EXPERT ADVICE
The Mac Cybercrime Immunity Fallacy

Recently, ESET commissioned a poll to identify the knowledge, beliefs and experiences of Americans with respect to cybercrime. One of the findings was that 2 percent of Americans think that PCs are not vulnerable to cybercrime, while 9 percent feel a Mac is not vulnerable to cybercrime. Twenty-nine percent felt that a PC was only somewhat vulnerable to cybercrime attacks, where 42 percent felt a Mac was only somewhat vulnerable to cybercrime attacks.

It has been extrapolated from the poll that Americans have lost US$11 billion to cybercrime, and the results of the poll show that both Mac and PC users are victims of cybercrime pretty equally. Despite the perception that a Mac is significantly less vulnerable to cybercrime, the reality is the ratio of Mac users to Mac cybercrime victims is essentially the same as the ratio of PC users to PC cybercrime victims.

The probable reason for the misconception is that there is far less malware that runs on a Mac than on a PC. If you think that your Mac is less likely to get infected with a virus or a trojan than a PC is, you are absolutely correct. If you think that your Mac is immune to malware (viruses and trojan horse programs) think again. The modern Mac is essentially running Unix. Back in 1988, the Morris Internet worm, which ran only on some flavors of Unix, demonstrated that worms can be exceptionally effective on Unix machines.

Phishers Don't Care What You Use

Mac users should take note of this, as viruses and worms are a very, very small subset of the malicious software that PC users encounter today. The majority of threats PC users are facing today trick users into installing them. A Mac does not make a user less gullible, nor does it make a user more educated about Internet security .

Malicious software is only a tiny bit of the cybercrime landscape, and the risk of becoming a victim of cybercrime is not significantly affected by platform. Phishing attacks do not rely upon an operating system. Phishing attacks rely upon social engineering and succeed due to a lack of security education, and in some cases due to greed. It doesn't matter what computer you are using when you go to a fake banking site and enter your account number and PIN. While Safari, Internet Explorer, Firefox and Chrome have some built-in antiphishing technologies, they are all far from being highly effective, especially in the first few hours of a new phishing attack.

The attacker who sends an email saying that Bank XYZ is offering $50 if you fill out a survey, and then asks for your bank account information in order to deposit the $50, doesn't care what operating system the victim uses.

When you receive an email claiming that your Gmail, Hotmail, Yahoo (Nasdaq: YHOO), or other account will be deactivated unless you provide your username, password, date of birth, and so on, if you give up this information, you will be a victim, regardless of what type of computer you own.

The type of computer you use is irrelevant if you believe that an email sent from "verifyscess@googledesk.com" has anything to do with Google (Nasdaq: GOOG) or Gmail. Send back the information, and your account will be hijacked.

Another common attack involves hijacking an email account and then sending a message claiming to be from your friend and indicating that he or she is stranded in a foreign country and needs immediate cash assistance. People have lost hundreds of dollars to this type of scam, and the type of computer they used was not a factor in the slightest manner.

Prickly Patches

One of the tricks the Morris Internet worm used was exploiting known vulnerabilities in the operating system. It doesn't take a worm to do this. Recently, Apple (Nasdaq: AAPL) released patches for 40 vulnerabilities in Snow Leopard, including many that could lead to arbitrary code execution. Hackers can use unpatched vulnerabilities to gain unauthorized access to a system and, on average, Apple leaves vulnerabilities unpatched longer than Microsoft (Nasdaq: MSFT) does.

Another trick of the Morris Internet worm was to guess a password. If you use weak passwords, the security of your Mac is weakened. If you use weak passwords for webmail and social networking accounts, then the fact you have a Mac offers you no protection against cybercriminals attacking those accounts.

When a TJ Maxx or a Heartland compromises your credit card information, it doesn't even matter if you have a computer at all. Yes, you can become a victim of cybercrime without even owning a computer!

When it comes to viruses and trojans, Mac users are distinctly more secure today. Don't expect that advantage to last forever. When it comes to cybercrime at large, choosing a Mac over a PC offers virtually no greater protection. It behooves you to be more Internet security savvy. When you hear talk of cloud computing, remember we are talking about making your data and accounts available on the Internet. The type of computer you use is fundamentally irrelevant to cloud-based security

One other interesting note from the poll: People who own both a Mac and a PC showed a significantly lower rate of being victims of cybercrime. The most probable explanation for the difference is that these people are significantly more security savvy.

Cybercrime is not a PC problem, it is a risk that all Internet users face and need to learn more about in order to protect themselves.