I was reading about the latest* Windows vulnerability over at the ISC diary, and they point out that the vector is a bunch of old vulnerabilities and that the folks involved are tied up in banking fraud.
So, why wouldn’t they exploit the latest vulnerabilities to get a bigger victim base? Is it because they’re too lazy or incompetent to program for them?
No, I think they know exactly what they’re doing. By choosing to target unpatched machines they’re purposely limiting their user base. They’re limiting it to people who are clueless about security.
If you were a bank fraudster, whose account would you rather tackle: that of somebody who is fanatic about patching their Windows machine, or someone who is security-ignorant to the point of not having patched their machine in over a year? Why even bother with Mac or Linux users, if you have this perspective…
Notice, one of the exploits dates back to 2003. I wouldn’t be surprised if they push victims who were exploited through this one to the top of the list.
* I had to pick between two critical flaws today for ‘latest’ – allow me the literary license.