I read a lot of “If you’re smart you’ll be fine” posts on the internet about information security. “Just don’t go to shady websites” and the like. This is a really common attitude, even (or especially) among those with backgrounds in security. But it’s really just not the truth anymore, as has been demonstrated time and time again. Sophos reports have shown that the majority of attacks go through hacked legitimate websites, and Google’s malware transparency reports have shown the same thing.
Recently Ubuntuforums.org was hacked, and I feel like it’s just the pinnacle of “being smart doesn’t do shit for you”. I post, on occasion, on the Ubuntu forums to give security advice and whatnot. There are some really smart people there, people with certifications in security, and who do this sort of thing for a living. These are not stupid people; they are definitely more informed than your average user. But they visited ubuntuforums.org. And for six days that website was under the control of an attacker, and for six days that attacker had the opportunity to put up an exploit page, knowing full well that everyone was running Linux.
The attacker did not do this; he pulled passwords and emails, and as far as we know that’s all. But being “smart” didn’t stop anyone from visiting a website that was under the control of an attacker.
Instead of putting up a page saying “You just got hacked” he could have put up an exploit. Being smart would not have saved you; common sense would have been useless.
I think people need to consider that being smart is not a strong security policy. If someone’s got a gun on you, does being smart help much? Not really, you’re kinda at their mercy. Attackers are actively working against you, and it is to their benefit to do things that you can’t anticipate. Blaming people for visiting a hacked site is just as silly as blaming anyone on the Ubuntu forums for visiting a webpage that they go to often.
Keep that in mind when you think that ‘average users’ must be so stupid to get infected.