Sidewinder on how not to get too click-happy

Expert journalist Davey Winder reviews the latest evidence on the security threat posed by link-clicking and says: just don’t do it.
According to the Annual Security Report from MessageLabs Intelligence, 2007 was notable for the diversity of the threats that faced the world of IT and the host of new techniques that entered the fray.
However, what really caught my eye was a double whammy of facts that reinforced my belief that spam remains the dominant delivery mechanism for getting malicious intent into the workplace.
The first was that annual spam levels reached a depressing 84.6 per cent by volume of email passing through the MessageLabs filtering system (and since it deals with an astounding 2.5 billion email connections every day that equates to one very large pile of spam).
The second was that spammers were also responsible for some of the more creative new threats, such as the Storm botnet. Storm appeared on the security landscape early in the year and quickly dominated the statistics, using techniques such as distributing 15 million messages with infected MP3 attachments.
Not idiots, unfortunately
The people behind the likes of Storm are not, contrary to popular belief, idiots. In fact, these guys are actually rather accomplished at what they do – it’s just what they do is not very nice.
Rather than stick to using infected attachments, the Storm spammers and others like them have gone back to using malicious links in messages to spread infection. Far from being a retrograde step in terms of technological savvy, this demonstrates a real understanding of how IT security and end-users work.
Using links shifts the infection trigger away from the perpetrator and hands it to the user. Given the popularity of signature-based anti-virus technology, this makes a lot of sense for the bad guys, as links can easily travel under the detection radar - and they tend to provoke little by way of suspicion among the vast majority of users.
Want to know how much of a problem link-clicking has become? The MessageLabs Intelligence report says that at the beginning of 2007, only a meagre 3 per cent of email-borne viruses contained a malicious link. By the end of the year, that had increased to 25 per cent.
The threat landscape starts to become clearer when you add some background detail to these figures, such as the nearly half a million new websites dishing up malware that appeared across the year. Put another way, that’s 1,250 new sites appearing every single day with no purpose beyond sending you something nasty.
Now throw in the 1 in every 48 emails being delivered across the planet which contain a virus or a Trojan or a link to the same, and all of a sudden the picture gets very dark indeed.
Did I tell you the bad news?
But wait, it gets even worse. It isn’t just email that you have to worry about when it comes to the link-clicker brigade; there are search engines as well.
McAfee updated its Safety of Internet Search Engines report last year and concluded from a survey of the five most popular that sponsored results are three times more likely to lead to unsafe sites than “natural” links are.
Yet which links come at the top of a search results page? Which are highlighted, or conspicuously listed in a sidebar to grab attention and clicks? Yep, the sponsored ones, of course.
Not all sponsored links are dodgy and search engines will remove those that are as soon as they are discovered; but there’s still no escaping from the fact that the links that populate their ever-so-tempting contextual advertising spaces are far more dangerous than those that sit at the top of the natural search tree.
You’re a rational adult...
Defining a transparent framework for user behaviour within an Acceptable Usage document, and ensuring that some kind of education programme and auditing capability comes as part of the package, can avoid many link-clicking problems.
Simple rules such as telling end users never to click links within emails and instead to always manually type the URL into a web browser client can be remarkably successful. Not least because that added layer of effort is usually enough to drive away all but the most determined of link-clicking fools.
Ultimately, though, until everyone stops clicking on links in email the problem will be with us. So just remember you’re a rational adult – and try telling your system users that they are too.
The promised joke isn’t funny, the lithe young lady isn’t really interested in meeting you and that bargain really is too good to be true. You haven’t won the lottery (in a country you’ve never visited) and you don’t stand to inherit a fortune from an African Prince (you’ve never met). That you can rely on.
About the author
Author, journalist and consultant Davey Winder has been writing about security issues for 16 years and was IT Security Journalist of the Year 2006, an award from BT.