted a LOT of .edus.... They seem to target them directly as I think they're after pagerank boost and potentially weak security.
A number of top universities have been busted this way.
For example..... here's a short list of .edus we've seen compromised.
(Having a crawler which indexes 50-100M sites means we can compute interesting statistics).
> Forget about educating users on how the system works - if we can just educate them enough to intrinsically mistrust the words "free", "download", "now", and anything with an exclamation mark or ALL CAPS, I think we could save 9 out of 10 victims.
That doesn't work, as intrinsic distrust of "free" is the main obstacle for me convincing people to use FOSS.
I agree with Anti-sexist Pig. The "You and I may understand that distinction" juxtaposed with "Your wife?" (and no "Your husband?") seems to imply that the "we" who understand this distinction and are reading this article are by default heterosexual males. I am not. As a female, I find this pattern of "your wife/your mother/your grandmother" (but not "your husband/your father/your grandfather") as examples of noobs annoying.
Anon on August 18, 2008 10:35 AM
I encourage everyone to DOS the spammers
my own way: ab -n 10000000 -c500 http://scanner.antivir64.com/?aff=1050
At first, I thought this was going to be an article about usability :)
As far as phishing goes, there's no way to differentiate a legitimate UI from a fishy one. All an attacker needs to do is copy the legitimate UI. Even if they could somehow be differentiated, statistically speaking, there will always be a large number of users that will always respond to certain prompts with muscle memory, and there will always be a variety of newly deployed social engineering attacks that don't attempt to spoof any famous vendors in particular.
Profiling is pretty ineffective too: there's no correlation between language proficiency or graphics design skill and the intent to harm for profit. Also, just because you can tell a js popup from a real AV one, doesn't mean everyone else can do it too: keep in mind that Jeff's question pertains to a naive user.
Sandboxing also only does so much. If the user says "yes yes yes password yes uac yes I'm the administrator for this computer, so install and run this already", the whole sandbox goes right out of the window. Proclaiming one-sidedly to be the super admin for your aunt's computer seems kinda awkward too imho: it's like gifting her with a kitchen knife set and saying "i'll keep the keys to the scabbards, just in case". There was even a case in the news recently where a tech support kid hacked a woman's webcam by abusing that meme of "putting trust in the technical expert".
There are way too many attack vectors. If users can't decide on their own when to click on the close button instead of the ok button, no amount of code or UI tweaks ever will.
Leo Horie on August 18, 2008 10:44 AM
I can't stop laughing here...I just spent the weekend reformatting my father-in-law's laptop this weekend because he clicked on those links.
He's now running FF3 and I made every attempt to hide the IE icon from him.
Karthik Hariharan on August 18, 2008 11:17 AM
Take a gander at this: http://www.webloyalty.com and tell me if everyone involved with the web these days is going to hell. If we had any kind of "citizen" protection left would any of this crap happen? Note that I said "citizen" because we should be collectively protecting ourselves but since we are all "consumers" and no longer "citizens" the predatory scum of the earth are allowed to feed on us. What the fuck is freecreditreport.com and why has that site not been shut down? Because aside from your open mouth and available bank balance you don't matter to anyone who matters in this world anymore. "We are using our own skins for wallpaper and we cannot win."
Terrier on August 18, 2008 11:37 AM
Has anyone considered suing the web site owner (the redirect-host not the infected site) for this deceitful practice? The website claims to have found something that it actually has not and is attempting to sell you a product based on false advertising. That is actionable, is it not?
Here's what I believe, and I think it coincides with your blog:
1 - No matter how many borders or messages you put around a message, people will still be able to make an FUI that will fool quite a few people.
2 - No matter how hard you make it for users to get themselves into trouble (typing a secret password, su, etc) they will jump through all the hoops to see the dancing bunnies.
So if you accept #1 and #2, the only recourses are:
1 - Prosecute the criminals.
This is very hard due to where they are, another country, etc. and whether there are laws even written for this.
2 - Make it easier to see when you are infected and easier to fix.
Windows has too many places hiding what runs when you start up: Start menu, the registry Run setting, services, etc. And then when programs are running, you can't always tell. Unless you're going to go get procmon or something it's very difficult to figure out if a process in task manager is malicious. Assuming it's even showing up in task manager.
@Luke on August: It is virtually impossible to track down the false advertisers. And even if you do, they have hundreds (if not thousands of sites) hosting these bogus "ads". Shutting down one site and creating another is not a big deal (obviously).
Marketing practices can be summarized with an old adage "there is a sucker born every minute". For every sucker, there are people feeding on suckers and making a bit of money on it. This is the "Internet economy" everybody is harping about.
If Internet was a serious business, a licence should be required to open a business (even an online business). That would make all fraudsters illegal overnight and their hosting companies directly liable.
But why? Money is good.
BugFree on August 18, 2008 12:01 PM
You know what saves me from FUI all the time? I never use the default theme. Skinning is just one line of defense and it seems flimsy, but it can be incredibly effective.
Vojislav Stojkovic on August 18, 2008 12:18 PM
Sometimes I wonder if there is a market for a managed PC appliance. The problem is that we are expecting ignorant users to manage their own PC - running antivirus, installing programs, that sort of thing. I wonder whether anyone would pay a service a month to get a remotely administered system where someone else automatically deals with your security, updates, etc like at a corporate environment, and all they have to do is use it and put in occasional requests for new user applications/abilities they want to do.
Remove the power and responsibility of that class of user to administer their own computer and they can't break it either. The real problem is that people are so sold on having a powerful system that they don't understand.
Mike on August 18, 2008 12:44 PM
Randomize the colorscheme on installation of $OS. So no website can fake with a screenshot. Prefix all alert()s with website name in title ...
allo on August 18, 2008 12:49 PM
I'm digging the vista-esque website and then the XP style popup with, "Your may have spyware."
On another note. I agree with everyone who's said education is the answer. If we could just educate all the non techno-savvy users to be somewhat techno-savvy I believe that 80 percent of the people who get fooled by this type of site wouldn't anymore.
Inconsistancy on August 18, 2008 12:50 PM
Atwood, of course there is a good solution, but it's not obvious, and from seeing so many misguided suggestions in your comments, it's no wonder that we are where we are.
Ian on August 18, 2008 1:46 PM
Very helpful of you to point out the problem but what about offering solutions Ian.
What I ended up doing on my sister's pc was changing all the browser shortcuts so that they would start in limited user mode. Seems to work but I get the feeling she is just more careful after I whinged the whole time I was making her pc "run properly" again.
Reader101 on August 18, 2008 2:14 PM
I am going to talk to my local FUI expert. He is working from home and does not seem to mind it.
BugFree on August 18, 2008 2:55 PM
My wife ran into this exact same scam last week on some other web site. Luckily this was on my MacBook Pro laptop, so all I had to do was delete 15 or so exe files from the download folder.
Edward J. Stembler on August 18, 2008 3:03 PM
Re: Antivirus programs:
http://www.shadowserver.org/wiki/pmwiki.php?n=Stats.VirusYearlyStats
This is a table with the percentage of malware infections detected during the last 12 months by various AV programs on day zero, before anyone had distributed copies of those particular samples. Even the best program missed one malware program in twenty, and some well known and well respected programs did miserably. (I don't know about anyone else, but I've seen a lot more than twenty emails with links to malware in my inbox lately, almost every one of them on an innocent site that has been hacked.) If you check the short term stats elsewhere on the site, you will also see that individual AV programs move up and down the list as variants of malware come out that they are not good at detecting -- no one program is consistently "the best."
I regularly download samples of the malware I find through links in spam and submit them to www.virustotal.com, virusscan.jotti.org and until recently, Castlecops.com's Unknown Files forum. The results are quite discouraging. A sample is considered pretty well detected if no more than 50% of programs miss it.
In short, I would never assume a download is safe based solely on a lack of complaint from my fully-updated, high quality AV program. You have to look at the provenance of the download. Before I download something that appears to be legitimate, I want to know who wrote the software, who else recommends it, and whether anyone is posting on forums asking how to remove it. You really can get some very high quality free programs on the internet, so the fact that it is free isn't necessarily a red flag. But people don't know they should research a program before downloading, and they don't know which sites' recommendations are reliable if they do. If you google the name of a scam antispyware program, your top hits will include a lot of scam product review websites recommending it.
Similarly, if I come across a download via suspicious means, I don't need anyone to tell me it's probably malware. For instance, I don't subscribe to CNN updates, so any links in an email that claims to come from CNN is certain to be malware -- if my AV program doesn't think so, I submit the sample to them to add to their definitions.
Of course, with so many otherwise harmless sites being hacked, and now with cache poisoning, even following a bookmark to a site a user knows and trusts is not 100% safe. I use NoScript to block javascript with all but the most trusted sites. Whether I know what I'm doing is beside the point; I don't get to see the source code before the site loads in my browser.
As far as non-administrative accounts for users: It's a great idea. We do it for our employees' computers, since our business requires us to interact with companies that insist we use Internet Explorer. Unfortunately, it also seems to prevent Windows Updates from installing in XP unless an administrator logs into each computer every week (and then sits there during the download while logged in with our own passwords). It may be blocking some AV program updates as well. It's insane.
AlphaCentauri on August 18, 2008 3:23 PM
In Firefox go to tools > options > content tab, then click "advanced" to bring up the advanced javascript options configuration menu. Unclick everything on that dialog, this will disallow scripts from being able to move, resize, raise/lower, etc. existing windows.
In my experience, these features are never worthwhile, more often than not even when they are used by non-malicious sites they are an annoyance, and they allow malicious sites to manipulate your browser window and trick you. Note that this does not prevent a site from opening up a new window (when you click on a button, for example) which has a specific size, etc. so it really does not limit web designers to do "fancy" things with new browser windows, it just makes it so that nobody can surprise you with those features.
Robin Goodfellow on August 18, 2008 3:26 PM
I've noticed banks in particular have tried to jack up the security by having every user pick an image and then forcing every user to confirm that it's the right image when they login. Not quite the same thing as the FUI but the goal here is to add a bit of personalization that cannot be spoofed in an easy way. (I'm sure there are clever ways to get around such a thing, of course.)
If every OS window had some tiny thing in it that made it clear that it was real and the browser was not, or vice versa... anyway, but to dream.
Shmork on August 18, 2008 3:50 PM
@AlphaCentauri A somewhat effective AV program is much better than none at all, especially when it comes to uneducated users. AVG scores 90+ percent on zero day threats, climbing to around 98% soon thereafter.
Focusing on the zero-day threat is a strawman argument, like dismissing airbags because they don't protect you from asteroids and zombie attack. A virus takes time to propagate, so the statistics show that you're unlikely to win the un-lottery by being the unlucky one to encounter a virus first.
AVG protects from the virus listed in the blog post.
Installing one of the top AV programs immediately lowers the risk of internet usage from fairly certain to rather unlikely, especially for unsophisticated users (or sophisticated users who get sloppy).
Jon Galloway on August 18, 2008 4:24 PM
I agree with Jon that some AV should be run (I use the free AntiVir and have been very pleased) but Jeff rather scoffs at this idea which I think is like promoting driving without seatbelts (I don't have the links to his posts handy).
The web is "dangerous", period. When you connect you are open for attack. Many people should probably not use it because the attacks are so sophisticated.
Like driving, if you surf the web you must accept some risk.
Steve on August 18, 2008 4:43 PM
Oh, I was in no way implying one should not have an AV program! After all, if you trust a website and allow javascript for it, you are vulnerable if it is hacked. In fact, after submitting some of these viruses and seeing my own AV program not performing too well, I abandoned it mid-subscription and bought a different one because I do consider them very important -- I just don't abandon my own better judgment just because I've got a good one.
BTW, here's an analysis of one I got spammed for just now. 8/35 programs were able to detect it (jeez, you'd think anything named "ecard.exe" would automatically be detected by now ;) )
http://www.virustotal.com/analisis/28b64d84673fb36d4812353e8360a403
It was missed by AntiVir, Avast, AVG, Dr. Web, Kaspersky, McAfee, Microsoft, Norman, TrendMicro, and Webwasher, among others, and two of the ones that did raise alarms only called it "suspicious." (Some of the other top programs were not among those tested, so they won't get a copy of the sample to add to their definitions in case they don't detect it on day 0.)
AlphaCentauri on August 18, 2008 4:55 PM
I like the comment above about allowing for customizable sites, but you know, that's really not practical. What is practical though, is a themed user interface on the OS. During install of the OS (or the first load if it's a store-bought machine) have a few really easy screens with some basic theme choices. "Choose your color" with no default. "Choose your window style" with no default. Make the combinations of choices too robust to bother trying to find a common scheme.
Bill on August 18, 2008 5:19 PM
This is exactly like the ATM keypad FUIs.
B on August 18, 2008 5:33 PM
Train people in such a way they get jaded about these warnings.
Chui on August 18, 2008 5:34 PM
Browsers should not offer you the option to execute downloaded files directly. The user must then separately navigate to the download folder and run the downloaded file.
That should solve 90% of the problem I reckon.
stephen on August 18, 2008 5:37 PM
I think part of the problem is how browser security has been misrepresented in the past. People worry that websites will put cookies on their computer that will somehow infect their system and that just using a browser somehow opens their computer to all kinds of attacks. What they didn't hear is that browsers and websites don't have access to their entire system unless they allow it. No one tells them that their browser can't know that their "system is infected" and whatever else, and they should ignore and cancel anything that tells them so. Users should be informed that they shouldn't download anything that they didn't seek out unless they research it first. Basically, if they didn't directly ask for it, they should be very cautious.
FUIs are just going to become more and more sophisticated and will evolve with the look of operating systems and browsers. I think that if we could teach people to avoid things they didn't ask for that we could go a long way towards avoiding the problem.
Brad on August 18, 2008 5:54 PM
I can't wait for macs to get enough market share to become a virus target.
brian on August 18, 2008 6:09 PM
It's hard for people to understand that browsers can't know their systems are infected if Windows Update can look into their computer and know which updates they need.
AlphaCentauri on August 18, 2008 6:20 PM
If you've installed Vista then you have got so desensitized to clicking 'Yes' every 5 minutes that this is just going to sail right by. Security requires education about difficult topics and isn't really going to help since most people just want to watch videos and read email.
Use Lynx ;-)
"Grossman, for example, uses Firefox with the NoScript, Flashblock, SafeHistory, Adblock Plus and CustomizeGoogle add-ons for most of his web surfing, all to improve on the less-than-ideal state of today's web." http://www.theregister.co.uk/2008/06/23/marginal_browser_security_protections/
I think the search engines and web sites need to be more aggressive and proactive, and held accountable. In one respect, ease of entry is a good thing, but someone or something has to bring the infrastructure or technology to a - whole - new - level.
dj on August 18, 2008 9:30 PM
"As always, we can lay a big part of the blame at Microsoft's doorstep for not adopting the UNIX policy of non-administrator accounts for regular users. But then again, if the spoofing is good enough, the FUI extra-convincing, even a Linux or OS X user could be coerced into entering their admin password for a "system security scan". Or maybe they just wanted to see the dancing bunnies."
I agree with this 100% but the thing that annoys me is that people complain about this and then they complain about the new security features in Vista and how it nags and prevents anything from happening and then they go and disable the UAC and now they are just as vulnerable as any Windows XP user and then they complain when they visit a site like this and their computer is compromised.
I see much room for improvement versus Linux' security measures but still I believe Windows Vista is the best thing to happen to the Windows lineup since Windows 95.
Sorry, nothing personal against you Jeff but I just have to rant about that every time I hear "Windows" and "Security" in the same sentence.
Jimmy on August 18, 2008 10:19 PM
Well, assuming there is no exploit here, the only danger is downloading and running that executable. I've taught my parents well that just like in the real world on the streets of a large city, the web is full of crooks looking to scam you, so be cautious and alert of ANYTHING out of the ordinary. Basically, I've gotten my mom very familiarized with the concept of downloading files from Firefox, and to NOT click 'OK' on a download window that was not requested. In this case that would work, but obviously with major exploits that is not going to work.
Also, I can see how hacked legitimate websites are a really difficult thing to protect against.
On a related note, why in the BLEEP are you using Internet Explorer, for God's sake?? The first thing I do for novice users is to immediately switch them to Firefox for basic security against most drive-by malware installs...
Sandboxing does work: We got this really nice computer, new, fast, perfect. And next to it an old wreck that does all our connections to the vicious outer world. With virus scanner and an image handy. If internet files are worth keeping, they get examined before they are transferred (USB) or backed up. The tediousness of the process limits downloading too ;)
Nobody can claim he or she will see through any attack. There is good money to be made in this business so FUIs will get better:
they'll start to understand that the details matter,
not a gif but an AJAX app which will use your purple toolbar and your font,
they will make you think that you yourself have surfed to that website ...
For the nonce it does help to be in a statistically uninterestingly small market segment: not using XP/WIN/IE, not speaking one of the major languages.
I'm confounded as to why alert boxes still don't have more flashing lights that yell "danger, danger!". Calling alert("Your may have Spyware! Plaese click OK!!") shouldn't yield a message box just saying "Your may have Spyware! Plaese click OK!!", it should:
a) Clearly tell you that the following message is from the current website, and
b) the message was not issued by something that in any way can know anything about your computer, and
c) if it claims to have detected some kind of problem with your computer, it is lying, and
d) provide a way to immediately stop all scripts on the current page (like it does in Opera), and finally
e) "Your may have Spyware! Plaese click OK!!".
... preferably phrased by a non-developer.
It wouldn't solve all problems (the malwarers would switch to HTML FUIs, I'd reckon).
It'll probably still be kind of "This tech is tech from the tech, it cannot tech your tech, and if it says it does it's lying, do you want to stop the tech on this tech?".
But still, it's insane that a web page can allocate a _real_ UI element from the browser without the user being informed of its very unreliable source. IE gives the alert box the title "Windows Internet Explorer", while FF uses the title "The page at ${url} says:" (but honestly, who the crap reads the title bar of a message box? I don't, and I'm paranoid). Only Opera gives any clue that perhaps this message shouldn't always really be trusted, with their "stop executing scripts"-checkbox.
With the security arms race between the major browsers today, it's bizarre that nothing's been done about this. It's not like it's a big measure to take, or anything.
Or can anyone come up with any compelling reasons why alert boxes shouldn't add their fair share of the culture of fear, too?
gustafc on August 19, 2008 2:01 AM
That's why my wife is forced to do all her web browsing using lynx. Sometimes I let her use Firefox, but always with the NoScript thingy doing its job... oh! And she doesn't have sudo privileges. See, that was easy!
ubersoldat on August 19, 2008 2:46 AM
The problem is the need to allow interesting applications to appear in a web browser. This is at odds with actual web browsing.
IT shops want applications in a browser, and they want those applications to appear like and behave like applications everywhere. That means being able to do things like resize windows from script, eliminate chrome, and more.
I don't want web sites I'm browsing to do that, but it's hard to turn that on/off. Maybe we need more zone-specific security settings?
Phred on August 19, 2008 4:00 AM
You combat that very easily: mark every web page as a web page and do it in such a way that the web page itself cannot (under any circumstances) remove this mark :-) I'm surprised the browser vendors never came up with that concept.
E.g. draw a border around every webpage and offer no way for JS code to remove this border. Then you only need to educate the user "If you see this border around something on the screen, it is a webpage, not an application, don't fall for it claiming otherwise! And being a webpage, it has no access to your local system (files or hardware devices), no matter what it claims".
This way hackers could only fake it the other way round. They could intentionally draw a border around their app window looking alike - but why would they do so? What advantage do they have to pretend they are just a webpage if they are in fact a local app and already have full access to your system? In that case they better present no UI at all, so users never detect that this app is even there and running.
However, no attacking website can remove this border and thus they will always be clearly marked as web content. Or use a semi-transparent icon in the upper right corner. Maybe put a transparent watermark over the page - it's always the same concept.
The real problem though is that all current operating systems are not secure enough. In a perfectly secure operating system, all code needs to be signed (as Apple started in Leopard). You can say that you trust a vendor and thus you trust their signature. If you trust a signature, the app gets full access, as every app gets right now. But if you never trusted a signature or the code is not even signed, the app shouldn't be allowed to access anything. No network, no files, no hardware devices, nothing. Whenever the app tries to do anything, the user is prompted for permission by the system, even if it just wants to read its own config file; doesn't matter. That way the app can't do anything without the user's permission and the user will be informed exactly about every action of this app (e.g. which file it tries to read, which Internet server it tries to contact).
In practice most users will download software from vendors they know and make their signature trust and never get bothered again. The OS itself is trusted by default and all default binaries of the OS are signed with a trusted signature. But as soon as you download any application from the Internet (possibly without even knowing that it got downloaded and executed), the app is like in a sandbox and only the user can remove it from there.
Then it's only a question of educating users to not just allow apps they don't know anything about to jump out of the sandbox and to educate them that rejecting an app request usually has no negative consequences. Very often I see users clicking on "Allow" because they are afraid that if they don't allow it, they break something and their system ceases working. This is ridiculous. If a system stops working just because you once disallow a certain action, the system is a pile of crap and should be replaced by a decent system.
A good example of software that works according to a similar concept (but not for file or device access, only for network access) is LittleSnitch for Mac (one of the little utility apps I have actually bought as all freeware alternatives suck). Thanks to LS, no app on my system (not even command line ping) can send any network traffic anywhere without LS popping up and asking me for permission. Then I can choose to allow this access once, till the app terminates or forever (because I trust it). Further, if it says "Firefox tries to access www.google.com on port 80", I can generalize the request. Instead of just allowing this, I can say "Allow all ports on this server" (so 443, HTTPS would now work with Google, too) or I can say "Allow all servers on this port" (so all port 80 requests will work, not just those to Google) or I can say "Allow any request, any server, any port" to completely remove the protection of the app (again, just for the session or forever). If I made a mistake and allowed an app more than I should have, or if I blocked it permanently and now certain features won't work, I can always modify the list of my permanent entries (and those for the current session as well) using a config tool. Further, it detects if the hash of the binary changes, as someone could have replaced the app with another app to circumvent LS. Last but not least, LS works at kernel level using a kernel extension. A malicious tool could simply unload this kext (kexts can be unloaded at runtime in MacOS X); however, if it does so, network won't work at all anymore (this is an intentional protection of LS; it modifies the network stack in such a way that no packets can go anywhere anymore if it's unloaded at runtime).
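A small model of the per-application network allow-list the comment above describes, written in JavaScript as an added example; it is not code from the post, from any commenter, or from the Little Snitch product. Rules can be generalised along the axes the comment mentions (all ports on one host, all hosts on one port, or both), are scoped to one request, the session or forever, and are bound to a hash of the application binary so that a replaced binary matches no rule and the user is asked again. Deny-beats-allow precedence, the placeholder hashes and the host names are this example's own assumptions.

```javascript
'use strict';

// Added example, not code from the post, its commenters or Little Snitch:
// a model of a per-application network allow-list with the generalisations
// the comment describes. Rules are bound to a hash of the application
// binary, so a replaced binary matches nothing and the user is asked again.
// Deny-beats-allow precedence and the placeholder hashes are assumptions.

const ANY = '*';

class NetworkPolicy {
  constructor() {
    this.rules = []; // { app, appHash, host, port, decision, scope }
  }

  // decision: 'allow' | 'deny'; scope: 'once' | 'session' | 'forever'
  // mode: 'exact' | 'all-ports' | 'all-hosts' | 'any' (how far to generalise)
  addRule(request, decision, scope, mode = 'exact') {
    const host = mode === 'all-hosts' || mode === 'any' ? ANY : request.host;
    const port = mode === 'all-ports' || mode === 'any' ? ANY : request.port;
    this.rules.push({ app: request.app, appHash: request.appHash, host, port, decision, scope });
  }

  // True when rules exist for this app name but none for this binary hash.
  binaryChanged(request) {
    const forApp = this.rules.filter(r => r.app === request.app);
    return forApp.length > 0 && !forApp.some(r => r.appHash === request.appHash);
  }

  // Returns 'allow', 'deny' or 'prompt' (no rule covers this request).
  decide(request) {
    const matches = this.rules.filter(r =>
      r.app === request.app &&
      r.appHash === request.appHash &&
      (r.host === ANY || r.host === request.host) &&
      (r.port === ANY || r.port === request.port));
    if (matches.length === 0) return 'prompt';

    // One-shot rules are spent by the request they matched.
    this.rules = this.rules.filter(r => !(r.scope === 'once' && matches.includes(r)));

    return matches.some(r => r.decision === 'deny') ? 'deny' : 'allow';
  }

  // The app exited or the user logged out: session rules expire.
  endSession() {
    this.rules = this.rules.filter(r => r.scope !== 'session');
  }

  // The "config tool" view: every live rule, readable.
  listRules() {
    return this.rules.map(r => `${r.decision} ${r.app} -> ${r.host}:${r.port} (${r.scope})`);
  }
}

// Constructed walk-through of the Firefox / Google scenario in the comment.
function demo() {
  const policy = new NetworkPolicy();
  const firefox = { app: 'firefox', appHash: 'sha256:aaaa' }; // placeholder hash
  const http = { ...firefox, host: 'www.google.com', port: 80 };
  const https = { ...firefox, host: 'www.google.com', port: 443 };
  const other80 = { ...firefox, host: 'example.org', port: 80 };
  const ads80 = { ...firefox, host: 'ads.example.net', port: 80 };

  const trace = [];
  trace.push(policy.decide(http));                          // prompt: nothing known yet
  policy.addRule(http, 'allow', 'forever');                 // user allows exactly this
  trace.push(policy.decide(http));                          // allow
  trace.push(policy.decide(https));                         // prompt: port 443 not covered
  policy.addRule(https, 'allow', 'session', 'all-ports');   // "allow all ports on this server"
  trace.push(policy.decide(https));                         // allow
  trace.push(policy.decide(other80));                       // prompt: different host
  policy.addRule(other80, 'allow', 'once');                 // allow just this one request
  trace.push(policy.decide(other80));                       // allow, rule spent
  trace.push(policy.decide(other80));                       // prompt again
  policy.addRule(ads80, 'deny', 'forever', 'all-ports');    // block the ad host outright
  policy.addRule(other80, 'allow', 'forever', 'all-hosts'); // "allow all servers on port 80"
  trace.push(policy.decide(ads80));                         // deny: deny beats the port-80 allow
  trace.push(policy.decide(other80));                       // allow via the port-80 rule
  policy.endSession();
  trace.push(policy.decide(https));                         // prompt: session rule expired
  trace.push(policy.decide({ ...http, appHash: 'sha256:bbbb' })); // prompt: binary replaced
  return { trace, policy };
}

console.log(demo().trace.join(' '));
```

The interesting property is the last step: because every rule carries the hash it was granted under, swapping the binary does not need a separate "tamper detected" path; the stale rules simply stop matching and the system falls back to asking.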
Mecki on August 19, 2008 4:48 AM
Don't do anything about FUIs.
Each infected computer brings its tech ignorant user one little step closer to a heart attack.
So hackers and FUIs are only a part of God's evolutionary plan to wither away tech ignorance and eventually -- make the world a better place.
Tomek on August 19, 2008 5:00 AM
I work at a computer shop, and I can't tell you how many times I have seen similar viruses on customers' computers. From what I can gather, most of them don't even READ dialogs before they click ok. They don't care. They just want to play their free online poker or whatever silly thing they're doing.
I have had several customers who have ACTUALLY BOUGHT vundo/virtumonde variants such as WinAntivirus Pro, XPAntivirus, VistaAntivirus, etc.
These things are fairly nasty and we usually have to scan with several tools before it's all gone.
Matthew Morgan on August 19, 2008 5:11 AM
"The very first thing this page does is minimize the browser (Firefox 3, in this case) and present us with this JavaScript alert:"
Certain irony in this sentence after your previous post extolling the virtues of JavaScript.
Possible solutions are blocklists at either the PC or the router level and the NoScript plug-in for FF.
CS on August 19, 2008 5:18 AM
Themes, fonts, spelling errors, exclamation marks, textual style - using these to distinguish FUIs is a dead end. The FUIs will just start to emulate the native style more accurately. And pretty much any Windows machine contains applications with such widely varying visual themes anyway that the "pick your own theme" solution won't be of any use. (I don't remember when I last saw a media player of any kind that looked anything like the rest of the applications).
Remember how some years ago filtering messages with wrong To: field got rid of the vast majority of spam because the spammers didn't bother to forge that? They got smarter and now they put in not only the correct To: field, but often try to also use a plausible From: field too.
TT on August 19, 2008 5:22 AM
NoScript is a very useful extension to Firefox that would prevent this sort of attention diversion and spoofing. It's very easy to train users to temporarily allow a site to use Javascript; most of the time very little is added via scripts anyway.
I say this as a professional web developer who dearly loves Javascript.
I surf with scripting disabled and opt-in as needed. The world needs NoScript. The UI is fairly easy to use; clicking on a disabled section of the page will allow you to enable it. The only thing lacking IMHO is a good tutorial/walkthrough for new users.
Josh Peters on August 19, 2008 5:22 AM
Hmm... This simply could not happen on a real os. Even if the UI was more convincing than these and someone was going to enter their admin password for it, you just can't run code like this without the user knowing. ActiveX == BeyondFail.
dude on August 19, 2008 5:47 AM
"I agree with Anti-sexist Pig. The "You and I may understand that distinction" juxtaposed with "Your wife?" (and no "Your husband?") seems to imply that the "we" who understand this distinction and are reading this article are by default heterosexual males. I am not. As a female, I find this pattern of "your wife/your mother/your grandmother" (but not "your husband/your father/your grandfather") as examples of noobs annoying."
Werd. I don't think it's an unlikely scenario that there's a number of chicks reading this blog who get a bit irked at the way this is constantly used - certainly we've already found two (plus a sympathetic bloke-with-a-blog) who've commented.
Is it any wonder there's no girls on the internets when standard discourse about teching the tech tech all leans towards the ubiquitous suggestion that women are, like, totally thick and wouldn't know a tech if it teched right up to them and teched them in the face?
bothwell on August 19, 2008 5:58 AM
I don't think anyone has mentioned yet about the ultimate type of sandbox -- a VMWare appliance that (a) is linux based, and (b) starts from a clean image every time. I find it really useful if I'm ever in dancing bunny territory:
http://www.vmware.com/appliances/directory/browserapp.html
For those suggesting that changing the chrome will help: well, yes, it'll help a savvy user _a bit_, but consider the usual smattering of desktop apps and their popup windows that are skinnable, captioned vs captionless, odd-shaped, etc. I have my own choice of background texture, fonts and colours, but many apps have their own 'exciting' UI that takes no account of my preferences.
Yes, it looks like a Windows dialog. Well, it'll be pretty trivial to make it look like a Mac instead if they could be bothered. Your average mac user might bask in the glory of thinking they don't need a virus scanner, but if a message pops up telling them their computer is slowing down or has a virus, then huge amounts of them are going to hit the 'yes' button.
mandrill
the_mandrill on August 19, 2008 5:59 AM
Maybe we need two sorts of browsers.
One would be used only for browsing, and would only allow a limited amount of safe scripting. Nothing that could change the browser window, or open pop ups.
The other sort for web apps. This would allow the usual amount of scripting, but would only work with pages that had been specifically marked as an application. It might also require you to register a site before it could be accessed.
Steve Woods on August 19, 2008 6:17 AM
"That doesn't work, as intrinsic distrust of 'free' is the main obstacle for me convincing people to use FOSS."
No, the intrinsically crappy quality of FOSS is the main obstacle for you convincing people to use FOSS. People don't mistrust "free" at all, they LOVE free, as long it's also easy (which all those crapware toolbars and screen savers and wallpapers are).
Aaron G on August 19, 2008 6:25 AM
Sandbox those user accounts for your wife, baby.
And Virtualize. I liked your post on that :) And keep your docs on servers so you can access them from anywhere.
Greg on August 19, 2008 6:36 AM
For those who say that MS should build an AntiVirus into Windows, could you imagine the lawsuits this would cause: "Microsoft has an AV built into the OS and people aren't installing my program! WAHHH!!!!!"
Calvin on August 19, 2008 6:47 AM
Just use S&D - Spybot - http://www.safer-networking.org/index2.html
Has an app called "TeaTimer" which helps to prevent unwanted registry entries.
> As a female, I find this pattern of "your wife/your mother/your
> grandmother" (but not "your husband/your father/your grandfather")
> as examples of noobs annoying.
I agree that he probably should have said "spouse", but he never said "grandmother". Let's not make the poor guy out to be worse than he was.
As for the "mother" bit, he *was* talking about doing a web search for flowers (that was the specific site that was hacked). Perhaps your family's different than mine, but I can't imagine my dad ever visiting the Michigan Regional Lily Society website. Mom, on the other hand, I could see.
And while we are on the subject, let's not forget that women can have wives too. :-)
T.E.D. on August 19, 2008 7:03 AM
I suggest a minimum skills test and a licensing program before people are allowed to use a computer.... :)
kyle on August 19, 2008 7:44 AM
@kyle: That alone is the best idea ever created.
Calvin on August 19, 2008 8:16 AM
The first thing I do with a new compy for the wife or family is to have her pick a completely nonstandard theme that she likes. That way, FUI sites that model their UI after the generic XP/Vista look, stand out visually. She may not know what the website is trying to get her to do, but she can easily recognize that the OK button looks different than normal, and different == skeptical.
Kelly on August 19, 2008 8:19 AM
Antivirus is a scam. All it ever does is clean up a bunch of cookies. It slows your computer no matter what, unlike the chance of getting a virus which can be quite low if you think before downloading
The way I've got it setup, I boot with only 18 processes. If a virus came along it'd be noticed
Perhaps that's a way of having a startup virus warning system, warn the user if the number of processes opened after x seconds after startup is equal to the number they usually have on startup
If you are afraid of sharks, don't go into the ocean...
What does that have to do with it?
These idiots that write all the attack, phishing, stealing and generally 'just plain wrong' software are the sharks...
And their fins sticking up out of the water are their UIs; so you better get good at spotting them on the approach otherwise you're gonna get bitten...
Jeff, great write up in this post, you would be surprised at how many people, us techies as well, never think about this particular type of attack, bravo!
mac on August 19, 2008 9:20 AM
I think most people here are missing the point, most USERS will be pulled into this scam as it appears at first glance to tell you something is wrong. Any self respecting user will click OK as it seems to be the best bet.
Always tell everybody you meet, never click 'OK' always click 'Cancel' and if in doubt ask...
I tried to click on a bitmapped UI today. :-|
Chris J. Breisch on August 19, 2008 10:43 AM
"Always tell everybody you meet, never click 'OK' always click 'Cancel' and if in doubt ask.."
Is that a good idea? How do you know what the 'Cancel' button will actually do? I'd tell them to always click the little red cross.
Steve Woods on August 19, 2008 11:15 AM
I got that fake virus scan UI a few months ago, simply by visiting The Drudge Report!!
It was launched by one of the pop up ads. This is apparently a big problem, a game of whack-a-mole for ad servers.
It's extremely worrisome, and I had contacted the site about it.
I was on Firefox on a Mac, so obviously I wasn't fooled.
But imagine.. a site *that* popular, and popular with people not necessarily tech savvy.
"How many compromised websites are out there?" Industry analysts have quoted something like just one in 30 websites is safe. Read more in the post "Is Your Website Safe?"
http://www.pcis.com/web/vvblog.nsf/dx/06122008033044PMVVIUEJ.htm
Microsoft is partly to blame, by numbing us with endless dialog boxes asking us if we're sure. They think it's safer, but it adds to the dialog numbness. Then it says you need some crap to get rid of other crap. who's the boss here??? who pays the damn electric bill, the net bill, who owns the pc?? You do. tell it NO, under no circumstances do you want anything it offers. Not "well maybe if it's free and good" - nothing. That's how you have to think to survive. Your own attitude and behavior is the only protection.
Frank Rizzo on August 19, 2008 4:38 PM
I am rather fond of Antivir's refund policy:
"Refund Policy
If you are assured that quality of services given by us mismatches declared, you can demand return of money not later than 30 days from the date of payment, but thus your card will be blocked for payment of our services in the future.
For this purpose it is necessary for you to send inquiry with the detailed description of a problem on support@antivir64.com"
I wonder how much it would cost to hire a translator - it's got to be a profitable scam.
Aaron on August 19, 2008 6:09 PM
Alt-F4 will save you all.
Andy Wong on August 19, 2008 6:16 PM
Wow. I had Norton doing a search in the background that I'd forgotten about. It popped up as finished about half way through the article and scared the cr*p out of me.
Elk on August 19, 2008 7:53 PM
I love how the text "Now performing system components scan" is way out of line. IE CSS styling issues, anyone?
Brian Lowry on August 19, 2008 9:52 PM
This kind of threat can really harm those that are not familiar with PCs. For this reason I strongly suggest everyone have an antivirus like AVG. AVG in the 8.0 version has a plugin for IE and Firefox that shows you a little icon in the Google search page, showing if the link is secure.
But in the end I think that the only solution is to teach users how to protect themselves. But if you begin to teach people: Never install anything you are sure of, never click on a link in a mail... we come to a point where the user fears to click any button on the screen.
alk.
Gian Maria on August 20, 2008 12:30 AM
Great post with practical punch.
I'm not sure what the answer is. I'm pretty sure it's not user education -- that would never pass my "Mom test" (i.e. does it work for Mom). If prevention isn't possible, then I wish alert/recovery was better, but I think that's where backups/antivirus weigh in.
J.D. Meier on August 20, 2008 1:10 AM
Use some obscure operating system that looks completely different, like MacOS. The scammers don't target that OS because there is such a small percentage of people using it compared to Windows.
Vadim on August 20, 2008 4:21 AM
Hi to everyone:
While the Fake User Interface can be a burden for users, it CAN also HELP the developer.
For example (a common example): a customer asks a developer for an X application, but first he wants to see some screens. Of course it's impossible, or requires too much effort and developer time, only to show some fancy screens (and the customer can retract their offer). So what's the solution? Fake an interface: create an interface using Photoshop or any other graphics tool.
> I got that fake virus scan UI a few month ago, simply by visiting The Drudge Report!!
There's your problem right there. Seriously. This is a guy who exists to spread lies about the personal lives of people he disagrees with politically. You expect such a person to have moral qualms about taking money from "questionable" advertisers?
T.E.D. on August 20, 2008 6:38 AM
My web server was also infected with the same malware; it could be due to some FTP client that I use!
The way they achieve it is by editing the .htaccess files and rewriting the redirect.
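A check a site owner could run against the .htaccess files Shyam mentions, written in JavaScript (Node.js) as an added example that is not code from the post or from any commenter. It flags RewriteRule redirects whose target is a host the site does not own, and rates them highest when the preceding RewriteCond lines single out visitors arriving from a search engine, since that is the variant the owner never sees by visiting directly. The search-engine list, the owned host names and the sample .htaccess text are constructed for the example; the .invalid and example.net hosts are placeholders, not indicators.

```javascript
'use strict';

// Added example, not code from the blog post or its commenters: scan the
// text of an Apache .htaccess file for RewriteRule redirects that send
// visitors to a host the site does not own, the kind of edit Shyam
// describes. Redirects that fire only for search-engine referers are
// rated highest, because direct visitors (the owner included) never see them.

// Referer substrings treated as "arrived from a search engine".
// Assumption: illustrative list, extend it for the engines in your logs.
const SEARCH_ENGINE_RE = /google|yahoo|msn|live\.|bing|aol|ask\.|altavista/i;

// Host of an absolute http(s) target that is not one of ours, else null.
// mod_rewrite turns a fully qualified URL substitution into a redirect,
// so this is the strongest single signal.
function foreignHost(target, ownHosts) {
  if (!/^https?:\/\//i.test(target)) return null;
  let host;
  try {
    host = new URL(target).hostname.toLowerCase();
  } catch (e) {
    return null; // unparsable target, not our concern here
  }
  return ownHosts.some(h => h.toLowerCase() === host) ? null : host;
}

function scanHtaccess(text, ownHosts) {
  const findings = [];
  let pendingConds = []; // RewriteCond lines waiting for their RewriteRule

  text.split(/\r?\n/).forEach((raw, idx) => {
    const line = raw.trim();
    const lineNo = idx + 1;
    if (line === '' || line.startsWith('#')) return;

    const cond = /^RewriteCond\s+(\S+)\s+(\S+)/i.exec(line);
    if (cond) {
      pendingConds.push({ lineNo, variable: cond[1], pattern: cond[2] });
      return;
    }

    const rule = /^RewriteRule\s+(\S+)\s+(\S+)/i.exec(line);
    if (!rule) return;

    // Conditions apply only to the next RewriteRule, so consume them here.
    const refererConds = pendingConds.filter(
      c => /HTTP_REFERER/i.test(c.variable) && SEARCH_ENGINE_RE.test(c.pattern));
    pendingConds = [];

    const target = rule[2];
    const host = foreignHost(target, ownHosts);
    if (!host && refererConds.length === 0) return; // ordinary rewrite

    let severity, reason;
    if (host && refererConds.length > 0) {
      severity = 'high';
      reason = `search-engine visitors redirected to foreign host ${host}`;
    } else if (host) {
      severity = 'medium';
      reason = `all visitors redirected to foreign host ${host}`;
    } else {
      severity = 'low';
      reason = 'search-engine visitors rewritten to different local content';
    }
    findings.push({ lineNo, target, condLines: refererConds.map(c => c.lineNo), severity, reason });
  });
  return findings;
}

// Constructed sample; scan-example.invalid and partner.example.net are
// placeholders, not real indicators.
const SAMPLE_HTACCESS = `
RewriteEngine On
# hijack: only visitors arriving from a search engine are redirected
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|live)\\. [NC,OR]
RewriteCond %{HTTP_REFERER} aol\\. [NC]
RewriteRule ^.*$ http://scan-example.invalid/?ref=%{HTTP_REFERER} [R=302,L]

# benign canonical-host redirect to a host we own: not flagged
RewriteCond %{HTTP_HOST} ^example\\.org$ [NC]
RewriteRule ^(.*)$ http://www.example.org/$1 [R=301,L]

# unconditional redirect to a foreign host: worth a look
RewriteRule ^old-page$ http://partner.example.net/old-page [R=301,L]

# referer-conditioned rewrite to local content: lower confidence
RewriteCond %{HTTP_REFERER} google\\. [NC]
RewriteRule ^index\\.html$ /landing.php [L]
`;

const OWN_HOSTS = ['example.org', 'www.example.org'];

for (const f of scanHtaccess(SAMPLE_HTACCESS, OWN_HOSTS)) {
  const conds = f.condLines.length ? ` (conditions on lines ${f.condLines.join(', ')})` : '';
  console.log(`[${f.severity}] line ${f.lineNo}: ${f.reason}${conds}`);
}
```

Run it over every .htaccess under the document root (and compare the files against a known-good copy or the deployed revision), since an FTP-credential compromise of the kind Shyam suspects typically touches more than one directory.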
Shyam on August 20, 2008 6:41 AM
"how would you combat a perfectly spoofed FUI presented to a naive user?"
I wouldn't. If it is perfect (and we will see such FUIs), there's nothing you can do.
I would focus on making sure that the user can recover well from the inevitable resulting infection.
tcliu on August 20, 2008 6:55 AM
> I can't wait for macs to get enough market share to become a virus target.
> brian on August 18, 2008 06:09 PM
Wow - that's almost the kind of low-life misanthropic scumbag sentiment that would qualify you as one of these malware/spoofing goons. Congrats!
Yes, I know that there's an annoying strand of Mac users who bleat on and on about how secure they are in their smug little world (they annoy the hell out of me too), but I wouldn't wish this kind of misery (or the fear-mongering antivirus industry) on anyone - even smug Mac users.
(BTW, I am a Mac user who works with PCs all day long, and is thankful that Macs haven't substantially caught the interest of the scumbags - /yet/).
@Rob Uttley: I agree with you about the Mac sentiment. I too am a (recent) Mac convert at home. But at work it's all PC. I feel that a Mac tends to feel more secure, but it's all in how much security you implement in either system. Yes, a Mac can be a target, even without the market share. Just because you haven't seen an attack in a long time doesn't mean it can't happen. I remember a saying from someone that went kinda like: "The only secure computer is one that is locked in a box, secured in concrete, and sunk to the bottom of the ocean. Even then, I'm not so sure."
The irony of the beginning of the article is that not even ten minutes prior to reading this, I did that with a legitimate screenshot sent to me by support. I started to laugh when I read that.
But then the thought processes kicked in. It really isn't funny when you surf to what you thought was a safe website and get a message that looks almost exactly like a message from your antivirus software. I use AVG at home and have seen windows that look just like the alert messages from v7. I now use v8 and haven't seen a virus message window yet (fingers crossed). But I think I'd like to find a test file to see what it looks like with their new UI.
I think as a geek, one should know what the various messages look like in the preferred installed security software. This way, you will be more prepared to support your 65 year old mother who rarely does more than play solitaire, read emails, and surfs the latest political news from Michael Savage. Ok, that's my mom, but you get the point. She ISN'T going to know these messages and will call you with questions when she sees it.
And making sure YOUR UI conforms to friendly and user-safe ideals does nothing against the unscrupulous as***les out there that have nothing better to do than to push a virus/malware/adware onto unsuspecting, non-geek users just to maybe get a few sales out of their software redistribution site.
I had a friend who did the click and ended up disabling ALL of Norton Internet Security including the antivirus software and installing a freeware antivirus app that did nothing more than throw up ads and log surfing habits. It took me a three day, complete reinstall of Windows to clean that mess up.
John Baughman on August 20, 2008 8:52 AM
> Is it any wonder there's no girls on the internets when standard
> discourse about teching the tech tech all leans towards the ubiquitous
> suggestion that women are, like, totally thick and wouldn't know a
> tech if it teched right up to them and teched them in the face?
I thought there were no girls on the internets because whenever one happens to log on (by mistake, of course), the standard discourse from all the teenage[-minded] male techs leans towards "hey baby, wanna tech my tech?" and "show me your tech!"
>> I got that fake virus scan UI a few month ago, simply by
>> visiting The Drudge Report!!
>There's your problem right there. Seriously. This is a guy who exists
>to spread lies about the personal lives of people he disagrees
>with politically. You expect such a person to have moral qualms
>about taking money from "questionable" advertisers?
I expected some American to reply something like this. You can't mention anything or anyone related to politics; with you guys, it's always about left vs right, black or white, and kicking anyone else in the face. Drudge is a top tier site, that's all. The ad banners are served by agencies that serve THOUSANDS of web sites.
Google has also been fighting the same problems with banner ads:
http://www.e-consultancy.com/news-blog/363189/google-ads-used-in-spyware-phishing-scam.html
http://blog.taragana.com/index.php/archive/myspace-banner-ad-spreads-spyware/
Malicious Flash banner ad on USATODAY.com (the virus scan in this post)
http://securitylabs.websense.com/content/Alerts/3061.aspx
etc, etc..
There is a whole story about how these malicious software guys create fake companies to buy some ad space, and then the ads spew the fake virus scan very randomly, so it takes longer to get caught.
It's actually not a virus or a spyware. They sell a software that reports finding viruses, and then reports fixing them, but it actually does nothing. It begins to nag you about fatal machine problems when it's about to expire, to make you buy again an update. They basically sell Placebos Software. What's interesting is that they make enough money to buy ad spaces on large web sites.
I've seen several suggestions to just "click the little red X", but might that not also activate code?
Beet on August 20, 2008 11:14 AM
Tried to duplicate googling Michigan Regional Lily Society to get to the FUI. Apparently they've fixed it now.
Dave on August 20, 2008 1:37 PM
This reference to the screenshot as desktop background reminded me of thewebsiteisdown.com if you haven't seen it - it's hilarious!
Naoum on August 20, 2008 2:48 PM
The whole point of computers is to execute code. I should be able to safely download and run anything on my computer. The fact that you can't shows what a disgrace all operating systems are in.
** And I could care less that *nix not running as root will stop me from trashing the machine completely. If all my files are readable / deletable / corruptible you might as well take down the entire machine. Whee, I can still boot, but all my files were scanned for info and uploaded to stealmyidentity.com
It's like going to an arcade where some of the machines will randomly cut your legs off at the knee, and you have no way of knowing in advance, regardless if you inserted your quarter or not.
insertcoin on August 20, 2008 7:25 PM
What I don't get is this: why do they 'need' you to click the 'ok' button? What's to say the 'cancel' button isn't also 'rigged' with whatever payload may be on the page?
matt on August 20, 2008 10:13 PM
A friend of mine has been fooled by a fake UI as well. He got lost installing everything "they" proposed.
I took a thumbnail sketch and realized the fake because his OS was German and the faked XP security center screen English ;)
But they got him anyway :(
Chris Richner on August 21, 2008 12:26 AM
To all who suggest that the Ok button isn't the only way to do this, you are correct. Clicking ANYWHERE on the window can do it; been there, seen that.
@insertcoin: Ironically, running a virus on your computer is safely done. Just had to put that out there.
As far as the faux desktops, I saw someone set their login wallpaper to their logged in wallpaper and the logged in wallpaper to the login wallpaper. Really confusing to the uninitiated...
John Baughman on August 21, 2008 1:11 PM
What are you guys talking about? Why run noscript and other plugins that cripple the entire browser?
All major browsers are already sandboxed enough so that javascript won't be able to run executable code on your computer.
It won't matter if you click OK on a javascript dialog, nothing will happen. As long as you don't install any activex-crap or download any executables you're fine.
The worst thing that can happen without noscript is an infinite alert()-loop.
Crazy Ivan on August 21, 2008 2:55 PM
Running as non-admin certainly does help, but it only isolates viruses, not eliminates them. For example, a virus could still access your address book and files, but not someone else's. Anti-virus software would still be needed to eliminate them.
BTW, I can often tell fake UIs just by the cursor.
I don't know... it might not actually be FUI. It looks real to me and the installer worked. I mean, everything installed without a hitch and I now have antivirus where I didn't before.
I guess thanks would be in order.
Thanks Jeff.
rwheadon on August 21, 2008 8:03 PM
Sometimes these things are really needed for some experiment.
Hein Lehmann on August 22, 2008 3:42 AM
I think that someone at Microsoft is having a good laugh at the way that we all fall for FUI...
This last few days, I've been forced to use the Snipping Tool in Vista to create screenshots of some of our apps here. Like you say, having a screenshot of a UI is bad enough in terms of me wanting to click all the buttons etc., but this little utility goes one further:
It doesn't matter where the Snipping Tool window is on the screen, if I am doing a 'Window Snip' of a relatively small window, once I select the window the tool automatically positions itself so that the screenshot is perfectly in line with where the actual real UI was. If I get distracted even the slightest while I'm doing this then I end up with blue dots on the screenshot!!
It's been driving me mad!
C
Carl on August 22, 2008 8:41 AM
I blame Bill Gates. He gave everyone the ridiculous notion that anybody can use a computer without education. :)
David Meyer on August 22, 2008 9:08 AM
"He gave everyone the ridiculous notion that anybody can use a computer without education."
No, Steve Jobs is more to blame for this.
Well, I think this is a serious problem and it will be hard to solve this properly.
It is a problem, because there is software which just spoiled the standard error channel from the computer to the user - the dialog boxes, as others stated already.
For example, the "Do you want to close the application? You got unsaved stuff!" does not belong in this standard error channel. The application should just restore the state at exit upon restart and present some reset button to get the current resetting restart.
However, the result of this dialog-madness is that no one reads all those dialog boxes anymore. Thus, you can pretty much forget to add more content to them - who is going to read all that? A user will prolly think "meh, it's just more are-you-sure yadda-yadda, yes, ok, go away". To be honest, I cannot blame them for that. I curse those XP-popup-bubbles every time I start XP - "There are wireless networks!" "I know, but you have a cable connection, shut up." - "There is no firewall activated!" "There is a firewall, you just don't see it, be quiet..." - "Look, I found a usb-device! It's a keyboard! yay!" "..." (but in general, I am too lazy to search for a way to deactivate them, heh).
I guess a mean way would be to remove the possibility to just click on yes, heh. "Do you want to execute this untrusted code?" - click yes. "This software appears malicious. Shall I stop executing it?" - click no. The second step would be to remove as much techieness from the dialog boxes as possible. "This software comes from a site that was marked as dangerous. If you execute it, it might damage your computer and reduce your pleasure using this computer! Do you really really trust this?" (Observant readers will see that I assumed an operating-system-level site/application-flagging, like firefox does already on its browser level and possibly also remembering where software came from).
And by the way - a perfect FUI would fool everyone, because it is perfect. ;)
Bayesian filtering on the source?
Anonymous Coward on August 23, 2008 10:02 AM
There should be pictures of a file KILLING YOUR CAT and BURNING DOWN YOUR HOUSE on warning dialogs...
Kalmi on August 23, 2008 5:47 PM
I'm dealing with this exact problem right now. A lady brought in a PC for me to fix and it has Windows XP Antivirus 2008 on it. One of those "You have 200 spyware/virri on your computer!" taskbar pop ups, then you pay them $30, put in a license code and it deactivates their popup. Add/Remove programs says that it's 2.6 MB, obviously NOT an antivirus solution.
There's not much that can be done except continuous education on the subject by those who are kept in the loop. I always tell my friends/customers to never, under any circumstances download anything from the internet that says they need a virus scan, free coupons, free car, win an xbox, take a free vacation, free prostitute, etc. (Ok, so the last one was made up, but you get the point) But despite these warnings, there are those that let other people use their computer and they cause the problems. Like this lady I was referring to, it was her son that loaded this fake AV up on her machine and probably fell victim to a snazzy FUI.
Taylor on August 25, 2008 5:27 AM
I got this one yesterday evening - again, first Google hit searching for (IIRC) something about a Mail problem.
Fortunately, it rang all the alarm bells (and I hadn't seen this article yet), although I didn't notice whether the IE7 title bar mentioned '... from Dell' or not.
This evening it'll be new themes, and a training session for the rest of the family.
Then I'll be installing Ubuntu/FF on the other laptop...
DavidR on August 26, 2008 9:18 AM
Personally, I get freaked out when I get automatically transferred to another website. Last time I got transferred, it was like a pop-up that said your computer is not 100% secure. Click here to get it checked, or something like that. Obviously, I'm not an idiot so I clicked the little X to get me out, but no matter where I clicked it would transfer me and it would start downloading something... when that happens I shut down my computer straight away to prevent anything bad getting installed. I currently have an out-of-date antivirus, which is completely useless, but whenever I try clicking the renew button it says I can't because the antivirus I have is too old. Also, I can't download anything, which means I can't download a better antivirus... This is really starting to annoy me and I think the best option would be to buy a new laptop/computer even though I really don't want to.
Any opinion/helping facts would be appreciated
Thanks in advance
fred on August 27, 2008 9:52 PM
Has anyone here ever taken a nap after work or school and woken up in a Panic that it is 8am and run to work or school only to find no one is there?
Well, in reality, for me, it was the same day and 8pm not A.M. o clock...
I hope Dave does not delete this comment post, but I'm gonna say that I run a Linux Distro as my Desktop and have not dual booted into my Windows Platform for quite some time now.
All the viruses you describe, Linux is immune from, and as for the ones that could get through Firefox, under which I am logged into the Linux OS as my username and not as root/administrator: any virus that happened to get that far couldn't do anything major to the Operating System, although there is the possibility the virus could delete or mangle or whatever files in my /home/user directory; that's about it.
Matt K. on August 31, 2008 5:13 PM
I just came across this Google Chrome thing, and darned if this doesn't look like the savior of the Internet.
http://blogoscoped.com.nyud.net/google-chrome/
Ryan Meray on September 1, 2008 12:06 PM
This bad program! It sou you money profit affiliate program!
Jordani on September 5, 2008 7:57 AM
Whenever things like that happen to me (it's been a long time since last time, some +2 years I think) I always go Ctrl+Shift+Esc to open up the Task Manager and I just kill the entire browser. As suspicious as I am I don't give my 5 cents to any "close button" the malicious website has produced. But that's just me. :)
ObviouslySuspicious on September 8, 2008 12:52 PM
Jordani! This bad english! You are incomprehensible!
Spimly Spinglefinger on September 16, 2008 1:01 PM
As others said before, the problem is that everyone wants to use a computer but no one except IT guys wants to learn and understand what a computer is, how it works, at least at the software level, etc.
Some will call me Fascist (Godwin is always near...) But I don't understand why you need a license to drive but not to use a computer.
Cars travel by public routes, Computers too (internet)
Cars can be dangerous to other users, Computers too (forwarding Viruses, being a Zombie PC, forwarding Spam etc etc.)
so IMHO there should be a Minimum level of knowledge required to be allowed to use a computer connected to the net (idiots can still use a computer but not connect it to the net)
@Mee
By that same regard, let's add in a license for raising children to filter out the bad parents.
HB on September 30, 2008 7:56 AM
| Content (c) 2009 Jeff Atwood. Logo image used with permission of the author. (c) 1993 Steven C. McConnell. All Rights Reserved. |