Call it the "year of computing dangerously."
Computer security experts say 2006 saw an unprecedented spike in junk e-mail and sophisticated online attacks from increasingly organized cyber crooks. These attacks were made possible, in part, by a huge increase in the number of security holes identified in widely used software products.
Few Internet security watchers believe 2007 will be any brighter for the millions of fraud-weary consumers already struggling to stay abreast of new computer security threats and to avoid clever scams when banking, shopping or just surfing online.
One of the best measures of the rise in cyber crime this year is spam. More than 90 percent of all e-mail sent online in October was unsolicited junk mail messages, according to Postini, a San Carlos, Calif.-based e-mail security firm. The volume of spam shot up 60 percent in the past two months alone as spammers began embedding their messages in images to evade junk e-mail filters that search for particular words and phrases.
As a result, network administrators are not only having to deal with considerably more junk mail, but the image-laden messages also require roughly three times more storage space and Internet bandwidth for companies to process than text-based e-mail, said Daniel Druker, Postini's vice president of marketing. "We're getting an unprecedented amount of calls from people whose e-mail systems are melting down under this onslaught," Druker said.
Spam volumes are often viewed as a barometer for the relative security of the Internet community at large, in part because most spam is relayed via "bots," a term used to describe home computers that online criminals have compromised surreptitiously with a computer virus or worm. The more compromised computers that the bad guys control and link together in networks, or "botnets," the greater the volume of spam they can blast onto the Internet.
At any given time, — million to 4 million bots are active on the Internet, according to Gadi Evron, a botnet expert who managed Internet security for the Israeli government before joining Beyond Security, an Israeli firm that consults with companies on security. And that estimate only counts spam bots. Evron said there are millions of other bots that are typically used to launch "distributed denial-of-service" attacks, online shakedowns wherein attackers overwhelm Web sites with useless data if the targets refuse to pay protection money.
"Botnets have become the moving force behind organized crime online, with a low-risk, high-profit calculation," Evron said. He estimated that organized criminals would earn about $2 billion this year through phishing scams, which involve the use of spam and fake Web sites to trick computer users into disclosing financial and other personal data. Criminals also seed bots with programs that can record and steal usernames and passwords from compromised computers. "With botnets we have reached a level where it is unclear today what parts of the Internet are not compromised to an extent," he said.
Another interesting measure of the growth of online crime is data showing that criminal groups have shifted their activities from nights and weekends to weekdays, suggesting that online crime is evolving into a full-time profession for many.
Vincent Weafer, director of security response at Symantec, says, "We now have groups of attackers who are motivated by profit and willing to spend the time and effort to learn how to conduct these attacks on a regular basis. For a great many online criminals these days, this is their day job: They're working full time now."
Criminals also are getting more sophisticated in evading anti-fraud efforts. This year saw the advent and wide deployment of Web browser-based "toolbars" and other technologies designed to detect when users have visited a known or suspected phishing Web site. In response, many online scam artists place phishing Web sites targeting multiple banks and e-commerce companies on the same Web servers, then route traffic to those servers through home computers that they have commandeered with bot programs.
In such operations, each individual scam page is assigned to a Web site that, for a short time, is tied to an Internet address of a compromised computer that the criminals control. When a would-be victim clicks on a link in a phishing e-mail, he or she is routed through the drone PC to the correct scam page. The result is that even if law enforcement or security experts take down the infected PC responsible for relaying traffic to one of the scam sites, the effect of that takedown is only temporary, as the attackers can simply substitute another computer they have gained control over. Such scams make it far more difficult for security experts to find the true location of phishing servers.
"We've seen a pretty big evolutionary jump in tactics used by phishers over the past year, and I believe it's because some of the toolbar makers and the good guys who work to get these scam sites shut down have really done a good job at preventing them from being successful," said Dan Hubbard, vice president of research for Websense, an online security firm based in San Diego.
The number of phishing scams spotted online exploded during the month of October: a record 37,444, according to the Anti-Phishing Working Group, an industry coalition aimed at stamping out online fraud. That's 12,000 more phishing sites than were spotted in August, and nine times as many phishing sites as were discovered in October 2005.
Hubbard predicts that 2007 will see the evolution of malware designed to take advantage of presently unknown security holes in browser-based anti-phishing toolbar programs, such as the ones embedded in Mozilla's Firefox 2.0 browser and Microsoft's Internet Explorer Version 7.
Criminal gangs also are beginning to wise up about hiding the data they've stolen, he said. Online criminals often store stolen bank account information in plain text files on random Web sites that they've gained access to. Security experts frequently index and alert financial institutions to any compromised customer accounts, but Hubbard said he expects more cyber crooks to begin scrambling their data stashes with encryption programs, potentially crippling fraud detection efforts.
Many security professionals speak highly of Microsoft's Vista, the newest version of Windows scheduled for release next month. The program includes a number of improvements that should help users stay more secure online, such as a hardened Web browser that includes new anti-fraud tools, as well as operating system level changes that should make it more difficult for the user or rogue spyware or viruses to make unwanted or unwise changes to key system settings and files.
But experts worry that businesses will be slow to switch to the new operating system. And even if consumers rush to upgrade existing machines or purchase new ones that include Vista, Microsoft will continue to battle security holes in legacy versions of Microsoft Office, which are expected to remain in widespread use for the next five to 10 years.
Online fraud will get even more sophisticated in 2007, researchers fear. "Criminals have gone from trying to hit as many machines as possible to focusing on techniques that allow them to remain undetected on infected machines longer," Symantec's Weafer said.
Some software security vendors suspect that a new Trojan horse program that surfaced last month, dubbed "Rustock.B" by some anti-virus companies, may serve as the template for malware attacks going forward. The program morphs itself slightly each time it installs on a new machine in an effort to evade anti-virus software. In addition, it hides in the deepest recesses of the Windows operating system, creates invisible copies of itself, and refuses to work under common malware analysis tools in an attempt to defy identification and analysis by security researchers.
"This is about the nastiest piece of malware we've ever seen, and we're going to be seeing more of it," said Alex Eckelberry, president of Clearwater, Fla.-based security vendor Sunbelt Software. "The new threats that we saw in 2006 have shown us that the malware authors are ingenious and creative in their methods. Unfortunately, those attributes aren't ones we would normally consider laudable in the context of criminals."
2006 was the year of computing dangerously