Matthew Hines wrote an excellent article last week on how malicious software vendors have 'mastered' search engine optimization to the point that, when breaking news hits, they are able to consistently beat legitimate news sites. The problem is that these malicious sites are getting to the top of Google's rankings, thus turning the search engine and people's natural curiosity about current events into a tool to distribute malicious software.

Hines cited some research conducted by Roger Thompson, who is AVG's Chief Research Officer. Thompson specifically focused on the recent earthquake in Samoa. In doing so, he discovered that 50% of Google's top stories contained some form of malicious threat. Sites that host malicious software even beat out such big names as CNN and the Guardian!

The United States Internal Revenue Service recently notified its clients that a phony email (claiming to be from the IRS) was circulating around the web. This particular email's subject tells recipients that they have underreported their income and advises them to login to a site to update their records. Problem is, if recipients click on the link, their computers end up infected with malicious software. While the I.R.S. has been the subject of many high profile phishing attacks, I think that this method is especially interesting.

Think about this for a moment - what thoughts would go through your mind if you got an email message that said you underreported your income? Would you be scared that you were going to face criminal charges? Would you worry that someone had stolen your identity and earned income under your name/social security number? Would you have images of serving time on tax evasion charges? And, if thoughts like this are running through your head, do you think you would make the most rational decision?

It turns out that, if you are so inclined, you can buy the 'Adrenalin botnet kit for $3,500. The 'premium product' includes built-in exploits (like a keystroke logger), the ability to steal digital certificates, the ability to encrypt any data that is stolen, the ability to conceal itself from security tools...and complimentary 24/7 technical support.

Oh yes, cyber criminals have become so brazen that they now openly offer technical support to anyone who can step up and buy their products. Not only is this a sad sign of how ineffective our current model of law enforcement is against cyber-crime, it is also a sad sign of the changing face of cyber-crime. Think about it - if they offer technical support, it must mean that they want anyone (with a criminal mindset and $3,500 kicking around) to be able to use this tool to set up botnets and steal as much personal data as possible.

Two major security companies released some very interesting numbers today. Symantec published numbers which showed that 12.3% of the malware it detected in September 2009 was new. And Panda Security published a report which demonstrated (amongst other things) that world-wide malware infections were up 15% in September. Sounds like another gloomy day in the security world, hey?

Not necessarily. Symantec also published some very positive news. For example, the percentage of email that are infected with malware actually dropped 0.09 percent in September. And, the number of phishing emails dropped 0.11 percent.

NSS Labs recently released the first in a series of lab tests to examine how much protection various anti-malware products provide. Their 'Live Testing' methodology claims to measure anti-malware performance in a real world environment. They test anti-malware the way an end user would use anti-malware and do not test against "stale samples" in a lab. Finally, their tests do not receive any funding from the anti-malware vendors whose products are involved in these tests.

When you combine malware that was caught (and blocked) while it was being downloaded with malware that was caught (and blocked) when it tried to run, Trend Micro's product finished in first place. It blocked an impressive 96.4% of all threats encountered over the 17 day testing regiment. ESET's offering finished last (of nine products) and only blocked 67.9% of all threats. The other vendors finished somewhere in between these two extremes.

I used to be so diligent.

Phonebusters would release their statistics for the previous month in identity theft and I would be right on it, frantically typing away in an effort to share the latest news with all of our readers. However, the last two months have seen a dramatic shift in my posting habits. Last month, I didn't write anything until the 20th and this month, I'm making my post on the 18th.

Websense released their State of Internet Security Report for the first half of 2009. While this report's conclusions are nothing new (malicious software, cybercrime, and spam are all growing more common), it does contain some particularly interesting statistics that I would like to share.

Here are some of the report's highlights:

• The number of malicious sites has grown by 671% over the last year.
• 77% of web sites with malicious content are actually legitimate sites that have been compromised by cyber criminals.
• 95% of comments on chat rooms, blogs and forums are either spam or malicious code.
• 57% of data stealing attacks are conducted over the web.

To celebrate its 20th anniversary, Pandalabs released an interesting list of the top cyber security threats it has investigated over the course of its history. Pandalabs 20th anniversary site is quite entertaining and I encourage each of you to go through and learn more about each of these security threats.

There are some familiar names in this list and some that you may not have heard of, so, to make it easier to learn more, I linked every one of these threats to a page that seems to do a good job of explaining it. Here is the list: