Bought and sold online: Identity theft on the rise
By Alma Anonas-Carpio
It’s all business, yet it is purely personal. We are talking about hacking and identity theft, of course. Where hackers of a decade or so ago conducted their nefarious deeds because they could, hackers now send out viruses, spyware, Trojan downloaders, key-loggers and other internet-transmitted "diseases" for cold, hard cash.
According to the latest "Internet Security Threat Report Volume XIV (ISTR XIV)" released recently by security software maker Symantec, "malicious code activity continued to grow at a record pace all throughout 2008, primarily targeting (the) confidential information of computer users." The ISTR XIV report was made available to reporters at a briefing in Makati City recently.
This report noted that Symantec alone created over 1.6 million new signatures identifying these malicious codes and their "mutations" in 2008—a number that represents over 60% of the total number of signatures Symantec has ever created. Symantec reported at a recent press briefing that it had been able to block an average of 245 million malicious code attacks across the globe each month of 2008.
These infections are the seeds of an ongoing—and extremely profitable—data theft "pandemic".
What are you worth on the black market?
So how much is your identity and personal and financial data worth on the internet? According to Symantec enterprise sales manager Edler Panlilio, 32% of the "most advertised items" on the internet’s back alley black market are credit card information, which fetches between six US cents (P2.84) and $30 (P1,417.2). Last year, the hawking of stolen credit card data made up only 21% of black market advertisements on the streets of the internet’s Gomorrah. Stolen credit card data is used to rack up purchases through credit card fraud, leaving the unsuspecting victim holding the bag when his or her credit card bill arrives.
The second runner up on the internet black market advert list is bank account credentials, which account for 19% of black market advertisements. These scrumptious pieces of data sell for between $10 (P472.4) and $100 (P4,724) and the bank transactions may be "hijacked, diverted to unauthorized users or used for other potentially illegal acts, such as fraud." It is not a far stretch to imagine that such data may also be used for money laundering, as well.
Email addresses are advertised online among black hat hackers as costing between 33 US cents (P15.59) per megabyte and $100 (P4,724) per megabyte. These types of data rank third on the list of most-advertised fenceable goods online.
Email accounts come in fourth on the list, at 5% of all advertised stolen cybergoods and they cost between 10 US cents (P4.72) and $100 (P4,724). Panlilio warned that "compromised email accounts can provide access to other confidential information and additional resources" that the unsuspecting user of a hijacked email account may write in correspondence with other people or may keep in the drafts section of the email account for future use. Many netizens also like using their email accounts as virtual warehouses for data that may be sensitive and personal, and that is what drives up the value of such email accounts.
A person’s full identity is disappointingly cheap, at between 70 US cents (P33.07) and $60 (P2,834.4)—this is the sum total of who a human being is in digital format and it goes for a song. Such data includes social security numbers, taxpayer identification numbers and passport numbers, among other thief-magnet-type digital identity data.
Other digital valuables that are being advertised and sold illicitly online are web proxies (used by websites) for between 16 US cents (P7.56) and $20 (P944.8); mailers or bulk e-mail programs go for between $2 (P94.48) and $40 (P1,889.6); online cash-out transactions can be hijacked and cost between 8% and 50% of the transaction or go for a flat rate of $200 (P9,448) to $2000 (P94,480) per item; shell scripts that can be used by hackers are offered via online advertisements for between $2 (P94.48) and $20 (P944.8). Finally, full scams involving spurious e-mail to gather a victim’s valuable personal data and other digital goods that can be stolen thus go for $2 (P94.48) to $20 (P944.8) just for the design of such a scam and will cost an additional $3 (P141.72) to $40 (P1,889.6) a week for buyers to obtain the advertiser’s hosting services.
The ISTR is derived from data collected by millions of internet sensors, first-hand research and active monitoring of hacker communications. Its aim is to provide a global view of the state of internet security. The study period for the ISTR XIV covered the period from January to December 2008.
"As malicious code continues to grow at a record pace we’re also seeing that attackers have shifted away from mass distribution of a few threats to micro-distribution of millions of distinct threats," Symantec vice president for security technology and response Stephen Trilling said in a statement issued at the briefing. "Cybercriminals are profiting from creating and distributing customized threats that steal confidential information, particularly bank account credentials and credit card data. While the above ground economy suffers, the underground economy has remained consistently steady."
The report noted that internet-surfing remained the primary source of new infections in 2008 and that attackers are relying more and more on customized malicious code toolkits to develop and distribute their threats.
Online threats most prevalent
ISTR XIV executive editor Marc Fossi said in his comments on the report that "the unfortunate reality is that innocent Web surfers can visit a compromised website and unknowingly place their personal and financial information at risk." He also warned that "computer users have to be extra vigilant about their security practices."
