The Chicago Syndicate

Sunday, January 21, 2007

Mafia 2.0 - Is the Mob Married to Your Computer?

Organized crime has had its fingers in criminal activity on the internet for some time, but until about two years ago most of its activity was limited to obvious scams, pornography and gambling. In the past two years, however, the rapid growth of organized crime in Eastern Europe and a huge increase in sophistication have turned organized crime on the internet from an irritation into a serious problem.

How is this happening? The basic reason is that almost half of all computer users connected to the internet have no security, or ineffective security, protecting themselves and their systems while they browse the web or even use email. That doesn't even take into account new threats spreading into instant messaging, VoIP and even cell phones.

Estimates of losses from internet and other computer-related fraud in the UK alone are over $4 billion annually. And the losses come in all forms – from small sums scammed out of people via email up to blackmail, extortion and outright theft of very large sums from large corporations. Some of these attacks come with collusion or inadvertent access inside organizations to secure systems, but most come from some form of trickery that exploits naïve and insecure practices in all kinds of ways. And because of the embarrassment, many of these frauds go unreported.

First up, WHAT criminals are up to - the top types of internet, telephony, email and credit card scams.

Top Scams

1: Credit card and telephony billing fraud. Example: The Gambino family telephony scam – a couple of telephony company executives organized a billing fraud for credit card and telephony services and a related internet pornography ring on behalf of the Gambino family – that netted over $500 million over a five year period.

2: Nigerian (and Eastern European and Indonesian and...) scams – if you never received a Nigerian scam email you have probably never received email at all – that's how much of it there is – now also known as a 419 scam after the Nigerian anti-fraud law code.

3: Phishing – typically an email supposedly from a bank or credit card company or anyone that has an online financial account that tries to tempt you to log into a site that LOOKS like the real site but is really just a way to watch and capture your account information. These have gotten much more sophisticated and just this past week a kit was made available online to help criminals automatically build sites that transparently pass the data on to the real site and that report that they are the real site – making it even harder to detect the fraud. More recently VoIP and IP Phishing scams have become more prevalent.

4: Zombies – these can be a really subtle scam – you may never even know that you were involved. In this scam your PC is taken over subtly to help run almost every other form of scam. A piece of code gets run on your computer – and it sets itself up as one of a big network of computers (aka a botnet) that hackers have taken over. Once it gets activated, the zombie computer gets used to deliver spam or to infect other computers or to install keyloggers or other malware or even distributed denial of service attacks – then at some later date it just gets turned off again until another time.

5: Extortion – this is one of the big time mob moneyspinners. They infect computers with zombies – often paying unscrupulous hackers something like 20 cents per infected PC – until they have many thousands of infected computers – and then they block access to a major site by having all those zombie PCs access it simultaneously. Depending on circumstances they deliver an extortion demand before or after the attack. This technique has been used successfully against offshore gambling sites and with mixed success against all kinds of other sites. Demands are typically kept in the $50,000 range to make it easy for companies to pay rather than lose business.

6: Wifi Spying and Packet Sniffing – sure it's fun to kick back and surf the web at Starbucks or the local library. But as David Pogue of the New York Times has illustrated, it is incredibly easy for any hacker to watch everything you do and to also install software onto your laptop without you knowing. And packet sniffing techniques can be combined with devices that read data right off a wire to rebuild network traffic and capture data on the fly.

7: Buddying Up – cyber criminals are also making friends online – on MySpace, Facebook and even business-oriented LinkedIn – it is easy to fake an attractive identity and then suck in new online friends and harvest personal information – many social network posters are willing to give up information that reveals enough to aid in identity theft.

8: Insider Trading – organized crime is starting to hire and train employees to get inside target companies and then steal information and access codes. There is also evidence that some hackers are getting sponsored through college courses to improve their knowledge of IT and security systems purely in order to make them more effective at creating and running attacks.

9: Event Piggybacks – whether it is the World Cup, the Superbowl or a hot celebrity scandal, current events are now part of the social engineering attacks used by malicious hackers. An example is online games or downloadable screensavers associated with an event – prior to the 2006 World Cup, German hackers created downloadable screensavers for many of the teams that enticed fans to download them. Along with the screensaver came a pile of trojan malware.


10: Dumpster Diving – not really a scam – just taking advantage of people disposing of (or losing) storage devices without taking security precautions. Take your pick of the scare stories – either the US military USB drive with highly confidential data that was for sale at an Afghani bazaar or the German police computer hard drive that was full of criminal data that was sold on eBay.

