Already a subscriber? Log in
Huggins says the world of computer security has been transformed from geeky teenagers playing War Games to a global industry run by organised gangs. Jason Greenwood of VeriSign Intelligence Services, divides online crime into three main types: ‘phishing’, ‘malware’, and corporate attacks.
Phishing emails try to manipulate recipients into clicking on links which direct them to websites where they will divulge confidential information or unwittingly upload malicious software (‘malware’) that will steal data. (Why the annoying use of ‘ph’? The formulation is probably linked to hacker jargon: ‘phreaks’ were early hackers who broke into telephone systems.) According to a report by the Anti-Phishing Working Group, the number of unique phishing websites surpassed 55,000 in April 2007, a fivefold increase from a year ago; 174 different brands were targeted, mainly financial institutions in Europe, the US and Canada. Social networking groups and web email providers were also hit.
Why would anyone fall for such a ruse? Simon Church of VeriSign says the criminals have become incredibly sophisticated. Their emails and websites look identical to real correspondence from your bank or from familiar websites such as eBay or Paypal. ‘Trust is also a part of it,’ he says. ‘People want to respond quickly to an email from their bank — especially if it says urgent action is required.’
One recent scam lured 1,400 US executives to a website purporting to be the Better Business Bureau, a US corporate watchdog. The email, addressed by name, invited the recipient to review a copy of a recently filed customer complaint, by clicking on a link. If they did so using Internet Explorer, they unwittingly installed a ‘Trojan’ (after Trojan horse) virus that sent sensitive data to the attackers. The cache of data retrieved after the con was discovered contained bank and credit card numbers, passwords, online payment accounts and home addresses. Security expert Marc Rogers describes another Trojan called MetaFisher which rewrote bank websites: ‘As you connected to your bank’s website and it asked for two characters from your log-in, MetaFisher rewrote it to ask for all eight. The criminals got your password and the bank let you into its website.’
Malevolent websites are multiplying by the day. A study by Google in May found 450,000 booby-trapped pages out of a sample of 4.5 million pages. A further 700,000 looked likely to be dangerous. Most of the websites exploit weaknesses in Microsoft’s Internet Explorer browser: while some do annoying but harmless things like altering the start pages in your browser, increasingly common are sites that steal private details or turn your computer into a ‘bot’ — one which is remotely controlled by someone else. Bots can be used to harvest email addresses, send spam and conduct attacks on corporate websites.
IRM director David Cazalet says attacks on companies are much more common than you’d think. Companies are not obliged to tell us every time their security has been breached and ‘the last thing any company wants you to know is that they’ve been hacked’. A recent survey by database security firm Secerno found half of consumers said they’d take their custom elsewhere if they knew a company had lost their personal data. But the public is only informed when the violation is too big to hide. Cases that have made it into the public eye include Swedish bank Nordea, which lost 900,000 euros to phishers in the US and Russia. Between 2002 and 2006, cyber-crooks stole data from 45.7 million cards used by shoppers at TJ Maxx in the US. In 2005, the London offices of Sumitomo Mitsui nearly lost £220 million after a ‘cleaner’ installed a keylogger in one of its computers: the plot was discovered after one of the gang tried to transfer £14 million to an account in Israel.
Then there are the ‘Denial of Service’ (DoS) attacks, which use armies of ‘bots’ — or ‘zombies’ — to flood company websites with fake data requests. The words conjure up images from Night of the Living Dead and the reality is the online equivalent of consuming a living person’s flesh, as hundreds of thousands of ‘zombies’ attack a website until they’ve taken it offline — which can disable it for days and lose the company a fortune. Usually the attacks are accompanied by demands for money. Gambling and porn sites were among the first to get hit: reluctant to seek police help, they paid the ransom — often to accounts in Russia or Eastern Europe. Last month, the Telegraph website was taken down for several days by what Edward Roussel, digital editor of Telegraph Media Group, calls a ‘particularly strong and pernicious DoS attack’ that wasn’t accompanied by a request for money. Why would anyone attack a newspaper’s website? ‘We’re still investigating,’ says Roussel. ‘We’re a news company with strong opinions and that has put us at odds with a number of people and governments.’
What are online conmen getting for their efforts? A cyber-extortionist can demand a very big pay-off to stop a DoS attack. Data-harvesting can be lucrative too. Jason Greenwood of VeriSign oversees a team that monitors web chatter about phishing attacks. ‘The price goes up the more information is supplied: 100 standard unverified Amex accounts might be worth $10. Ten verified Amex gold cards with no credit limit could earn you $50. But if you’re offering the name, social security number, spouse name, address, date of birth and mother’s maiden name, you could earn $100 or more per stolen identity.’
Of course there are defences against hackers, and you’d be mad not to install anti-virus, anti-spyware and anti-spam software on your personal computer. Likewise, at a corporate level, companies have a fiduciary duty to ensure the security of their data and systems. But the fraudsters’ techniques are evolving faster than the public’s knowledge of the risks, says Rogers. And the future looks even more terrifying. Simon Church of VeriSign says the online auction sites that criminals use to sell user details are just the beginning. He foresees one of the web’s current favourites — ‘mashup’ sites that puts together different databases — being turned to illicit use. ‘Imagine if a hacker put together information he’d harvested from a travel company’s database with Google Maps. He could provide a tech-savvy burglar with the driving directions of how to get to your empty house the minute you go on holiday.’ I don’t know about you, but that’s enough to make me resort to carrier pigeons and cash.
Also in Society
Latest
Comments
Join the debate for just $5 for 3 months
Be part of the conversation with other Spectator readers by getting your first three months for $5.
UNLOCK ACCESS Just $5 for 3 monthsAlready a subscriber? Log in