Fossi’s report also said "90% of all threats detected by Symantec during the study period attempt to steal confidential information." Threats with a keystroke-logging (keylogging) capability—which can be used to steal information like online bank account credentials—made up 76% of threats to confidential information, up from 72% in 2007.
According to press material provided by Symantec at its recent Makati City briefing, "leveraging data" from its recent Report on the Underground Economy, the firm "found that there continues to be a well-organized underground economy specializing in the sale of stolen confidential data, particularly credit card and bank account credentials."
"This underground economy is thriving; whereas prices for goods in the legitimate market have fallen, prices for goods in the underground economy have remained consistent from 2007 through 2008," Panlilio warned. "The report also points to the increased resilience of malware authors against attempts to halt their activities. As an example, the shutdown of two US-based botnet hosting outfits contributed to a significant decrease in active botnet activity during September and November 2008; however, botnet operators found alternate hosting Web sites and botnet infections quickly rose to their pre-shutdown levels."
Web applications not built for security
Web application platforms were tagged by Panlilio as "common sources of vulnerabilities during the evaluation period. These pre-built software products are designed to simplify the deployment of new websites and are in widespread use around the internet."
Many of these internet platforms "were not designed with security in mind and consequently harbor numerous flaws leaving them potentially vulnerable to attack," he added. "Of all the vulnerabilities identified in 2008, 63% affected Web applications, up from 59% in 2007."
Of some 12,885 website-specific and cross-website scripting vulnerabilities reported in 2008 "only 3% (or 394 vulnerabilities) had been fixed at the time the report was written," Panlilio said.
More disturbingly, the Symantec report also found that Web-based attacks originated from countries around the globe, with the largest number of attacks coming out of the United States (38%), followed by China (13%) and the Ukraine (12%).
Quoting from the statistics gathered in the ISTR, Panlilio said "6 of the top 10 countries where Web-based attacks were prominent were from the Europe and Middle East Africa (EMEA) region—these countries accounted for 45% of the worldwide total, more than any other region."
The report found that phishing—the theft of data through con-artist-type scams that fool users into voluntarily divulging sensitive data—continued to grow. In 2008, Symantec detected 55,389 phishing website hosts, an increase of 66% since 2007, when Symantec detected 33,428 phishing hosts. It also found that financial services, such as seemingly legitimate requests for updated personal and bank account or credit card security number data, accounted for 76% of phishing lures in 2008 compared to 52% in 2007.
The Symantec report also found that the volume of spam, or unwanted email flooding one’s inbox, continued to grow. Over the past year, Symantec observed a 192% increase in spam detected across the internet as a whole, up from 119.6 billion messages in 2007 to 349.6 billion in 2008. In 2008, bot networks were responsible for the distribution of approximately 90% of all spam email.
Symantec reported that, by the end of 2008, over one million individual computers were infected by the worm Downadup (also known as Conficker); this worm was able to spread rapidly across the internet using a number of advanced propagation mechanisms. The number of Downadup/Conficker infections worldwide grew to more than three million infected systems during the first quarter of 2009.
The data mined and provided by Symantec also indicated that, in 2008, the growth of malicious code activity was greatest in the Europe, Middle East and Africa region, even as the software security firm observed an average of more than 75,000 active, bot-infected computers each day, bringing the number of bot infections up by 31% from 2007.
All told, precautions must be taken at the end-user level as well as at the server level by those who own and host websites. Like any disease, computer-transmitted viruses and malware can be foiled with vaccination and sensible conduct: Never surf the net without reliable anti-virus and anti-malware programs; distrust any email that tells you that you’ve won the lottery; confirm online requests to update your bank and credit card particulars with your bank or credit card service provider and never open emails that come from sources you do not know or trust. Online, as in the physical world, your safety is in your hands first before it is the responsibility of the authorities.
* Cover story of Philippines Graphic's May 25 issue
here are some more precautions on identity theft: http://www.technoconvergingzone.com/2009/04/personal-information-value-against.html
Business articles and financial views
http://www.technoconvergingzone.com/
Thank you for sharing
It is good to know there are good people out there who are willing to help others stay safe. Thank you for sharing. :)



just want to share this from my email
PLEASE BE CAREFUL WHENEVER YOU'RE USING A public computer (like INTERNET CAFES, ETC.).
CHECK THE BACK OF THE PC AND SEE IF THE BELOW DEVICE IS THERE.... IF SO..then DO NOT USE IT!!!
New storing device fits at the end of the keyboard cable connecting to the PC specialized to save all typed keys in it?
Mostly could be used in net cafes, exhibitions, hotels and airports therefore be careful especially the people who use the internet in these places to enter their bank accounts online or any other important sites.
After you enter the bank account and leave the PC it will be easy to open your account again as all what you have typed has been saved in the Black device.
Therefore, you should check the PC for any suspicious piece behind it before using the net in public places for important sites.
Please send it to all who you know to educate them against this fraud.