Exploitation
2004-05 UPDATE - Market Snapshots of the WEB
April 2004. A survey of user computers
on its network found an average of almost 28 spyware programs running on each
computer, with trojan horse or system monitoring programs found on more than 30
percent of all systems scanned, all of this unbeknownst to the user. This raises
greater fears of identity theft.
-source: EarthLink and Webroot Software
April 2004. The Federal Trade Commission
has held a workshop on spyware and adware, requesting the online industry to bring
the FTC best-practice proposals for eliminating the problem.
-source: Federal Trade Commission
[COMMENT 2004-05. Spyware generally means programs
that collect data about computer users and send that information back to the software
maker over the Internet without a user's knowledge. Adware generally tracks a
user's behavior across the Web, not keystrokes or personal data. The user's consent
for this to happen is most commonly obtained within bundled free software, in
the fine-print "OK" clicks - thus without the user's true knowledge.
Adware is currently technically legal, but it's definitely snake-oil. Further,
most adware apps tenaciously resist uninstalling upon discovery.
The practical effects of these apps include pop-up windows serving competitor
ads to a user searching certain keywords, or even replacing the website's published
ads with its own. The majority of Web surfers don't notice how their experience
has been subverted, nor realize how their computers have been compromised, and
their privacy and financial identities threatened. Users generally are ignorant
of the ways in which commerce on the Web manipulates them, and especially of the
adware/spyware situation.
A critical mass is reached with exploitation when users' computers perform so
slowly because of parasite activity that they are forced to seek technical help,
and sometimes then begin to learn their peril. The overall situation compounds
dramatically with always-on broadband connectivity.]

2004-01 UPDATE - Market Snapshots of the WEB
January 2004. The January security bulletin
from Microsoft fails even to mention - let alone fix - the flaw in the Internet
Explorer browser that allows scammers to fake both the URL of a website appearing
in the address field of the toolbar and the padlock icon that denotes a secure
connection. This flaw has given a further trickster's polish to the rising wave
of "phishing" scams. Microsoft describes the phishing exploit as "moderately
critical", and a patch is scheduled for February 10th.
-source: broadbandreports.com
December 2003. The Hong Kong Monetary
Authority and police spent several days trying to shut down a website hosted in
another country that purported to be the genuine website for Singapore's DBS Bank,
south-east Asia's largest lender. The phony site at dbshk.net (the real one is
dbs.com) incorporated forms for customers to enter account names and passwords
to access a list of banking services. The spoof site featured the bank's distinctive
logo and even a picture of the smiling female teller in DBS uniform, taken from
the homepage of the real site. The Hong Kong branches of Bank of China, international
HSBC Holdings, and UK-based Schroders also encountered similar incidents.
-source: CNETAsia
December 2003. Two weeks prior to Christmas,
60 unique email fraud attacks using the technique known as "phishing"
were instigated against consumers. Phishing attacks involve the mass distribution
of spoofed email messages with return addresses, links, and branding that all
appear to come from banks, insurance agencies, retailers, or credit card companies.
The fraudulent messages are designed to fool the recipients into divulging personal
data such as credit card numbers, bank account numbers, passwords, and social
security numbers. Because these emails look authentic, an estimated 5 percent of
recipients respond to them, resulting in financial losses, identity theft, and
other fraudulent activity. To most Internet users the emails and Web sites are
indistinguishable from legitimate business communications. The spam epidemic has
evolved from a nuisance to a real security threat with the shift from dubious
advertising to financial crime and identity theft. PayPal and eBay were the more
notorious original spoof targets; this holiday season's targets included Visa, Bank of
America, and Citibank.
-source: Anti-Phishing Working Group

2003-11 UPDATE - Market Snapshots of the WEB
November 2003. In the past, hackers created
malware for its own sake, as an exercise of skill. This year, the clear motive
is profit. People are stealing credit card information, or turning compromised
machines into spam-mail forwarders, and then selling the location of those machines
to third parties. An example of the new motive is the SoBig worm, which contained
an expiration date. This was unheard of formerly, when the motive was to see how
far and how long a virus would spread before containment. But the SoBig worm was
intended to infiltrate silently, and go dormant before discovery, because compromising
machines was not the end but simply the means to other, commercial ends. SoBig
enabled spammers to send massive junk email at no cost, and also harvested more
email addresses, which later found their way to the black market. Similarly, now
that merchants have developed proofs against randomly generated credit card numbers,
the incidence of theft of real numbers has surged.
-source: F-Secure
November 2003. There is increasing evidence
that security attacks and Internet fraud are intertwined, with as much as forty-seven
percent of the identified sources of attacks correlating with the sources of fraud.
Security events increased by nearly 99 percent between May and August of 2003.
Eighty percent of such events occur in the US. Attackers who gain control of Internet
host machines are increasingly using these compromised hosts for fraudulent ecommerce
transactions as well as the traditional security attacks.
-source: Verisign
October 2003. With more than a dozen snooping
programs now available that allow employers and parents to monitor workers' and
children's every keystroke, criminals have begun using their software of choice
on public computer terminals at copy shops and libraries to harvest credit card
numbers, computer passwords and personal financial information.
-source: New York Times
October 2003. Earthlink, an ISP and a
high-profile target for spammers and exploiters, is offering a free spyware blocking
service to its subscribers, with software that uses a continuously updated threat-definition
database. Spyware comprises invasive software programs that embed themselves in
computer systems, and monitor user activity, track Internet site visits, and transmit
information to third parties, often including sensitive personal data. Spyware
is often installed unwittingly through file sharing, from downloading freeware
and software programs, and by accessing certain Web sites. Industry professionals
believe that about 90 percent of all PCs that connect to the Internet are currently
infected with some type of spyware. And this threat is not going away: by 2005
such programs will be growing faster than computer viruses.
-source: PRNewswire

2003-07 UPDATE - Market Snapshots of the WEB
July 2003. A federal court dismissed U-Haul's
lawsuit against interception-ware advertiser WhenU; the full reasoning was not
yet available. WhenU and its competitor Gator specialize in blocking ads presented
by a website and substituting their own network ads instead. This is made possible
by software installed on the user's computer, usually without the user's specific
knowledge, bundled in with other free software, notably Kazaa. Gator has lost
or settled lawsuits brought against it thus far, and several more are pending.
The legal situation remains unclear.
-source: AdLaw (Hall Dickler)
[NOTE. The above item is replicated in the Intellectual
Property snapshots.]
June 2003. 57% of US users believe - incorrectly
- that the presence of a privacy policy means a website will not share information
with third parties.
-source: Annenberg Public Policy Center
June 2003. Most broadband users (86%)
feel they are very safe or somewhat safe from online intrusion, and keep confidential
material on their computer; 79% use their home computer to conduct sensitive financial
or medical transactions; 77% feel their computer is safe from hackers. In reality,
only 11% have securely configured computers. 91% have some form of "spyware"
software installed, and of those 96% don't know how it got there. There is a great
perception gap between presumed security and actual security.
-source: National Cyber Security Alliance
