Hackers' infections slither onto Web sites

It was the year when cybercriminals targeted everything from MySpace to Wikipedia. Even a Web site maintained by a Kentucky Boy Scout troop wasn't safe for casual browsing.

Computer-security experts said 2006 was also the year that hacking stopped being a hobby and became a lucrative profession practiced by an underground of computer developers and software sellers. Like true business people, bad guys not only broadened their reach by attacking popular social-networking sites, they also diversified their product line by launching attacks through popular software applications like PowerPoint and Adobe Reader and expanded their activities overseas.

Software makers who try to stop online crooks say they are bracing for a new level of nastiness in 2007, including malicious Web sites that are booby-trapped with software that automatically loads itself onto machines of users who simply visit a site.

"Hackers realize they have a limited time before their attacks are blocked, so they are opening up their arsenal and trying everything possible," said Yuval Ben-Itzhak, chief technology officer of Finjan Software, an Internet security company headquartered in San Jose, Calif.

Alex Eckelberry, president of Sunbelt Software, predicts attackers will target Windows Vista, Microsoft's new operating system. "The problem is Microsoft has thrown down the gauntlet and said, 'We have a secure operating system,' " he said.

Eckelberry, whose company is developing software for Vista, said his developers have already found bugs — an indication that the software could be vulnerable.

Focus on security

Computer-security researchers and companies of all stripes will converge at the Moscone Center in San Francisco today through Friday for the 16th annual RSA Conference.

RSA is both a security company, housed within information-management and storage-giant EMC, and an electronic security system.

Several big names are scheduled to give keynote speeches at the event, including Microsoft Chairman Bill Gates, Symantec Chairman and CEO John Thompson, Oracle CEO Larry Ellison and former Secretary of State Colin Powell.

Vista flaws

Microsoft has acknowledged Vista flaws. Meanwhile, the criminal underground has begun peddling information about Vista's vulnerabilities, one of the many ways unscrupulous programmers have found to profit from their expertise.

Other scams include combining a traditional pump-and-dump stock scam with the takeover of online brokerage accounts and renting out vast networks of zombie computers, known as botnets, to other digital desperados.

"The first viruses were nothing but mischief," said David Moll, chief executive of Webroot Software. "Now that there is money to be made, it has changed the game entirely."

"Cybercriminals are now more creative, organized and business-savvy," according to a recent report from Websense, a San Diego computer-security company. "True 'companies' have emerged, producing and selling tool kits and developing business-partner programs that enable less-technical, 'traditional' criminals to steal data and make money — lots of it."

It used to be that the biggest cyberthreats came from e-mails infected with pernicious worms and viruses. No longer.

According to Ben-Itzhak of Finjan Software, the Web itself is spreading infections, thanks to tens of thousands of sites carrying code designed to let an outsider steal information from someone's computer.

Some of the code is designed so that it automatically downloads itself the minute a user accesses a Web page. Other sites prompt a user to accept what seems to be legitimate software but is actually a malicious program.

Last summer, some MySpace users who had forgotten to patch their computers were infected by a banner ad that silently installed spyware on their computers, according to iDefense Labs, a division of VeriSign.

According to Websense, during the first half of 2006 there was a 100 percent increase in sites designed to install forms of "crimeware" that could log keystrokes or record information entered into online forms.

Altogether, Websense counted 16,663 sites that carried code for stealing passwords, including banking passwords, during that period.

Microsoft's security team, which has one of the most comprehensive sets of data on security risks, said it removed 10 million pieces of malicious software from nearly 4 million computers during the first half of 2006.

Safety concerns

"The Web is not as safe as people think," said Roger Thompson, chief technology officer of Exploit Prevention Labs, a security-software maker based in New Kingstown, Pa. "People think as long as they don't go to porno sites, they are safe, and that's a misunderstanding."

Infected sites include ordinary sites that have been compromised by a hacker. That's what happened to a Boy Scout troop in Independence, Ky., as well as to an Austin, Texas, restaurant specializing in home cooking.

"To be honest with you, we are all so low-tech ... we are pretty much helpless at this point," said Mike Adair, a manager at Hoover's Cooking, who said the restaurant knew something was wrong but didn't know how to fix it.

Dangerous Web sites also mimic well-known brands. In November, cybermiscreants created www.wikipediadownloads.org then posted a link on the German site of Wikipedia, the international encyclopedia written by users.

Jimmy Wales, founder of Wikipedia, said the link was discovered within a minute and taken down. But the threat was serious; the impostor site carried software that allowed a hacker to control the computers on which it was installed, said Ron O'Brien, a senior security analyst at Sophos, which manages digital threats for a variety of business and government entities.

The technique of creating deceptive Web sites is known as phishing. According to the AntiPhishing Working Group, the number of phishing sites reported to the coalition increased 70 percent to 26,877 in October, compared with 15,820 in October 2005.

Booby-trapped sites turn up in search results. A recent study by McAfee, a security-software maker in Santa Clara, Calif., found that 1 in about 1,000 Web sites appearing in popular search results carried code designed to attack someone's computer.

Software alert

McAfee provides a free Site Advisor software plug-in that alerts users about potentially dangerous sites. In addition, in early November, Google started warning users who clicked on search results that Google thought could be dangerous.

In an explanatory note posted in its Web-search help center, Google said the sites it flagged could carry software that could "delete data on your computer, steal personal information such as passwords and credit-card numbers, or alter your search results."

Other companies, like Exploit Prevention Labs, sell software designed to prevent malicious code from hurting people's computers as they wander the Web.

Security experts say the most important thing ordinary Internet users can do is to make sure all the software they use is up to date, and that they run anti-virus software, a firewall and a spyware scanner.

"The rules for happy living on the Internet are to patch your machine religiously and don't install or view attachments unless you are sure of what you are getting," said Eckelberry of Sunbelt Software.