
Cyber Crime Hits the Big Time in 2006

Criminals are also getting more sophisticated in evading anti-fraud efforts. This year saw the advent and wide deployment of Web-browser based "toolbars" and other technologies designed to detect when users have visited a known or suspected phishing Web site. In response, many online scam artists place phishing Web sites targeting multiple banks and e-commerce companies on the same Web servers, then route traffic to those servers through home computers that they have commandeered with bot programs.

In such operations, each individual scam page is assigned to a Web site that, for a short time, is tied to an Internet address of a compromised computer that the criminals control. When a would-be victim clicks on a link in a phishing e-mail, he or she is routed through the drone PC to the correct scam page.

The result is that even if law enforcement or security experts manage to take down the infected PC responsible for relaying traffic to one of the scam sites, the effect of that takedown is only temporary, as the attackers can simply substitute another computer they have gained control over. Such scams make it far more difficult for security experts to find the true location of phishing servers.

"We've seen a pretty big evolutionary jump in tactics used by phishers over the past year, and I believe it's because some of the toolbar makers and the good guys who work to get these scam sites shut down have really done a good job at preventing them from being successful," said Dan Hubbard, vice president of research for Websense, an online security firm based in San Diego, Calif.

Software Insecurity

These past 12 months brought a steep increase in the number of software security vulnerabilities discovered by researchers and actively exploited by criminals. The world's largest software maker, Microsoft Corp., this year issued software updates to fix 97 security holes that the company assigned its most dire "critical" label, meaning hackers could use them to break into vulnerable machines without any action on the part of the user.

In contrast, Microsoft shipped just 37 critical updates in 2005. Fourteen of this year's critical flaws were known as "zero day" threats, meaning Microsoft first learned about the security holes only after criminals had already begun using them for financial gain.

This year began with a zero-day hole in Microsoft's Internet Explorer, the browser of choice for roughly 80 percent of the world's online population. Criminals were able to exploit the flaw to install keystroke-recording and password-stealing software on millions of computers running Windows software.

At least 11 of those zero-day vulnerabilities were in Microsoft's Office productivity software suites, flaws that bad guys mainly used in targeted attacks against corporations, according to the SANS Internet Storm Center, a security research and training group in Bethesda, Md. This year, Microsoft issued patches to correct a total of 37 critical Office security flaws (that number excludes three unpatched vulnerabilities in Microsoft Word, two of which Microsoft has acknowledged that criminals are actively exploiting).

But 2006 also was notable for attacks on flaws in software applications designed to run on top of operating systems, such as media players, Web browsers, and word processing and spreadsheet programs. In early February, attackers used a security hole in AOL's popular Winamp media player to install spyware when users downloaded a seemingly harmless playlist file. In December, a computer worm took advantage of a design flaw in Apple's QuickTime media player to steal passwords from roughly 100,000 MySpace.com bloggers, accounts that were then hijacked and used for sending spam. Also this month, security experts spotted a computer worm spreading online that was powered by a six-month-old security hole in a corporate anti-virus product from Symantec Corp.

Tom Liston, a senior security consultant at Washington, D.C.-based IntelGuardians, said the increasing focus on attacking flaws in other software is a reaction to growing security awareness among small business owners and home computer users.

Dim Prospects for 2007

Websense's Hubbard predicts that 2007 will see the evolution of malware designed to take advantage of presently unknown security holes in browser-based anti-phishing toolbar programs, such as the ones embedded in Mozilla's Firefox 2.0 browser and Microsoft's Internet Explorer Version 7.

Criminal gangs also are beginning to wise up about hiding the data they've stolen, he said. Online criminals often store stolen bank account information in plain text files on random Web sites that they've gained access to. Security experts frequently index and alert financial institutions to any compromised customer accounts, but Hubbard said he expects more cyber crooks to begin scrambling their data stashes with encryption programs, potentially crippling fraud detection efforts.

Many security professionals speak highly of Microsoft's Vista, the newest version of Windows scheduled for release next month. The program includes a number of improvements that should help users stay more secure online, such as a hardened Web browser that includes new anti-fraud tools, as well as operating system level changes that should make it more difficult for the user or rogue spyware or viruses to make unwanted or unwise changes to key system settings and files.

But experts worry that businesses will be slow to switch to the new operating system. And even if consumers rush to upgrade existing machines or purchase new ones that include Vista, Microsoft will continue to battle security holes in legacy versions of Microsoft Office, which are expected to remain in widespread use for the next 5-10 years.

Online fraud will get even more sophisticated in 2007, researchers fear. "Criminals have gone from trying to hit as many machines as possible to focusing on techniques that allow them to remain undetected on infected machines longer," Symantec's Weafer said.

Some software security vendors suspect that a new Trojan horse program that surfaced last month, dubbed "Rustock.B" by some anti-virus companies, may serve as the template for malware attacks going forward. The program morphs itself slightly each time it installs on a new machine in an effort to evade anti-virus software. In addition, it hides in the deepest recesses of the Windows operating system, creates invisible copies of itself, and refuses to work under common malware analysis tools in an attempt to defy identification and analysis by security researchers.

"This is about the nastiest piece of malware we've ever seen, and we're going to be seeing more of it," said Alex Eckelberry, president of Clearwater, Fla.-based security vendor Sunbelt Software. "The new threats that we saw in 2006 have shown us that the malware authors are ingenious and creative in their methods. Unfortunately, those attributes aren't ones we would normally consider laudable in the context of criminals."



© 2006 The Washington Post Company