As the global economy struggles to regain its footing, one moneymaking sector remains buoyant: online crime. Criminal enterprises are innovating new business models in consultation with the creators of botnets. These are networks of compromised computers that can carry out the bidding of online scammers. Further innovation includes ‘botnets as a service’, a sobering spin on the software-as-a-service trend that has spread across the technology sector. We see many signs that criminals are mimicking the practices embraced by successful, legitimate businesses to reap revenue and grow their fraudulent enterprises.
The technical innovation and capabilities of online criminals are truly remarkable. Criminals are closely watching security researchers and learning from their methods for thwarting attacks, putting the ‘good guy’ knowledge to use so their next attack can evade existing protections. ‘Bad guys’ are aggressively collaborating, selling one another their wares, and developing expertise in specific tactics and technologies. Specialization makes it tougher to shut down illegal activity, because there are many players in this ecosystem.
Online security risks
The piece of malicious software that may have caused the most chaos in the first half of 2009 used an older method of attack that should have been easy to detect and avoid. The rapid propagation of malware like Conficker emphasizes the need for risk and threat management that recognizes that attacks can originate from anywhere in a network. User education in the form of security awareness training helps mitigate the threats posed by spamdexing, but enterprises can’t assume employees will always make the correct choice about which websites to trust. For more thorough protection, businesses need security solutions that combine traditional URL filtering, reputation filtering, malware filtering and data security.
Mobile device threats: text message scams
Text message scams targeting users of handheld mobile devices, such as cellphones and smartphones, are becoming a common fraud tactic. At least two or three new campaigns have surfaced every week since the start of 2009. The spike in frequency can be attributed partly to the economic downturn, but the massive - and still growing - size of the mobile device audience is also making this new frontier for fraud irresistible to cyber-criminals. Many text message scams rely on social engineering tactics to dupe victims into handing over personal identification information or credit card numbers by purchasing worthless (or nonexistent) products or services or cashing in on a prize. More criminals are also taking advantage of the popularity of online banking, heading straight for victims’ money by specifically targeting their ATM accounts and personal identification numbers (PINs) with well-designed and localized text message scams, and they leave virtually no trail behind them.
Data loss
The current recession has created new moneymaking opportunities for at least one group of ‘entrepreneurs’: identity thieves. As predicted in the Cisco 2008 Annual Security Report, spam, phishing and text message scams are on the rise and growing in sophistication. Many of these campaigns are designed and deployed for the purpose of stealing identities to open new financial accounts or misuse existing ones.
Researchers say that individuals aged 18 to 25 are at the highest risk of experiencing identity fraud today. This is primarily due to Generation Y’s fondness for social networking. Identity thieves and hackers troll these sites regularly, searching for the keys to a user’s identity and finances. Users’ profiles can provide a wealth of personal information - names, dates of birth, home towns, and even phone numbers - that provides just enough detail for clever criminals to successfully commit fraud. Some have even gone so far as to contact a victim’s friends and family members directly to request money.
Inside the organization
Fraud, hacking, and identity theft by insiders are very real security threats, and they can be especially damaging for an organization because insiders know its security weaknesses and how best to exploit them. Given the current economic downturn, in which many individuals have lost their jobs or become disgruntled - or set traps in advance to retaliate against an employer - insider threats can be expected to increase in the months ahead. The Identity Theft Resource Center estimates that insiders were responsible for nearly a quarter of all known incidents involving financial institutions in 2008. That trend appears to be continuing in 2009. Organizations are strongly advised to implement additional security policies regarding these resources and to be particularly vigilant about the level and term of their access to sensitive data.
Compliance
Around the world, there is an increase in legislation and industry initiatives on making data on networks more secure and informing those affected by data breaches. This is creating additional burdens - in terms of money, time and human resources - for businesses already working to be compliant with other existing laws, standards or best practices, such as the industry-led Payment Card Industry Data Security Standard (PCI DSS), HIPAA, Gramm-Leach-Bliley Act (GLB) and Sarbanes-Oxley Act (SOX).
Companies also should strive to educate their employees and continually monitor email and web traffic to ensure sensitive information is not being shared inappropriately. Many organizations have implemented formal data loss prevention (DLP) programs to help secure their data, whether it is stored, in use or moving around the network. DLP policies are a must-have for compliance audits. Increasingly, companies are also realizing that these policies are important in the event that something does go wrong - such as a data breach that compromises customers’ credit card numbers - so they can show victims, attorneys and legal departments, shareholders and law enforcement agencies that they took clear steps to prevent such an event from happening.




