In Depth
Technology
Cyber Security
Hackers turn from mischief to money-making
November 28, 2006
By Ted Kritsonis, CBC News
Having your computer hacked can be a harrowing experience, but even more so if your machine has been used to get at somebody else.
In the past, hackers or cyber attackers typically turned their skills on their targets primarily for bragging rights, both in terms of what they could break into and how many machines they could compromise. But the onus now is on making money at the expense of those very same targets, security experts say.
With the change in intentions comes a change in tactics. Where viruses used to spread via anonymous e-mail attachments, cyber attackers now use schemes like phishing and hidden Trojan viruses to steal the crucial information they need to either lure you into a trap or use your personal computer to gain entry into more lucrative targets.
"They're looking at exploiting home users in order to get access to bigger and richer financial targets like banks, because home users aren't necessarily as security savvy," says Dean Turner, senior manager for Symantec Security Response.
Those home machines tend to lack good anti-virus software and firewall protection. That makes them the weak link in the security chain, because so many personal computers are now used by people who log into corporate and financial networks remotely. Rather than hacking into a corporate server directly, thieves are taking the easier route by breaking into poorly secured personal computers and using them to get into secure networks.
Phished in
A good rule of thumb, Turner says, is that: "Exercising a certain level of caution when surfing the internet helps, because if something doesn't seem right, it probably isn't."
According to Symantec's latest threat report, 86 per cent of cyber attacks are aimed at home users, though only 21 per cent of attempts in recent months were made through e-mail attachments.
The most popular method now is phishing, which is a technique where attackers mimic the visual presentation of a website such as an online bank, even down to its domain name, hoping that you log in with your username and password.
Once home users have done that, Turner says, attackers can then use that information to steal sensitive data like an identity, or steal directly from a business or enterprise where the user may be a customer. Two examples of common phishing e-mails are the bogus requests purported to be from companies such as Royal Bank or eBay that ask people to log in and verify their passwords, or send personal information to update their account profiles. Clicking the links in those messages takes users to what looks like a Royal Bank or eBay site, but is really a fake website set up to harvest information from unsuspecting and overly trusting users.
"A lot of the spam and phishing sites really take advantage of the fact that people aren't going to necessarily read everything," says Dave Marcus, security research and communications manager with McAfee Avert Labs.
"The bad grammar in these e-mails and websites is a dead giveaway, but people just tend to click blindly and the attackers are very good at understanding that kind of psychology."
Marcus said that an example of this could be a site that looks like Google but has the IP address, which is sort of like a license plate number for a computer, of a site that isn't connected with google.com. Another clue that something is amiss is that banks and services like eBay refer to their customers by name in their e-mails, as opposed to the generic "Dear Member" salutations prominent in phishing e-mails.
Trojans
Trojan viruses are also a means to dupe users into giving up crucial information. Hidden Trojan programs are typically pieces of malicious software or "malware" that are installed through a seemingly harmless action, like clicking "yes" to a license agreement for a piece of software a user has just downloaded.
The hidden piece of malware can then hide on a computer and collect things such as passwords, sending them back to a hacker over the machine's internet connection. It could even infect a computer so that it becomes part of a "bot network," which is the hacker equivalent of an army of mindless zombies. The hacker has remote control over each infected computer, and can use their combined power to do things ranging from serving out spam e-mails, to launching denial-of-service attacks on websites.
In the latter case, the network of zombie computers can wreak havoc on a business website by creating a high volume of traffic that brings the site to its knees, thereby creating an effectual electronic extortion racket. Companies often pay the ransom demands of the hackers, because it's cheaper than having their e-commerce or gambling site put out of business for hours or days on end.
Messaging
Another way in which attackers can try to take over a computer through popular instant messenger portals like Windows Live Messenger or MSN Messenger, because the conversation windows offer a "back door" into your system. Even so, attackers still need unsuspecting help from a user to breach his or her system successfully.
"They can't control your desktop just by you accepting a file," says Sumeet Khanna, director of communications services for messaging service MSN Canada. "MSN Messenger is compatible with AV (anti-virus) software, so that files can be scanned when accepted."
Improving security
All these threats have meant increasing pressure on companies to make their on-line products and services more secure. Microsoft, for example, had security firmly in mind when developing its new Windows Vista operating system, which is set to launch to consumers in early 2007. Its new web browser, Internet Explorer 7, will have phishing filters built in to warn users of fraudulent websites, for example.
"We've also added protocols that enable users to report those phishing sites as well," says Elliot Katz, senior product manager of Windows Clients for Microsoft Canada. "Our Windows Defender product will also scan your PC for any spyware or hidden Trojans that may have been downloaded onto your desktop."
