Cyber Crime Hits the Big Time in 2006

Experts Say 2007 Will Be Even More Treacherous

By Brian Krebs
washingtonpost.com Staff Writer
Friday, December 22, 2006; 9:51 AM

Call it the "year of computing dangerously."

Computer security experts say 2006 saw an unprecedented spike in junk 
e-mail and sophisticated online attacks from increasingly organized 
cyber crooks. These attacks were made possible, in part, by a huge 
increase in the number of security holes identified in widely used 
software products.

Few Internet security watchers believe 2007 will be any brighter for 
the millions of fraud-weary consumers already struggling to stay 
abreast of new computer security threats and avoid clever scams 
when banking, shopping or just surfing online.

One of the best measures of the rise in cyber crime this year is 
spam. More than 90 percent of all e-mail sent online in October was 
unsolicited junk mail messages, according to Postini, a San Carlos, 
Calif.-based e-mail security firm. The volume of spam shot up 60 
percent in the past two months alone as spammers began embedding 
their messages in images to evade junk e-mail filters that search for 
particular words and phrases.

As a result, network administrators are not only having to deal with 
considerably more junk mail, but the image-laden messages also 
require roughly three times more storage space and Internet bandwidth 
for companies to process than text-based e-mail, said Daniel Druker, 
Postini's vice president of marketing.

"We're getting an unprecedented amount of calls from people whose 
e-mail systems are melting down under this onslaught," Druker said.

Spam volumes are often viewed as a barometer for the relative 
security of the Internet community at large, in part because most 
spam is relayed via "bots," a term used to describe home computers 
that online criminals have compromised surreptitiously with a 
computer virus or worm. The more compromised computers that the bad 
guys control and link together in networks, or "botnets," the greater 
volume of spam they can blast onto the Internet.

At any given time, there are between three and four million bots 
active on the Internet, according to Gadi Evron, a botnet expert who 
managed Internet security for the Israeli government before joining 
Beyond Security, an Israeli firm that consults with companies on 
security. And that estimate only counts spam bots. Evron said there 
are millions of other bots that are typically used to launch 
"distributed denial-of-service" attacks -- online shakedowns wherein 
attackers overwhelm Web sites with useless data if the targets refuse 
to pay protection money.

"Botnets have become the moving force behind organized crime online, 
with a low-risk, high-profit calculation," Evron said. He estimated 
that organized criminals would earn about $2 billion this year 
through phishing scams, which involve the use of spam and fake Web 
sites to trick computer users into disclosing financial and other 
personal data. Criminals also seed bots with programs that can record 
and steal usernames and passwords from compromised computers.

"With botnets we have reached a level where it is unclear today what 
parts of the Internet are not compromised to an extent," he said.

Crime-Dot-9-to-5

Another interesting measure of the growth of online crime is data 
showing that criminal groups have shifted their activities from 
nights and weekends to weekday attacks, suggesting that online crime 
is evolving into a full-time profession for many.

Cupertino, Calif.-based Internet security provider Symantec Corp. 
found that the incidence of phishing scams dropped significantly on 
Sundays and Mondays in the United States. Symantec found similar 
trends when it examined the pattern of new virus variants being 
compiled and released by attackers.

"The bulk of the fraud attacks we're seeing now are coming in Monday 
through Friday, in the 9-5 U.S.-workday timeframe," said Vincent 
Weafer, director of security response at Symantec. "We now have 
groups of attackers who are motivated by profit and willing to spend 
the time and effort to learn how to conduct these attacks on a 
regular basis. For a great many online criminals these days, this is 
their day job: They're working full time now."

Criminals are also getting more sophisticated in evading anti-fraud 
efforts. This year saw the advent and wide deployment of Web-browser 
based "toolbars" and other technologies designed to detect when users 
have visited a known or suspected phishing Web site. In response, 
many online scam artists place phishing Web sites targeting multiple 
banks and e-commerce companies on the same Web servers, then route 
traffic to those servers through home computers that they have 
commandeered with bot programs.

In such operations, each individual scam page is assigned to a Web 
site that, for a short time, is tied to an Internet address of a 
compromised computer that the criminals control. When a would-be 
victim clicks on a link in a phishing e-mail, he or she is routed 
through the drone PC to the correct scam page.

The result is that even if law enforcement or security experts manage 
to take down the infected PC responsible for relaying traffic to one 
of the scam sites, the effect of that takedown is only temporary, as 
the attackers can simply substitute another computer they have gained 
control over. Such scams make it far more difficult for security 
experts to find the true location of phishing servers.

"We've seen a pretty big evolutionary jump in tactics used by phishers 
over the past year, and I believe it's because some of the toolbar 
makers and the good guys who work to get these scam sites shut down 
have really done a good job at preventing them from being 
successful," said Dan Hubbard, vice president of research for 
Websense, an online security firm based in San Diego, Calif.

