Hackers score big by thinking small, experts say
By Andy Sullivan
A recent computer security breach that left 40 million credit cards
vulnerable to fraud shows how online criminals are scoring big by
thinking small, experts said on Monday.
Cybercriminals are increasingly crafting more focused attacks with a
potential for profit as they target one or two companies at a time,
rather than blasting out Internet virus attacks across the globe,
according to security experts.
The payoffs can be enormous. MasterCard International said on Friday
that an outsider gained access to as many as 40 million credit and
debit cards from CardSystems Solutions Inc., a payment processor. A
MasterCard spokeswoman said on Monday that the attacker had placed a
malicious computer script on CardSystems computers.
In Israel, police are investigating a massive case of industrial
espionage that used a "Trojan horse" computer program to copy
confidential information from some of the country's top businesses.
Security vendors say such attacks are increasingly common.
"We have seen several examples of targeted, manually crafted Trojans
that people write and implement for a very small number of companies,"
said Aladdin Security Vice President Shimon Gruper.
MessageLabs chief technical officer Mark Sunner said that since
January the company has seen a 150 percent increase in attacks that
only target one or two companies.
Experts said there are a number of reasons behind the shift. Playful
hackers looking for kicks could write viruses that plagued companies
and computers around the world but brought them no financial
return. They have been elbowed aside by organized criminals, often
based in Eastern Europe, who are motivated by profit and willing to
launch a sustained, sophisticated assault.
Targeted attacks have another key advantage: they are usually small
enough to stay off the radar of Internet security firms that are
looking for broader attacks. That gives the high-tech criminals the
time to research a company thoroughly before trying to penetrate it.
"You know there's specific technology, a piece of intellectual
property, how much money is in their accounts," said RSA Security
Inc. CEO Art Coviello. "That's the advantage -- you have a little bit
more knowledge."
Attackers can then send individual, personalized e-mails to the target
company's employees, or pose as an IT administrator who needs to
install a software update. Once in, they can use simple spyware
programs to pick up passwords, account numbers and other valuable
information.
"When you see a focused attack like this, this is kind of your
worst-case scenario. These are people who are going to actually do
something with those credit cards once they get them," said Mike
Gibbons, a Unisys Corp. vice president and former FBI cybercrime
chief.
E-mail viruses have lost their teeth now that more people are using
antivirus software properly, said Alfred Huger, senior director of
engineering at the antivirus provider Symantec Corp.
While old viruses continue to circulate, "they're background noise,"
he said.
At the same time, Microsoft Corp. has patched the most gaping holes in
its Windows operating system and companies have learned to install
those patches quickly, said John Pescatore, a vice president at the
consulting firm Gartner Inc.
Identity thieves who used to go through trash bins to find credit-card
receipts have learned that it's more worthwhile to extract such
information from companies that collect it.
"Two years ago I would say one of the things you should do is shred
your trash. Now that is completely obsolete advice," said Bruce
Schneier, chief technical officer for Counterpane Internet Security Inc.
Copyright 2005 Reuters Limited.
[TELECOM Digest Editor's Note: I have said on a few occasions that
the phisher people would begin to grow impatient at the limited
success to be had by sending a piece of fraud email to someone asking
for bank account information, etc. Smart phisher people now get the
same files wholesale, from the source at the bank, wherever. I mean,
which makes more sense to you; typing in a jillion letters purporting
to be from one bank or another, hoping that an occasional fool will
respond with the details you need, or putting on a delivery man's
uniform and dealing with some disinterested fool of a clerk in a
bank somewhere? Which method will get the phisher person more and
better results? Oh sure, they still send out those letters also, I
got six or eight requests today alone from 'Bank of America' and
'Pay Pal' which I promptly pitched out, but why not just go for the
full load all at once, as happened last week? PAT]