Saturday, January 27, 2007

The Birth of Phidgeting

As predicted, fake desktop programs are starting to appear, wrapped in brands that have nothing to do with the brand’s owners, or the program’s stated intentions. This combination of “phishing” and “widget” technologies was predicted in one of my earlier blogs: Widgets, Mashups and Brand Insecurity.

Now that it’s here, we need to give this threat a name. Based on the suggestion of Ray Dickenson, our head of Products, we have decided to call this activity “phidgeting” (PHIshing using wiDGETets).

Phidgeting is not good news for computer users. Phidgeting is what happens when identity thieves deceive computer users by building programs that look like security suites, video viewers, or desktop media players - but behave like the worst kind of spyware, viruses or root kits.

This week, a fake YouTube player appeared on MySpace and was downloaded by thousands of end users. It installed the ZangoCash toolbar on target machines and included links to “yootube.com” - a site containing bogus credentials, according to our friends at WebSense in San Diego. It could have easily been so much worse - once an end user makes the “install” decision, anything is possible, including root kits of the worst kind.

Phidgeting hasn’t yet moved into the area of bogus banking or stock trading browser toolbars and tickers, but these programs are so easy to make, and the widget-making tools so readily available, we should expect these bogus, yet highly-visible programs to start popping up *very* frequently - with potentially dire consequences.

What is Authentium doing about this? Keep an eye out for ESP Elements, our new controlled widget environment. It is based in part on the patent-pending, kernel-level technology we have used to build VirtualATM. We’re in beta as of today. IMH(and totally unbiased)O, it looks awesome.

How to make sure you don’t get caught by fake widgets or “phidgeting”? Easy. Don’t download anything you can’t verify the author of, or don’t know the origin of, no matter how pretty it looks. Or wait for the ESP Elements release.

No comments: