Cyber-thieves are getting better at what they do. That’s the major conclusion of the latest Internet Security Report released Monday by the Symantec Corp., maker of Norton security products.
“The attacks are more aggressive than ever and they’re more criminal than ever,” says Dave Cole, director of Symantec Security Response.
The bad guys are also more organized. The report says they are working together to create “global, cooperative networks” to support their criminal activity.
It’s not quite the Mafia, but there is an entire underground economy in place to deal with all the stolen information up for sale. Cole calls them “fraud communities.”
“It’s surprisingly professional these days,” he says, “with specialization and going market rates that are fairly well respected.”
This information is traded like any other commodity in an underground marketplace. There are even marketing promotions to entice buyers, such as volume discounts.
Symantec says the going rate for an active debit or credit card account number right now is anywhere from $1 to $6. A full stolen identity, including bank account information, date of birth and Social Security number, sells for $14 to $18. So you can see, to make any money, the identity thief has to keep stealing from new victims.
There’s a target on your home computer
According to the new Internet Security Report, home computers are now the prime target for cyber-thieves. In fact, during the last half of 2006, 93 percent of all targeted attacks were aimed at home machines. ID thieves know many of us store sensitive data, such as banking information, on our computers. They also know we often get careless when it comes to security.
Dave Cole tells me it takes too much effort to break into big financial institutions. The online thieves know they have a much greater chance of success stealing that information from you.
They want your account numbers and passwords, but they’re also after your log-ins to online services — banks, eBay, PayPal, or any other place where there’s something of value. If they can snag your e-mail contact lists, they can sell that information to spammers.
How they attack
Online identity thieves have two main ways to steal your personal information: by getting you to download malicious software onto your computer or by tricking you into giving them what they want. Phishing scams continue to be highly effective at snagging personal data.
Despite all the warnings about them, phishing scams are on the rise. Symantec’s Internet Security Threat Report shows that for the last half of 2006, the company’s security software blocked 8.5 million phishing messages a day, a 19 percent increase from the first half of the year. During that period, there were more than 166,000 unique phishing messages. That’s 904 new ones every day.
Phishing tends to spike around the holidays or big events because the phisher can craft his bogus e-mail message around these special times. The report says phishing activity rose 29 percent during the holiday shopping season, 33 percent during Super Bowl week and 40 percent during the World Cup soccer championship.
Where are the attacks coming from?
There’s something new in this report. For the first time, Symantec identified where the malware originated. It turns out 31 percent of all malicious activity comes from computer networks inside the United States, putting America at the top of the list. China is second with 10 percent and Germany is third with 7 percent.
This doesn’t mean the U.S. has more cyber-crooks. Many of the U.S. computers sending out spam, phishing emails and bot attacks are remotely controlled by people in other countries. The report suggests this is because the United States has more computers connected to the Internet than any other country.
The Symantec survey estimates that, worldwide, there are now more than 6 million bot-infected computers that can be controlled by someone anywhere in the world. This is a significant increase — up 29 percent — from the first half of the year. These robot computers make it easy for the bad guys to circumvent spam filters and hide from law enforcement.
Data breaches still serious
Whether you like it or not, your personal information — from Social Security number to financial records — is stored in vast databases controlled by both private companies and government agencies. These records can be accessed by various people, giving the ID thief numerous ways to snag this information.
The Symantec report found that 25 percent of identity-theft data breaches involved government computers, usually due to the theft or loss of computers or data-storage media. The education sector wasn’t far behind at 20 percent, followed by health care at 14 percent.
You can’t prevent someone from snagging the information stored in a database. But you can protect your own computer from the ID thief’s inevitable attacks.
You need good security software. You need to have your computer set to get automatic updates from your security service and your software makers.
But no software can protect you from yourself. That’s why you need to be what Symantec’s Dave Cole calls a “street smart” computer user. Don’t download unknown software, don’t share files with strangers, and don’t open attachments you weren’t expecting.
You can avoid most phishing scams by following a simple rule: Never give out your personal information in response to an e-mail, no matter how urgent or ominous the message sounds. Assume it’s a scam.