Money now the driving force behind internet threats: experts
March 27, 2007
By Saleem Khan, CBC News
When the internet found its way into people's homes and offices en masse in the mid-1990s, it was widely regarded as beneficial, giving people access to information — and each other — in a way that was previously impossible.
The interconnectedness across thousands of kilometres that the global network offered gave its users access to a wider world, allowing them to find whatever they were looking for, and if it didn't exist, to create it.
That rule also held for people with less altruistic intentions, giving rise to computer viruses and other forms of malicious software. The threat they pose has become so pervasive and advanced that online security companies are forced to play an ongoing game of cat-and-mouse, according to experts who spoke with CBC News Online.
Computer security companies need to change if they are to keep up with would-be criminals, according to Ron Nguyen, director of consulting services for the security firm Foundstone Inc. (McAfee/Foundstone)
Profit motive prevails
"The amount of new and dangerous types of software is daunting and will continue to be that way for a while," said Ron Nguyen, director of consulting services for Foundstone Inc. of Mission Viejo, Calif.
Although Nguyen said severe, widespread outbreaks of computer viruses are increasingly rare, he noted that attackers' intent and the methods they use are evolving, as is their motivation.
"In the past, they may have been motivated by idealistic reasons," said Nguyen, who previously hacked into U.S. military computers to test their security in his role as an information warfare officer with the U.S. air force.
- BOTNETS are networks of computers that have been hijacked by malicious groups or individuals to do their bidding. Their owners are usually unwitting victims who have no idea their machines have been infected and turned into so-called zombies. The zombie computers are typically used to distribute spam or phishing e-mails, or viruses and Trojans that let them hijack other computers. Botnet operators often rent time or bandwidth on their networks to spam e-mail marketers and phishing scam artists.
- MALWARE is a catch-all term for malicious software such as computer viruses, spyware and so on that compromise the security or function of people's computers.
- PHISHING is a technique in which criminals try to trick people into disclosing sensitive information such as online banking names and passwords and is often conducted through e-mails.
- PHARMING is an attack in which malicious individuals try to redirect traffic from one website to a false one.
- TROJANS are programs that appear to perform one function in order to hide a malicious one. Like the mythological Trojan horse such programs are named after, the deception tricks people into granting them access to a computer.
- ZOMBIES are computers that have been hijacked by attackers to perform commands and functions issued to them, often without the owners' knowledge. They are typically infected by Trojans that enable attackers to use them in a botnet. An infected computer is sometimes referred to as a bot - short for robot.
The old guard of hackers would discover a vulnerability in a piece of software, tell its creator about the flaw, and wait for a patch to be issued before they would publish details of the problem and "gain notoriety" among their peers, Nguyen said.
"Now they're motivated by money and can use the cash to discover new vulnerabilities, develop new techniques and tools."
Lower-risk flaws targeted
The scam artists are employing every tool in their arsenal, from spam e-mails that tout stocks in the hope of triggering a market move from which they can profit, to more direct attacks. For example, phishing messages and sites trick people into disclosing sensitive information such as banking login names and passwords, and viruses and Trojans can turn victims' computers into part of the attackers' so-called zombie bot networks to distribute spam, a lucrative business.
Today, when it's discovered that a serious security flaw is being exploited by an attacker, fixes or patches are issued more rapidly than they may have been in the past. In fact, few — if any — mid-sized or larger organizations lack their own online security, which means would-be criminals are seeking out lower-hanging fruit, Nguyen said.
"We have been noticing that because enterprise infrastructures tend to get better and better at patch management, they [attackers] are focusing on the consumer space and small business."
Why? Because those are the segments of internet users that are less likely to keep their security software updated or be aware of the latest emerging threats.
But despite faster fixes to the high risk flaws — which are generally automatically sent by software developers to the computers of consumers and small businesses when they go online — less serious flaws, which aren't patched as quickly, leave people and their systems exposed to attack, according to security researcher Dean Turner of Symantec Corp.
"From an attack perspective, the line between high- and medium-severity vulnerabilities has blurred," Turner said. "Medium vulnerabilities remain unpatched for a longer term."
That gap between the time a vulnerability becomes known and is subsequently repaired leaves a window of opportunity for attackers, making the smaller flaws a much more attractive target than the quickly closed high-risk security holes, Turner said.
It's all a numbers game, the experts agreed.
Attacks becoming 9-to-5 job
"It comes down to a cost-benefit analysis," Nguyen said, noting that although they may not be able to get as large a return from an attack on an individual user as they might from trying to exploit a large corporation, there are so many people who can easily be victimized that they begin to add up.
"There's certainly a professional aspect," said Turner. "It's hard to track real dollar amounts for this sort of thing. I've seen estimates of anywhere from hundreds of millions to billions of dollars. The truth is probably somewhere in between."
The trend is not surprising, Nguyen said, noting that as more people from all walks of life gain access to the internet, the likelihood is high that at least some of them will engage in illicit activities.
