Do cyber-criminals ever take a day off?
As 2006 came to a close, scammers took advantage of the public’s relaxed mode, our interest in online holiday shopping, and our expectation of receiving electronic messages from friends and family. A Happy New Year’s Trojan horse made the rounds, containing an attachment that, if opened, downloaded malicious software from the Net and began using the infected machine to send spam to other computers.
During the first week in January, a similar Trojan horse, Wurmark, wished recipients a “Happy Nude Year, ” and, if opened, showed naked bodies spelling out Happy New Year. Wurmark also used the infected computer to send spam. Security company Sophos believes the malware was created to take advantage of employees returning to work after the holidays and facing a huge volume of e-mail.
Also during late December, the FBI warned us of a phishing scam with a difference. Phishing is the practice of tricking us into providing private information, often pretending to be a message from a bank or other trusted source. However, this phishing scam involved an e-mail message claiming to be from a hit man hired to take the recipient’s life, but willing to abandon his mission if the potential victim paid him off. Recipients were asked to provide their phone number immediately or suffer the consequences.
A couple of weeks later, the FBI told us of yet another phishing scam under way–this one purporting to be from the FBI in London. This message claimed the FBI had arrested a murder suspect and found information identifying the recipient as the next intended victim.
Many phishing scams lead us to bogus Web sites that appear identical to a trusted site and encourage us to log in and provide our private information, such as credit card numbers or passwords. Early in January, RSA Security reported the discovery of a new tool that automatically creates dynamic and sophisticated phishing sites. The tool, which sells for around $1,000, has a simple but powerful interface that allows scammers to create a dynamic Web page in the PHP (hypertext preprocessor) scripting language simply by entering the target site’s Web address and information about where the phishing site will be hosted. RSA views this as a sign that the cyber-crooks are becoming increasingly professional.
Help is out there for us, as well. Security companies such as McAfee and Symantec sell anti-phishing software protection, and the latest versions of Firefox and Internet Explorer provide phishing shields. However, these protectors rely on a list of known bad Web sites–meaning that they will not be able to detect a brand-new fraudulent site. Computer users are advised to type the address into the browser’s address window rather than clicking on a link when visiting any site that requires a login.
Also in mid-January, a European storm inspired scammers to new heights. As the violent storm peaked, hundreds of thousands of e-mail messages were traveling through cyberspace, inviting recipients to click on an attachment to view storm news. The headline read simply, “230 Dead as Storm Batters Europe.” The attachment, an executable file, contained a worm that opened a “back door” on a Windows computer, making the machine part of a “botnet”–an army of computers used for nefarious purposes, but without the owner’s knowledge or permission.
The Storm worm relied on a technique known as social engineering to entice people to open the attachment. Social engineering isn’t new, but the speed and timelines of this malware made the Storm worm unusual.
Happily, damage was minimal for a number of reasons. Many ISPs are now scanning for viruses at the server level, most software applications do not open attachments automatically and, dare we hope, computer users are becoming more astute about the menaces.
A bit later, on January 19, a Swedish bank called Nordea reported being stung by what is thought to be the biggest online bank heist to date. Suffering a loss the equivalent of more than $1.1 million, the bank experienced a 15-month targeted attack created specifically for its customers.
Fraudsters sent an e-mail message in the bank’s name, encouraging clients to download a software application that supposedly would fight spam. The software contained a Trojan that installed keyloggers to record keystrokes, and hid itself using a rootkit. (A rootkit is a set of tools used by an intruder after cracking a system.) When users attempted to log into Nordea’s online banking site, they were redirected to a false Web site where they entered their private information and login codes. At that point, an error message appeared saying the site was having technical difficulties. The criminals then used the customer’s login information to visit the Nordea site and take money from accounts.
Identity theft, said to be the fastest-growing crime, is also on the rise, says a McAfee spokesperson. In the United States, annual losses from identify theft reach $50 billion, according to the Federal Trade Commission. Keylogging Trojan malware is the favorite tool in the criminals’ arsenal. In this well-organized industry, one group of criminals specializes in collecting the information and then sells it to a second group, which puts it to use.
Garlik, an anti-ID theft company in the United Kingdom, reports that identity thieves do not usually go after our bank accounts, as many believe. Instead, they use personal identification to open a line of credit as an entirely new person. Therefore, it may be quite some time before the identity theft victim realizes he is being impersonated. Surprisingly, lawyers are the number one target–since much of their information is publicly available and because they are thought to be high-income earners.
Some scams, like the e-mail lottery scam, combine Internet and telephone technology. An e-mail message, or sometimes an automated telephone message, informs the recipient that they have won a lottery, and urges the intended victim to place a phone call to provide bank details or to hand over fees to secure “rewards.”
The phone number is frequently a United Kingdom 070 personal number, which appears to be a mobile number, but is easily redirected to any number anywhere in the world. The victim believes he has reached a U.K. number, and the fraudster poses as a U.K. lottery official.
To a fraudster, these personal numbers are a means of quickly and cheaply acquiring multiple phone numbers, which they then redirect to the same mobile phone or landline. These “free and throwaway” numbers enable fraudsters to con people into providing financial information, which is then used to commit identify theft or empty bank accounts. To protect yourself–well, as a Sophos spokesperson pointed out, you haven’t won a lottery if you didn’t buy a ticket!
* * *
These are just a few examples of what’s out there. If you believe you have been targeted by a cyber-criminal, you might want to file a complaint at the Internet Crime Complaint Center , a joint venture between the FBI and the National White Collar Crime Center.