Cybercriminals have launched a massive new wave of Internet-based schemes to steal personal data and carry out financial scams in an effort to take advantage of the fear and confusion created by tumbling financial markets, security specialists say.
The schemes – often involving online promotions touting fake computer virus protection, get-rich scams and funny or lurid videos – already were rising last fall when financial markets took a dive. With consumers around the world panicking, the number of scams on the Web soared.
The number of malicious programs circulating on the Internet tripled to more than 31,000 a day in mid-September, coinciding with the sudden collapse of the U.S. financial sector, according to Panda Security, an Internet security firm.
It wasn’t a coincidence, says Ryan Sherstobitoff, chief corporate evangelist at Panda.
“The criminal economy is closely interrelated with our own economy,” he says. “Criminal organizations closely watch market performance and adapt as needed to ensure maximum profit.”
Among those caught in the most recent barrage of scams was Justin Terrazas, 27, a beverage merchandiser. He clicked on a Web link that infected his MacBook Pro laptop with a data-stealing program. Not realizing the laptop was compromised, Terrazas later typed his Bank of America debit card number and PIN to pay his Verizon cell phone bill online. The data-stealer swiftly siphoned his information.
A few days later, someone used Terrazas’ debit card account to make a $501.41 online purchase from Modabrand.com, a designer clothing store. The merchandise was shipped to London, leaving Terrazas to unravel a big mess.
“This is definitely something you don’t need in your life,” he says.
The boom in cyberthreats that occurred during the last three months of 2008 could accelerate, especially if the economy continues to falter, security specialists say. Organized cybercrime groups have become increasingly efficient at assembling massive networks of infected computers, called botnets, and deploying them to amass large caches of stolen data, according to several surveys and dozens of interviews with security and privacy analysts. Meanwhile, scammers have honed the trickery used to turn stolen data into cash.
“There is a well-funded, well-educated horde continually probing for cracks and finding their way in” to consumers’ financial information, says Roger Thornton, chief technology officer of security firm Fortify Software.
“They are breaching … the highest levels of the global finance infrastructure and a majority of our home computers.”
Last fall, virulent programs called Trojans began to circulate more widely in e-mail and instant-message spam, got embedded in tens of thousands of popular Web pages and spread in a widening barrage of online ads. Click on the wrong thing, and you would download an invisible Trojan crafted to steal sensitive data and allow the attacker to control your computer.
All types of con games – from e-mail phishing scams, which try to trick you into typing sensitive data at fake websites, to cyberhijacking, in which crooks use stolen user names and passwords to pilfer online accounts – increased, according to security firms, government regulators and law enforcement officials.
Targeting Data Storehouses
Hackers also are intensifying attacks on data storehouses.
Last month, Heartland Payment Systems disclosed that intruders cracked into the system it uses to process 100 million payment card transactions a month.
And last week, Monster.com announced it would impose a mandatory password change for all North American and Western European users of its popular employment Web site. Thieves recently broke into Monster’s databases to steal user IDs, passwords and other data that could be useful in a variety of scams.
“There are limitless opportunities in data of this quality,” says Robert Sandilands, anti-virus director at the security firm Authentium.
To cybergangs, the implosion of the financial markets and widespread job cuts have translated into more opportunities.
Not long after banking giant Wachovia failed, phishing e-mail began circulating asking current and former customers to type in personal information to a Web site to complete mandatory installation of a new Internet security certificate. The Web site was a counterfeit, and some users who fell for the scam had their computers infected with the Gozi Trojan, which funnels stolen data to a computer server equipped to instantly sell the data to other criminals, according to the security firm SecureWorks.
Some thieves have stuck to the path of least resistance, snaring account user names, passwords and Social Security numbers. Cybercrime groups have gone further, sending tainted links in e-mail and instant messages, and spreading viruses via the direct messaging systems used on the social-networking Web sites Facebook, MySpace and Twitter.
Facebook encourages users to report any suspicious messages, but there’s only so much it – and the other networking sites – can do to stop cybercriminals.
“We’ll investigate and take appropriate action, which may include disabling the sender’s account and blocking certain links from being posted,” says Facebook spokesman Barry Schnitt.
But cybergangs now routinely activate hundreds of accounts by the minute, dedicating them to criminal pursuits.
Tainted links also are increasingly turning up in routine search queries on Google, Yahoo search and Windows Live search. The search companies also say they can do little to stem the rising tide of cybercrime. Google spokesman Jay Nancarrow says only that the search giant has “strict policies” against fraudulent practices, which it takes pains to enforce.
The FBI and Secret Service have created partnerships with police agencies around the world to combat cybercrimes. U.S. agents have been able to infiltrate several organized crime groups to make dozens of arrests, says Shawn Henry, assistant director of the FBI Cyber Division. Even so, “The offense tends to outpace the defense,” Henry says. “The cyberthieves are extremely creative.”