Updated: June 12, 2010
Occasionally, I go through my various so-called spam email accounts, which I use to register for all kinds of products that I do not really want or need, or that I just wish to test, without bombarding my more important inboxes with tons of mail.
To cut a long story short, I came across an email sent by a security vendor, reminding me, no, urging me with liver-transplant sort of urgency, to renew my subscription to their product, lest my pixels perish. I spent a minute or two staring at the email, thinking about all the poor souls out there who do not have the comfort of being a geek and who may actually take the advertisement seriously. And then I decided to write this article. Maybe a few people will heed it and some good will come of it. Here's the image. Can you spot what's wrong with it? If you can't, let me help you.
Who receives an email like this? Imagine you're a user who has read Dedoimedo recommendations on web and email security, so you understand all about risk, fraud, scripts, social engineering, and all that. Let us dissect this email, step by step.
I got this email because three years ago I downloaded the then-free version of the McAfee security suite, which I used in my Design of Experiment (DoE) article. I needed a heavy anti-virus product, and McAfee fit the bill. I pitted it against AVG, and along with two firewall products and two RAM settings, the low-high mix if you will, I had the perfect DoE with eight permutations. Since then, an age has passed and I had totally forgotten about McAfee. Then, all of a sudden, I get this email.
Red indicates danger. Danger? How come? Why and when?
Critical Warning: Your PC is at risk, it says.
Well, first of all, my PC is at risk. It is at risk of being electrocuted, of a hard disk failing, of water damage, dust damage, earthquake damage, all sorts of things. But my PC may be running any number of operating systems, not necessarily Windows.
If anything software related is at risk, it's the operating system and not the PC. I know that the marketing whizzes out there know that the common man can't tell the difference, but it's a misleading statement all the same.
Then, why is this a critical warning? Maybe I have other security software running? Maybe I'm a geek who knows his stuff. Maybe I'm running Linux. Maybe I'm smart. In the worst case, we have the Uncertainty Principle at hand, so my PC might be at risk. However, the service notification clearly states, with 100% certainty, that the PC is at risk. We do not know what the risk is, though.
If I only gave you the screenshot above, you could say this is the classic beginning of a classic phishing mail, intended to goad you into clicking and buying and whatever. Unfortunately, sadly, this email comes from one of the largest security companies in the world.
Part of the scare tactics is already evident in the first section. But now, focus on the big icon to the left:
The icon takes 20% of the advertisement real estate. It's red and frightening. It's designed to look like Windows Security Center notifications, so you get that involuntary twitch in your colon, associated with the loss of data, privacy and whatnot that come with malware infections.
And what does unprotected mean? Unprotected how? From what? My night life? My PC again? Why is it unprotected? Does it mean that if I'm using security products by rival companies, I'm unprotected?
In a way, the security vendor assumes that it is the one and only provider of related services. Running a different product with similar, possibly superior capabilities means nothing. It's a binary verdict. Either you run our stuff or you're all alone out there, naked and unprotected against the onslaught of Mongolian hordes.
It reminds me of the .NET framework installation. Not related to anything, just plain funny and totally audacious:
Thank you, I can disconnect now from the Internet. It's no longer useful now that I have the framework installed.
Then, there's the NatWest Recommended snippet, below the shiny icon. What the hell is NatWest? Well, googling, it turns out to be a bank. Is this merely an advertisement for a bank, within the context of another advertisement?
Security experts will tell you: use plain-text email, block scripts, block third-party images, all sorts of fancy things like that. And then, you get an email from a security company that breaches all these rules. How funny is that? It's a paradox.
The security message has a link that I can click and follow. I copied the link aside and examined it. Here's what it looks like:
Notice the eid field. It contains my actual email address, written into the link as-is (I have masked it here). Never mind that it's an unimportant address that I purposefully use for this kind of activity. And then notice how the link begins: http:// ... So, my email is sent in clear text, in unencrypted form, to the security vendor's server, along with tons of other numbers, all of which look like unique identifiers. That combination is a tracking link: one click tells the sender that this exact address is alive and that its owner opens and acts on scary emails.
In clear text. Sniffing may not be easy on a switched network, and a URL like this also ends up in proxy logs, browser history and the Referer header of whatever the landing page loads next. But none of that means that security should be treated like a prostitute.
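Here is a small added example of the check described above, written for this article and not part of the original post or of the vendor's mail. It pulls a link apart before anyone clicks it: flags a plain-http scheme, lists query fields that carry an email address or an opaque identifier, and builds a stripped version of the link with those fields removed. The sample URL, its hostname and its parameter names (eid, cid, mid, promo) are constructed to mimic the shape of the link discussed in the text and are assumptions, not the real link.

```python
"""Inspect a marketing/tracking link before clicking it.

Added example for this article. The SAMPLE_LINK below is constructed:
the hostname and parameter names are assumptions that mimic the shape
described in the text (an 'eid' field holding the recipient's address
plus a pile of opaque identifiers), not the vendor's actual link.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Crude but sufficient shape of an email address inside a query value.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Long runs of hex digits or decimal digits are the usual shape of
# per-recipient or per-campaign tracking identifiers.
OPAQUE_ID_RE = re.compile(r"^(?:[0-9a-fA-F]{16,}|\d{8,})$")

# Constructed sample; hostname and field names are assumptions.
SAMPLE_LINK = (
    "http://track.example-vendor.invalid/click"
    "?eid=someone%40example.org&cid=3f9a1c7e2b8d4a6f"
    "&mid=000123456789&promo=RENEW30"
)


def inspect_link(url):
    """Report what a link leaks and how it travels.

    Returns a dict with:
      host       -> hostname the click would be sent to
      insecure   -> True when the scheme is not https (visible on the wire)
      emails     -> names of query fields whose value is an email address
      opaque_ids -> names of query fields whose value looks like a unique id
      tracking   -> True when any identifying field was found
    """
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    emails = [k for k, v in params if EMAIL_RE.match(v)]
    opaque_ids = [k for k, v in params if OPAQUE_ID_RE.match(v)]
    return {
        "host": parts.hostname,
        "insecure": parts.scheme.lower() != "https",
        "emails": emails,
        "opaque_ids": opaque_ids,
        "tracking": bool(emails or opaque_ids),
    }


def strip_tracking(url):
    """Rebuild the link without the identifying query fields.

    Fields whose value is an email address or an opaque identifier are
    dropped; everything else (for example a coupon code) is kept.
    """
    parts = urlsplit(url)
    kept = [
        (k, v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if not EMAIL_RE.match(v) and not OPAQUE_ID_RE.match(v)
    ]
    return urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment)
    )


def describe(url):
    """Human-readable summary, with any email value masked."""
    report = inspect_link(url)
    lines = ["host: %s" % report["host"]]
    if report["insecure"]:
        lines.append("transport: plain HTTP, the whole URL is visible on the wire")
    if report["emails"]:
        lines.append("email address in field(s): %s" % ", ".join(report["emails"]))
    if report["opaque_ids"]:
        lines.append("tracking id in field(s): %s" % ", ".join(report["opaque_ids"]))
    lines.append("safer link: %s" % strip_tracking(url))
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(SAMPLE_LINK))
```

The stripped link may or may not still work, since some campaigns refuse a click without their identifiers; that is precisely the point the article makes, namely that a coupon code on a plain vendor page needs none of this.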
So, clueless users get an email from one of the biggest security vendors, informing them that their PC is at risk. They click, they buy. Now they are running two anti-virus products at the same time. Or worse, their credit card details have been stolen, because the security vendor's advertisement looks exactly like the latest and greatest security scam.
Not only do these kinds of tactics perpetuate the state of fear and the lack of knowledge among Windows users, enslaving them to the financial teat of security moguls, they actually increase their exposure to social engineering tricks. If a user clicks on a security warning in an email once, they might do it twice. Only this time, the product will be called BestAntiVirus2014 or something like that. Indeed, going through my spam folder, I see these:
One of these is the legitimate offer from McAfee, the other two I have no idea about. I am having trouble deciding which should be opened and read, imagine what the common user is feeling. To sum it up, advertisements like these border on illegal. It's awful when security companies can afford such blatant misuse and abuse of trust and ignorance on behalf of computer users. This kind of thing should be banned.
This security offer, although legitimate and not very lucrative, has left me angry and sad. If one of the largest security vendors can afford to misuse security for its own gain, what will the average Joe do? What about some integrity, honesty?
The offer would have looked infinitely better if it had just contained a coupon number and a reference to the vendor site. In plain text. Nothing more, nothing less. Instead, it looks like the very threats it is designed to protect against; it uses all the classic mistakes of dangerous mail practices, like embedded HTML and images, and it links to the vendor server using a clear-text string that contains private information. Really sad.
Security begins with education. But education means users won't be easily impressed by scary emails and may not actually pay money for a rather mediocre security product they don't need in the first place. Teaching people how to use their computers conflicts with the primary goal of security vendors, which is to make a profit.
It seems that security can only be good if it's free. Then there's no hidden or plain agenda, no money interfering with the pure, simple goal of helping people gain the intellectual independence that allows them to assess threats and risks and make wise, calculated decisions. Otherwise, the poor user stands no chance.
This is a good opportunity to remind everyone that Windows security can be enjoyed easily, with no additional financial expense. There's SuRun for Windows XP, a mighty tool. Then, you may want to read my article on Group Policies. Windows 7 users will appreciate my first and second security tutorials. And there's always Linux.
Don't be scared. Open your mind.