But despite these measures, Katz insists that users still need to protect themselves by having antivirus software installed and deploying a firewall, a virtual fence that attackers would need to get around in order to launch a successful attack.
And pundits agree that user education is the best defense against would-be attackers, simply because greater awareness would lead to fewer successful attacks. Surfers simply have to be wary of where they go on the internet, and what they click on, whether it's a hyperlink in a fishy e-mail or the "OK" button on a suspicious software licensing agreement. By keeping track of software updates and employing good web-browsing habits, security experts like Turner and Marcus believe that people could significantly reduce their risk of being victimized.
"You wouldn't go to a strange city and walk down a dark alley in the middle of night, so you should exercise the same caution on the internet," says Turner.
Menu
Technology
- Green machines
- Disk drive: Companies struggle with surge in demand for storage
- Open season: Will court decision spur Linux adoption?
- Analogue TV
- Video games: Holiday season
- Video games: Going pro
- Guitar Hero
- Parents' guide to cheap software
- Working online
- Laptop computers for students
- Technology offers charities new ways to attract donations
- The invisible middleman of the game industry
- Data mining
- Two against one
- The days of the single-core desktop chip are numbered
- Home offices
- Cyber crime: Identity crisis in cyberspace
- Yellow Pages - paper or web?
- Robotics features
- iPhone FAQ
- Business follows youth to new online world
- A question of authority
- Our increasing reliance on Wikipedia changes the pursuit of knowledge
- Photo printers
- Rare earths
- Widgets and gadgets
- Surround Sound
- Microsoft's Shadowrun game
- Dell's move to embrace retail
- The Facebook generation: Changing the meaning of privacy
- Digital cameras
- Are cellphones and the internet rewiring our brains?
- Intel's new chips
- Apple faces security threat with iPhone
- Industrial revolution
- Web developers set to stake claim on computer desktop with new tools
- Digital photography
- Traditional film is still in the picture
- HD Video
- Affordable new cameras take high-definition mainstream
- GPS: Where are we?
- Quantum computing
- What it is, how it works and the promise it holds
- Playing the digital-video game
- Microsoft's forthcoming Xbox 360 Elite console points to entertainment push
- Online crime
- Botnets: The end of the web as we know it?
- Is Canada losing fight against online thieves?
- Malware evolution
- Money now the driving force behind internet threats: experts
- Adopting Ubuntu
- Linux switch can be painless, free
- Sci-fi projections
- Systems create images on glass, in thin air
- Power play
- Young people shaping cellphone landscape
- Digital cameras
- Cellphone number portability
- Barriers to change
- Desktop to internet
- Future of online software unclear: experts
- Complaining about complaints systems
- Canadian schools
- Multimedia meets multi-literacy age
- Console showdown
- Comparing Wii, PS3 and Xbox 360 networks
- Social connections
- Online networking: What's your niche?
- Virtual family dinners
- Crackdown
- Xbox 360 console game
- Vista and digital rights
- Child safety
- Perils and progress in fight against online child abuse
- Biometric ID
- Moving to a Mac
- Supply & demand
- Why Canada misses out on big gadget launches
- Windows Vista
- Computers designed for digital lifestyle
- Windows Vista
- What's in the new consumer versions
- Cutting the cord
- Powering up without wires
- GPS and privacy
- Digital deluge
- RFID
- Consumer Electronics Show
- Working online
- Web Boom 2.0 (Part II)
- GPS surveillance
- Hits and misses: Best and worst consumer technologies of 2006
- Mars Rovers
- Voice over IP
- Web Boom 2.0
- Technology gift pitfalls to avoid
- Classroom Ethics
- Rise of the cybercheat
- Private Eyes
- Are videophones turning us into Big Brother?
- Windows Vista
- Cyber Security
- Video games: Canadian connections to the console war
- Satellite radio
- Portable media
- Video games
- Plasma and LCD
- Video screens get bigger, better, cheaper
- Video games:
- New hardware heats up console battle
- High-tech kitchens
- Microsoft-Novell deal
- Lumalive textiles
- Music to go
- Alternate reality
- Women and gadgets
- High-tech realtors
- The itv promise
- Student laptops
- Family ties
- End of Windows 98
- Bumptop
- Browser wars
- Exploding laptop
- The pirate bay
- Stupid mac tricks
- Keeping the net neutral
- PS3 and WII at E3
- Sex on the net
- Calendars, online and on paper
- Google, ipod and more
- Viral video
- Unlocking the USB key
- Free your ipod
- In search of
- Xbox
- Sony and the rootkit
- Internet summit
- Electronic surveillance