You may not care where you download software from, but malware does


One of the pieces of advice that security practitioners have been giving out for the past couple of decades, if not longer, is that you should only download software from reputable sites. As far as computer security advice goes, this seems like it should be fairly simple to practice.

But even when such advice is widely-shared, people still download files from distinctly non-reputable places and get compromised as a result. I have been a reader of Neowin for over a couple of decades now, and a member of its forum for almost that long. But that is not the only place I participate online: for a little over three years, I have been volunteering my time to moderate a couple of Reddit’s forums (subreddits) that provide both general computing support as well as more specific advice on removing malware. In those subreddits, I have helped people over and over again as they attempted to recover from the fallout of compromised computers. Attacks these days are usually financially motivated, but there are other unanticipated consequences as well. I should state this is not something unique to Reddit’s users. These types of questions also come up in online chats on various Discord servers where I volunteer my time as well.

One thing I should point out is that both the Discord and Reddit services skew to a younger demographic than social media sites such as Twitter and Facebook. I also suspect they are younger than the average Neowin member. These people grew up digitally literate, and have had access to advice and discussions about safe computing practices available since pre-school.

A breakdown in communications

Despite having the advantage of having grown up with computers and information on securing them, how is it that these people have fallen victim to certain patterns of attacks? And from the information security practitioner’s side, where exactly is the disconnect occurring between what we’re telling people to do (or not do, as the case may be), and what they are doing (or, again, not doing)?

Sometimes, people will openly admit that they knew better but just did a “dumb thing,” trusting the source of the software when they knew wasn’t…

Source…