Hacking poses threats to business

The internet provides an open market for trade in malicious software. Dan Ilett finds out who the hackers are, what they do and what businesses can do to keep them at bay

Research in all areas of the security industry suggests that the supply of data-stealing products and services is growing.

Economic signals indicate productivity and returns are high for criminal hackers. For instance, in the UK recorded online banking fraud increased from £23.2m in 2005 to £33.5m in 2006, according to Apacs, the UK payments association.

Hackers and those after their services have found the internet to be the perfect trading floor. Hacking expert John Safa, CTO at security company DriveSentry, says that through forums and other communication services, the internet plays host to a thriving hacker community.

"Most of these guys [hackers] are about 30 and are talented programmers who want some more money. They would be paid to develop code. This could be posted on malware forums. Then they talk via IRC [Internet Relay Chat] and people will advertise," says Safa.

"You can tell by the way they talk they have had a busy day at work. The kids are open about hacking. The older ones are discreet. There are two ways to get involved - someone can approach you and ask you to break into something. Or organised crime may ask 'can you develop me some ransomware?'"

But it is not just criminal organisations that can access malware. The internet provides an open market for these services, says Graham Cluley, senior technology consultant at anti-virus company Sophos. "When it comes to things like spyware, you can buy these things on the web. These tools are free for anyone to purchase - it is easy to get them."

He adds, "The most obvious threat is spam. There is advanced fee fraud such as 419 scams that are still working."

Spam accounts for up to 90% of e-mail traffic, estimates e-mail security firm SoftScan. Although laws, such as Australia's policy to fine spammers £10,500 a day, are slowly catching up with the fight against spam, it is just the tip of the iceberg.

One problem is that spamming is becoming more sophisticated. Like the rest of the technology industry, hackers have embraced convergence. Spam is now often sent from networks of compromised computers, known as botnets, which are also used for extortion attacks and are created by malware made by hackers.

An entire trade exists in making malware, such as backdoor and password-stealing Trojan horse programs that log keystrokes from hijacked PCs.

A Trojan infrastructure with support services can be purchased for £500. Phishing kits cost £100-£150, and for £500 you can buy a universal kit to target any financial institution, according to research from security firm RSA.

One hacker, called "0x80", earns almost £3,500 a month from sending spam through self-made botnets, the Washington Post reported last year.

And unlike three years ago when malware was designed to simply make a mess of the internet, hackers are now producing malware that tends to have two purposes: to steal data and to connect an infected computer to a botnet.

Many companies are failing to react to the changing threat, says Roger Thompson, CTO at online security firm Exploit Prevention Labs. "Companies are not understanding this at all. They think they are protected by anti-virus software and a firewall. But people have got to be patched or run anti-exploit software. The trouble with web browsing is that it pokes a hole through the web browser," he says.

Security companies have also started to find that a higher proportion of intercepted attacks are targeted attacks. E-mail security firm MessageLabs has seen a sharp rise in messages sent directly to senior management, addressed with names and job titles. Family members of these people were also said to be targeted as an indirect way for hackers to get information on companies.

Botnets are at the heart of a large portion of criminal hacking cases. For this reason, US police last month began the enormous task of telling one million people their computers are under hacker control. The FBI launched the initiative, Operation Botroast, in a bid to reduce the high number of PCs hijacked and networked together for criminal use.

Thompson says these attacks tend to originate from two key bases. "The Russians are still very prominent in this. They have good waves of attacks at the moment. The other group is Chinese-based - and it is not just one gang, but a bunch.

"They are trying to get user IDs, passwords and financials. In the case of China, it is kids because they are mostly interested in online game passwords for virtual gold. With the Russians, it is organised crime for cash," he says.

However, the source of botnet attacks is not just limited to China and Russia. In the US, 21-year-old Jeanson James Ancheta was jailed for almost five years in May 2006 for hijacking 400,000 computers. Ancheta earned commission from adverts he programmed to display on the hijacked computers, and rented the botnet to other hackers.

Simon Heron, managing director at security firm Network Box, says, "Ancheta claims to have had about 30 transactions for the use of his botnet for spam and other purposes. He also made money by installing adware. To do this he became an affiliate of different advertising service companies and those companies paid him based on how many installations he could do.

"In Ancheta's case he made a good living for six months, earning about £30,000 from adware and another £90,000 from hiring out his botnet. It was hardly a fortune, but then again he was only 20."

When hacking is exposed there can be valuable lessons for businesses. In 2005, hackers attempted to steal £220m from the London offices of the Japanese Sumitomo Bank. Rumours spread in the financial industry that it was a hardware keylogging device attached to a computer that gave thieves the data they thought necessary to make a clean getaway.

"Hardware keyloggers are tiny and keep track of the past few hundred keyboard sessions. Everything is dropped into a file. You need physical checks to protect this," says Cluley.

"It is much harder to get a grip on an internal threat. It is things that people can leak by instant messaging services or e-mail that are hard to police. Employees do know passwords."

The UK's Centre for the Protection of Critical National Infrastructure advises companies to screen contractors, cleaners and caterers to help protect against internal threats.

So how should companies approach their overall security? "Defences have to be multifaceted and diverse. One strategy is making sure that defences exist within multiple levels of business and overlap as necessary," says Gunter Ollmann, director of security strategy for IBM Internet Security Systems.

"But perhaps the most important component is education. Having an understanding of how hackers do these things and what motivates them are key in reducing an organisation's risk profile."

Companies should look at web threats and implement some sort of real-time protection product, because chasing attacks after the event is always too late, says security company Finjan. It advises companies to keep IT products updated and patched, and to look out for malicious websites, where many of the new threats are coming from.

Companies must also be aware of the threats posed by Web 2.0 sites where hackers can approach naïve staff directly, says Safa. "A lot of the crime works through social engineering and the amount of people on instant messaging services or MySpace. It is exploiting the weaknesses of being able to communicate," he says.

What is critical is that companies recognise the threat from new technology and realise that as the way they work changes, the way they approach security must change. "Companies can no longer rely on traditional anti-virus suppliers to cater for their security needs. Do this and it is like going out in the sun without sunblock - you will get burnt," says Safa.

"Second, as workers become more and more mobile, organisations need to provide software that works in a secure environment. We have moved on from the one-size fits all approach."

He adds, "Combining people and process and monitoring what is coming in and going out of an organisation is the best way for firms to assess threats. You are always going to have the naïve employee opening every file or application that is sent to them. Automating the process by having black and white lists eases the pressure, but however much security technology evolves, hackers will always try and win."
