Identity Theft and the Hacker Economy

Alisha | March 14th, 2008 at 1:40 pm

Why You Should Learn More About Computer Security

I recently read an alarming series of articles in CIO Magazine, in which the author, Scott Berinato, described the evolution of Internet crime into a service-oriented economy centered on identity theft and fraud. Hackers are forming well-funded organizations similar to drug cartels, and like the drug cartels, the fundamental principles of their success are "distributed pain with concentrated gain, and distributed risk" (Berinato, Hacker Economics 2: Conspiracy of Apathy).

The immense size of the market allows these criminals to distribute the pain by stealing a small amount of money from a large number of people. For example, if they steal $20 from 5,000 credit cards, they make $100,000, and no one person noticed or chose to investigate the charge. If those charges are distributed amongst ten different card issuers, no one bank lost more than $10,000, which they simply write off as acceptable loss. If a victim goes to law enforcement, the law enforcement agency cannot justify the resources to investigate the fraud unless they hear from multiple victims and can determine that the incidents are related. (Berinato, Hacker Economics 2: Conspiracy of Apathy)

Even if law enforcement decides to open an investigation, the distributed risk principle hinders the investigation. The hackers themselves barely handle the stolen data, and in many cases they contract out the distribution of their malware. Furthermore, the information is sold to individuals who themselves do not commit fraud, but instead, sell the information to others who actually commit the fraud. The risk is shared by several links in a supply chain, but all of the money flows up to the cartel. Some researchers estimate that these cartels earn their members millions of dollars each month. (Berinato, Hacker Economics 2: Conspiracy of Apathy)

One of the first Trojans used to steal personal information is believed to have operated undetected for as long as nine months, during which it collected millions of personal credentials. Each month, Secure Science, a security research firm, discovers 3 million compromised login credentials for banks, online e-mail accounts and anything else that requires a username and password on the Internet. They also intercept 250,000 stolen credit cards every month, and that is just one company. (Berinato, Hacker Economics 1: Malware as a Service)

"Do you have a credit card? They've got it," states a former hacker turned Internet security researcher. "I'm not exaggerating. Your numbers will be compromised four or five times, even if they're not used yet." (Berinato, Hacker Economics 1: Malware as a Service)

How do they do it? The current distribution method of choice is to use an iFrame to download a form-grabbing Trojan onto the victim's computer. iFrames are a feature of your web browser that allows websites to deliver content from remote websites in a frame on a page. As an example, think of the current weather conditions streamed from weather.com into a small box on a newspaper's website. Hackers, on the other hand, build invisible iFrames into webpages. The iFrame contains a tiny piece of software called a downloader, which downloads malware onto the user's computer. (Berinato, Death by iFrame)

iFrames are so effective that a new business has emerged around them. These new companies pay for clickthroughs. If you agree to host their iFrame code on your website, you will receive a payment each week, contingent on 1,000 clickthroughs. They will even sell you malware code if you do not have your own. Research by the anti-virus company Sophos shows 8,000 new webpages each day hosting illicit code or activity, most of which are iFrame exploits. In fact, some 70 percent are found on legitimate websites which contained vulnerabilities that allowed the iFramers to inject their criminal code. Now, with a portfolio of infected sites, these companies sell access to their network at one dollar per infection. (Berinato, Death by iFrame)

iFrames are also advantageous because they separate the distribution network from the malware. The iFrame becomes a service in itself because it remains available for any variant or a new piece of malware. (Berinato, Death by iFrame)

Another group of hackers, who developed a form-grabbing Trojan known as Gozi, subscribed to the iFrame service to infect thousands of computers with their malware. Gozi collects information entered into online forms before it is SSL encrypted, and then sends the information collected to a remote server. With a method in place to distribute their malware, the hackers created a website where they sold projects of Gozi-infected computers in 30-day increments. The price: $1,000 per infected computer. In return for their money, customers receive the data collected from the computers in their project. (Berinato, Hacker Economics 1: Malware as a Service)

In yet another example of hacking as a service, security researchers recently found a website which uses a botnet (infected computers under the control of hackers) of several million computers to infect other vulnerable computers. For 20 cents per successful infection (or load), the customer can pay for loads based on country, IP address or other attributes. Consequently, a user of this service could target a specific company or a university. (Berinato, Internet Researchers Discover New Hacking Service Site)

There are four important points to take away from this.

  • The potential to earn millions of dollars per month is a strong motivator, especially when there is minimal risk.
  • You share the responsibility for securing your online transactions. If your computer is compromised by malware, the little yellow lock in your web browser, the one that banks and online merchants tell you indicates your transaction is secure, is not able to secure your transaction, because malware, such as Gozi, grabs the data before the little yellow lock can do its job.
  • It is much simpler and far less risky to steal confidential information from your computer, than to compromise the security measures of a bank or online merchant, and then steal the information from them.
  • Anti-virus software, alone, is not sufficient protection. Hackers sell their malware to other hackers who modify the code to create variants or entirely new malware. In effect, the malware evolves, and with each evolution it gets better at avoiding detection and removal. Anti-virus vendors cannot keep pace. On several occasions, WVU has identified virus-infected computers days before anti-virus vendors released definitions capable of detecting and removing the viruses.

How do you protect yourself from these hackers? First, secure your computer. Our top 10 security tips are a good place to start.

Second, protect your identity by reviewing your credit report on an annual basis. The three credit reporting agencies (Equifax, Experian and TransUnion) must provide, upon request, a copy of your credit report at no charge once a year. You can also place a 90-day security alert on your credit, which also removes you from pre-screened credit solicitation lists for 6 months. You may also wish to consider the use of an identity theft protection service, such as LifeLock.

Unfortunately, properly securing a computer is not a trivial exercise, and hackers take advantage of our naïveté. Each of us should endeavor to learn more about computer security and the methods used by hackers. Make time to browse the security articles posted on the websites of vendors such as McAfee, Microsoft, Symantec and Trend Micro, and be sure to return to those sites periodically for the latest news and information. If you use Microsoft Windows, sign up for Microsoft's consumer security newsletter. Visit the Federal Trade Commission's website to learn more about identity theft.

In this new age of Internet crime, our computers and ultimately our very identities are under attack. We must be proactive and vigilant in securing our computers and protecting our identities.

Brice Knotts, Director
Student Affairs Administrative Technology Development

References

Berinato, Scott. (2007). Hacker Economics 2: Conspiracy of Apathy. CIO Magazine, Article 135452, http://www.cio.com/article/135550.

Berinato, Scott. (2007). Hacker Economics 1: Malware as a Service. CIO Magazine, Article 135500, http://www.cio.com/article/135500.

Berinato, Scott. (2007). Death by iFrame. CIO Magazine, Article 135452, http://www.cio.com/article/135452.

Berinato, Scott. (2007). Internet Researchers Discover New Hacking Service Site. CIO Magazine, Article 149600, http://www.cio.com/article/149600.