11: Invisible Links – the latest trick – borrowing techniques from the latest web practices – is to run a piece of javascript code when the user simply hovers over a link – that code looks for holes in browser security and downloads a trojan like a keylogger to your PC – all without you even knowing. Plus lots of other Ajax and javascript nastiness is possible.

12: Feed spam – Feed spam is basically a way of feeding real sites that use aggregated RSS feeds with bogus information and malware links.

13: Up And Coming – video and multimedia trojans – the next big target is going to be online media – streaming audio, streaming video, flash movies, animations and games and more. It is quite feasible that someone will find a way to have a YouTube link trigger a method of loading malware onto your computer. How well do you really know that person sending you the latest awesome online video?



Now let's look at WHY hackers are exploiting technology and human nature to get access to your PC.

Billions Of Dollars

Here's the bottom line – money and lots and lots of it. Industry estimates for the US are that at minimum several billion dollars were made in the US in computer and internet fraud last year. Some estimates go as high as over $20 billion. So how do they make that kind of money?

1: Identity theft – most people know about this by now – get access to enough data about someone and you can pretend to be them to get money or false documents. The simplest purpose is to get enough information to access credit cards and use them to get money. But it can go as far as usurping and destroying a whole life by running major criminal enterprises under an assumed identity and then walking away and leaving the real person to be held accountable. This is now a serious problem and probably the number one individual concern in online crime. Any one crime may not be all that big, but multiply it by millions and the potential damage is huge.

2: Data theft – stealing valuable information and reselling it – this is pretty rare and never publicized – businesses are too embarrassed to reveal that their intellectual property has been stolen – but this modern equivalent of industrial espionage is believed to be big business.

3: Extortion and blackmail – amazingly enough this now happens on a personal level as well as being directed at companies. On the personal level, imagine turning on your computer to see a blank screen with one message – 'click here to read about how to get access to this computer' only to be told how to pay money to an offshore account to get an unlock code to get into your own computer! All it takes to activate this is something as simple as technique #11 above. The corporate side is where the big mafia money and attention are. It has gotten to the stage where offshore gambling websites now expect extortion demands around big business days for them like Superbowl Sunday. The demand is simple – pay us $1 million or we will take your site down for the Superbowl using a distributed denial of service attack. The threat is to activate a botnet of hundreds of thousands of PCs to bombard the site with spurious access and download requests, effectively blocking real visitors from getting to the site. And organized crime is now known to be prepared to pay hackers to install these bots on computers worldwide – as much as 20 cents per installation. This may seem like a joke but it is estimated that as many as 5 million PCs are online at any moment that are infected with a malware bot of some kind.

4: Investment and drug scams – the most recent wave of spam is so-called image spam – where the spam text is actually a picture. This is purely to avoid spam detectors and the goal is still the same – one version is to get people to invest in penny stocks to drive the price up so the spammer scammers can sell high after buying low – leaving the victims to pay the price after the stock drops back down again to below the price they paid. The other is to buy pharmaceuticals for cheap on the internet – usually Viagra or a derivative. The reason the drugs are so cheap – they are basically talcum powder if they even exist – but by the time you find that out the 'merchant' is long gone.

There are many, many more but they are essentially all variations on these basic themes.



In order to make sure you are safe your best bet is to take the time to understand the HOW – how your information gets stolen, how your computer gets hijacked.

Exploiting Gaps

There are two parts to this – one is general life activity. For example, if you give your credit card to someone in a store or a restaurant and it gets taken away to somewhere you can't see it, then you have already opened yourself up to credit card fraud. If you sign up for an in store membership at the same time, you just opened yourself up to big time identity theft. Obviously, 99% of the time nothing is going to happen, but that does not mean it never will. Your objective should be to minimise your risk in a sensible way.

The other part is technological – some technologies are more of a target than others. For example, if you run a Windows system and use Internet Explorer as your browser you are automatically at higher risk than a Linux user running Opera or Firefox. While many people would tell you that is because Microsoft's software is full of flaws and buggy to boot and you are just asking for trouble by using it, that is only part of the reason. The other part is just a numbers game – over two thirds of all internet users browse using the combination of Windows and Internet Explorer – that makes a tempting target for the criminal. And if Linux and the Mac get more market share, they too will be targeted for these attacks. Complex software has bugs and sometimes these bugs show up as holes and vulnerabilities. There are Mac and Linux specific viruses and trojans out there – just not many of them – yet.

So how does this all happen? Basically someone somewhere finds a bug in a piece of software that allows an external piece of software to slip inside and gain control of some aspect of your computer or its software. These flaws can be in almost anything. There is even a current attack that uses a flaw in an older version of Symantec's enterprise anti-spyware software – a particular version of malware was written to exploit this flaw and take over computers it attacked and turn them into remotely controllable 'bots'.



