From hacking to big business

Computer viruses have been around almost as long as there have been computers. But these days, writing malware is no longer exclusively the domain of a few socially maladjusted computer nerds. What was once primarily an intellectual exercise is now seriously big business.

Just how big a business has writing malware become? One person who is in a position to know is Paul Wood, who has been working for the Internet security firm MessageLabs for the past five years. His company provides e-mail, web, and instant messaging filtering solutions for ISPs and businesses and has developed sophisticated monitoring software that provides a front-lines look at malware in all its forms. MessageLabs recently updated its reporting on the current state of malicious software, and I had a chance to talk to Paul at length about what it all meant.



An Apple ][ running Elk Cloner, one of the first viruses, circa 1982

The short version is this: malware is getting smarter—a lot smarter—and traditional methods of protection are straining to keep up. In addition, as operating systems and software get more and more resilient to direct attacks, the bad guys are increasingly turning to social engineering to bypass all technological forms of protection. Even more worrisome is the rise of directed attacks against specific businesses, as well as social networking sites and online games. The cyberpunk world of hackers backed by giant criminal syndicates has transitioned, almost without anyone noticing, from science fiction to reality.

Phishing briefly overtakes virus attacks

In January of this year, for the first time in history, phishing attacks—e-mail messages pretending to be from a legitimate business, but linking to fake web sites that grab sensitive personal data—became the dominant form of malware on the ‘Net. Since then, phishing attacks have dropped slightly, and virus e-mails are once again more common, but the two continue to run neck and neck.



Data source: MessageLabs

Phishing attacks have the advantage of passing cleanly through firewalls, bypassing anti-virus software, and they don't rely on users to be running operating systems that don't have all the latest security patches. In fact, phishing doesn't require the user to be running any particular operating system at all.

Phishing has an additional negative impact on the Internet besides simply scamming people out of their money and personal data. The sheer preponderance of phishing messages has made it more difficult for legitimate communication to get through. A personal example: I receive dozens of fake messages pretending to be from PayPal each day. So when a message from the real PayPal arrived in my inbox the other day (it needed me to update my credit card, ironically because I had to cancel the previous one due to fraudulent charges), I almost deleted it out of habit.

There are ways that financial institutions can help ensure that their customers are properly authenticated each time they log on to a web site, but some of these methods are overly complicated or expensive to implement. One method involves a "scratch pad" of passwords, each of which is used only once, for a single login. Other ideas involve using additional physical devices before allowing users to sign on. A company in the UK has come up with a card scanner unit that connects to the user's computer. So far, few banks have rushed to adopt these sorts of systems. APACS, the organization responsible for banking regulation in Britain, has not mandated that any of these types of additional security measures be used for online banking, nor have any other similar institutions in Europe or North America. For now, the phishers are definitely "making hay while the sun shines," gathering up bank account information as fast as they can before new security measures are put in place.



A stock tip scam

Bank and PayPal scams aren't the only way of making money, however. Recently, there has been a huge rise in e-mails pretending to be hot stock tips. The stock in question is simply a junk company with a low valuation, and the hackers have already bought a large number of shares prior to sending out the spam. Typically, enough people buy shares on the "hot tip," after which the hackers immediately sell and collect a nice profit. An interesting technique is used to get these e-mails through most spam filters: the entire message is sent as a giant bitmap image. This makes it impossible for keyword filters to identify the message as spam. MessageLabs estimates that between 15 and 20 percent of all spam messages use this image trick, and as of last month, some have begun hosting the images on free image hosting sites.
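As an added illustration (not code from the article or from MessageLabs), here is a simple defender-side heuristic in Python for the image-only trick described above: a message that carries an image but almost no machine-readable text is flagged for closer inspection instead of being scored on keywords alone. The sample messages are constructed inline; the threshold is an assumed tuning value.

```python
# Added example: flag e-mails whose visible content is an image with little or
# no accompanying text, which is what defeats a keyword-based spam filter.
import email
import re
from email import policy
from email.message import EmailMessage


def image_text_profile(raw: bytes) -> dict:
    """Count text characters (HTML tags stripped) and image parts in a message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text_chars = 0
    image_parts = 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            body = part.get_content()
            if ctype == "text/html":
                body = re.sub(r"<[^>]+>", " ", body)  # markup is not readable text
            text_chars += len(body.strip())
        elif part.get_content_maintype() == "image":
            image_parts += 1
    return {"text_chars": text_chars, "image_parts": image_parts}


def is_image_only_spam(raw: bytes, max_text_chars: int = 40) -> bool:
    """Heuristic: at least one image and (almost) no text. Threshold is assumed."""
    p = image_text_profile(raw)
    return p["image_parts"] >= 1 and p["text_chars"] <= max_text_chars


def build_sample(text: str, with_image: bool) -> bytes:
    """Construct a sample message; addresses and the image bytes are placeholders."""
    m = EmailMessage()
    m["From"] = "tips@sender.invalid"
    m["To"] = "reader@recipient.invalid"
    m["Subject"] = "Re: that stock"
    m.set_content(text)
    if with_image:
        # Tiny placeholder GIF header, not a real spam image.
        m.add_attachment(b"GIF89a\x01\x00\x01\x00", maintype="image",
                         subtype="gif", filename="tip.gif")
    return m.as_bytes()


IMAGE_ONLY = build_sample("", True)                       # image, no text: flagged
LEGIT_CHART = build_sample("Hi Bob, attached is the chart we went over "
                           "on the call yesterday. Regards, Alice", True)
TEXT_ONLY = build_sample("Buy now, it can only go up!", False)  # no image: not flagged
```

Pair it with the usual content filters rather than replacing them; a newsletter with one banner and a short caption will also trip this rule.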

While most people aren't taken in by phishing e-mails, even if a small percentage fall for the trick, it is worth big money. Although it is difficult to measure the total amount of money being made—the number of computers sending out phishing e-mails fluctuates all the time—Wood estimates that a single phishing campaign can make anywhere from $60 to $1,000 per day.