My Weblog

Panda Security, a Spain-based antivirus maker, has been monitoring an onslaught of links with malicious software, or “malware,” on Twitter that tag hot topics such as the Air France crash, the NBA finals, “American Idol” runner-up Adam Lambert and the new iPhone.

“Cyber criminals have been targeting Twitter users by creating thousands of messages (tweets) embedded with words involving trending topics and malicious URLs,” Sean-Paul Correll, a threat researcher for Panda Labs, wrote recently on a blog for the company.

The growing sophistication of malware attacks mirrors the growing threat — and cash — generated by online crime. Already, cyber crime is estimated to cost companies and consumers more than $100 billion worldwide. Some officials claim it has now eclipsed illegal drugs as a criminal moneymaker.

“It’s very seldom reported … if discovered by companies, they generally don’t want the public to know they’ve been had,” said Eugene Spafford, a computer security specialist at Purdue University who has advised two U.S. presidents and numerous companies and government agencies.

Cyber crime is one of the few industries benefiting from the financial crisis. Last year, antivirus maker McAfee saw a 500 percent increase in malware types — more than the company had seen in the previous five years combined. In the United States, the FBI reported a 33 percent increase in Internet crime last year.

Companies lost an average of $4.6 million in intellectual property last year, according to a survey of 1000 firms worldwide by Purdue University and McAfee.

“As the economy has declined, we’ve seen the threat landscape increase,” David DeWalt, president and CEO of McAfee, recently told Richard Quest for CNN International’s “Quest Means Business.”

That increase has helped antivirus makers such as McAfee snare record returns — the company’s first quarter profits were 21 percent higher than same period last year.

But companies and governments find themselves in a losing war with Web-savvy criminals, experts say.

“The fundamental fact is cyber criminals are highly organized with sophisticated corporate structures and business chains,” said Michael Fraser, director of the Communications Law Centre at the University of Technology Sydney in Australia.

“They have R&D departments, strong distribution networks and Web sites for the discerning cyber criminal,” Fraser said.

On these Web sites, would-be criminals can purchase toolkits to learn how to side step security measures or create their own “botnet” — referring to software that can, unbeknownst to victims, turn their computers into spamming foot-soldiers for criminal networks. One Web site advertises software that can capture information for a popular Internet secured-payment provider for $500 — discounted to $400 for the first 100 buyers.

Skimmed credit card numbers and other personal-identity information stolen from computers also can be found for sale on Web sites, Fraser said. “When police shut these Web sites down, they just mushroom up some other place,” he said.

Although the techniques of cyber crime have evolved, online criminals pray on human vulnerabilities like criminals throughout the ages. In the digital age, that means tempting with free downloads, money schemes and pornography.

The range of tools used by cyber criminals reveals the quick evolution of the industry. Viruses — the first generation of the computer culprits — are used for the computer equivalent of vandalism, as the malicious programs replicate, spread and damage computers.

“When the company was set up, we were seeing two or three new viruses a week,” said Mahendra Negi, chief financial officer of Tokyo-based antivirus maker Trend Micro. “Now there’s a new one every two-and-a-half seconds.

“With the arrival of spam in 2001 and 2002, the big difference was it was commercial malware,” Negi said. “Once money became involved, the level of sophistication raised a hundred-fold.”

Now the biggest threats include “phishing” schemes and “botnet” attacks.

Phishing is where criminals masquerade as a legitimate business or Web site and trick victims into revealing passwords, credit card information and other personal data.

Botnet attackers commandeer personal computers as part of a large network of “zombie” computers that, on command, target companies for spam attacks to cripple IT capabilities. Botnets — some of which are large enough to deploy tens of billions of spam e-mails a day — are often used in extortion schemes.

“They ring up the IT manager of a company and say, ‘Pay us a million or we’ll take you down’,” said Fraser, who has worked with companies victimized by botnet attacks.

Companies often pay up and shut up, computer experts say, rather than report the crime and garner publicity that may hurt their corporate reputation.

And unlike prankster virus-makers, these malware makers are determined to stay hidden.

“Once it became a business, then (cyber criminals) began to look at what companies like us were doing, and figure out weaknesses,” he said. “They are very customer friendly … they sell updates, they will highlight what the product does and what antivirus software can’t detect them.

Adding to the difficulty is the legal situation that in many jurisdictions, it is not illegal to create or sell malware.

“It’s like the arms industry … it’s not a crime to build and sell them,” Negi said.

