Remember scoffing at people who didn't know any better than to click on e-mail attachments from unknown senders, thus exposing their systems to computer viruses? Boy, has Internet crime and security gotten more complicated in the past year.
In November alone, there were 8,459 new, unique phishing e-mail messages reported to the Anti-Phishing Working Group. That's nearly four times the number received in August and represents an average monthly growth rate of 34 percent since July.
What's uniquely alarming about this epidemic is that phishing is such an alluringly lucrative cyber-crime: It involves duping victims into revealing personal financial data, including credit card numbers, account user names and passwords, and/or Social Security numbers.
The sophistication of these attacks has grown by leaps and bounds. For example, as eWEEK.com's Matthew Broersma reported in December, researchers have found that most Web browsers handle pop-up windows in a manner that makes them vulnerable to a simple phishing technique that allows fake content to look genuine.
Even fully patched, standard versions of globally used browsers including Internet Explorer, Firefox, Opera, Konqueror and Safari—used by trusted sites such as banks—allow malicious sites to insert their own content into any pop-up window, as long as the target name of the window is known.
Over the past year, experts also warned of new attacks that not only circumvent DomainKeys but, adding insult to injury, even exploit the fledgling e-mail signing technology for their nefarious ends.
As eWEEK's Dennis Fisher reported, the technology once regarded by many in the security community as one of the best hopes for preventing e-mail address forgery is now being used to make bogus messages appear legitimate, thus undercutting confidence in the system.
“It proves that people will get to the point where they can't trust e-mail from anywhere,” one security expert, who requested anonymity, told Fisher.
During a quarter in which analysts declared a 500 percent increase in global phishing activity over the previous quarter, Veterans Day was the nadir.
Beginning in the early morning and continuing into the weekend, the Internet exploded with attacks against companies including eBay, Citibank and other financial institutions.
Indeed, financial institutions are traditionally the likeliest targets of Internet crime, yet chief security officers in the industry said they got scant help from the Feds over the past year, eWEEK's Fisher reported.
Dave Cullinane, president of the Information Systems Security Association, gave a speech at the CSO Interchange gathering, during which he said that the FBI and other federal agencies are generally unresponsive to requests for help from banks on phishing attacks unless the bank can show substantial financial losses. “If you're running on the assumption that calling the FBI will get you assistance, it won't,” he said.
Spyware Threat
Beyond the phishing epidemic, spyware was on track to replace mass-mailing worms as the biggest security threat in the coming year. This technology, which uses covert techniques to install itself on computers and track user activity, is dangerous because malicious code can be executed on infected systems.
As eWEEK.com's Ryan Naraine reported, spyware, also known as adware, has become the preferred way to deliver malicious Trojans, which can relay information to other computers or Web locations, thus putting user passwords, log-in details, credit card numbers and other personal information at risk.
Notwithstanding financial chief security officers' complaints, the Feds spent a good deal of the past year studying cyber-crime, pondering and passing legislation to thwart it, and even handing down the first-ever felony conviction of a spammer. The spammer, Jeremy Jaynes, received a sentence of nine years in prison when a jury in AOL's home county convicted him and his sister.
Meanwhile, a federal sweep, named Operation Web Snare, nabbed 150 individuals and yielded 117 criminal complaints between June and August. As eWEEK's Dennis Callaghan reported, the effort, largely directed against phishers, was thought to be the largest one yet taken against cyber-criminals.
Reactions to the cyber-criminal sweep were mixed, however, as some legal and online fraud experts opined that it was too little, too late.
Finally, if there's any silver lining to the dark cloud of cyber-crime that's blossomed in the past year, it is this: Congress is finally taking these issues seriously.
As eWEEK's Caron Carlson reported, the Senate in June approved legislation aimed at stopping identity theft by increasing criminal penalties and creating a new crime of aggravated ID theft, which the president has since signed into law.
The House took on the task of probing spyware in April, and legislation targeting spyware was introduced into the Senate and House, with Utah ahead of the curve in enacting an anti-spyware law.
The House in September approved legislation that prohibits “taking control” of a computer, surreptitiously modifying a Web browser's home page, or disabling anti-virus software without proper authorization.
With all of these busts, and with all of this legislative pondering, does it finally mean we have some tools to beat down the alarming rise of cyber-crime? eWEEK.com's Larry Seltzer earlier in the year had read various versions of bills pending at the time, and he wasn't optimistic, given that the legislative language had too much wiggle room.
The upshot: In 2005, you'll have to be more vigilant, you'll have to demand more from vendors vis-à-vis secure products, and you'll have to go through legislative wording with a fine-toothed comb.
Is that different from other years? No.
But take it much, much more seriously this year.
Related articles:
- Pop-up Loophole Opens Browsers to Phishing Attacks
- Finance CSOs: Feds Are No Help with Phishing
- Scammers Exploit DomainKeys Anti-Phishing Weapon
- Veterans Day Sees a Phishing Frenzy
- Spyware: The Next Real Threat
- Virginia Seeks to Send Spammer to Slammer
- Federal Sweep Nets Spammers, Cyber-Criminals
- Reactions Mixed to Federal Fraud Sweep
- U.S. House Passes Anti-Spyware Bill
- Congress Passes ID Theft Bill
- House Panel to Probe Spyware
- Gates: Microsoft to Tackle the Spyware Problem
- Microsoft's Anti-Virus Strategy Keeps Users Guessing
- Study: Tools Let Spyware Slip Through Cracks