Tech Policy: 2003 Year in Review

Online Financial Crime Headed From Bad to Worse

By Brian Krebs
washingtonpost.com Staff Writer
Wednesday, December 17, 2003

In the annals of cybersecurity, 2003 should go down as one of the worst years ever, as hackers and spammers repeatedly demonstrated just how easy it is to use the latest software security holes, worms and viruses to attack businesses and trick unwitting Internet users into divulging their personal and financial information.

And 2004 could be worse.

A hint of just how bad came this week when yet another flaw in Microsoft's ubiquitous Internet Explorer surfaced. The flaw gives criminals the ability to control what is displayed in the address bar in a victim's browser window.

The implications are significant. A savvy criminal could use a cleverly designed e-mail to trick a victim into visiting what looks like a trusted Web site -- like a bank site or Amazon.com -- but which in fact is nothing more than a page designed to fool a victim into entering credit card numbers, passwords and other sensitive information.

"The main thing I'm really concerned about with these bogus e-mails is that they're quickly becoming more and more complex and sophisticated," said Johannes Ullrich, chief technical officer for the SANS Internet Storm Center, which collects data on Internet attack trends. "Even for experts like us, it's becoming harder to distinguish between what's real and what's fake."

Microsoft said last week it is investigating a software patch to fix the flaw. "Obviously this is a concern of ours as people shop online for the holidays, and we wanted to make sure consumers who are entering credit card information are doing so at the appropriate site," spokesman Sean Sundwall said. "We're at a stage where we're evaluating whether a patch is at all necessary, and making sure that if we do issue a patch that it is well tested and doesn't cause any additional harm."

If Microsoft issues a patch to fix the flaw, it would likely be the 20th "critical" software patch to be released by the Redmond, Wash., firm this year. The company labels vulnerabilities "critical" if they can be remotely exploited via an Internet worm, and Microsoft's constant efforts to patrol its software demonstrate the increasingly sophisticated nature of online crime.

"We're seeing a huge shift away from 'recreational' hacking to hacking for profit. Mostly this involves hijacking end-user Windows systems for use in spam, fraud or just direct marketing," said Joe Stewart, senior security researcher for LURHQ, a security firm based in Myrtle Beach, S.C.

The evolution of the "Mimail" virus in 2003 shows how criminals are increasingly focusing their work on financial scams. Mimail first surfaced in August as a relatively harmless but fast-spreading bug. The next four variants were apparently designed by spammers to attack a variety of spam "blacklists" -- online databases of suspected spammers that many Internet service providers and big corporations use to shield recipients from junk mail.

But Mimail soon morphed into an e-mail virus that urged users of the online payment service PayPal to update their credit card information via a Web page that closely mimicked the design of the eBay subsidiary's member services page.

© 2003 TechNews.com