And because of the transnational nature of the crime, it’s extremely difficult to prosecute. A scan of 500 headlines on Internet-related arrests from newspapers around the world the past two years found about 90 percent were related to child-pornography cases.

“Child pornography is easier to prosecute because it is possible to find the evidence on the perpetrator’s computer systems,” said Spafford of Purdue University.

With applications such as instant messaging and threaded SMS popping up on handsets, are we getting lazy, or is this the dawn of a new email-free mobile communications era?
By Clare Hopping. Feb, 2009.

Communicating on the move is becoming more and more important in the world of business, as mobile working becomes more of a reality and mobile devices allow for such trends.

Applications such as Google’s suite of communication tools and Microsoft’s Windows Live Messenger are now coming preloaded on smartphones, so it’s no surprise that these apps are getting more and more popular.

Growing popularity

Google estimates there are 50 million+ Google Talk users on the open standard XMPP network, sending billions of messages every week. As the application is based on open standards, consumers on all different phone platforms have a variety of IM applications to choose from that all work with Google Talk.

Seth Demsey, lead product manager at Google, said that people want to communicate with each other regardless of what platform or device they are using. Mobile integration allows for presence when users are away from their PCs – and thus becomes increasingly useful as mobile devices are becoming more pervasive.

“The value of an IM network is not in the number of total users so much as in the number of users who are available to communicate, across platforms, operating systems and devices,” he told IT PRO.

James McCarthy, head of business marketing at Microsoft, agreed that all ways of communicating are advantageous.

“The various communication methods all have their place in interacting with others. For example, IM is good for a real-time conversation, often used when you can identify that someone is online and you want a relatively informal dialogue,” he told IT PRO.

“SMS has a store-and-forward capability, so you can text someone and be sure that they will get it soon, even if not instantly. Finally, email is perfect to send attachments, or to a large distribution of people, maybe in a more formal way.”

Working together

The boundaries of collaboration are certainly changing and how people choose to communicate in social situations can creep positively into the workplace as well.

McCarthy explained that he can certainly see a world where many types of communication avenues sit alongside each other, with individuals choosing the most suitable based on the situation.

“If your colleague is online and you need a quick question answered, use IM. If not, send a text. If you need to pass on information or have multiple people involved, an email is more appropriate,” he explained.

“If you want a more personal interaction, call them on the phone. The more innovative ways we find to communicate with each other, the more we’ll find that we can collaborate quickly and easily and drive better more productive relationships,” he added.

“Blogging also has a place in the modern business world – the exchange of ideas between people is very powerful and, with the appropriate thought, works for business as well as personal contexts.”

Threading it together

Another feature appearing on handsets more and more is threaded text and email conversations. Palm has announced it on its new Palm Pre, and it is already installed on many Windows Mobile, BlackBerry and Symbian handsets in addition to the Android-based T-Mobile G1.

McCarthy thinks that threaded SMS/IM certainly can – and does – replace email in specific situations, but not where a lot of information needs to be conveyed, or perhaps where there’s an email chain developing between people, or with information or attachments being forwarded to others.

“We believe that the role of technology like SMS messaging is to facilitate communication, regardless of whether this communication happens in office buildings across time zones or between friends within the same city,” Demsey explained.

McCarthy agreed. “There’s certainly a use for threaded SMS for certain interactions – a quick dialogue requiring only short communication between two people, where the recipient may or may not be immediately available.”

Always room for email

Although both agree that new technologies including blogging, IM and threaded SMS conversations will grow, there is always the place for email.

“I think email will always have a useful place in the working world, but simple one-to-one email conversations clogging inboxes may decline over time,” explained McCarthy.

Other trends will be the convergence of fixed and mobile communications, whereby the barriers between the two melt away and cost is and will continue to be an inhibitor/driver for different communications methods too.

The PC and internet revolution has driven demand from users to be able to interact with people and information in many different ways, using technology. To do this on a mobile, you need a smarter, more powerful device in your hand, able to run more advanced applications and securely handle information that passes between servers based in offices, out to workers wherever they need to be.

Yet mobile email will never cease to exist. All major manufacturers and platforms are working together to improve the email services we use.

BlackBerry’s Exchange server (BES) is probably the most popular in business communication. Email is instant, and always has been, meaning businessmen can pick up emails wherever they are. BlackBerry’s email also features an advanced search option so you can instantly find the email you’re looking for, as you would while using a computer-based email program such as Outlook.