HOW to know you've been targeted.

Danger Will Robinson


You want to know that you've been targeted by the mob as soon as possible – well before you turn on your computer to see a ransom demand and a password prompt – pay up or watch your hard drive get trashed. The problem is that many of these attacks aren't even aimed at you – all they want from you is as much processing time and bandwidth as possible over a certain period of time. You may not even know you've been targeted and infected. The botnet attack could run without you ever knowing. Of course, since the hackers have opened a free pathway into your computer, they are going to go back and take advantage of it in any way they can.

Here are a few of the basic signs that you might have a problem. In every case you should move to address the problem immediately.

1: Way too many pop-ups. It is practically impossible to eliminate pop-ups altogether if you ever browse the web. But they should be manageable. If you can hardly even use your computer because of the frequency of pop-ups then it is already too late – you've been infected.

2: Your computer slows down and the hard drive runs all the time – and this happens all the time. If you get worried, shut down your programs one at a time in case there is a big data transfer or backup or copy or virus scan running that is responsible. Then restart. If the problem comes back within a few minutes and you can't tell why, then you could be infected.

3: A HUGE increase in spam. This may or may not be a targeted attack. It might just be a new wave of spam that your anti-spam filters haven't learned to cope with. Or it could be a concerted effort to get you to click something that'll install a trojan. Or it could be a sign that you are infected and your email has been harvested and passed on to hundreds of other spam networks.

4: You start having data and program execution errors. This is a big problem. It can mean your hardware is failing. But it also means you could have a malicious virus or piece of malware.

5: Your friends start to complain about getting spam from you. Again, too late. You are already in trouble.

6: Your computer locks up and keeps locking up. Even worse if it does it with a password and demand for cash. If the latter happens do not do ANYTHING to the computer. Do not touch the keyboard, do not turn it off. Instead, call a computer security expert and the police. Your computer and data can be recovered by someone who knows what they are doing.

We will be posting a follow up piece on what you can do to protect your computer and your network next week. In the meantime, here is some background and some suggestions from McAfee and from the Justice Department.

Thanks to Owen Linderholm

Saturday, January 20, 2007

JIM POWERS (1928-2007)

When Jim Powers took over the Las Vegas FBI office in 1977, he inherited a department in disarray and a town of well-entrenched mobsters. He vowed to address both problems.

One of his primary targets was Gold Rush Ltd., a jewelry store/fencing operation near the Strip. The FBI's raid of the place set the table for the demise of its owner, mobster Tony Spilotro, and his Hole-in-the-Wall Gang.

James M. Powers, who later served as security chief for Steve Wynn's Golden Nugget and helped bring to justice the kidnappers of Wynn's daughter Kevyn in 1993, died Thursday in Las Vegas. He was 78.

"Jim was the best of what you would call Old Bureau FBI agents, those who had worked under J. Edgar Hoover," said former federal prosecutor Stan Hunterton, who is a local defense attorney. "He was disciplined and hardworking. Jim treated everyone with decency, and his integrity was above reproach."

Although Powers served just two years as special agent-in-charge of the Las Vegas FBI office, it was a pivotal time in Southern Nevada history - the beginning of the end of the mob's great influence on the region.

A year before Powers took the job, Spilotro had formed the Hole-in-the-Wall Gang with younger brother Michael Spilotro, boyhood chum Frank Cullotta, Joey Cusumano, "Fat Herbie" Blitzstein, former Metro Police Detective Joe Blasko and others. The gang got its nickname by drilling through the walls of the buildings that it burglarized. Its headquarters was the Gold Rush - a block from the Strip - which also had opened in 1976.

Powers targeted the Gold Rush for a massive raid in which a large amount of evidence was gathered that helped lead to Spilotro's 1981 indictment on federal racketeering charges that eventually were dismissed. Spilotro was killed, presumably by mob associates, in 1986.

Born Oct. 4, 1928, in Springfield, Mass., Powers joined the Marine Corps in 1946 and served for two years. In 1953, he earned a bachelor of laws degree from Boston University School of Law. Powers joined the FBI in 1954, working in New York and Chicago before retiring in Las Vegas in 1979 and becoming vice president of corporate security for the Golden Nugget. He worked for Wynn until his retirement in the late 1990s.

