Hackers shift focus to financial gain
Internet criminals not content to just wreak havoc online
By Daniel Sieberg
Usernames and passwords are valuable information for hacker identity thieves.
YOUR E-MAIL ALERTS
(CNN) -- Internet criminals want your computer, your money and your identity. And their tactics are becoming increasingly refined and organized, according to security experts.
The prime objective for hackers and online thieves has shifted from largely hitting major corporate networks to gaining control of home desktops, both to steal data and collect processing power.
"Attackers are increasingly seeking financial gain rather than mere notoriety," said Vincent Weafer, senior director at Symantec Corp. "During the past year we have seen a significant decrease in the number of large scale global virus outbreaks and, instead, are observing that attackers are moving towards smaller, more focused attacks."
Symantec this week released its Internet Security Threat Report. The company says it is compiled from data from 500 Symantec customers, 20,000 sensors that monitor network activity around the world and Symantec's database of vulnerabilities, which includes about 11,000 entries.
The report echoes what many analysts say is a rise in malicious code for profit; in other words, stealing your sensitive data and selling or using it. The report's authors also worry that with this tempting opportunity to make money, virus writers will find stealthier ways to disable firewalls and other security measures.
"Criminals today view home computers as resources for committing crimes," writes Jason Milletary, Internet security analyst at the CERT Coordination Center. "One resource is the increasing amounts of information of value that we store on our computers, including user names and passwords for online banks and commerce sites, e-mail addresses, instant message IDs, and software licensing keys. This information can be used directly or sold for monetary gain."
Online organized crime
It's that monetary gain that has many security analysts concerned that the coordination and sophistication behind recent worms and viruses has escalated to the level of organized crime. Gone may be the days when it was mostly about kids experimenting with their newfound hacking skills, though that tendency remains.
With the global nature of the Internet, it's difficult to track down offenders who hide behind countless networks and often erase their digital footprints. High-level criminals could be anywhere on the planet and may recruit younger computer hackers half a world away to carry out their plans, each one getting a cut of the action, say law enforcement and security experts.
While terms such as "worm" and "spam" have become part of the Internet-user vernacular, people should also become familiar with "bots" and "phishing."
Symantec's Weafer explains bot networks as computers controlled by an attacker or attackers to launch harmful activities, such as spam, fraud, extortion and spyware. Symantec's report found that bot network activity has doubled in the past six months, and these bot networks often are used for illegal financial gain and are readily available for third-parties to purchase or rent.
Phishing e-mails appear to be from a reputable source or company, complete with logo and language, and often ask for personal data. Symantec found the volume of phishing messages also has doubled in the past several months, from 3 million messages a day to almost 5.7 million. Often, phishers simply are identity thieves looking for victims.
And the money can add up.
Profits from online scams can range from a few dollars to several thousand and in some cases, much more.
In 2004 the average loss to consumers who reported Internet-related fraud to the Internet Crime Complaint Center (a partnership between the FBI and the National White Collar Crime Center) was $240 for credit card fraud and $907.30 for identity theft.
In June 2005, two men in the UK were sentenced to four to six years in prison for conspiracy to defraud and conspiracy to launder money. Their operation was connected to phishing scams, which netted them at least $11.8 million over a couple of years.
Dan Clements, who runs CardCops.com, a service that helps consumers and companies deal with identity theft, said many phishing e-mails are designed to get people to launch a virus by opening an attachment or clicking on a link.
If the hidden program, or Trojan horse, is launched, it could then look for keywords on your computer, such as "password," "username" or "login," and send them to the thief's e-mail account. In some cases the phishing messages contain key-logging software that will enable a thief to record all your keystrokes, Clements said. Your data can then end up for sale online in underground chat rooms.
Clements recommends changing passwords and logins every 90 days, and getting new credit cards every four to six months. If you receive an e-mail asking to confirm your personal information, he says do not click on the link in the message. Instead, Clements says to open a new Web browser window and type in the link. And then delete the message.
Beyond money, the motivations for hackers or computer criminals can vary. George Spillman is a computer security expert and the event coordinator for ToorCon, an annual gathering that attracts both hackers and security professionals. Spillman said hackers sometimes break in to networks simply because they can; to gain credibility within the hacking community or because they see it as a puzzle or challenge. But many times it's more predatory and profitable.
Securing your computer
"The most obvious aspect is trying to steal things like your credit card number or your passwords to important accounts or, even more general, just trying to steal 'you' by being able to take your identity," Spillman said. "Most people don't think much about securing their computer. They lock their front door when they leave the house but don't bother to lock their computer."
So what's the best defense?
Howard Schmidt, former White House cyber security advisor, and president and CEO of R&H Security Consulting, says it's not enough for people to install a few security programs and move on.
Schmidt offers these tips:
|© 2007 Cable News Network LP, LLLP.
A Time Warner Company. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines. Contact us. Site Map.