Wednesday, December 31, 2008

Identity theft accelerated in 2008, and experts fear it will worsen in '09

By Mc Nelly Torres

 

Identity theft became the fastest-growing crime in the United States in 2008, affecting more than 10 million Americans, according to the Federal Trade Commission, the agency that enforces ID theft laws.

 

Hundreds of data breaches exposed sensitive information, and victims spent countless hours on the phone talking to banks, fraud investigators and credit bureaus. Businesses suffered millions of dollars in losses.

 

So, what's the outlook for 2009?

 

Identity theft experts predict more sophisticated schemes targeting unemployed people, consumers with poor credit and homeowners facing foreclosure, according to a report issued this month by the Identity Theft Resource Center, an advocacy group based in San Diego, Calif.

 

"Identity thieves learn all the tricks of the trade," said Linda Foley, one of the founders of the Identity Theft Resource Center. "This is a job for them."

 

Many real estate-based schemes have been reported nationwide this year. This trend, the report says, will carry into 2009 with more sophisticated schemes, such as those involving bogus mortgage-rescue outfits that target homeowners facing foreclosure.

 

Adam Levin, chairman of Identity Theft 911, a company that educates and helps consumers keep their information safe, predicts more economic crimes as the economy continues to falter, giving ID thieves more opportunities.

 

"We are in the midst of a perfect storm," said Levin, citing the combined effects of a down economy, unemployed people struggling financially, and homeowners facing foreclosure. "So people need to be more careful than before and try to minimize exposure of personal information."

 

The Identity Theft Resource Center report also predicts an increase in schemes that attempt to trick unemployed people into giving out sensitive information with the promise of a job.

 

Also, as companies reduce staff to cut expenses, some disgruntled employees — including those who work in information-technology fields — may turn against former employers and hack information for profit.

 

"There's more data on the move that is not being guarded, and human errors happen," Foley said. As of December, 638 confirmed data breaches had been reported this year, compared with 446 in 2007, according to the ITRC.

 

"You've got companies that can't afford to spend on a security system, and also businesses that don't care, so they will use this as an excuse," said Levin, adding that he expects to see more data breaches next year.

 

Other predictions include:

 

Credit cards: Consumers with poor or no credit may become a target of fraudulent deals that offer a credit card regardless of credit history, and schemes promising to consolidate credit card debt or to renegotiate interest rates. Also, a fraudulent technique known as "skimming" — a duplicate scanning of credit cards or debit cards that are later used by thieves — will become increasingly common.

 

Check fraud: As credit becomes less available to consumers, identity thieves may carry out more check fraud schemes by using stolen checks or using checks thrown into the trash by unsuspecting consumers.

 

Cyber crime: Experts said the Internet would continue to be ID thieves' favorite playground. Cyberspace is now used to transport and sell large amounts of stolen personal information, including stolen credit card numbers. This trend will continue next year, Foley said.

Crime to boom as downturn blooms

By Mark Ward

Technology correspondent, BBC News

 

With the economic downturn affecting every corner of the globe, it is perhaps no surprise that it is likely to affect hi-tech criminals over the next 12 months.

 

In contrast to many ordinary people, hi-tech criminals are likely to see opportunities to prosper rather than suffer in the downturn.

 

So say some experts looking forwards to 2009 and what it will mean for the computer security world.

 

"Crime tends to rise when you have more unemployment," said Mikko Hypponen, chief research officer at F-Secure.

 

"If you look, in general, where the attacks are coming from you can find social reasons behind them," he said.

 

"It's not a technical problem, it's social," he said.

 

Easy money

 

Layoffs of many people familiar with net technology may tempt more into crime, he said, simply because their chances of being caught are slim. Equally, he said, the punishments for those that are caught are not harsh.

 

Those that did turn to hi-tech crime would find, he said, an underground service economy that will sell them all the bits they need to get started as a net criminal.

 

Some security firms fear that making people redundant could also trigger a wave of crime as aggrieved workers strike back at their employers.

 

This could mean that the intellectual property that a company relies on to keep going, such as its customer database, is copied and walks out of the door when employees pack up and leave.

 

"The damage that insiders can do should not be underestimated. It can take just a few minutes for an entire database that has taken years to build to be copied to a CD or USB stick," said Adam Bosnian, a spokesman for Cyber-Ark.

 

"With a faltering economy companies need to be especially vigilant about protecting their most sensitive data against nervous or disgruntled employees," he said.

 

Card games

 

"I would imagine that fraud is going to increase next year," said Carl Clump, chief executive of Retail Decisions that helps firms spot and tackle credit card fraud.

 

Even with the global economic slump, he said, fraud had been increasing year on year and there was no reason to expect that 2009 would buck that trend.

 

Widespread economic malaise would only act as a fillip to that rising tide, he said.

 

"It's a lucrative area and it's relatively easy to do," said Mr Clump.

 

Security initiatives such as chip and pin may have tackled fraud at some points, said Mr Clump, but that meant fraudsters had focussed on the next weakest area.

 

In particular, he said, many fraudsters have moved on to so-called Card Not Present fraud which is typically carried out via e-tail sites on the net.

 

Figures released in September by the Association of Payment and Clearing Services (APACS) which represents the UK's card firms showed that CNP fraud was up 18% on 2007 to £161.9m. Over the same period losses from UK online banking fraud rose by 185%.

 

Those unwilling to become spammers or phishers, said Mr Clump, might well be tempted into low-grade fraud - especially if they have lost their job or are struggling to make ends meet.

 

"In times like these people take desperate measures," he said.

 

Dan Hubbard, chief technology officer at Websense, said the grim times could tempt people to make choices they would not make in better times.

 

"Gambling tends to go up when economies are down," he said.

 

This might make people more willing to work alongside web criminals and act as money launderers or mules.

 

Mr Hubbard said the ongoing development of the web, mash-ups and semantic technologies could introduce new vulnerabilities.

 

"These will all add another level of complexity to the web," he said.

 

"It will create a rich user experience but behind the scenes it is grabbing data from all over the place," he warned.

 

Unless that was properly managed and thoroughly checked for security loopholes it could prove tempting for criminal groups.

 

"There are more targets than ever," said Mr Hubbard.

Tuesday, December 30, 2008

Fraudsters Run One-Stop Shop Online to Sell Data-Stealing Code

 

(December 29, 2008) Online fraudsters are running an online trading post for highly sophisticated code that allows criminals to more easily steal consumers' log-on credentials, Social Security Numbers, PINs, and other confidential information, according to the latest report from RSA Security Inc.'s Anti-Fraud Command Center.

 

The fraudster Web site, which RSA analysts call a "Web Injection Shop," sells so-called HTML injections, or bits of code that can allow phishing perpetrators to mimic the look of a financial institution's Web pages, including pages that ask for log-on credentials. The code also allows fraudsters to add fields to the pages to ask for information the legitimate pages don't ask for. The injections usually accompany Trojans, code that fraudsters install on the computers of unwary users when they visit certain sites or click on unknown e-mail links.

 

While these HTML injections are nothing new, the creation of what RSA calls a "production-scale central repository" for them is. Indeed, the sophistication of the code and of its merchandising online has led the Bedford, Mass.-based security firm, part of EMC Corp., to call the trend "fraud as a service," or FaaS, after the more familiar and legitimate trend toward software as a service (SaaS), in which companies sell solutions for specific online functions.

 

The Web site sells two types of injection, according to RSA. With one, fraudsters can weave new content into a financial institution's actual pages. The new content typically consists of fields asking for mother's maiden name, PINs, Social Security Numbers, or other sensitive data. The other type allows the buyer to insert a completely fabricated page into the user's browser, again asking for information not requested by the legitimate site.

 

With yet another product offered by the new fraudster site, buyers can install code on users' machines that searches for the balance field when users log on to their bank accounts. This so-called balance grabber then copies and transmits the account balance back to the fraudster's server. Armed with this information, online criminals can set prices for log-on credentials according to the richness of the balance to be plundered.

 

The going price for HTML injections is $10 to $30 each, depending on the target institution and the type of code, according to RSA's report. The report says these injections could follow a path similar to that of phishing kits, online tools that standardize the launch of phishing attacks. These tools have dropped in price as they have proliferated in underground forums. "When the fraudster market is saturated by HTML injection offerings, their price may drop since HTML pages are fairly simple to design," says the report.

 

Some 207 financial-institution brands were attacked in phishing campaigns in November, up significantly from 167 in October, the report says. The total includes 23 banks whose sites had not before been targeted by fraudsters. Regional U.S. banks were the target of 48% of the attacks, with credit unions accounting for 30% and banks that operate nationwide accounting for 23%.

Monday, December 29, 2008

'Boom year' for hi-tech criminals

By Mark Ward

Technology correspondent, BBC News

 

If 2007 was witness to the rise of the professional hi-tech criminal, then 2008 was the year they got down to work.

 

"The underground economy is flourishing," said Dan Hubbard, chief technology officer at security company Websense.

 

"They are not just more organised," said Mr Hubbard, "they are co-operating more and showing more business savvy in how they monetise what they do."

 

Statistics gathered by firms combating the rising tide of computer crime reveal just how busy professional cyber thieves have been over the last twelve months.

 

Sophos said it was now seeing more than 20,000 new malicious programs every day. 2008 was also the year in which Symantec revealed that its anti-virus software now protected against more than one million viruses.

 

The vast majority of these malicious programs are aimed at Windows PCs. Viruses made their debut more than 20 years ago but the vast majority of that million-plus total have been created in the last two to three years.

 

Tidal wave

 

Criminal gangs generate so many viruses for two main reasons. Firstly, many variants of essentially the same malicious program can cause problems for anti-virus software which can only reliably defend against threats it is aware of.

 

Secondly, in the past security firms have tended to focus on the big outbreaks. By staging a series of small outbreaks the criminals hope to go unnoticed while their family of viruses racks up victims.

 

Another statistic from Sophos reveals how the tactics of the online criminal groups are changing.

 

Before 2008 the preferred method of attack was a booby-trapped attachment circulating by e-mail.

 

Provocative, pornographic and personal subject lines were used to trick people into opening the attachment. Anyone doing so risked having hi-tech criminals hijack their home computer and turn it to their own nefarious ends.

 

In 2008, said Graham Cluley from Sophos, the main attack vector started to shift. Increasingly, he said, attackers have tried to subvert webpages by injecting malicious code into them that will compromise the computer of anyone that visits.

 

By the close of 2008, said Mr Cluley, Sophos was discovering a newly infected webpage roughly every 4 seconds.

 

The type of page being booby-trapped had also changed, he said. Prior to 2008 gambling, pornographic and pirated software sites were much more likely to be unwitting hosts for the malicious code used to hijack visitors' machines.

 

In 2008 the criminals turned their attention to mainstream sites that had very large audiences and were vulnerable to the code-injection attack.

 

Bug report

 

For Mikko Hypponen, chief research officer at F-Secure, 2008 was the year in which some hi-tech criminals got much more sophisticated.

 

The best example of this, he said, was the virus known as Mebroot.

 

"We saw it very early in the year and it continues to be a very complicated case," he said.

 

One of its most remarkable features is its built-in bug reporting system, said Mr Hypponen. When Mebroot is detected or malfunctions revealing its presence it sends off a report to its creators who then turn out a new version with the bug fixed.

 

"It's amazing that the bad guys were capable of pulling this off," said Mr Hypponen.

 

Dan Hubbard from Websense said 2008 was also notable for some hi-tech criminals turning away from viruses completely and embracing another way to make money.

 

Many, he said, were turning out bogus security programs that look legitimate but do not work. Once installed they purport to carry out a detailed scan of a machine and always turn up many instances of spyware and other malicious programs.

 

Cleaning up a machine using one of the bogus security programs always involves a fee, said Mr Hubbard.

 

"They are testing legal boundaries that are a grey area right now," said Mr Hubbard.

 

In mid-December 2008 the US Federal Trade Commission won a restraining order to shut down several firms that ran so-called "scareware" scams.

 

Research by Israeli security company Finjan suggests that up to five million people around the world have fallen victim to such scams.

 

A US court granted the FTC an injunction which stopped those behind the scareware products from advertising them and from making false claims about their efficacy, and froze assets in the hope that duped customers could be refunded.

 

2008 also saw other big successes against criminals. In mid-November spam volumes around the world plummeted briefly following the closure of US network firm McColo.

 

Despite this, said Mr Hypponen, 2008 was a good year for the bad guys. The successes, he said, came due to action by ISPs, other net bodies and the media rather than from the action of law enforcement agencies.

 

This was mainly due, he said, to the trans-national nature of hi-tech crime that made it very difficult to quickly carry out an investigation and make arrests.

 

"The vast majority of these cases do not seem to go anywhere," he said.

Russian hackers target U.S., Europe for profit and politics

Tribune correspondent

December 26, 2008

MOSCOW — Not long ago, the simple, anonymous thrill of exposing chinks in American software was enough of a payoff for a Russian hacker.

Today it's cash. And almost all the targets are in the United States and Europe, where Russia's notorious hackers pilfer online bank accounts, swipe social security numbers, steal credit card data and peek at e-mail log-ins and passwords as part of what some estimate to be a $100 billion-a-year global cyber-crime business.

And when it's not money that drives Russian hackers, it's politics—with the aim of accessing or disabling the computers, Web sites and security systems of governments opposed to Russian interests. That may have been the motive behind a recent attack on Pentagon computers.

A new generation of Russian hacker is behind America's latest criminal scourge. Young, intelligent and wealthy enough to zip down Moscow's boulevards in shiny BMWs, they make their money in cyber-cubbyholes that police have found impossible to ferret out.

From behind the partition of anonymous online hacking forums, they boast about why they use their programming savvy to spam and steal, mostly from the West.

"Why should I take a regular job after graduating and exert myself to earn just $2,000 a month, rather than grab this chance to make money?" says a Russian hacker on a cyber-crime forum that specializes in credit card fraud.

Cyber-crime, by some estimates, has outpaced the amount of illicit cash raked in by global drug trafficking. Hackers from Russia and China are among the chief culprits, and the threat they pose now extends far beyond spam, identity theft and bank heists.

Besides the recent attack on computers at the U.S. Defense Department, which may have originated in Russia, according to military leaders in Washington, Russian hackers also are believed to be behind highly coordinated attacks that brought down government Web sites in Estonia in 2007 and in U.S.-allied Georgia when war broke out between Russian and Georgian forces in August.

They're even suspected of hacking into the computer systems of Barack Obama and John McCain during the presidential campaign; technical experts hired by Obama's campaign suspected the attacks may have come from Russia or China, according to Newsweek.

So far there has been no evidence of a link between the Russian government and any of the attacks on American, Georgian and Estonian Web sites and computers. Nevertheless, the need to ramp up security of American cyberspace is being discussed with greater urgency in Washington. Earlier this month, a commission on cyber-security delivered a report to Congress calling for the creation of a new White House office that would gird the U.S. against computer attacks from hackers and foreign governments.

According to the commission, "unknown foreign entities" in 2007 hacked computers at the Departments of Defense, Homeland Security and Commerce, as well as NASA. Hackers broke into Defense Secretary Robert Gates' unclassified e-mail and probe Defense Department computers "hundreds of thousands of times each day," said the commission, a panel of leading government and computer industry experts.

A senior State Department official told the commission that the department had lost thousands of gigabytes of data due to computer attacks, and among the Homeland Security divisions reporting computer break-ins was the Transportation Security Administration. Hacking attacks compromising intellectual property have cost U.S. companies billions of dollars, the report stated.

"The damage from cyber attack is real," the report continued. "Ineffective cybersecurity, and attacks on our informational infrastructure in an increasingly competitive international environment, undercut U.S. strength and put the nation at risk."

After the Soviet collapse in 1991, Russian hackers were primarily motivated by mischief. "Back then it was simple hooliganism," said Vladimir Dubrovin, a hacker in the late 1990s and now a Russian computer security expert.

Today, however, most hackers in Russia are in it strictly for the money. Cyber-crime gangs approach computer programming graduates from Moscow's technical universities with offers of making sums of $5,000 to $7,000 a month, a far cry from Russia's average monthly salary of $640, says Nikita Kislitsyn, editor of Hacker, a glossy Russian magazine with how-to information for budding hackers.

Yevgeny Kaspersky, chief executive of Moscow-based Kaspersky Lab, one of the world's leading computer security firms, says Russian hacking flourishes as "a cyber-criminal ecosystem" of spammers, identity thieves and "botnets," vast networks of infected computers controlled remotely and used to spread spam, denial-of-service attacks or other malicious programs. A denial-of-service attack floods a Web site with inquiries, forcing its shutdown.

To ply online banking accounts, Russian hackers rely on viruses that record keystrokes as customers type log-ins and passwords. Russian-made viruses are believed to be behind several major online heists, including the theft of $1 million from Nordea Bank in Sweden in 2007 and $6 million from banks in the United States and Europe that same year.

Viruses and other types of "malware" are bought and sold for as much as $15,000, Kislitsyn says. Rogue Internet service providers charge cyber-criminals $1,000 a month for police-proof server access.

Botnets relied on for cyber-crime can also be used to lash out at political enemies, computer security experts say. Most analysts agree that criminal botnets were used by Russian hackers to shut down Estonian government and banking Web sites after the tiny Baltic republic angered Russians by moving a Soviet war memorial from downtown Tallinn in 2007.

"The Internet can now be used to attack small countries," Kaspersky said. "There are Russian and Chinese hackers that have the power to do that."

 

Sunday, December 28, 2008

E-payment fraud will hit $4 billion in 2008, or 1.4% of sales, study says

 

E-commerce fraud losses in the U.S. and Canada are expected to reach $4 billion this year, an 11% increase from $3.6 billion in 2007, according to CyberSource Corp.'s 10th annual survey of e-commerce fraud, which was released today. However, the percentage of online revenue lost to fraud held steady with 2007 at 1.4% of online sales.

 

Chargebacks, the most often cited metric for online payment fraud, continued to account for almost half of fraud losses, the report says. Merchants fight only about 50% of the fraud chargebacks they receive, with a third of merchants challenging less than 10%. But merchants that do challenge chargebacks recover, on average, 28% of their fraud chargebacks.

 

The consumer electronics category showed the highest fraud rate at 2%, nearly double the average among the eight industry segments measured.

 

International orders continue to be highly risky, with merchants reporting that fraud on international orders was 3.6 times higher than on domestic orders, CyberSource says. Fraud on international orders has grown to 4% from 2.7% in 2006. This year, 52% of merchants say they accept orders from beyond the borders of the U.S. and Canada. International orders constituted an average 17% of those merchants' total orders this year.

 

Merchants with online revenue of $5 million to $25 million faced the most fraud. When compared with merchants with online sales of more than $25 million, mid-sized e-commerce merchants showed higher order-rejection rates (4.3% vs. 2.4%), higher manual review rates (34% of orders vs. 15%), and higher fraud loss rates (1.6% of revenue vs. 1.2%).

 

"We believe the largest merchants are simply better at fighting fraud—they make better use of fraud-detection tools and other resources," says Doug Schwegman, director of market and consumer intelligence at CyberSource. "As they work through the growing pains of becoming a large merchant, mid-sized merchants' fraud metrics may actually spike if they haven't implemented the tools and established the review expertise to sufficiently protect them from the increase in the volume of fraudulent activity."

 

The survey also found increased interest from merchants in automated fraud detection tools, by as much as two to three times in some cases, from 2007. However, merchants that manually review orders for fraud examined on average one out of every three orders, the same rate as in the four previous years.

 

The annual survey from the electronic payment services vendor also found that order-rejection rates tied to suspicion of fraud showed a significant drop to 2.9% of incoming orders, down from 4.2% in 2007. On average, 1.1% of accepted orders were fraudulent, CyberSource says.

Merchants have made little progress in minimizing the time spent manually examining good orders, CyberSource says. Merchants this year accepted an average of 73% of orders they manually reviewed, roughly the same percentage as last year. About half of merchants accepted 90% or more of the orders they reviewed. "If you're a merchant and you're accepting this level of reviewed orders, there is a real opportunity for you to reduce costs and profits—simply through better initial automated order screening," Schwegman says.

The survey, conducted between Oct. 21 and Nov. 11, was based on the responses of 400 online merchants in the U.S. and Canada.

New threats to online security

By Richard Waters in San Francisco

 

Internet security has deteriorated markedly this year as a new generation of invasive computer attacks, often masterminded by criminal gangs, has reached a heightened level of sophistication, according to the latest studies of online threats.

 

"It's getting worse year after year," warned Pat Peterson, chief security researcher at Cisco Systems, who blamed the deterioration on the fact that computer "hacking" is quickly turning into big business. "Capitalism is working against us," he said.

 

"It's a step back after things had gotten better," added John Pescatore, a security analyst at Gartner.

 

In particular, computer security experts warn that so-called botnets, or networks of "slave" PCs whose owners do not know their machines have been infected, have become both more prevalent and sophisticated.

 

By planting a piece of software on an unguarded PC, criminals are able to assemble large networks of machines to carry out tasks for them, such as launching attacks on other internet users.

 

PCs that are part of botnets, some of which span 1m or more machines, have become harder to identify and root out in recent months as the rogue software has burrowed deeper into the machines, said Paul Wood, a senior analyst at MessageLabs.

 

Botnets have also become more dangerous as their controllers have learnt how to repurpose the slave networks to carry out different tasks, Mr Peterson said. One network that was originally used to steal users' passwords and send out spam was given an overhaul this year so that it could attack legitimate websites, according to Cisco.

 

A second big new threat that has become notable this year has been the commandeering of legitimate websites and e-mail accounts to spread malicious software. Rogue software is used to scrutinise public websites and "inject" code into those that are found vulnerable, so that later visitors to the sites can be infected.

 

The setback for internet security follows several years in which the biggest online threats were successfully held at bay or, in some cases, pushed back. The use of the internet to exploit vulnerabilities in millions of PCs first emerged as a significant threat in 2001, after an outbreak of fast-spreading computer viruses and worms.

 

Those threats were largely thwarted after a concerted effort by Microsoft and other software makers to plug flaws in their code, and after anti-virus software became more widely used. A subsequent wave of spyware that emerged in the middle of this decade was also pushed back.

 

However, the prospect of making large amounts of money by stealing sensitive information from millions of users, such as their passwords or financial data, has led to a new and more insidious outbreak of mass internet attacks.

 

Copyright The Financial Times Limited 2008

Thursday, December 25, 2008

Companies Feel Secure Against Data Loss But Are Not, New Study Shows

 

Data breaches have been in the crosshairs of corporate security departments for most of this decade.

 

Data loss is a big corporate problem

 

Each year, administrators spend millions of dollars to enhance security measures they believe will keep private, personal information just that – private.

 

Despite their efforts, the loss of data continues at a significant pace among North American corporations, according to a new survey.

 

The survey, from Enterprise Strategy Group, found that 56 percent of large corporations suffered at least one data breach in the past year – a percentage higher than in previous studies.

 

Executives believe they are protected, but their businesses frequently are not, said Tom Bain, director of marketing and communications at the research firm. There is a lot of confusion in the market, he said.

 

Equally alarming, said Bain, is that 33 percent of companies admitted they failed a security audit and 42 percent said they failed a Payment Card Industry security audit designed to measure how well they guard credit-card information.

 

Enterprise Security Group surveyed 179 companies with 1,000 or more workers in October and November.

Monday, December 22, 2008

Touched Yet by Cybercrime's Pandemic? Don't Worry; You Will!

Etienne A. Gibbs, MSW asked:

 

 

The following is adapted from an article in eWEEK.com entitled, 2004: Year of the Cyber-Crime Pandemic. Although written in 2004, the epidemic appears to be getting worse, not better.

 

But wait a minute! Notice I said, "appears to be getting worse". On the surface, it seems like the epidemic has become a pandemic. While cybercrime might have increased, so, too, has online security to combat it. Although cybercriminals might be a step or two ahead of authorities, they don't stay there long. As soon as authorities close in on them, they shut down operations and move on. In a way that's a small victory. The small battles may be won by the authorities and experts, but for them the war against cybercrime and cybercriminals wages on.

 

Now, here's what eWEEK.com had to say, in paraphrased fashion:

 

Internet crime and security have become increasingly complicated in the past years. In November alone, there were 8,459 new, unique phishing e-mail messages reported to the Anti-Phishing Working Group. That's nearly four times the number received in August and represents an average monthly growth rate of 34 percent since July.

 

What's uniquely alarming about this epidemic is that phishing is such an alluringly lucrative cybercrime: It involves duping victims into revealing personal financial data, including credit card numbers, account user names and passwords, and/or Social Security numbers.

 

The sophistication of these attacks has grown by leaps and bounds. For example, as eWEEK.com's Matthew Broersma reported in December, researchers have found that most Web browsers handle pop-up windows in a manner that makes them vulnerable to a simple phishing technique that allows fake content to look genuine.

 

Even fully patched, standard versions of globally used browsers including Internet Explorer, Firefox, Opera, Konqueror, and Safari—used by trusted sites such as banks—allow malicious sites to insert their own content into any pop-up window, as long as the target name of the window is known.

 

Over the past year, experts also warned of new attacks that not only circumvent DomainKeys but, adding insult to injury, even exploit the fledgling e-mail signing technology for their nefarious ends.

 

As eWEEK's Dennis Fisher reported, the technology once regarded by many in the security community as one of the best hopes for preventing e-mail address forgery is now being used to make bogus messages appear legitimate, thus undercutting confidence in the system.

 

"It proves that people will get to the point where they can't trust e-mail from anywhere," one security expert, who requested anonymity, told Fisher.

 

During a quarter in which analysts declared a 500 percent increase in global phishing activity over the previous quarter, Veterans Day was the nadir. Beginning in the early morning and continuing into the weekend, the Internet exploded with attacks against companies including eBay, Citibank and other financial institutions.

 

Indeed, financial institutions are traditionally the likeliest targets of Internet crime, yet chief security officers in the industry said they got scant help from the Feds over the past year, eWEEK's Fisher reported.

 

Dave Cullinane, president of the Information Systems Security Association, gave a speech at the CSO Interchange gathering, during which he said that the FBI and other federal agencies are generally unresponsive to requests for help from banks on phishing attacks unless the bank can show substantial financial losses. "If you're running on the assumption that calling the FBI will get you assistance, it won't," he said.

 

The growing threat of spyware

Beyond the phishing epidemic, spyware was on track to replace mass-mailing worms as the biggest security threat in the coming year. This technology, which uses covert techniques to install itself on computers and track user activity, is dangerous because malicious code can be executed on infected systems.

 

As eWEEK.com's Ryan Naraine reported, spyware, also known as adware, has become the preferred way to deliver malicious Trojans, which can relay information to other computers or Web locations, thus putting user passwords, log-in details, credit card numbers and other personal information at risk.

 

Notwithstanding financial chief security officers' complaints, the Feds spent a good deal of the past year studying cyber-crime, pondering and passing legislation to thwart it, and even handing down the first-ever felony conviction of a spammer. The spammer, Jeremy Jaynes, received a sentence of nine years in prison when a jury in AOL's home county convicted him and his sister.

 

Meanwhile, a federal sweep, named Operation Web Snare, nabbed 150 individuals and yielded 117 criminal complaints between June and August. As eWEEK's Dennis Callaghan reported, the effort, largely directed against phishers, was thought to be the largest one yet taken against cyber-criminals.

 

Reactions to the cyber-criminal sweep were mixed, however, as some legal and online fraud experts opined that it was too little, too late.

 

Finally, if there's any silver lining to the dark cloud of cyber-crime that's blossomed in the past year, it is this: Congress is finally taking these issues seriously.

 

As eWEEK's Caron Carlson reported, the Senate in June approved legislation aimed at stopping identity theft by increasing criminal penalties and creating a new crime of aggravated ID theft, which the president has since signed into law.

 

The House took on the task of probing spyware in April, and legislation targeting spyware was introduced into the Senate and House, with Utah ahead of the curve in enacting an anti-spyware law.

 

The House in September approved legislation that prohibits "taking control" of a computer, surreptitiously modifying a Web browser's home page, or disabling anti-virus software without proper authorization.

 

With all of these busts, and with all of this legislative pondering, does it finally mean we have some tools to beat down the alarming rise of cybercrime? eWEEK.com's Larry Seltzer earlier in the year had read various versions of bills pending at the time, and he wasn't optimistic, given that the legislative language had too much wiggle room.

 

The upshot: In 2005, you'll have to be more vigilant, you'll have to demand more from vendors vis-à-vis secure products, and you'll have to go through legislative wording with a fine-toothed comb.

 

Is that different from other years? No. But take it much, much more seriously this year.

 

To protect yourself, you need an Internet security team of experts making sure that you, your family, and your business computer are always safe and secure. The best protection you can have in today's rapidly changing world of cyber-attacks is to have expert support for all your Internet security needs that will provide technical support without any hassles and without charging you extra fees. It will become even more critical than it is today as time goes on. You need to find your own personal team of experts to rely on. If you ever have a security problem, you will want to have a trusted expert you can call for professional help, without any hassles and extra costs!

 

Because cybercriminals are becoming smarter and more sophisticated in their operations, they are real threats to your personal security and privacy. Your money, your computer, your family, and your business are all at risk. These cybercriminals leave you with three choices: (1) Do nothing and hope their attacks, risks, and threats don't occur on your computer. (2) Do research and get training to protect yourself, your family, and your business. (3) Get professional help to lockdown your system from all their attacks, risks, and threats.

 

Remember: When you say "No!" to hackers and spyware, everyone wins! When you don't, we all lose!

Hackers Acting Faster, Study Concludes

Siobhan Chapman, Computerworld UK

Saturday, December 20, 2008 10:16 AM PST

 

Zero-day malware accounted for 26 percent of blocked threats in November, says web security firm ScanSafe.

 

In its monthly Global Threat Report, ScanSafe said the rate of zero-day malware blocks increased in November to 26 percent of blocks, compared to 16 percent in October. The number is also significantly higher than the 19 percent average reported for the year.

 

In a zero-day attack, hackers outpace software vendors and security providers by exploiting vulnerabilities before vendors have had time to fix them.

 

The most recent zero day attack was the Internet Explorer browser exploit. The vulnerability was found and then mistakenly released by Chinese researchers. The result was an explosion of attacks. Microsoft released an emergency patch on Tuesday, 17 December.

 

"Throughout November, attackers were more intent than ever on ensuring the malware they used would bypass traditional security measures," said Mary Landesman, senior security researcher at ScanSafe.

 

"Given the dynamic and costly nature of today's web threats, real-time scanning of web traffic before it reaches the enterprise is more essential than ever."

 

Backdoor and data theft Trojans also factored prominently in November web malware exposures. In October, Trojans accounted for 13 percent of all Web malware blocks, but in November, they accounted for 30 percent. Five of the top ten web malware blocked in November were a result of this category of threats. The bulk of these Trojans include an autorun component that enables the malware to spread via infected USB and mapped drives.

 

"The recent increase in backdoors and data theft Trojans is very concerning given the seriousness of this category of malware," said Landesman. "Heightened exposure indicates attackers are going to new extremes to get their malware in front of users, perhaps as a result of the declining economic climate."

 

One third, 33 percent, of all web malware blocks were through compromised websites. This is actually lower than the October peak of 65 percent. But this decline in exposure to compromised websites was offset by a boom in zero-day threats as well as an increase in social engineering techniques. The end result: despite the decrease in website compromises, the overall rate of web-based malware was only 2.4% less than the rate in October. October was, according to ScanSafe, the highest web malware month in history.

 

The ScanSafe Global Threat Report is based on analysis of more than 20 billion web requests the company processed each month for customers in over 80 countries.

Wednesday, December 17, 2008

Cisco: Cyberattacks growing, looking more legit

Sees 90% growth in threats originating from legitimate domains, report says

Jim Duffy

 

December 15, 2008 (Network World) Internet-based cyberattacks are becoming increasingly sophisticated and specialized as profit-driven criminals continue to hone their approaches to stealing data from businesses, employees and consumers, according to a report Cisco Systems Inc. released this week.

 

The 2008 Cisco Annual Security Report found that the overall number of disclosed vulnerabilities grew by 11.5% over 2007. Vulnerabilities in virtualization technology nearly tripled, from 35 to 103 year-over-year, and attacks are becoming increasingly blended, cross-vector and targeted, according to the report.

 

Cisco says its researchers saw 90% growth in threats originating from legitimate domains, nearly double what was seen in 2007. And the volume of malware successfully propagated via e-mail attachments is declining. Over the past two years, the number of attachment-based attacks decreased by 50% from 2005 and 2006 levels.

 

This is at least the fourth study on security released this year by Cisco. Three others, conducted by an external research firm but commissioned by Cisco, assessed insider threats, data leakage and security policies.

 

According to Cisco, spam accounts for nearly 200 billion messages each day, approximately 90% of worldwide e-mail. The U.S. is the biggest source, at 17.2%, ahead of Turkey (9.2%), Russia (8%), Canada (4.7%), Brazil (4.1%), India (3.5%), Poland (3.4%), South Korea (3.3%), Germany (2.9%) and the U.K. (2.9%).

 

More online attackers are using real e-mail accounts with legitimate Web mail providers to send spam, which makes it harder to detect and block, Cisco says. The company estimates that in 2008, spam resulting from e-mail reputation hijacking of the top three Web mail providers accounted for less than 1% of all spam worldwide but made up 7.6% of the providers' mail traffic.

 

Botnets have become a nexus of criminal activity on the Internet, according to Cisco. This year, numerous legitimate Web sites were infected with IFrames, malicious code injected by botnets that redirects visitors to malware-downloading sites, the company says.

 

The use of social engineering to entice victims to open a file or click links continues to grow. Cisco expects that in 2009, social engineering techniques will increase in number, vector and sophistication.

 

And targeted phishing -- spear phishing -- is also expected to become more prevalent as attackers personalize spam and make messages appear more credible, Cisco says.

 

The following are some 2009 trends to look for, according to Cisco:

 

    * Insider threats: The global economic downturn may prompt more security incidents involving employees.

    * Data loss: Companies will adopt technology, education and clear, well-enforced data security policies to make compliance easier and reduce incidents of data loss due to carelessness, breaches by hackers, or malicious insiders.

    * Mobility, remote working and new tools as risk factors: The trend of working remotely and the related use of Web-based tools, mobile devices, virtualization, cloud computing and similar technologies will be a challenge for security personnel, as the increasing number of devices and applications in use can make the expanding network more susceptible to new threats.

 

The free report is available on Cisco's Web site. Data sources for the report came from multiple Cisco divisions continuously assessing and correlating Internet threats and vulnerabilities.

 

Cisco posted three video blogs this week to review the report's results, including an overview of the report, and videos on botnets and reputation hijacking. The company is also conducting an Internet TV broadcast.

Hackers 'aid' Amazon logging scam

 

Hackers have helped logging firms in Brazil evade limits on tree felling, says a Greenpeace report.

 

The hi-tech criminals penetrated a computer system designed to monitor logging in the Brazilian state of Para.

 

Once inside the system, hackers issued fake permits so loggers could cut down far more timber than environmental officials were prepared to allow.

 

Greenpeace estimates that 1.7m cubic metres of illegal timber may have been removed with the aid of the hackers.

 

Massive attack

 

Drawing on information released by Brazilian federal prosecutor Daniel Avelino, Greenpeace believes hackers were employed by 107 logging and charcoal companies.

 

"Almost half of the companies involved in this scam have other law suits pending for environmental crimes or the use of slave labour," said Mr Avelino in a statement issued by Greenpeace.

 

Mr Avelino is suing the companies behind the mass hack attack for two billion reals (£564m) - the estimated value of the timber illegally sold.

 

The Brazilian investigation of the hackers began in April 2007 and more than 30 ring leaders were arrested during the summer of that year. The ongoing investigation means that now 202 people face charges for their involvement in the subversion of the logging system.

 

The hack was made possible by a decision in 2006 to do away with paper forms to help monitor whether logging and charcoal firms were keeping to the quotas they were set.

 

Instead, the Amazon state of Para turned to a fully-computerised system that issued travel permits for the timber logging firms were removing. The intent was that travel permits would stop being issued once logging companies had reached their annual quota.

 

With the help of the hackers, Brazilian logging firms were able to issue fake permits allowing them to bust through these caps.

 

"We've pointed out before that this method of controlling the transport of timber was subject to fraud," said Andre Muggiati, Greenpeace campaigner in Manaus. "And this is only the tip of the iceberg, because the same computer system is also used in two other Brazilian states."

Tuesday, December 9, 2008

Opinion: Card breaches shake faith in e-payments

Jeremy Kirk

 

In the past three months, all three of my payments cards -- one credit card and two debit cards -- have been compromised.

 

That means somewhere, in some database, various fraudsters have my name and enough card details to attempt a shopping spree anywhere in the world. The cards have all been replaced by the issuers and, luckily, I never discovered any fraudulent transactions.

 

The card breaches are particularly disturbing since I cover computer security. So what happened? I still have no clue. Investigating a card breach as a consumer, or a journalist, is a black hole.

 

Stealing card numbers isn't hard. A PC can be infected with a keystroke logger that records card details used during online transactions. Insecure databases at merchants can be hacked. ATM machines can be fitted with "skimmers" that record a card's magnetic strip information, which can be used to create a cloned card.

 

Point-of-sale devices can be modified to record card details. Unscrupulous employees can also steal information during merchant transactions. All of the methods can allow a hacker to eventually use the details and attempt an online transaction, known as card-not-present fraud.

 

It's impossible for me to trace where and when the card details were acquired. The only common element between the three cards is that I've used them all on my PC for e-commerce transactions at one time or another. But I'm pretty sure I've never been phished, and the various antivirus programs I've had on my PC have never detected malicious software.

 

Wachovia, my U.S. bank, sent me a new debit card unprompted about a month ago. I thought it was strange since I didn't request a card. I called the bank, and was told the card number had been compromised. Wachovia, though, included absolutely no notification with the new card saying that the old number had been compromised.

 

Although troves of card numbers are obtained by online thieves, banks will only reissue cards if there's a high fraud risk, said Avivah Litan, a card fraud expert at Gartner. It costs banks around US$20 to reissue a card, so less than 10 percent of the cards that are compromised are replaced, she said.

 

Upon hearing two of my cards had been compromised, Avivah said, "That is very, very unusual. You should be worried. I would be worried if this happened to me. I tend to be more paranoid than average."

 

This wasn't making me feel any better.

 

Wachovia spokeswoman Jennifer Darwin refused to give any information about the breach, such as where it happened and if a law enforcement agency is investigating.

 

Without information, it's impossible for me to follow up. I can't check in with the police. I can't check to see if a merchant is complying with data-breach disclosure laws that exist in many U.S. states. It's a dead end.

 

Darwin further downplayed the potential for identity theft. "The physical card was compromised and not your personal information," she said.

 

Nonetheless, Litan said online scammers will build profiles on people that include card details and sell those profiles to criminals who perpetuate ID theft.

 

Since Wachovia isn't straightforward with its customers about card compromises, most consumers just start using the new card. They wouldn't know to go back through their statements to ensure there are no funny transactions since Wachovia doesn't tell them.

 

That's dangerous and irresponsible, since it can be an administrative pain to try and claim money back after a fraud has happened. At that point, the fraudsters could be well on their way to executing a more serious identity theft.

 

Credit card companies and banks "don't want to alarm people because they think it might be bad for business," said Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse. "They're making money on every transaction and don't want to scare you."

 

In the case of my U.S. credit card, neither Citibank -- which issued the card -- nor MasterCard would say if law enforcement is investigating. Chris Monteiro of MasterCard said there are "legal implications" around giving information about a breach.

 

Card companies often say that, even though law enforcement agencies never say they've told companies not to release breach information, Stephens said.

 

"You get stonewalled," he said.

 

But consumers should be able to get a more clear view of what happens when there is a chance for fraud, Litan said. Companies such as Visa and MasterCard have the information and "you have a right to get it," Litan said.

 

The opacity of card theft investigations is astounding considering how card fraud is exploding.

 

In the U.K., phone, Internet and mail-order card fraud increased 18 percent from January to June compared to the same period in 2007, according to the Association of Payment Clearing Services, the U.K. payments association. The fraud amounted to £90.6 million (US$144 million) in the first half of 2005; it hit £161.9 million for the first half of 2008.

 

In 2007, U.S. card fraud totalled $1.24 billion while 10 years prior fraud amounted to $760 million, according to The Nilson Report, a card payments analyst.

 

Since the breaches, I've developed severe card-payment anxiety.

 

The cards have all been replaced, but I'm leery about ever buying something on the Internet again. I've reinstalled my home computer's Windows XP operating system in case there was some secret keylogger on the PC that Symantec's antivirus software was missing.

 

And I'm considering going back to paper checks.

E-tailers ready for cybercrooks this season

PCI security standard has delivered better controls, say security experts

Jaikumar Vijayan

 

December 5, 2008 (Computerworld) One predictable trend in recent years has been a sharp increase in online attacks directed against retailers during the holiday shopping season.

This year is proving to be no different, with malicious hackers mounting all-out efforts to breach retail networks, steal payment card data and compromise customer accounts during one of the busiest online shopping seasons. What's different is that more retailers are better prepared because of their implementation of security controls mandated by the major credit card companies under the Payment Card Industry (PCI) data security standard, say security analysts.

A new report from security vendor SecureWorks Inc. confirms that cybercriminals are not letting the economic gloom dampen their efforts to go after the online retail community in a big way.

A review of traffic on the networks of three dozen of SecureWorks' retail customers shows the usual dramatic increase in attempts to break into retail systems in the buildup to this holiday season. The number of network scans looking for open ports and other entry points into retail networks, for example, increased from an average of 56,000 per retailer a month in the first six months of the year, to an average of 202,000 in October. Such scans are sometimes seen as a precursor to targeted attacks.

The increase in scanning activity was followed by a surge in the number of attempted authentication attacks, which are attempts to compromise user names and passwords on retail networks. Such attacks jumped more than four-fold, from an average of 34,000 per retailer per month in the first five months of the year to 137,000 in November.

There's little doubt that retailers are the ones being specifically targeted. SecureWorks found a 161% increase in attempted attacks against retailers overall from the first six months of the year to the last five months of the year, compared with an 11% increase in attacks against banks during the same period.

Wayne Haber, director of infrastructure at SecureWorks, said the numbers were predictable, but the amount by which the malevolent activity had surged this year still was "somewhat surprising."

"We usually see an increase, but not an increase of this level," Haber said.

The reasons for such increases are not hard to find. Gartner Inc. analyst Avivah Litan said that with online shopping about two to three times heavier between Thanksgiving and the new year compared with the rest of the year, fraudsters know they can get away with their crimes more easily. "Their fraudulent transactions get lost in the 'noise' of the higher volume of legitimate transactions, and retailers don't have time to review the increased suspect transactions so they often let them go through," Litan said.

Retail systems such as inventory, shipping, sales, orders and customer service are much busier during this time, so criminal activity such as network intrusions, "can much more easily be hidden amidst the mad shuffle," she said.

However, Litan said that with the money spent on PCI-related security improvements, she expects to see attackers turn their sights on smaller, more vulnerable retailers. "...The truth is that determined crooks can likely make their way through at least a third of the large retailers who think they are secure," she added.

PCI standards require all companies that accept payment card transactions to implement a variety of security controls for protecting card data. So-called tier-1 companies, which process more than 6 million card transactions annually, and tier-2 companies face a variety of penalties for non-compliance, especially if they are breached. Although industry-wide PCI compliance is still a work in progress, many of the largest companies are believed to be compliant.

"From our experience, dealing with retailers that have complied with the majority of the key PCI regulations are definitely better prepared for these threats than those that have not," Haber said. This is especially true if the retailers have remedied issues found in previous PCI audits, he said.

Retailers that have not yet implemented such measures need to observe best practices to thwart those seeking to attack them, Haber said. For example, Web services and systems that require user authentication need to require complex passwords and employ password aging measures to ensure they are routinely changed.

Also, many automated authentication attacks use brute force methods to guess at passwords. One way to radically slow down such automated methods is to implement authentication delays and automatic lockouts after repeated failed login attempts, Haber said.

Web firewalls should be used to block everything that is going in and out of a network except for explicitly allowed traffic. Companies need to also scan and test their Web applications to ensure they are not vulnerable to Web attacks such as SQL injection, Haber said.
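The authentication delays and automatic lockouts Haber recommends can be shown with a short simulation. This is an added example, not code from the article or from SecureWorks; the class names, the thresholds (five failures, a 15-minute lockout, delays doubling from one second) and the simulated clock are assumptions chosen for illustration.

```python
import time


class FakeClock:
    """Constructed test clock so the simulation runs instantly and offline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginThrottle:
    """Doubling delay after each failed login, then a fixed lockout.

    All thresholds are illustrative assumptions, not values from the article.
    """

    def __init__(self, max_failures=5, base_delay=1.0, max_delay=30.0,
                 lockout_seconds=900.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        # key -> (consecutive failures, time at which the next attempt is allowed)
        self._state = {}

    def retry_after(self, key):
        """Seconds that must still pass before this key may be tried again."""
        if key not in self._state:
            return 0.0
        _, allowed_at = self._state[key]
        return max(0.0, allowed_at - self.clock())

    def attempt(self, key, check_password):
        """Handle one login attempt; returns 'ok', 'denied' or 'throttled'.

        check_password is a callable so the credential check is never run
        while the key is delayed or locked out: guesses submitted inside
        that window reveal nothing about the password.
        """
        if self.retry_after(key) > 0:
            return "throttled"
        if check_password():
            self._state.pop(key, None)  # success clears the failure history
            return "ok"
        failures = self._state.get(key, (0, 0.0))[0] + 1
        if failures >= self.max_failures:
            # Automatic lockout; the counter restarts once it expires.
            wait, failures = self.lockout_seconds, 0
        else:
            # Authentication delay: 1 s, 2 s, 4 s, ... capped at max_delay.
            wait = min(self.max_delay, self.base_delay * 2 ** (failures - 1))
        self._state[key] = (failures, self.clock() + wait)
        return "denied"


def simulate_guessing(throttle, clock, seconds, key="alice"):
    """Constructed scenario: a script submits one wrong guess per second.

    Returns how many guesses actually reached the password check.
    """
    checked = 0

    def wrong_guess():
        nonlocal checked
        checked += 1
        return False

    for _ in range(seconds):
        throttle.attempt(key, wrong_guess)
        clock.advance(1.0)
    return checked


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    reached = simulate_guessing(throttle, clock, 3600)
    print("guesses submitted in one hour: 3600")
    print("guesses that reached the password check:", reached)
```

Keying the throttle on the account name alone lets anyone lock a legitimate user out by failing logins on purpose, so deployments often key on the account and source together or pair the lockout with alerting.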

 

Security concerns cloud holiday shopping

New survey reveals consumer fears about data privacy, ID theft and online fraud

Jaikumar Vijayan

 

November 30, 2005 (Computerworld) The big increase in online sales expected this holiday shopping season comes amid what appears to be unprecedented consumer concerns over data privacy, online fraud and identity theft.

 

The results of a new survey of 1,005 consumers released today show that while 78% of U.S. Internet users plan on shopping online this year, more than 69% of those shoppers will limit their online purchasing because of concerns about the possible misuse of their personal information.

 

The survey was conducted by San Francisco-based Truste, a nonprofit privacy organization, and market research firm TNS Global in New York. It found that privacy concerns would deter more than 40% of the respondents from buying from smaller online retailers, and about 22% said they will not be purchasing online at all.

 

The survey was conducted online between Oct. 27 and Nov. 1.

 

"There's definitely a reason for both consumers and merchants to feel more concerned" about data security and privacy issues compared with previous years, said John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc.

For consumers, the biggest risks come from the increasing use of keystroke logging and password acquisition tools by hackers, Pescatore said. Such remote access tools allow cyber thieves to capture sensitive information such as credit card numbers from consumers who are doing business online, he said. A Gartner study in March showed that despite a higher awareness of phishing scams, a large number of consumers continue to be fooled into visiting Web sites that download such hacker tools.

 

Dan Clements, founder of Cardcops.com, a Malibu, Calif.-based company that enables consumers to check for stolen credit card numbers, said that the number of stolen credit cards and pieces of personally identifiable information appears to be growing. "There is a definite underground where you can buy and sell this stuff without the threat of law enforcement," he said.

 

Much of the stolen information appears to have been snagged through hacks into systems containing confidential data and from phishing scams, he said.

 

"Almost every day we see a new merchant being hacked" and information being stolen from their systems, said Clements, whose company scours known hacker sites, chat rooms and other online locations for stolen credit cards and personally identifiable bits of data.

 

Over the past three years, Cardcops has alerted more than 500 merchants about data compromises resulting from potential hacks into their systems. Clements said the company has also found more than 1 million stolen credit cards and between 7 million and 10 million pieces of personally identifiable information associated with those cards, such as last names and addresses.

 

Most of the time, the merchants involved appeared unwilling to take responsibility for their security lapses, he said. "When you show them the data, they only fess up to what is put in front of them," Clements said.

 

But Cathy Hotka, senior vice president of technology and business development at the Retail Industry Leaders Association in Washington, said that much of the concern about online security is overblown.

 

"I don't believe for a second that anybody's enthusiasm has been dampened" by online security concerns, Hotka said. "The track record of online security is great. We've demonstrated safe e-commerce for years, and consumers love it. If anything, there's concern about phishing and the effect that it can have on brands."

 

The results from the Truste survey appear to reinforce the findings of other recent research that reveals similar consumer concerns.

 

In a nationwide survey of 1,009 consumers conducted by Forrester Custom Consumer Research for the Business Software Alliance, one in four consumers said they would not shop online because of Internet security concerns. Another survey of 2,008 consumers released on Nov. 22 by Sun Microsystems Inc. showed that 83% of the respondents think they're most susceptible to identity theft during the holiday season.

Monday, December 8, 2008

Thieves Winning Online War, Maybe Even in Your Computer

By JOHN MARKOFF

 

SAN FRANCISCO — Internet security is broken, and nobody seems to know quite how to fix it.

 

Despite the efforts of the computer security industry and a half-decade struggle by Microsoft to protect its Windows operating system, malicious software is spreading faster than ever. The so-called malware surreptitiously takes over a PC and then uses that computer to spread more malware to other machines exponentially. Computer scientists and security researchers acknowledge they cannot get ahead of the onslaught.

 

As more business and social life has moved onto the Web, criminals thriving on an underground economy of credit card thefts, bank fraud and other scams rob computer users of an estimated $100 billion a year, according to a conservative estimate by the Organization for Security and Cooperation in Europe. A Russian company that sells fake antivirus software that actually takes over a computer pays its illicit distributors as much as $5 million a year.

 

With vast resources from stolen credit card and other financial information, the cyberattackers are handily winning a technology arms race.

 

"Right now the bad guys are improving more quickly than the good guys," said Patrick Lincoln, director of the computer science laboratory at SRI International, a science and technology research group.

 

A well-financed computer underground has built an advantage by working in countries that have global Internet connections but authorities with little appetite for prosecuting offenders who are bringing in significant amounts of foreign currency. That was driven home in late October when RSA FraudAction Research Lab, a security consulting group based in Bedford, Mass., discovered a cache of half a million credit card numbers and bank account log-ins that had been stolen by a network of so-called zombie computers remotely controlled by an online gang.

 

In October, researchers at the Georgia Tech Information Security Center reported that the percentage of online computers worldwide infected by botnets — networks of programs connected via the Internet that send spam or disrupt Internet-based services — is likely to increase to 15 percent by the end of this year, from 10 percent in 2007. That suggests a staggering number of infected computers, as many as 10 million, being used to distribute spam and malware over the Internet each day, according to research compiled by PandaLabs.

 

Security researchers concede that their efforts are largely an exercise in a game of whack-a-mole because botnets that distribute malware like worms, the programs that can move from computer to computer, are still relatively invisible to commercial antivirus software. A research report last month by Stuart Staniford, chief scientist of FireEye, a Silicon Valley computer security firm, indicated that in tests of 36 commercial antivirus products, fewer than half of the newest malicious software programs were identified.

 

There have been some recent successes, but they are short-lived. On Nov. 11, the volume of spam, which transports the malware, dropped by half around the globe after an Internet service provider disconnected the McColo Corporation, an American firm with Russian ties, from the Internet. But the respite is not expected to last long as cybercriminals regain control of their spam-generating computers.

 

"Modern worms are stealthier and they are professionally written," said Bruce Schneier, chief security technology officer for British Telecom. "The criminals have gone upmarket, and they're organized and international because there is real money to be made."

 

The gangs keep improving their malware, and now programs can be written to hunt for a specific type of information stored on a personal computer. For example, some malware uses the operating system to look for recent documents created by a user, on the assumption they will be more valuable. Some routinely watch for and then steal log-in and password information, specifically consumer financial information.

 

The sophistication of the programs has in the last two years begun to give them almost lifelike capabilities. For example, malware programs now infect computers and then routinely use their own antivirus capabilities to not only disable antivirus software but also remove competing malware programs. Recently, Microsoft antimalware researchers disassembled an infecting program and were stunned to discover that it was programmed to turn on the Windows Update feature after it took over the user's computer. The infection was ensuring that it was protected from other criminal attackers.

 

And there is more of it. Microsoft has monitored a 43 percent jump in malware removed from Windows computers just in the last half year.

 

The biggest problem may be that people cannot tell if their computers are infected because the malware often masks its presence from antivirus software. For now, Apple's Macintosh computers are more or less exempt from the attacks, but researchers expect Apple machines to become a larger target as their market share grows.

 

The severity of the situation was driven home not long ago for Ed Amoroso, AT&T's chief security official. "I was at home with my mother's computer recently and I showed her it was attacking China," he said. " 'Can you just make it run a little faster?' she asked, and I told her 'Ma, we have to reimage your hard disk.' "

 

Beyond the billions of dollars lost in theft of money and data is another, deeper impact. Many Internet executives fear that basic trust in what has become the foundation of 21st century commerce is rapidly eroding. "There's an increasing trend to depend on the Internet for a wide range of applications, many of them having to deal with financial institutions," said Vinton G. Cerf, one of the original designers of the Internet, who is now Google's "chief Internet evangelist."

 

"The more we depend on these types of systems, the more vulnerable we become," he said.

 

The United States government has begun to recognize the extent of the problem. In January, President Bush signed National Security Presidential Directive 54, establishing a national cybersecurity initiative. The plan, which may cost more than $30 billion over seven years, is directed at securing the federal government's own computers as well as the systems that run the nation's critical infrastructure, like oil and gas networks and electric power and water systems.

 

That will do little, however, to help protect businesses and consumers who use the hundreds of millions of Internet-connected personal computers and cellphones, the criminals' newest target.

 

Despite new technologies that are holding some attackers at bay, several computer security experts said they were worried that the economic downturn will make computer security the first casualty of corporate spending cuts. Security gets hit because it is hard to measure its effectiveness, said Eugene Spafford, a computer scientist at Purdue University.

 

He is pessimistic. "In many respects, we are probably worse off than we were 20 years ago," he said, "because all of the money has been devoted to patching the current problem rather than investing in the redesign of our infrastructure."

 

The cyber-criminals appear to be at least as technically advanced as the most sophisticated software companies. And they are faster and more flexible. As software companies have tightened the security of the basic operating systems like Windows and Macintosh, attackers have moved on to Web browsers and Internet-connected programs like Adobe Flash and Apple QuickTime.

 

This has led to an era of so-called "drive-by infections," where users are induced to click on Web links that are contained in e-mail messages. Cyber-criminals have raised the ability to fool unsuspecting computer users into clicking on intriguing messages to a high art.

 

Researchers note that the global cycle of distributing security patches inevitably plays to the advantage of the attacker, who can continually hunt for and exploit new backdoors and weaknesses in systems. This year, computer security firms have begun shifting from traditional anti-virus program designs, which are regularly updated on subscribers' personal computers, to Web-based services, which can be updated even faster.

 

Security researchers at SRI International are now collecting over 10,000 unique samples of malware daily from around the globe. "To me it feels like job security," said Phillip Porras, an SRI program director and the computer security expert who led the design of the company's Bothunter program, available free at www.bothunter.net.

 

"This is always an arms race, as long as it gets into your machine faster than the update to detect it, the bad guys win," said Mr. Schneier.

'Russian mafia is largest cyber crime syndicate'

7 Dec 2008, 0013 hrs IST, Aditi Utpat, TNN

 

PUNE: While cyber criminals the world over are driven by similar knowledge of technology, the key difference lies in the "motivation behind the crime", says Chris Goggans, a celebrated American hacker and computer security expert.

 

Pointing out that internet security issues are a rising concern all over the world, Goggans said that the Russian mafia accounts for the "most organized" cyber crimes. "The most serious cyber crimes are from Russia and China. While most of the cyber crimes from Russia are financial in nature (stealing credit card numbers, bank account details), crimes emanating from China are related to theft of intellectual property, government information and military data," Goggans said.

 

"The cyber criminals in South America, Brazil, Korea, Europe are not involved in very sinister crimes. They are mainly into hacking for proving themselves," he added.

 

Goggans has the unique distinction of having broken into the system of America's Federal Bureau of Investigation (FBI) within six hours to uncover potential security threats for the US government. "Often, making leeways in the norms set by the parent company for small comforts creates major hurdles in the security system," Goggans said.

 

Claiming that he hasn't "seen much cyber crimes" from India, Goggans said that it may be because of the low proportion of cyber crimes, or simply that it may have escaped his notice.

 

Explaining the nature of cyber crimes in the US, he said that they are motivated mostly by revenge and malicious intent. "Holding network administrators hostage by stealing passwords, crashing database by a sacked worker, sending hate email... those are the crimes Americans indulge in. While it is certainly annoying to clean up after such a crime, it is not threatening," he said.

 

Goggans put forth a simple two-point agenda to ensure cyber security of the average person connecting to the world wide web. "Keep your software and computer updated every day. As soon as Microsoft, Apple or whatever system you use issues an update, install it. And do not open suspicious or random emails. If you receive an email from someone you know but it doesn't seem to be normal, check with the alleged sender of the email before opening it. These small things will keep you safe and increase your cyber-security multifold," he said.

Wednesday, December 3, 2008

ID Fraud Resolution? Yes. But Banks Need To Prevent It.

 

Bank Technology News  |  December 2008

 

By Holly Sraeel, Editorial Director

           

CIOs only have to hear it once to know they have more than potential bad press on their hands: If one out of every five victims of identity fraud leaves his or her bank after the incident, the bank has customer attrition problems as well, and they can snowball. Why? People talk.

 

But a greater focus on prevention, detection and resolution of ID fraud over the past four years has translated into big advances for banks, according to Javelin Strategy & Research's 2008 Banking Identity Safety Scorecard.

 

The average ID fraud currently costs $5,574 per victim and takes 26 hours to resolve, an improvement over 2007, when banks lost ground on the resolution front, and 2006, which lagged this year's aggregate score by two percentage points. Overall, the upper half of U.S. depository institutions collectively gained nine percentage points for their resolution efforts.

 

Javelin employed mystery shopping (averaging 5.8 calls per institution) and Web site research to score 25 leading U.S. financial providers against prevention, detection and resolution criteria developed by the research firm. The study's findings represent 50 percent of the U.S. market in 2008 by dollar value of deposits, according to the FDIC. Washington Mutual, Wachovia and National City were treated as independent entities, according to Javelin.

 

One key to the gains made by financial institutions has been the empowerment of customers to participate in protecting their own deposits and identities. Javelin put the cost of such crime at $45 billion.

 

Ninety-two percent of banks offer fee-based security services such as credit monitoring to detect new account fraud. But just 16 percent of institutions partner with security vendors such as Kaspersky, Trend Micro, Symantec, and McAfee to protect customers from online fraud (One standout: Barclays PLC, which began giving its customers Kaspersky software free of charge earlier this year).

 

Of those banks and credit unions surveyed, multi-factor authentication has been fully implemented for online banking. Not true for mobile and telephone banking, with fewer than half and only 28 percent, respectively, deploying similar account protection for these channels. Javelin officials contend authentication must occur across all channels and that alerts could play a vital role in soliciting customers' participation in fraud mitigation.

 

While the overall scorecard results are encouraging, banks need to address prevention more aggressively. "Identity fraud, which continues to be a scourge in the industry, continues to be attacked by banks in the way organizations typically respond to large emergencies: first rescue the victim, then work to prevent more victimization from occurring," says Javelin's Mary Monahan, managing partner and research director. "Prevention builds the foundation to strong security; clearly more work remains."

FBI warns of holiday cyber scams

Phishing, drive-by malware downloads are likely

By Tim Greene, Network World, 12/01/2008

 

With cyber Monday comes an FBI warning against spam containing malware and phishing attempts that appear to be greeting cards and ads for shopping bargains.

 

The goal is theft of money and personal information, according to Shawn Henry, the assistant director of the bureau's cyber division.

 

E-mails attempt to lure victims to dummy e-commerce sites in hopes of gleaning credit card numbers and passwords, the FBI says. By mimicking legitimate sites, they lull unsuspecting shoppers into giving up the information as they make what they think are legitimate purchases.

 

The e-mails look real, often containing legitimate company logos and live links.

 

In some cases criminals direct users to genuine Web sites, but trigger popups over them to capture personal information that they use to run up credit-card bills and drain bank accounts, according to the FBI.

 

The information entered will most likely be sold to other criminals who will exploit them for cash and merchandise, the bureau says.

 

Greeting card scams come in the form of e-mails urging recipients to click on a link to read a greeting card that has been sent to them. When they do, they are directed to a site where malicious software is automatically downloaded to their machines, the FBI says.

 

Other attacks come in the form of e-mails informing recipients that one of their accounts has a problem and to click on a link to clear it up. When they do, they are taken to a fraudulent site where they are asked for account numbers and PINs.

 

One scam is in the form of a survey, at the end of which participants are asked for account information so funds can be transferred to them in appreciation for their help.

 

FBI tips to avoid becoming a victim:

 

* Do not respond to spam.

* Do not click on links contained within unsolicited e-mail.

* Be cautious with e-mail containing attachments and open only those from known senders.

* Don't supply personal information via e-mail surveys.

* Compare the links in e-mails to the links they connect to in order to determine if they match. If they don't, leave the site.

* Log on directly to the Web sites advertised in unsolicited e-mail rather than following the links in the e-mails.

* Contact the business that purportedly sent the e-mail to verify if it is genuine.

 

The FBI urges victims of cyber crimes to report them to the Internet Crime Complaint Center at www.ic3.gov.