Dec. 30, 2008 at 8:00 AM ET
At 12:30 a.m. on Dec. 2, hackers pulled off what might have been the perfect computer crime. You can expect a host of imitators during 2009.
Beginning early that morning and continuing for nine hours, customers who visited MyCheckFree.com to pay bills made an unexpected visit to computer servers in the Ukraine. The customers did nothing wrong; many followed a bookmark or even typed in the Web address manually, as security experts advise. And Checkfree didn't do anything wrong either. The company's computers weren't hacked.
Instead, criminals hijacked all traffic headed for the bill-paying service by tricking the Internet's domain name server system, which links common Web site names like msnbc.com to their numeric equivalents.
Checkfree had to send out notices to 5 million customers indicating they might have been victims of identity theft, though the number of visitors actually affected by the scam was probably closer to 160,000, according to the Wisconsin Office of Privacy Protection.
If you're wondering what computer headaches you should expect in 2009, the Checkfree attack should be high on your list, says Amit Klein, a domain name system expert at The Trusteer Security Research Group. He compared the attack to a phishing attack on steroids, and said it will probably keep security professionals up late at night. None of their fancy security tools can ward off complete interception of traffic headed to a Web site.
"(This attack) can bypass sophisticated network, authentication and end point security mechanisms," Klein said. “It is likely to become more common (next year).”
Once again, 2008 failed to bring a virus that brought the computer world to its knees. In fact, it's hard to imagine a worldwide attack on software that would have the impact of the notorious Melissa or LoveBug viruses, which stopped so many PCs that they created the equivalent of a snow day for office workers.
Targeted attacks and cell phones
The Checkfree attack serves as a reminder that computer criminals favor small, targeted, profitable attacks over loud, obnoxious ones. You don't hear much anymore about "bot networks," those armies of hijacked home computers that made headlines two years ago. But experts still believe millions of home PCs are enslaved by criminal software. As evidence, they point to the continued nuisance of spam, which represents about 81 percent of all e-mail and mostly originates on hijacked PCs, according to spam-fighting firm MessageLabs.
Even the latest hacker fad -- attacks on social networking sites like Facebook -- is designed to quietly gather personal information rather than noisily destroy Web sites.
Don't get me wrong: I'm not saying we'll never have another computer virus epidemic. The next big nemesis, many security experts say, will not be a virus that slays personal computers, but one that wreaks havoc with your cell phone.
For years, technology writers have penned stories predicting that the coming year will be the one in which an ominous mobile worm destroys handsets, calls all your friends and hacks into e-wallets to purchase thousands of cans of Coke from e-pay enabled vending machines in Japan.
All these things will happen. Smartphones will one day meet their match in the virus writing community. But I'm going to side with security researcher Vincent Weafer of Symantec, who proved to have a clear crystal ball a year ago when predicting the rise of Facebook-style attacks, and say that a mobile virus epidemic this year is unlikely.
Weafer thinks a killer smartphone virus is still a ways off, particularly because smartphones still account for just 11 percent of the cellular phone market, according to research firm Gartner. He reasons that virus writers won't focus their attention on cell phones until they believe they can knock a significant portion of them offline with a single worm.
More to the point, Weafer said, mobile phone attacks won't really take off until mobile banking takes off. Criminals go where the money is. And in countries like Brazil and China, where many viruses now originate, mobile banking is still several years off.
Other mobile phone features are ripe for attack, however. Weafer warned that authentication tools like password reminders are vulnerable. Many firms now send password resets or PIN codes through text messaging to telephones. It's generally considered safe for a Web site to send a password reminder to a cell phone number stored when customers sign up, a technique that's called "out of band" authentication. But criminals have caught on to that vulnerability and are hard at work looking to intercept such messages.
COMING NEXT YEAR
In addition to flying PINs, what should you watch out for next year to stay cybersafe? The Checkfree incident points to a larger problem:
There are new reasons not to trust the Web sites you visit. Getting a virus by clicking on an infected attachment is now passé; if your computer gets sick next year, it will probably be because you visited a booby-trapped Web site.
The Checkfree attack is just one way that criminals can take advantage of well-known brand names to attack your computer. Thanks to the proliferation of Web 2.0 services, which increasingly rely on third-party content that is “sucked” into traditional sites, there are new ways for criminals to place corrupt code on otherwise trustworthy pages. Attackers have spent the better part of this year finding vulnerabilities in Web software so viruses can be injected onto Web servers, so that you'll download them even if you only visit sites you trust.
Right before Christmas, Microsoft had to rush out a patch for a vulnerability in Internet Explorer that allowed just such an attack. The firm said that 1 in 500 Net users were exposed to the flaw during its first week of exploitation.
Mary Landesman, a virus expert at the ScanSafe security firm, said Web-delivered malicious software exploded at the end of 2008 -- in fact, more viruses were delivered this way in October than the entire year of 2007. As in the heyday of e-mail worms, she thinks Web-delivered viruses may get “out of control” during 2009 before companies rein them in. Unfortunately, in some cases the cure may be worse than the disease.
Most Web sites rely on third-party firms to place ads on their sites, and Landesman expects frustrated software designers will begin blocking all third-party connections or scripting to stop viruses.
To stay safe, Internet users must know that Web sites -- even trusted ones -- have the potential to infect their computers under certain circumstances. That means it is more important than ever to run up-to-date security software and to download the necessary patches. It's also important to know which sites the kids are visiting, as Web site attacks are more common on less popular sites like music download haunts and second-tier game sites. Users might consider turning off scripting capabilities in their Web browsers, but that means many popular Web sites won’t work properly.
Criminals are becoming much more precise with identity theft-related scams. By now, it seems absurd that anyone would fall for a traditional Nigerian scam promising riches from a recently-deposed royal family. But Weafer, the Symantec expert, said con artists are compiling databases of information that allow them to personalize attacks in believable ways. New Nigerian scams come bearing the recipient's first name, perhaps their hometown and in some cases, allude to other personal information such as family members.
Where does this information come from? It's easily gleaned from social networking sites like Facebook.
"What we're talking about is much more like data mining," Weafer said. In the underground data trade, criminals now pay much more for data sets that include geographic location or employment information, Weafer said.
Criminals are using social networking sites to trick "Forgot your password?" features on many Web sites. By gleaning information such as victims' pet names, school affiliations and middle names, criminals can sometimes pass the "question" challenges provided by sites to authorize password retrievals. Then, they get their hands on login information for private e-mail, corporate networks and even online banking.
Cybercriminals will continue to hit people where they are most vulnerable, targeting the recently unemployed. Security firm McAfee warned in November that work-at-home scams have skyrocketed. Scams that offer to help victims file for unemployment benefits -- tricking them into paying for something that should be free -- also have risen.
Finally, expect more lost and stolen data next year. The year 2008 brought remarkable data breaches and thefts, including 4 million credit cards exposed to hackers by grocery chain Hannaford Brothers, announced in March; 12 million customer identities lost on a backup tape by Bank of New York Mellon in March; 3.4 million motor vehicle records transmitted online by the Colorado motor vehicle department; millions of birthdays inadvertently exposed by Facebook; and 2 million identities stolen by a former Countrywide Financial employee. There’s no reason to believe that depressing trend won’t continue.