It sounds like a Hollywood techno-thriller: A shadowy figure in Germany creates an unstoppable Internet worm that hides for years from the cybercops. The trouble is, this is real life. The worm, called Sober, has struck more than 30 times since its release in October 2003. Most recently, on Nov. 22, 2005--Inauguration Day for Germany's first female chancellor--Sober sent spam posing as e-mails from America's CIA and FBI, Britain's National Hi-Tech Crime Unit and the German Bundeskriminalamt. Next, authorities were girding for ferocious spam assaults to commemorate the founding of the Nazi Party on Jan. 5.
This high-stakes "hacktivism" makes great headlines, but law-enforcement officials worry that it is distracting attention from a far more worrying trend: rising Internet fraud. While hacktivists seek maximum public exposure to advance a political cause, fraud is all the more insidious because perpetrators and victims conspire to keep it hidden. This year promises to be the worst yet. Identity thieves are expected to steal more than $1 trillion. Cybercriminals are making so much money--more than the illegal drug trade last year, according to the U.S. Treasury--that they've been doing their own R&D.
That research is already bearing fruit. Experts worry that direct theft of data (as opposed to phishing, in which customers are tricked into giving away data) is on the rise. Identity thieves are now able to target specific attacks against specific people or companies, and they can select their targets based on factors like net worth. The pre-Christmas attack on credit-card users at Sam's Club stores in the United States is an example of what lies ahead, says George Waller of the cybersecurity firm StrikeForce Technologies. Several hundred customers who bought gas at the stores had their credit-card data stolen (Sam's Club isn't saying how). "The days of mass worms and things like phishing scams are largely over," says Joe Payne, vice president of the Virginia-based Verisign iDefense, which tracks cybercrime.
In addition to merchants, midsize banks are another likely spot for criminal attacks. While last year the biggest banks threw plenty of resources into improving online security in response to a rash of embarrassing identity thefts, small banks are still vulnerable to everything from keyloggers to worms and botnets. Indeed, $24 billion in bank deposits are at risk each day in the United States alone.
Another innovation among fraudsters is to target kids. Waller warns that keyloggers, an advanced form of spyware, are making their way onto the MP3 files that Junior happily downloads to the family PC. These tiny programs track every keystroke the user makes, allowing fraudsters to monitor and record online transactions.
And then there's China, where Internet penetration is expected to top 10 percent in 2006. Because China's PCs don't generally run licensed versions of Microsoft's Windows, they're not eligible for the security patches Microsoft makes available to its legitimate users. Hackers have already taken control of the PCs of thousands of unsuspecting Chinese and used them as a platform from which to launch spam attacks. These so-called botnets are routinely bought, sold and swapped in Internet chat rooms.
The news isn't all bad. Prices for identity authentication systems using biometric data are falling, and public resistance to them is diminishing. Expect to see them rolled out in the second half of the year in big banks, and later in smaller outfits. Until then, keep your firewalls up and your fingers crossed.