Security, PR and the media
By Pat GRAY
There's no doubt a symbiotic relationship has developed between IT security vendors and the cyber-underworld, especially when it comes to marketing and public relations. Take this press release as an example:
Sydney, Thursday, January 11, 2007 – RSA, The Security Division of EMC, (NYSE: EMC) announced today that its 24x7 Anti-Fraud Command Centre (AFCC) has uncovered a new phishing kit being sold and used online by fraudsters.
New worms, viruses, vulnerabilities and scams have become prized nuggets of PR juiciness, distributed maniacally by agencies and in-house marketing flacks. One could suggest vendors are peddling FUD, but the sad truth is this stuff is newsworthy. It also generates site traffic for online news outlets, which would dutifully dress up the above release as such:
New phishing toolkit may end world
SYDNEY, Australia -- A new, automated phishing tool-kit being distributed online by baby-eating Russian criminals could empty your bank account and send the information economy spiralling into a depression-magnitude collapse, analysts have warned.
Wanting to take a different tack, I asked RSA if they could send me the kit. I could have a play with it, and maybe top up my income in the process! Here's the response I got:
Dear Patrick
Unfortunately the kit is unavailable to download or review, however, I am able to set up an interview with a representative from RSA that can discuss this kit with you.
Let me know if you are interested and I will organise a suitable time. He is in New York this week.
Lucky for him!
So, as it turns out, vendors are happy to discuss a menacing new fraud tool with the media, but they're not actually prepared to hand it over. Interesting.
Indeed, the marketing of IT security products actually irks the hell out of the boffins who work in the field. Security company Fortinet compiled this excellent report in November. It even linked to an mp3 recording of a two-pronged phishing and voice-mail box scam. The mp3 makes for a fascinating listen.
Of course, various marketing teams all over the globe have dubbed these scams "vishing". Quoting from the report: [It's] a phishing attempt directing the potential victims not to a rogue site, but to a voice box... this has often been hyped as "vishing".
So it seems the guys at Fortinet consider the term hype. You know, marketing speak. Not useful.
Which is what made the press release touting the report so deliciously ironic: (Bold added.)
Stration, Vishes and MySpace
During November, the Fortinet Threat Research Team has been kept on its toes by busy hackers. Stration is back and more persistent than ever, vishes are resurfacing and MySpace, well, MySpace continues to be a target of all kinds of depravity.
...
In other news, "vishing" is back (email attacks that lead end users to VoIP -- and untraceable -- calling centers), once again targeting unassuming, and potentially desperate, folks who need to clear their credit.
The growing trend steals phone numbers, and any other recorded data, and often delivers it to vultures awaiting in cyber crime forums. This month's report includes details on the latest "vish" as well as a recorded MP3 of the VoIP calling center prompt.
...
Patrick Gray is an IT security expert, so we can't show you his face for your own protection. Each week he delves into technology's dark underbelly to see what lurks in the shadows.