Microsoft’s Windows Mobile OS only introduced full push email in 2007, which means it was quite a latecomer considering Microsoft is the king of PC-based email services. However, not all service providers are compatible with Windows Mobile, meaning you may not be able to get your particular email account installed easily.

Nokia has recently introduced Nokia Email to support its fully operational Mail for Exchange service. Mail for Exchange is fully compliant with Microsoft’s Exchange Server and Active Sync, meaning it’s seamless to set up and operate/manage from either your PC or handset, just like Microsoft’s option is. The interface of Nokia’s Mail for Exchange is not as easy to use, although is designed more for consumers than businessmen.

The iPhone’s push email service is the most disappointing. Considering the iPhone’s user interface is so simple, it’s disappointing that you can’t search for a particular email, and the service wasn’t even fully exchange-based until the 3G iPhone was introduced with a substantial software update.

Looking forward

So where does the future lie for business communications?

Demsey believes that as high-speed wireless networks become more ubiquitous and hand-held computing devices become more powerful and affordable, new methods of communication and interesting twists on existing methods of communications are inevitable and welcome.

“We’ll continue to see communications expand along three major axes: who can communicate, where they can communicate from, and the form of the communication – be it IM, SMS, email, voice, VoIP, Video or whatver’s next,” he added.

For mobile news and reviews, check out Know Your Mobile.

A step-by-step guide to how a criminal could pick up your email address and password – all they would need to get into an email or social networking account.
By Asavin Wattanajantra. Nov, 2008.

Scammers are moving away from email to social networks, taking advantage of insecure accounts to send real-looking scam messages.

But how are criminals doing this? Trend Micro shared an example of how an account is hacked – from the original message a user will receive, to the point where the domain owner makes business by harvesting emails.

The Scam

First of all, a message is sent to a user on Facebook, MySpace, Bebo, or a similar social network. It says: “Did you know your profile pic is over gabblebase.com?”

If you click on www.gabblebase.com – it’s not a malicious link, but you may get seriously annoyed by the fact it’s difficult to get away from the page – you can follow the steps through with a fake identity to see how it works. One of the options you will get is to put a password for your pictures.

The tendency for some users is to use a common password for every site that they use. If a user opts for a password they use for the social network they were originally sent the message for, they’ve done three things: they’ve showed what social network they’re on, given an email address, and given a password – all you need to hack a Facebook or email account.

The fake site has a disclaimer claiming it will never send spam to your email address and is not a MySpace or Facebook login page, a clever way of making the user feel more comfortable.

Researching Gabblebase, Trend Micro revealed that it was linked to a server in Las Vegas run by someone called Adam Arzoomanian. He owns 423 domains in total, to avoid being blocked by filters.

The Business Model

Trend Micro revealed that the domain of the site was Chinese and called ‘dreamstarmail’. The owners of the site now have all the details that they would need to enter a social networking or email account – and therefore send messages in an attempt to part users from their money.

Members who referred users to this criminal site also had the potential to earn money by taking a percentage of the profits the email harvesters made.

Trend Micro security advisor Rik Ferguson said: “This neat little social engineering trick is relying on users’ habit of using common passwords, so now the criminal would have your email and your password. It’s pay day.”

What will next year hold in the ever-changing world of IT security?
By Asavin Wattanajantra. Dec, 2008.

New tech means new ways for criminals to attack systems. Next year will see hackers get smart about cloud computing, social networking and more. Here’s our top ten threats to keep an eye on…

Malware 2.0

Malware will increasingly target Web 2.0 as well as cloud services. New cloud-based services – such as Amazon Web Services and Microsoft Azure – are vulnerable new targets for cybercriminals or spammers.

The cloud could be used simply to send spam, but it also could launch sophisticated attacks such as hosting malicious code for downloads.

Web 2.0 has also created an environment where malware can change depending on an event or a situation. Separate harmless bits of malware can be constructed to combine and maliciously attack.

A good example of this is with mash-ups, where data from many websites can be reconstructed to create something malicious.

Malware-as-a-service becomes more common, which will allow automated malware to be bought and sold to order. This will be a big problem, as it lowers the technical level needed for criminals to become online fraudsters.

An explosion in new malware variants and web threats

Anti-virus vendor Symantec claims that new strains of malware consisting of millions of distinct threats can propagate as a single, core piece of malware. This will create a number of unique malware instances.

Indeed, research has shown we have now reached an inflection point where we are now more malicious programs than legitimate ones. Businesses and vendors need to move away from signatures and concentrate on detection methods, such as the reputation-based approach.

