[LINK] Study shows pop-up warnings are ineffective

Malcolm Miles mgm-ns at tardis.net
Wed Oct 1 00:37:49 EST 2008

On Tue, 30 Sep 2008 08:18:53 +1000, you wrote:

>A realistic example of how this might happen:
>- A web forum or blog software (eg. vBulletin, WordPress, etc) running
>on a server was subtly hacked and code injected into the HTML;
>- Instead of the usual page the user was expecting to see, a fake
>dialog box was displayed informing the user that a virus was detected
>on their PC.  With CSS or JavaScript coding techniques it's possible
>to keep this fake dialog box in the same position on the screen
>despite the use of the vertical scroll bars;
>- The fake dialog box asks if they would like to install a free
>antivirus scanner with a convincing name, eg. "Antivirus XP 2008";
>- The user is gullible or inexperienced, clicks "yes";
>- A malware-infected .exe installer is downloaded by the user's
>- Despite the web browser's warnings against running programs from
>untrusted sources, they run it;
>- Game over. 

If they are running as a default Vista user, then the game doesn't
even start. When they run the malware installer, the user will get a
UAC dialog, prompting them for an adminstrative userid and password.
As a default user, they don't have those credentials so the malware
installer won't run. In a corporate locked-down environment you can
configure Vista so that default users don't see a UAC prompt and any
installs will fail.

Best wishes,

More information about the Link mailing list