Thanks to Ed Koch

The "Big Guy" From Spilotro's Hole in the Wall Gang Dies

The late Tony Spilotro was the Chicago Outfit's fearless, brutal soldier in Las Vegas, who once tortured a man by putting his head in a vise and squeezing it until one of his eyes popped out. But even Spilotro was unnerved by one man -- a member of Spilotro's own Hole in the Wall Gang -- Lawrence Neumann.

Long before Neumann joined, he left a trail of violence.

In 1956, when Neumann thought he got shortchanged at an Uptown bar, he went back and shotgunned three people dead. Later, Neumann would be convicted of one more murder, and suspected in two others in McHenry County.

Neumann had a steady income from a trust fund, so he didn't need to steal, rob and kill to make money. Apparently, he just enjoyed it.

Now, his long history of violence has ended. Neumann, 79, in advanced stages of cardiac disease, died of natural causes Jan. 9 at Menard Correctional Center located Downstate. He was pronounced dead at 5:45 a.m. in the medical unit of the prison where he was serving a life term for murder.

"As long as they don't remove the stake out of his f - - - - - - chest, we'll be all right," said onetime mobster Frank Cullotta during a telephone interview Wednesday from an undisclosed location. Cullotta was not particularly saddened to hear of Neumann's death.

Cullotta turned federal informant and testified against Neumann in a murder trial in 1983 that resulted in putting Neumann away for life. Neumann killed mob-connected jeweler Robert Brown during a robbery. Brown was strangled, hit on the head and when he wouldn't die, stabbed with a bayonet. "He was a real animal, the world's a better place without him -- a safer place I should say," Cullotta, who has written an autobiography that's soon to be released, said of Neumann.

Neumann was born in St. Louis, the son of a successful sporting goods salesman. He was kicked out of a Missouri military academy when he was 14, then attended Amundsen High School in Chicago, where he started running with a rough crowd and eventually dropped out, according to a published interview with his father in 1956.

It was in June of that year when Neumann went into Mickey's Miracle Bar with a shotgun he had bought on sale and unloaded on one of the owners, an employee and a patron, killing them all. He felt the bar had shorted him on change. The triple slaying sparked a citywide manhunt. Neumann's efforts to contact a "pretty divorcee" -- as she was described in news accounts -- helped police track him down. Neumann had vowed to kill one of the lead detectives trailing him. After a gun battle between Neumann and police, he surrendered peacefully. Neumann was sentenced to 125 years in prison but because of a change in parole laws, he was released after serving a little more than 10s.

Cullotta met Neumann when they were in Stateville Prison, and Neumann sought out Cullotta after both were released. "He wanted to be involved in my type of life," Cullotta said. So Neumann got into mob life, including Spilotro's burglary crew out in Las Vegas, called the "Hole in the Wall Gang" because members knocked holes through the walls of buildings to avoid alarm systems.

Dubbed "The Big Guy" and "Lurch," Neumann's hands were so big, authorities sometimes had trouble fingerprinting him. More than one top mobster -- who scared people for a living -- was frightened by Neumann, a fitness buff who reportedly did 1,000 sit-ups a day.

"Tony [Spilotro] was scared of him," Cullotta recalled. "He said, 'Please . . . don't ever get the Big Guy mad at me or you.' "

Retired FBI agent Dennis Arnoldy said, "Larry would always go overboard," even by Spilotro's loose standards.

After Neumann died last week, no one claimed him. The state paid to cremate him, said Downstate funeral director Mike McClure. The prison chaplain will say a brief service next week over his cremated ashes in a plastic urn at Evergreen Cemetery in the nearby town of Chester.

At his request, Neumann, who was Jewish, was cremated with his yarmulke on his head.

Thanks to Steve Warmbir and Robert C. Herguth

Gambler, Yes; Bookie, Yes; Boss of Mafia Crew, No?

Friends of ours: Colombo Crime Family, Joseph Colombo
Friends of mine: Soprano Crime Family, Chris Colombo, Anthony Colombo

Chris Colombo carries a famous gangster's name and "looks like he just walked off the set of 'The Sopranos' " - but he's really just a simple bookie and gambler, his lawyer said yesterday.

Defense lawyer Jeremy Schneider cut his losses as Colombo's racketeering trial got under way, conceding guilt on gambling charges, but denying that the son of murdered mob boss Joseph Colombo ran a renegade crew that used threats of violence to rake in cash.

"He looks like he just walked off the set of 'The Sopranos.' He's going to sound like he just auditioned for 'The Sopranos,' " Schneider said of Colombo, whose real-life try at stardom fell flat when HBO pulled the plug on his reality show, "House Arrest," in 2005. "He's a gambler. He's a bookie. He is not a boss of a crew," Schneider said as the barrel-chested Colombo, dressed in a flashy pinstriped suit and silver tie, listened from the defense table in Manhattan federal court.

