With no actual Halloween-based security threats to report, it looks like the security vendors have had no choice but to start reporting scary stuff that might happen to your data instead. While I have no qualms about genuine warnings to 'be careful out there' this Halloween (a little reminder about not clicking like an idiot on something stupid just because it is seasonally apt is never a bad thing), I do have a bit of a beef when that advice is wrapped up in a press release in order to get some column inches for the vendor concerned.
I will come clean, I actually hate Halloween. Not because I am some Christian-fundamentalist playing the 'it celebrates evil' card, but rather because I am a Pagan and feel that the commercialisation of the ancient festival of Samhain and the Feast of the Dead (the Pagan new year if you like) just cheapens what is, for some of us, a very spiritual time. Needless to say, I am in the minority and the masses will be out there wearing their cheesy masks and bullying old folk into handing over candy in exchange for not having dog poop shoved through the letterbox. Yet others will seek to exploit Samhain in an altogether different, yet just as capitalistic, way: they will use the season to distribute phishing emails in order to lure the weak of mind to websites offering everything from witch-themed porn to money off vouchers for pumpkins, while delivering nothing more than malware and bad will.
Or at least, like the majority of the security vendors, I'm guessing they will. The truth is that nobody has actually spotted much in the way of Halloween-themed and malware-riddled spam so far this year. Believe me, as someone who specialises in writing about the IT security threat landscape, vendor PRs would have been knocking my door down to tell me if there had been. And they have not. Instead I have got email from the same folk which just recycles the same old same old in terms of generic scam warnings but with a Halloween headline attached to grab my attention.
Here is a selection of the non-news Halloween security warnings that I have found myself reading so far:
- ESET Threat Blog: "Of course there's always the old-fashioned physical threat. After all, there are people walking around dressed in disguises and carrying bags, presumably half-full of candy. It would be easy to imagine a would-be thief getting a good look around at what you have with a mind for future theft - maybe peering in through your front door and noticing the style of locks installed."
- ZoneAlarm Blog: "On Halloween night, ghouls and goblins abound, aiming to scare anyone they can. And though these mini monsters only show up on your doorstep one night of the year, did you know that actual monsters exist online all year-round?"
- Avecto press release: "This is what we call a malware flashpoint in the IT security industry - the times of the year when the risk of staff clicking through onto something that they would normally avoid suddenly rises."
- GFI news story: "The fake Halloween party invite is a regularly exploited scam used by criminals to launch a malware attack or deploy a botnet Trojan."
- Verizon at Home blog: "As Halloween Approaches, Don't Be Tricked By A Phishing Scam."
The last of these perhaps sums up my frustration at the swathe of Halloween scare stories that are not best of all, possibly because the passage I quoted was the headline for the entry and the only mention of Halloween was in that headline. Trick or Treat? I get the feeling we are being tricked, folks...