Research in all areas of the security industry suggests
that the supply of data-stealing products and services is
growing.
Economic signals indicate productivity and returns are high for
criminal hackers. For instance, in the UK recorded
online banking fraud increased from £23.2m in 2005 to £33.5m in
2006, according to Apacs, the UK payments association.
Hackers and those after their services have found the internet
to be the perfect trading floor.
Hacking expert John Safa, CTO at security company DriveSentry,
says that through forums and other communication services, the
internet plays host to a thriving hacker community.
"Most of these guys [hackers] are about 30 and are talented
programmers who want some more money. They would be paid to develop
code. This could be posted on malware forums. Then they talk via
IRC [Internet Relay Chat] and people will advertise," says
Safa.
"You can tell by the way they talk they have had a busy day at
work. The kids are open about hacking. The older ones are discreet.
There are two ways to get involved - someone can approach you and
ask you to break into something. Or organised crime may ask 'can
you develop me some ransomware?'"
But it is not just criminal organisations that can access
malware. The internet provides an open market for these services,
says Graham Cluley, senior technology consultant at anti-virus
company Sophos. "When it comes
to things like spyware, you can buy these things on the web. These
tools are free for anyone to purchase - it is easy to get
them."
He adds, "The most obvious threat is spam. There is advanced fee
fraud such as 419 scams that are still working."
Spam accounts for up to 90% of e-mail traffic, estimates e-mail
security firm SoftScan. Although laws, such as Australia's policy
to fine spammers £10,500 a day, are slowly catching up with the
fight against spam, it is just the tip of the iceberg.
One problem is that spamming is becoming more sophisticated.
Like the rest of the technology industry, hackers have embraced
convergence. Spam is now often sent from networks of compromised
computers, known as botnets, which are also used for extortion
attacks and are created by malware made by hackers.
An entire trade exists in making malware, such as backdoor and
password-stealing Trojan horse programs that log keystrokes from
hijacked PCs.
A Trojan infrastructure with support services can be purchased
for £500. Phishing kits cost £100-£150, and for £500 you can buy a
universal kit to target any financial institution, according to
research from security firm RSA.
One hacker, called "0x80", earns almost £3,500 a month from
sending spam through self-made botnets, the Washington Post
reported last year.
And unlike three years ago when malware was designed to simply
make a mess of the internet, hackers are now producing malware that
tends to have two purposes: to steal data and to connect an
infected computer to a botnet.
Many companies are failing to react to the changing threat, says
Roger Thompson, CTO at online security firm Exploit Prevention
Labs. "Companies are not understanding this at all. They think they
are protected by anti-virus software and a firewall. But people
have got to be patched or run anti-exploit software. The trouble
with web browsing is that it pokes a hole through the web browser,"
he says.
Security companies have also started to find that a higher
proportion of intercepted attacks are targeted attacks. E-mail
security firm MessageLabs has seen a sharp rise in messages sent
directly to senior management, addressed with names and job titles.
Family members of these people were also said to be targeted as an
indirect way for hackers to get information on companies.
Botnets are at the heart of a large portion of criminal hacking
cases. For this reason, US police last month began the enormous
task of telling one million people their computers are under hacker
control. The FBI launched the initiative, Operation Botroast, in a
bid to reduce the high number of PCs hijacked and networked
together for criminal use.
Thompson says these attacks tend to originate from two key
bases. "The Russians are still very prominent in this. They have
good waves of attacks at the moment. The other group is
Chinese-based - and it is not just one gang, but a bunch.
"They are trying to get user IDs, passwords and financials. In
the case of China, it is kids because they are mostly interested in
online game passwords for virtual gold. With the Russians, it is
organised crime for cash," he says.
However, the source of botnet attacks is not just limited to
China and Russia. In the US, 21-year-old Jeanson James Ancheta was
jailed for almost five years in May 2006 for hijacking 400,000
computers. Ancheta earned commission from adverts he programmed to
display on the hijacked computers, and rented the botnet to other
hackers.
Simon Heron, managing director at security firm Network Box,
says, "Ancheta claims to have had about 30 transactions for the use
of his botnet for spam and other purposes. He also made money by
installing adware. To do this he became an affiliate of different
advertising service companies and those companies paid him based on
how many installations he could do.
"In Ancheta's case he made a good living for six months, earning
about £30,000 from adware and another £90,000 from hiring out his
botnet. It was hardly a fortune, but then again he was only
20."
When hacking is exposed there can be valuable lessons for
businesses. In 2005, hackers attempted to steal £220m from the
London offices of the Japanese Sumitomo Bank. Rumours spread in the
financial industry that it was a hardware keylogging device
attached to a computer that gave thieves the data they thought
necessary to make a clean getaway.
"Hardware keyloggers are tiny and keep track of the past few
hundred keyboard sessions. Everything is dropped into a file. You
need physical checks to protect this," says Cluley.
"It is much harder to get a grip on an internal threat. It is
things that people can leak by instant messaging services or e-mail
that are hard to police. Employees do know passwords."
The UK's Centre for the Protection of Critical National
Infrastructure advises companies to screen contractors, cleaners
and caterers to help protect against internal threats.
So how should companies approach their overall security?
"Defences have to be multifaceted and diverse. One strategy is
making sure that defences exist within multiple levels of business
and overlap as necessary," says Gunter Ollmann, director of
security strategy for IBM Internet Security Systems.
"But perhaps the most important component is education. Having
an understanding of how hackers do these things and what motivates
them are key in reducing an organisation's risk profile."
Companies should look at web threats and implement some sort of
real-time protection product, because chasing attacks after the
event is always too late, says security company Finjan. It advises
companies to keep IT products updated and patched, and to look out for
malicious websites, where many of the new threats are coming
from.
Companies must also be aware of the threats posed by Web 2.0
sites where hackers can approach naïve staff directly, says Safa.
"A lot of the crime works through social engineering and the amount
of people on instant messaging services or MySpace. It is
exploiting the weaknesses of being able to communicate," he
says.
What is critical is that companies recognise the threat from new
technology and realise that as the way they work changes, the way
they approach security must change. "Companies can no longer rely
on traditional anti-virus suppliers to cater for their security
needs. Do this and it is like going out in the sun without sunblock
- you will get burnt," says Safa.
"Second, as workers become more and more mobile, organisations
need to provide software that works in a secure environment. We
have moved on from the one-size-fits-all approach."
He adds, "Combining people and process and monitoring what is
coming in and going out of an organisation is the best way for
firms to assess threats. You are always going to have the naïve
employee opening every file or application that is sent to them.
Automating the process by having black and white lists eases the
pressure, but however much security technology evolves, hackers
will always try and win."