The admission came after Assistant U.S. Attorney Lisa Baroni told jurors how Chris Colombo and his brother Anthony terrorized victims and lined their pockets as "bosses" of the "Colombo Brothers' Crew."

Prosecutors have conceded they invented the crew's name for the purposes of the indictment, but not the criminal organization itself. They claim the brothers were on the losing side of the Colombo crime family war in the 1990s and struck out on their own. Chris and his lower-key sibling Anthony, who leans on a cane and came to court in a plain gray suit, are on trial for a slew of racketeering charges, including gambling, loan-sharking, extortion and fraud.

The feds claim Anthony was double-trouble for DoubleClick - an Internet ad company that has serviced Microsoft, General Motors and Coca-Cola - after a cohort landed a job overseeing cleaning contracts during construction of the firm's new offices. Baroni said the insider ensured the contract went to a cleaning service under the crew's control and approved payment for "work that was done and work that wasn't done" to the tune of more than $100,000 in a "massive double-billing scheme."

Chris Colombo is accused of overseeing the crew's gambling operations in East Harlem and The Bronx and receiving cash deliveries at his Orange County compound. Meanwhile, Anthony allegedly shook down the owner of a small construction company, forcing him to write paychecks to his wife in a no-show job scheme.

Thanks to Kati Cornell

Wednesday, January 17, 2007

Ex-Cop Denies He Passed Info to the Mob

Friends of ours: James Marcello, Michael Marcello, Nick Calabrese, John "No-Nose" DiFronzo
Friends of mine: William Guide, John Ambrose

Speaking publicly for the first time, a former cop accused of receiving sensitive information about the mob from a deputy U.S. marshal denied he did anything wrong.

William Guide became agitated Tuesday when asked if he passed on to a reputed mobster sensitive information he got from deputy U.S. Marshal John Ambrose. "I didn't do anything," an emphatic Guide told the Chicago Sun-Times on Tuesday. "I didn't do anything wrong. You don't know the whole story. You're making me out to be the bad guy in this whole thing."

Guide was responding to a story in Tuesday's Sun-Times in which Ambrose's lawyer, Frank Lipuma, said if the government's allegations were true, Guide "may or may not have taken advantage of Mr. Ambrose."

Ambrose, 38, was charged last week with theft of information after the government said he leaked confidential material about protected mob witness Nick Calabrese to "Individual A." Sources say that is Guide. Guide has not been charged in the case.

His lawyer, Rick Beuke, said Guide looks at Ambrose as a son. Beuke said he doesn't believe there was anything sinister going on between Ambrose and Guide, two longtime friends. If Ambrose talked about anything sensitive, he may have just been bragging, Beuke said. "He wanted to impress Guide like he'd want to impress a father," Beuke said. "It's like a kid coming home and saying: 'Dad, I hit a home run.' "

Ambrose twice briefly guarded Calabrese, who is set to testify in a mob trial this spring, when he was in Chicago. Shortly after, the feds say Ambrose revealed to Guide confidential facts he obtained from a file on Calabrese.

That information made its way to mobsters, the government alleges. The feds released transcripts of prison surveillance tapes in which reputed mobsters -- Jimmy and Michael Marcello -- can be heard discussing specifics about Calabrese's movements in Chicago and his cooperation. In coded language, they refer to both Guide and Ambrose, the FBI said. Information about Calabrese came from a file Ambrose had accessed, the feds allege.

The Marcellos refer to getting information from the "baby-sitter," whose father was a cop convicted in the Marquette 10. Federal authorities say that's specific information identifying Ambrose.

They allege that a third party passed the information to mobsters and do not allege that Ambrose disclosed sensitive information intending it to go to the mob. Ambrose denies wrongdoing.

Guide briefly served prison time with reputed mobster John "No Nose" DiFronzo.

Guide was a Chicago Police officer when he was convicted in the Marquette 10 scandal in the 1980s along with Ambrose's father, Thomas. Thomas Ambrose died in prison at age 37. Since then, Guide and John Ambrose have been close friends, talk often and share a love for wrestling, both of their attorneys said. "John was seeking out Bill's approval. He wanted Bill to be proud of him as a marshal," Beuke said.

Beuke said Guide and DiFronzo know each other. But he doesn't believe there's an ongoing friendship. Beuke said Guide, a South Sider, runs a pizza business and is too busy working to be a mob associate. "I don't think there's any evidence of Bill passing along any information to the mob," Beuke said.

Thanks to Natasha Korecki