The number of phishing scams spotted online exploded during the month 
of October -- a record 37,444, according to the Anti-Phishing Working 
Group, an industry coalition aimed at stamping out online fraud. 
That's 12,000 more phishing sites than were spotted in August, and 
nine times as many phishing sites as were discovered in October 2005.

Software Insecurity

These past 12 months brought a steep increase in the number of 
software security vulnerabilities discovered by researchers and 
actively exploited by criminals. The world's largest software maker, 
Microsoft Corp., this year issued software updates to fix 97 security 
holes that the company assigned its most dire "critical" label, 
meaning hackers could use them to break into vulnerable machines 
without any action on the part of the user.

In contrast, Microsoft shipped just 37 critical updates in 2005. 
Fourteen of this year's critical flaws were known as "zero day" 
threats, meaning Microsoft first learned about the security holes 
only after criminals had already begun using them for financial gain.

This year began with a zero-day hole in Microsoft's Internet 
Explorer, the browser of choice for roughly 80 percent of the world's 
online population. Criminals were able to exploit the flaw to install 
keystroke-recording and password-stealing software on millions of 
computers running Windows software.

At least 11 of those zero-day vulnerabilities were in Microsoft's 
Office productivity software suites, flaws that bad guys mainly used 
in targeted attacks against corporations, according to the SANS 
Internet Storm Center, a security research and training group in 
Bethesda, Md. This year, Microsoft issued patches to correct a total 
of 37 critical Office security flaws (that number excludes three 
unpatched vulnerabilities in Microsoft Word, two of which Microsoft 
has acknowledged that criminals are actively exploiting).

But 2006 also was notable for attacks on flaws in software 
applications designed to run on top of operating systems, such as 
media players, Web browsers, and word processing and spreadsheet 
programs. In early February, attackers used a security hole in AOL's 
popular Winamp media player to install spyware when users downloaded 
a seemingly harmless playlist file. In December, a computer worm took 
advantage of a design flaw in Apple's QuickTime media player to steal 
passwords from roughly 100,000 MySpace.com bloggers, accounts that 
were then hijacked and used for sending spam. Also this month, 
security experts spotted a computer worm spreading online that was 
powered by a six-month-old security hole in a corporate anti-virus 
product from Symantec Corp.

Tom Liston, a senior security consultant at Washington, D.C.-based 
IntelGuardians, said the increasing focus on attacking flaws in other 
software is a reaction to growing security awareness among small 
business owners and home computer users.

"More people are starting to lock down their systems with firewalls 
and other security applications, so the bad guys attack holes in 
these and other applications instead of trying to get in through 
holes in the underlying operating system," Liston said. "And these 
are the types of attacks we can expect to intensify in the next few years."

Dim Prospects for 2007

Websense's Hubbard predicts that 2007 will see the evolution of 
malware designed to take advantage of presently unknown security 
holes in browser-based anti-phishing toolbar programs, such as the 
ones embedded in Mozilla's Firefox 2.0 browser and Microsoft's 
Internet Explorer Version 7.

Criminal gangs also are beginning to wise up about hiding the data 
they've stolen, he said. Online criminals often store stolen bank 
account information in plain text files on random Web sites that 
they've gained access to. Security experts frequently index and alert 
financial institutions to any compromised customer accounts, but 
Hubbard said he expects more cyber crooks to begin scrambling their 
data stashes with encryption programs, potentially crippling fraud 
detection efforts.

Many security professionals speak highly of Microsoft's Vista, the 
newest version of Windows scheduled for release next month. The 
program includes a number of improvements that should help users stay 
more secure online, such as a hardened Web browser that includes new 
anti-fraud tools, as well as operating system level changes that 
should make it more difficult for the user or rogue spyware or 
viruses to make unwanted or unwise changes to key system settings and files.

But experts worry that businesses will be slow to switch to the new 
operating system. And even if consumers rush to upgrade existing 
machines or purchase new ones that include Vista, Microsoft will 
continue to battle security holes in legacy versions of Microsoft 
Office, which are expected to remain in widespread use for the next 5-10 years.

Online fraud will get even more sophisticated in 2007, researchers 
fear. "Criminals have gone from trying to hit as many machines as 
possible to focusing on techniques that allow them to remain 
undetected on infected machines longer," Symantec's Weafer said.

Some software security vendors suspect that a new Trojan horse 
program that surfaced last month, dubbed "Rustock.B" by some 
anti-virus companies, may serve as the template for malware attacks 
going forward. The program morphs itself slightly each time it 
installs on a new machine in an effort to evade anti-virus software. 
In addition, it hides in the deepest recesses of the Windows 
operating system, creates invisible copies of itself, and refuses to 
work under common malware analysis tools in an attempt to defy 
identification and analysis by security researchers.

"This is about the nastiest piece of malware we've ever seen, and 
we're going to be seeing more of it," said Alex Eckelberry, president 
of Clearwater, Fla.-based security vendor Sunbelt Software. "The new 
threats that we saw in 2006 have shown us that the malware authors 
are ingenious and creative in their methods. Unfortunately, those 
attributes aren't ones we would normally consider laudable in the 
context of criminals."