As web services keep increasing, and as browsers start to move towards a uniform standard for scripting language, expect new web-based threats.

Social networking spam

As the year went on, criminals were gradually moving from email-based spam to different techniques. One of these was social networking spam, where websites such as Facebook and MySpace were targeted.

Personal information is gold to the bad guys, and they will learn better tricks to persuade users to give away their details and find ways to access private accounts.

The rise in popularity of social networking sites that allow user-generated content will be a problem. Web spam will increase as will malicious posting into user-forums and blogs.

Security firm Websense claims that new web attack toolkits have emerged that allows attackers to discover posts and/or have vulnerabilities. Bots may also add more HTTP post functionality among their many capabilities.

More legitimate website hacking

It arose as a big problem in 2008 and is sure to continue next year, as criminals realise that hacking a legitimate website is a great way to persuade users to click and downloads malicious files.

Many users are still unfamiliar with web-based malware and 2009 could a boom year as cybercriminals look to capitalise on this ignorance. It is a very recent evolution to exploit flaws in browsers and web servers, and new toolkits are now constantly being made to take advantage.

The fact that these toolkits often don’t need users to have a great technical knowledge lowers the barrier for entry for cybercriminals and pushes the threat level even higher than before.

Unemployment creates more cybercriminals

The credit crunch will affect the security landscape in a number of ways. One of the scariest prospects is that the economic downturn will make it tempting for unemployed IT workers to use their technical knowledge to commit internet crime.

It’s a very lucrative business – and as mentioned before – the growth of malware-as-a-service will make it very easy for people to make money on the web, even if they lack the right technical knowledge.

It could also be a problem in developing countries, as the lack of IT jobs could force qualified and skilled technical workers into the arms of criminal gangs, who will exploit their skills in aid of making money over the web.

Security budgets unlikely to grow

Although the threats keep multiplying, most would agree that in the current economic climate, budgets are unlikely to grow significantly.

This means that there will be more consolidation in the security field and means that instead of multiple boxes carrying out single functions, it will be consolidated into single boxes.

In 2008 this has already been happening, but with budgetary pressures there is no doubt this will accelerate.

It will also be interesting to see how the new focus on data security will affect the way businesses work, and whether there will be a change of focus in security to securing the data, rather than protecting the network.

Mobile computing hacks

The growth in popularity of smartphones will make them a bigger target to criminals as they will not have the security protection that PCs have had for years.

Applications and associated data will be accessed from anywhere and make them a big target for hackers. IT administrators need to be on their guard as these threats will have multiple points of entry, targeting different devices and applications.

This is made even more important by the fact that the use of mobile internet will have increased significantly by the end of 2009.

The value of the data that new sophisticated phones will carry will mean that subscribers will expect mobile operators to take greater security measures to protect personal data, especially when mobile commerce takes off.

The new generation of botnets

At the end of 2008 many of the biggest botnets were taken down with the closing of the McColo server. MessageLabs predicted that these will find new hosting services in countries such as Russia or China, improving botnet technology.

A particular sophisticated type of botnet that was described takes the form of hypervisor technology, with malware existing as a virtualisation layer running directly on the hardware and incorporating key operating system calls.

The “real” operating system remains unaware of the existence of underlying malware controlling the computer. Particularly technical attacks like SQL injection and cross-site scripting will also continue, and become more commonplace in 2009.

Cyber hacking on virtual worlds

Like social networking, hackers are likely to move away from the traditional forms of email spamming and move towards the potential goldmine of virtual worlds.

This could be gaming universes like World of Warcraft, or more social reality-based worlds like Second Life, where stolen virtual goods could be sold for real hard cash.

Users are often more relaxed about their personal details in online worlds, and this means that there could be a good opportunity for criminals to create technology which steal this data.

The increasing use of virtual worlds by businesses will also be a factor, as the value of data that these worlds will carry may grow significantly. This will make it more profitable, and therefore attract more criminals.

Reputation hijacking flourishes

The vulnerability in the design of the Domain Name System (DNS) found by Dan Kaminsky could in theory poison a server’s cache causing people sending emails or requesting a website to be given the wrong IP address.

This could mean victims are sent to a fake website which is looking for personal details, but looks perfectly real. If organised gangs manage to exploit this DNS vulnerability it could mean a whole different set of problems in 2009.

There was a multi-vendor patch deployed in August to protect servers from attack, but it has been made clear that the vulnerability had only been slowed down – not eliminated.