Data scams have kicked into high gear as markets tumble

By Byron Acohido and Jon Swartz, USA TODAY


Cybercriminals have launched a massive new wave of Internet-based schemes to steal personal data and carry out financial scams in an effort to take advantage of the fear and confusion created by tumbling financial markets, security specialists say.

The schemes – often involving online promotions touting fake computer virus protection, get-rich scams and funny or lurid videos – already were rising last fall when financial markets took a dive. With consumers around the world panicking, the number of scams on the Web soared.

The number of malicious programs circulating on the Internet tripled to more than 31,000 a day in mid-September, coinciding with the sudden collapse of the U.S. financial sector, according to Panda Security, an Internet security firm.

It wasn’t a coincidence, says Ryan Sherstobitoff, chief corporate evangelist at Panda.

“The criminal economy is closely interrelated with our own economy,” he says. “Criminal organizations closely watch market performance and adapt as needed to ensure maximum profit.”

Among those caught in the most recent barrage of scams was Justin Terrazas, 27, a beverage merchandiser from Seattle. He clicked on a Web link that infected his MacBook Pro laptop with a data-stealing program. Not realizing the laptop was compromised, Terrazas later typed his Bank of America debit card number and PIN to pay his Verizon cellphone bill online. The data-stealer swiftly siphoned his information.

A few days later, someone used Terrazas’ debit card account to make a $501.41 online purchase from a designer clothing store. The merchandise was shipped to London, leaving Terrazas to unravel a big mess.

“This is definitely something you don’t need in your life,” he says.

The boom in cyberthreats that occurred during the last three months of 2008 could accelerate, especially if the economy continues to falter, security specialists say. Organized cybercrime groups have become increasingly efficient at assembling massive networks of infected computers, called botnets, and deploying them to amass large caches of stolen data, according to several surveys and dozens of interviews with security and privacy analysts. Meanwhile, scammers have honed the trickery used to turn stolen data into cash.

“There is a well-funded, well-educated horde continually probing for cracks and finding their way in” to consumers’ financial information, says Roger Thornton, chief technology officer of security firm Fortify Software.

“They are breaching … the highest levels of the global finance infrastructure and a majority of our home computers.”

Last fall, virulent programs called Trojans began to circulate more widely in e-mail and instant-message spam, got embedded in tens of thousands of popular Web pages and spread in a widening barrage of online ads. Click on the wrong thing, and you would download an invisible Trojan crafted to steal sensitive data and allow the attacker to control your computer.

All types of con games – from e-mail phishing scams, which try to trick you into typing sensitive data at fake websites, to cyberhijacking, in which crooks use stolen user names and passwords to pilfer online accounts – increased, according to security firms, government regulators and law enforcement officials.

Targeting data storehouses

Hackers also are intensifying attacks on data storehouses.

Last week, Heartland Payment Systems disclosed that intruders cracked into the system it uses to process 100 million payment card transactions a month.

And Tuesday, Monster announced it would impose a mandatory password change for all North American and Western European users of its popular employment website. Thieves recently broke into Monster’s databases to steal user IDs, passwords and other data that could be useful in a variety of scams.

“There are limitless opportunities in data of this quality,” says Robert Sandilands, anti-virus director at the security firm Authentium.

To cybergangs, the implosion of the financial markets and widespread job cuts have translated into more opportunities.

Not long after banking giant Wachovia failed, phishing e-mail began circulating asking current and former customers to type in personal information to a website to complete mandatory installation of a new Internet security certificate. The website was a counterfeit, and some users who fell for the scam had their computers infected with the Gozi Trojan, which funnels stolen data to a computer server equipped to instantly sell the data to other criminals, according to the security firm SecureWorks.

Some thieves have stuck to the path of least resistance, snaring account user names, passwords and Social Security numbers. Cybercrime groups have gone further, sending tainted links in e-mail and instant messages, and spreading viruses via the direct messaging systems used on the social-networking websites Facebook, MySpace and Twitter.

Facebook encourages users to report any suspicious messages, but there’s only so much it – and the other networking sites – can do to stop cybercriminals.

“We’ll investigate and take appropriate action, which may include disabling the sender’s account and blocking certain links from being posted,” says Facebook spokesman Barry Schnitt.

But cybergangs now routinely activate hundreds of accounts by the minute, dedicating them to criminal pursuits.

Tainted links also are increasingly turning up in routine search queries on Google, Yahoo search and Windows Live search. The search companies also say they can do little to stem the rising tide of cybercrime. Google spokesman Jay Nancarrow says only that the search giant has “strict policies” against fraudulent practices, which it takes pains to enforce.

The FBI and Secret Service have created partnerships with police agencies around the world to combat cybercrimes. U.S. agents have been able to infiltrate several organized crime groups to make dozens of arrests, says Shawn Henry, assistant director of the FBI Cyber Division. Even so, “The offense tends to outpace the defense,” Henry says. “The cyberthieves are extremely creative.”

The threat from insiders

Some cybercriminals have begun to spread malicious programs by corrupting online banner ads. Security firm Finjan reports that new tools being sold on criminal forums can be used to infect online ads that use Adobe’s popular Flash player.

The wide availability of such tools – and the fact that thousands of tech-savvy workers are being laid off in today’s economy – is raising concerns that some of the jobless might see cybercrime as a way to survive.

“Unemployed IT personnel potentially can find easy income by purchasing and using crimeware,” says Finjan CTO Yuval Ben-Itzhak. “We expect a rising number of people will try.”

Some novice cybercrooks won’t need anything fancier than a Web browser to get rolling. M. Eric Johnson, director of the Center for Digital Strategies at the Tuck School of Business at Dartmouth College, recently tried typing simple search queries, such as “insurance record,” in Google and on the Gnutella file-sharing network using the LimeWire client.

He collected 3,328 files with potentially sensitive medical information; about 5% held data that could be used to fraudulently buy drugs or bill treatments. Data thieves are using such simple steps, too, he says.

Data-stealing gangs could begin reaching out to laid-off or disgruntled employees who know their employers’ tech systems, security experts warn. Database security firm Application Security’s recent audits of 179 organizations found 56% had suffered at least one data breach in the past 12 months. The survey does not reveal how any particular breach happened.

“It’s a three-legged beast,” says Pat Clawson, CEO of Lumension Security. “There is an absolute crunch in IT spending, there are more profit-minded hackers, and employees with access to valuable data” are willing to sell access to criminals.

About 75% of the 1,400 tech operations and information management professionals recently surveyed by Lumension and Ponemon Institute said cybercrime remains a major concern, despite efforts to thwart hackers.

“In the next year or two, these challenges will increase in both breadth and depth of threats,” says Larry Ponemon, chairman of Ponemon Institute.

‘It’s so easy’

In a recent episode that reflected the complexity of leading-edge attacks, three different thieves collaborated to steal $99,000 from a credit union, says Tom Miltonberger, CEO of security firm Guardian Analytics.

The first thief pilfered a credit union member’s online account user ID and password, and gave it to a second thief. That person then logged on several times to see images of cleared checks and to monitor the balance available on a pre-approved home equity line of credit, says Miltonberger, who investigated the case.

That information went to a third thief, who drew up a forged fax request with instructions to transfer funds from the home equity line of credit into the checking account, and then to wire those funds to another account. Because the forged signature was so good, the credit union carried out the transfer.

No one has been arrested in the case.

In another recent attack, someone acquired the user name and password for a system administrator at CheckFree, the nation’s largest e-bill payment system. Using those log-in credentials, an intruder gained access to CheckFree’s domain name service (DNS) account – an account that permits the administrator to redirect traffic trying to access CheckFree’s home page to other legitimate company pages.

For several hours, the intruder redirected anyone trying to reach CheckFree’s home page to a Web server in Ukraine that tried to install a password-stealing Trojan. Although as many as 160,000 customers may have been affected, none had any of his or her data stolen, says Lori Stafford-Thomas, a spokeswoman for Fiserv, the parent company of CheckFree. “CheckFree sites are all up and running properly and securely,” she says.
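The CheckFree incident hinged on one fact: whoever holds the DNS account can point a company’s home page anywhere. The defensive check is equally simple, and below is an added example of it (written for this page; it is not CheckFree’s, Fiserv’s or Trusteer’s code). It keeps a signed-off baseline of the records a zone is supposed to carry, compares what resolvers actually return against that baseline, and flags the signs of a repointed record: a value not in the baseline, an address outside the company’s own hosting ranges, a suspiciously short TTL, and expected records that have vanished. The zone name, addresses and answers are constructed for the example (RFC 2606 and RFC 5737 placeholder ranges), and the hijacked answer set is modelled on the redirection described above, not taken from it.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str    # owner name, e.g. "www.example-bank.test" (hypothetical)
    rtype: str   # "A" or "NS"
    value: str   # address or name-server target
    ttl: int     # seconds


# Signed-off baseline: what the zone is supposed to carry.
# Names and addresses are placeholders, not real infrastructure.
EXPECTED = [
    Record("www.example-bank.test", "A", "192.0.2.10", 3600),
    Record("www.example-bank.test", "A", "192.0.2.11", 3600),
    Record("example-bank.test", "NS", "ns1.example-bank.test", 86400),
    Record("example-bank.test", "NS", "ns2.example-bank.test", 86400),
]

# Address space the organisation actually hosts on; anything else is suspect.
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed answers modelling a registrar-account hijack: the home page's
# A record now points at an outside server with a short TTL; NS set untouched.
HIJACKED_ANSWERS = [
    Record("www.example-bank.test", "A", "198.51.100.77", 60),
    Record("example-bank.test", "NS", "ns1.example-bank.test", 86400),
    Record("example-bank.test", "NS", "ns2.example-bank.test", 86400),
]


def audit(observed, expected=EXPECTED, allowed_nets=ALLOWED_NETS, ttl_floor=300):
    """Return (finding, record) pairs for every deviation from the baseline.

    Findings: UNEXPECTED_NAME (owner/type not in baseline), UNEXPECTED_VALUE
    (known owner, unknown target), OUTSIDE_OWN_NETWORK (A record outside
    allowed_nets), LOW_TTL (below ttl_floor), MISSING (baseline record absent).
    """
    findings = []
    allowed = {}
    for r in expected:
        allowed.setdefault((r.name.lower(), r.rtype), set()).add(r.value.lower())

    for r in observed:
        key = (r.name.lower(), r.rtype)
        if key not in allowed:
            findings.append(("UNEXPECTED_NAME", r))
        elif r.value.lower() not in allowed[key]:
            findings.append(("UNEXPECTED_VALUE", r))
        if r.rtype == "A":
            addr = ipaddress.ip_address(r.value)
            if not any(addr in net for net in allowed_nets):
                findings.append(("OUTSIDE_OWN_NETWORK", r))
        if r.ttl < ttl_floor:
            findings.append(("LOW_TTL", r))

    # Baseline records that no longer appear at all (replaced, not just added to).
    seen = {(r.name.lower(), r.rtype, r.value.lower()) for r in observed}
    for (name, rtype), values in allowed.items():
        for v in sorted(values):
            if (name, rtype, v) not in seen:
                findings.append(("MISSING", Record(name, rtype, v, 0)))
    return findings


if __name__ == "__main__":
    for kind, rec in audit(HIJACKED_ANSWERS):
        print(f"{kind:20} {rec.name} {rec.rtype} {rec.value} ttl={rec.ttl}")
```

In practice the observed set would come from several independent resolvers, not just the company’s own, since an attacker who controls the registrar account controls what the authoritative servers say; the comparison logic is the same. Against the hijacked answers above the audit reports one unexpected value, one out-of-network address, one low TTL and two missing baseline addresses; against the baseline itself it reports nothing.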

But the attempt was a sign of things to come, says Amit Klein, CTO of security firm Trusteer.

“The moral of this attack is that it’s so easy to take over your (website),” Klein says. “I just need to get ahold of your user name and password once. And we all know how easy it is to get your credentials.”

Beverage merchandiser Terrazas knows all too well the downside of having one’s sensitive data stolen. He says Bank of America covered the illicit charge to his debit card and gave him a new card account number. But he had to alter several other financial accounts to reflect the change, and he no longer trusts using his debit card to pay bills or make purchases online.

“It’s a bummer that somebody took my information,” he says. “But if I don’t want this to happen again, this is what I have to do.”
