Many consumers are still complacent about online security, our survey shows. Nineteen percent of respondents said they didn't
have antivirus software on their computer, 36 percent didn't have an antispyware program, and 75 percent didn't use an antiphishing
toolbar.
Only 6 percent used free services such as SiteAdvisor.com or StopBadware.org (to which Consumers Union, the publisher of
Consumer Reports, is an unpaid adviser) to learn about dangerous sites. Almost 5 percent of households with broadband, a projected 3.5 million
nationwide, don't use a firewall.
Phishing still thrives because the tools, including sophisticated kits complete with authentic-looking corporate logos, can be downloaded
cheaply and easily.
Tactics for manipulating consumers are now so refined that it's tough for even the most informed consumer to tell a fake e-mail,
like the one shown in the box on the facing page, from a real one. So some savvy consumers no longer click on Web links in
any e-mail that claims to come from a financial institution and references their account.
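One way to turn that wariness into a check, added here as an example and not part of the original article: the script below pulls every link out of an HTML e-mail and flags the tricks phishers use to make a link look legitimate: a link host that isn't under the bank's real domain, a raw IP address in place of a name, a `user@host` URL (where the browser goes to the part after the `@`), and link text that shows one address while the link goes to another. The sample e-mail and the bank domain `examplebank.com` are constructed for the example.

```python
"""Flag links in an HTML e-mail that use common phishing tricks.

Added example, not part of the original article. Assumes the e-mail body is
available as HTML text and that you know the bank's real domain; the sample
e-mail and the domain examplebank.com below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Constructed sample: one legitimate link followed by three phishing-style ones.
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account:</p>
<a href="https://www.examplebank.com/login">Online Banking</a>
<a href="http://www.examplebank.com.secure-update.example/login">www.examplebank.com</a>
<a href="http://192.0.2.10/examplebank/login">https://www.examplebank.com/</a>
<a href="http://www.examplebank.com@203.0.113.5/login">Verify now</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []     # finished (href, text) pairs
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name: 'www.examplebank.com' -> 'examplebank.com'.
    Deliberate simplification: it is wrong for suffixes like co.uk, where a
    real tool would consult the public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_ip_literal(host):
    """True if the host part of a URL is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text, expected_domain):
    """Return the reasons this link looks like phishing (empty list = looks fine)."""
    reasons = []
    parsed = urlparse(href)
    if "@" in parsed.netloc:
        # http://www.bank.com@evil.example/ : the browser goes to the part after '@'
        reasons.append("user@host trick: real destination is after the '@'")
    host = parsed.hostname or ""
    if is_ip_literal(host):
        reasons.append("link goes to a raw IP address instead of a domain name")
    elif registrable_domain(host) != expected_domain:
        reasons.append(f"link host {host} is not under {expected_domain}")
    # Visible link text that looks like an address but differs from the real target.
    shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
    if "." in shown and shown != host:
        reasons.append(f"displays {shown} but actually goes to {host}")
    return reasons


def suspicious_links(html, expected_domain):
    """Parse the e-mail and return (href, reasons) for every link that fails a check."""
    extractor = LinkExtractor()
    extractor.feed(html)
    flagged = []
    for href, text in extractor.links:
        reasons = check_link(href, text, expected_domain)
        if reasons:
            flagged.append((href, reasons))
    return flagged


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL, "examplebank.com"):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the first link passes and the other three are flagged, each with the specific trick named. A link that passes every check can still be a phish (a compromised page on the bank's own domain, for instance), which is why typing the bank's address yourself remains the safer habit.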
Malicious software often piggybacks on the same technologies we all rely on for new and innovative Web services, turning cyberspace
into a virtual battle zone pitted with technological land mines. Experts we interviewed described some of the newest threats,
often found in unexpected places. (You can protect yourself against them by following the dos and don'ts listed in
7 online blunders and other safety tips in our
Cyber Insecurity Guide.) Here are some of the most insidious:
Your search engine. As soon as a big news story breaks, underworld experts go to work creating malicious sites designed to land at the top of
a search on the topic. Go to one of them and you'll probably be attacked by malware. According to the Anti-Phishing Working
Group, more than 3,300 sites hosted password-stealing malware in January.
Your router. Researchers recently discovered criminals using malware to log on to home routers and change their DNS settings, the settings
that tell your computer which server answers to a given Web address. A tampered router can send a user to a rogue site even when he types
the correct address into a browser. "Criminals can create
an entire parallel universe to the real Internet," says Dmitri Alperovitch, director of intelligence analysis at security
firm Secure Computing of San Jose, Calif.
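A practitioner's check for this, added here as an example and not from the original article: most systems let you see which DNS resolvers your computer was handed (on Unix-like systems, in /etc/resolv.conf; the sample below is constructed in that format), and you can compare them against the ones you know to be legitimate, normally the router's own LAN address and the resolvers your ISP publishes. The addresses in TRUSTED_NETWORKS are made-up assumptions for the example.

```python
"""Flag DNS resolvers a tampered home router may have handed to your computer.

Added example, not part of the original article. It assumes you can read the
resolver list your computer is using (the sample below is constructed in the
format of a Unix /etc/resolv.conf) and that you know which resolvers are
legitimate: the router's own LAN address and the resolvers your ISP
publishes. The addresses in TRUSTED_NETWORKS are made up for this example.
"""
import ipaddress

# Constructed sample of a resolver list after a router's DNS settings were
# changed: the router (192.168.1.1) is still listed, but an unknown public
# resolver now comes first, so it answers every lookup.
SAMPLE_RESOLV_CONF = """\
# Generated by the router's DHCP server
nameserver 203.0.113.7
nameserver 192.168.1.1
search home.example
"""

# Assumed-legitimate resolvers (made up): the router itself and the ISP's
# published resolver block.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("192.168.1.1/32"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Address ranges used on home LANs (RFC 1918 plus link-local). A resolver here
# is at least local; anything else is a public server you should recognise.
LAN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
]


def parse_nameservers(resolv_conf_text):
    """Return the resolver addresses listed in resolv.conf-style text, in order."""
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(fields[1]))
            except ValueError:
                pass                                   # malformed entry, skip it
    return servers


def classify_resolver(ip, trusted_networks):
    """'trusted', 'untrusted-lan' (unknown but on a private range) or 'untrusted-public'."""
    if any(ip in net for net in trusted_networks):
        return "trusted"
    if any(ip in net for net in LAN_NETWORKS):
        return "untrusted-lan"
    return "untrusted-public"


def suspicious_resolvers(resolv_conf_text, trusted_networks):
    """Return (address, verdict) for each resolver that is not on the trusted list."""
    flagged = []
    for ip in parse_nameservers(resolv_conf_text):
        verdict = classify_resolver(ip, trusted_networks)
        if verdict != "trusted":
            flagged.append((str(ip), verdict))
    return flagged


if __name__ == "__main__":
    for address, verdict in suspicious_resolvers(SAMPLE_RESOLV_CONF, TRUSTED_NETWORKS):
        print(f"{address}: {verdict}")
```

A public resolver you never configured is the tell-tale sign. The check has a blind spot: if the router keeps handing out its own LAN address as the resolver but has had its upstream (WAN) DNS servers changed, your computer's settings look normal, and you have to log in to the router and inspect that page directly. Changing the router's factory-default administrator password is the usual prevention, since a known default password is what lets malware log on in the first place.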
Forms on Web pages. Criminals are stealing data right off the forms you fill out on shopping and other Web sites. Called browser-in-the-middle
(or man-in-the-browser) attacks, they're made possible when malware is inserted into your browser, usually Internet Explorer because it's the most
widely used. The malware reads the personal information from the form itself as you submit it, then sends it to the criminal. Because it
takes the data inside the browser, it works even if you use the browser's auto-fill feature instead of typing, and even if the site uses an
encrypted (https) connection, since it grabs the data before the browser encrypts it.
Internet red zones. Security software maker McAfee has identified almost 12 percent of sites with the .info suffix as risky. McAfee also found
that you're about 16 times as likely to encounter malware by visiting Web sites based in Romania (with a .ro suffix) as by visiting
sites in general. But you need not visit a foreign site to get into trouble: More phishing sites are hosted in the U.S. than
in any other country.
Slick Web sites. Web sites with a snappy user interface might be using design techniques that can make them more vulnerable to cyberthieves.
Ed Skoudis, co-founder of Intelguardians and a fellow at the SANS Institute, which trains security experts, cites AJAX technology
as one that's especially vulnerable. "Bad guys like the magic of AJAX," he says. Skoudis adds that having vulnerable AJAX
applications on a site lets criminals insert their own software to perform tasks such as tracking the sites you visit or attacking
another site. Similar tactics are also employed with Flash technology, often used for Web animation, he adds.
Social-networking sites. Hangouts such as Facebook and MySpace are perfect havens for spyware because people who frequent them often drop their guard.
"There's been a rise in threats trying to take advantage of people in social networking sites," says Ben Edelman, assistant
professor at Harvard Business School. "Ads there tend to be sneaky. They might offer 'free' ringtones that are not free but
cost $10 a month."
Social-networking sites are also being hit by spam that uses new variations on old tricks, such as a fake profile that's actually
an ad for a dating site. But MySpace is fighting back. It recently won a $234 million judgment against two spammers who sent
e-mail to its members.
Software and data files. Whether downloaded or opened as e-mail attachments, programs, or data files that exploit flaws in the common applications
that open them, can infect your PC. "It's been a bad year for Adobe Reader, RealPlayer, QuickTime, and Microsoft Office," Skoudis says. Computers so infected
can be gathered into groups called botnets, sometimes comprising hundreds of thousands of PCs, that send out spam, phishing
e-mail, and malware.
A recent one, the Storm botnet, was so large that its owners rented it out to other criminals. Last year, the FBI's Operation
Bot Roast program uncovered a million compromised PCs and phishing losses of more than $20 million from botnets.