Web Services Increasingly Under Attack

SAN FRANCISCO -- As more people turn to Web applications for everyday tasks like e-mail, friendship and payments, cyber criminals are following them in search of bank account details and other valuable data, security researchers said.

Users of Yahoo Inc.'s e-mail service, Google Inc.'s Orkut social networking site and eBay Inc.'s PayPal online payment service were among the targets of attacks in recent weeks. All three companies have acknowledged and plugged the security holes.

Chris Boyd is seen at his home in Liverpool England on Wednesday March 8, 2006. Boyd, a security research manager at FaceTime discovered a worm attacking Orkut, Google Inc.'s social networking site. It spreads by tricking visitors into clicking on a link that promises photos. In fact, the link leads to a program masquerading as a picture that infects the person's PC. Once a computer is infected, it automatically e-mails banking details, user names and passwords to the worm's anonymous creator, according to FaceTime. (AP Photo/Dave Thompson) (Dave Thompson - AP) Technology and Media Blog From TiVo to YouTube, iPods to ID theft, The Post's tech staff reports from the crossroads of technology and culture. • FCC chair a frequent White House visitor • Post Tech links: Senators tell E.U. to OK Oracle, Sun; Book World on Internet trust • McLaughlin's net neutrality comments irk AT&T • Tech Blog: More Posts Sign Up for RSS Feed QUIZ What percent of U.S. tweens own a mobile phone? A. 15 percent B. 25 percent C. 35 percent D. 55 percent • Test Your Knowledge -- More Questions Save & Share Tag This Article  Saving options 1. Save to description:  Headline (required)  Byline 2. Save to notes (255 character max):  Blurb 3. Tag This Article

The attacks come as Microsoft Corp., whose Windows operating system runs about 90 percent of the world's computers, has plugged many of the most easily exploited holes in its e-mail program, browser and other products following dozens of embarrassing breaches over the past several years.

They also come amid the growing popularity of online communities such as MySpace.com and of Web-based calendar, messaging and other services offered by Google, Yahoo and others.

As larger audiences flock to Web sites that run on ever more powerful programming scripts, malware writers are finding them fertile ground.

"People are just now realizing that there are a ton of scripts that are vulnerable to hacking," said Eric Sites, vice president of research and development at Sunbelt Software, which sells security products to businesses. "It's much easier to go after these applications that haven't been as exploited."

One of the latest discoveries, announced earlier this month by FaceTime Security Labs, is a worm attacking Orkut.

It tricks visitors into clicking a link that promises photos but instead loads a malicious program, which automatically logs and sends to the worm's anonymous creator data such as names and passwords along with Windows files that often store banking details.

"The bad guys are just stepping up a level and becoming a lot more malicious in what they're trying to do," said Chris Boyd, a FaceTime security research manager who discovered the worm. "Sadly, it's quite a brilliant idea, and we'll probably see a lot more of it in the months to come."

Statistics detailing the rise of Web sites as security targets are hard to come by because companies such as Secunia and Symantec Corp., which track computer attacks, generally don't break them out that way.

But anecdotal evidence isn't hard to find.

In October, MySpace.com, which now has 88 million registered users, was hit by a malicious program that allowed a single user to automatically add millions of others as friends. The attack caused performance problems for MySpace _ and underscored for security researchers the potential risks Web applications and services face.