enforcement partners that fights online fraud and identity theft. "All this
Cassidy's group found that
the number of Web sites known to be hiding this kind of malicious code nearly doubled between November
and December, rising
to more than 1,900. The antivirus company Symantec has reported that
half of the malicious software it tracks is designed not to damage computers but to gather personal data. Over the course of 2005, iDefense, a unit of
Verisignthat provides information on computer security to government
and industry
clients, counted over 6,000 different keylogger variants -- a 65 percent
increase over 2004.
About one-third of all malicious code tracked by the company now contains some keylogging component, according to Ken Dunham, the
company's rapid response director.
And the SANS Institute, a group that trains and certifies computer security
professionals, estimated that at a single moment last fall, as many as
9.9million
machines in the United
States were infected with keyloggers of one kind or another,
putting as much as $24 billion in bank account assets -- and probably much more -- literally at the fingertips of fraudsters. John Bambenek, the SANS researcher who made
the estimate, suggested that
the infection rate was probably much higher. In most cases, a keylogger or similar program, once installed, will simply
wait for certain Web sites to be visited -- a banking site, for instance, or
a credit card account online -- or for certain keywords to be entered --
"SSN," for example -- and then spring to life.
Keystrokes are saved to a file, Web forms are copied -- even snapshots of a
user's screen can be silently recorded. The information is then sent back in
bundles to a Web site or some waiting server where a thief, or a different
piece of software, sifts through the data for useful nuggets that will lead
to account access and profits.
The Federal Deposit Insurance Corp., responding to the growing threat of
cybercrime to the financial industry, stiffened its guidelines for Internet
banking in October, effectively ordering banks to do more than ask for a
simple user name and password. But it stopped short of requiring, for
instance, the use of electronic devices that generate numeric passcodes
every 60 seconds, which many experts say would help foil much online fraud,
including the use of keyloggers.
Technology for grabbing text and screen images is not new -- or particularly sophisticated. Keyloggers are even sold commercially, as tools for keeping
an eye on what children are doing online, or what a spouse might be doing in
online chat rooms late at night. And
not everyone agrees that data-swiping software is proliferating at the pace that some studies suggest. "I get concerned
that we're scaring people off the Internet," said Alex
Eckelberry, the president of Sun-Belt Software, a maker of anti-spyware
software based in Clearwater, Fla. Eckelberry believes that the infection
rate is probably far lower than most estimates indicate, in part because
the trend is hard to measure and so many computers are already protected. "There's a lot of hyperbole out there," he said, adding that his company has
identified only about 30 keyloggers over the last six months, most being
variations on a piece of code known as Winldra.exe.
That code proudly bears the copyright signature of its creators, "Smash and
Sars," who also happen to be the proprietors of a Russian site,
RATSystems.org, which is well-known among traders at online swap-meets like
theftservices.com and carders.ws/forum that traffic in confidential personal
data -- or the means to steal it.
"Smash is one of the revolutionaries," said
one member of a trading site,
who insisted on anonymity because the sites are often watched by law
enforcement. "If you're entry-level and want a keylogger, that's who you're
going to go to," he said, adding, "It's a simple, cheap way to make money."
In fact,
keylogging's simplicity may be why it is suddenly so popular among
thieves. "Phishing takes a lot of time and effort," said David Thomas, the
chief of the computer intrusion division at the FBI. "This type of software
is a much more efficient way to get what they're after." The programming, too, is often trivial. "These can be developed by a 12-year-old hacker," said Eugene Kaspersky, a co-founder of Kaspersky Labs,
an international computer security and antivirus company based in Moscow.
Being wary of unfamiliar Web links sent via e-mail is a first-line of defense, according to most experts,
as is avoiding questionable
downloads and keeping up to date with Windows patches and antivirus updates. It is worth noting, however, that in a test of major antivirus programs
conducted by Hoepers's group in Brazil last fall, the very best detected
only 88 percent of the known keyloggers flourishing there. More recently,
she noted, a few products are detecting about 90 percent of Trojan viruses,
which
still leaves 10 percent undetected. Individual victims of fraudulent transfers are typically limited to $50 in liability under the Federal Reserve's Regulation E, so long as they report the crime quickly enough -- within two days. If they report it within 60 days, their liability is capped at $500. One Florida man has had trouble getting that kind of protection. In a
closely watched case, Joe Lopez, the owner of a small computer supply
company in Miami, sued Bank of America after cybercrooks were able to use a
keylogging Trojan planted on his business computers to swipe bank account
information and transfer $90,000 to Latvia.
Bank of America says it does not need to cover the loss because Lopez was a business customer -- and because it is not the bank's fault that he did not
practice good computer hygiene. Lopez claims he did, and that in any case, Bank
of America should have done more to warn him of the risks of computer crime.
Kaspersky believes that computer crime is in danger of getting out of hand.
"I'm afraid that if the number of criminals grows with this same speed, the
antivirus companies will not be able to create adequate protection," said
Kaspersky, who added that the time has come for increased investment in --
and far better crosss-border
cooperation between -- law enforcement
agencies, which are overwhelmed by the global nature of cybercrime.
"There are more criminals on the Internet street than policemen," he said.
The network security firm Sophos estimates that an
unprotected computer has a 40 percent chance of being infected by a malicious worm within 10 minutes of being connected to the Internet. After an hour, the odds rise to 94 percent. That's reason enough to keep up to date with operating system patches,
invest in a solid antivirus program and use a basic firewall. But even with
those measures in place, malicious code -- including a keylogger -- can
sometimes find its way onto your computer.
"There are plenty of ways to get around all of those things," said Ken
Dunham, director of the
rapid response team at iDefense, a unit of
VeriSignthat focuses on computer security information.
Most major commercial antivirus software will seek out keylogging Trojans,
as will most of the leading antispyware packages -- although they may not
catch them all. Some products, like Spyware Doctor from PC Tools and
SpySweeper from WebRoot Software, pay particular attention to keylogging
Trojans and cost about $30.
StrikeForce Technologies, based in Edison, N.J., is developing an
anti-keylogging toolbar for the Internet Explorer Web browser, called
WebSecure, that promises to encrypt text from the moment it leaves the
computer keyboard and send it directly to the browser. It is scheduled for
release in June.
"With keyloggers, you've literally got someone sitting over your shoulder
watching everything that you do," said George Waller, the executive vice
president of StrikeForce. "It's no wonder why they're so popular."
The CERT Coordination Center at Carnegie Mellon University in
Pittsburghalso recently posted some simple -- and free -- ways to
tweak various Web
browsers to help prevent hidden code on Web pages from invading a computer
-- a common tactic used by purveyors of keyloggers. The information is at
cert.org/tech(USCORE)tips/securing(USCORE)browser/.