"The people running these campaigns, what were they doing before this? Maybe going into banks and robbing them."
But once they discovered the ease with which they could run scams over the internet and recognized that the scale and scope of their activities could increase without any significant cost, moving to online attacks was a logical choice, Nguyen said.
The trade has become so lucrative, that it has become a regular job in some circles, Turner said. He pointed to the example of the Bancos family of Trojans, which created fake login pages to steal usernames and passwords to give access to certain Brazilian banking sites.
"We felt it was a 9-to-5 job and when we looked at the release times and dates, that's what we found."
New strategy needed
The attackers are aided when they successfully hit trusted institutions such as banks, which tend not to report such problems unless required to by law, said Nguyen, relating his experience with clients.
"Ninety-nine per cent of the time, the customer is going to go down the route of not getting law enforcement involved" because the potential damage to their reputation would be too great, so they see it as a cost of doing business, according to Nguyen.
He said various malware groups may be co-operating with each other and becoming more effective — something that the security industry should emulate or risk losing customers who have lost faith in their ability to defend themselves.
"If the whole industry looks bad or is not able to keep up, it will hurt everybody," Nguyen said. "There's got to be some kind of paradigm shift so vendors can keep up with the game."
- Green machines
- Disk drive: Companies struggle with surge in demand for storage
- Open season: Will court decision spur Linux adoption?
- Analogue TV
- Video games: Holiday season
- Video games: Going pro
- Guitar Hero
- Parents' guide to cheap software
- Working online
- Laptop computers for students
- Technology offers charities new ways to attract donations
- The invisible middleman of the game industry
- Data mining
- Two against one
- The days of the single-core desktop chip are numbered
- Home offices
- Cyber crime: Identity crisis in cyberspace
- Yellow Pages - paper or web?
- Robotics features
- iPhone FAQ
- Business follows youth to new online world
- A question of authority
- Our increasing reliance on Wikipedia changes the pursuit of knowledge
- Photo printers
- Rare earths
- Widgets and gadgets
- Surround Sound
- Microsoft's Shadowrun game
- Dell's move to embrace retail
- The Facebook generation: Changing the meaning of privacy
- Digital cameras
- Are cellphones and the internet rewiring our brains?
- Intel's new chips
- Apple faces security threat with iPhone
- Industrial revolution
- Web developers set to stake claim on computer desktop with new tools
- Digital photography
- Traditional film is still in the picture
- HD Video
- Affordable new cameras take high-definition mainstream
- GPS: Where are we?
- Quantum computing
- What it is, how it works and the promise it holds
- Playing the digital-video game
- Microsoft's forthcoming Xbox 360 Elite console points to entertainment push
- Online crime
- Botnets: The end of the web as we know it?
- Is Canada losing fight against online thieves?
- Malware evolution
- Money now the driving force behind internet threats: experts
- Adopting Ubuntu
- Linux switch can be painless, free
- Sci-fi projections
- Systems create images on glass, in thin air
- Power play
- Young people shaping cellphone landscape
- Digital cameras
- Cellphone number portability
- Barriers to change
- Desktop to internet
- Future of online software unclear: experts
- Complaining about complaints systems
- Canadian schools
- Multimedia meets multi-literacy age
- Console showdown
- Comparing Wii, PS3 and Xbox 360 networks
- Social connections
- Online networking: What's your niche?
- Virtual family dinners
- Xbox 360 console game
- Vista and digital rights
- Child safety
- Perils and progress in fight against online child abuse
- Biometric ID
- Moving to a Mac
- Supply & demand
- Why Canada misses out on big gadget launches
- Windows Vista
- Computers designed for digital lifestyle
- Windows Vista
- What's in the new consumer versions
- Cutting the cord
- Powering up without wires
- GPS and privacy
- Digital deluge
- Consumer Electronics Show
- Working online
- Web Boom 2.0 (Part II)
- GPS surveillance
- Hits and misses: Best and worst consumer technologies of 2006
- Mars Rovers
- Voice over IP
- Web Boom 2.0
- Technology gift pitfalls to avoid
- Classroom Ethics
- Rise of the cybercheat
- Private Eyes
- Are videophones turning us into Big Brother?
- Windows Vista
- Cyber Security
- Video games: Canadian connections to the console war
- Satellite radio
- Portable media
- Video games
- Plasma and LCD
- Video screens get bigger, better, cheaper
- Video games:
- New hardware heats up console battle
- High-tech kitchens
- Microsoft-Novell deal
- Lumalive textiles
- Music to go
- Alternate reality
- Women and gadgets
- High-tech realtors
- The itv promise
- Student laptops
- Family ties
- End of Windows 98
- Browser wars
- Exploding laptop
- The pirate bay
- Stupid mac tricks
- Keeping the net neutral
- PS3 and WII at E3
- Sex on the net
- Calendars, online and on paper
- Google, ipod and more
- Viral video
- Unlocking the USB key
- Free your ipod
- In search of
- Sony and the rootkit
- Internet summit
- Electronic surveillance