By PAUL BRISLEN
The head of the police e-crimes lab is warning that so-called "phishing" attacks are just the tip of the online fraud iceberg.
Maarten Kleintjes said phishing - unsolicited email pretending to be from a bank or other credible source asking for account details - is on the rise globally, but key-stroke logging is even more of a risk.
Key-stroke loggers are usually small secret software applications that are installed on a user's PC without their authorisation. These applications will record every key stroke made on the computer and will send them to the fraudster with the hopes of capturing important information, such as credit card numbers, user names and passwords or similar information.
Kleintjes said it's easy to be fooled into installing a keystroke logger.
"One of the guys here downloaded part of a movie online and found he'd been infected with three of these things."
Kleintjes said a recent survey in Holland of 2000 PCs found more than half of them were infected with keyloggers and other forms of "spy-ware".
PC owners could use a simple trick to avoid giving away their user names and passwords.
"Keystroke loggers record every stroke but they don't differentiate terribly well," Kleintjes said.
"The trick is to pick a password like 'ANGER' and then to type in 'DANGER' and go back and remove the 'D' or something similar." He suggests typing lots of random characters and then highlighting them before typing a correct name or password.
That way, users are protected without knowing whether their PC is infected or not.
Financial institutions are also fighting back against the fraudsters responsible for online fraud.
Westpac and ANZ have been targeted by fraudulent emails asking users to enter their user names and passwords on a site that looks like the real bank site. Even the Government isn't immune - a phishing message pretending to be from "www.govt.nz" asked users to open a file that would then install malicious software on their PCs.
MelbourneIT, the Australian domain name registrar that owns New Zealand's Domainz, is testing software designed to catch those setting up a phishing attack before it gets off the ground.
MelbourneIT recently bought a UK company called Cogent, which manages international branding.
"Cogent has developed software that scours the domain name registrations around the world looking for names that breach copyright and that sort of thing," said MelbourneIT managing director Theo Hnarakis.
"It's been adapted to hunt for phishing attacks as well as other forms of fraud."
Hnarakis said the software was being shown to Australian banks and other financial institutions, and could also be used in New Zealand.
ASB Bank says it is constantly on the lookout for early signs of phishing expeditions and other online fraud.
The bank's chief information officer, Clayton Wakefield, welcomed any moves by international agencies to try to limit this kind of activity, as most of it came from overseas.
Credit card agency MasterCard has also started an anti-phishing programme and is working closely with police agencies internationally. MasterCard spokesman Tim Morris said Name Protect was being used in New Zealand after successful overseas trials. "It looks into chat rooms, looks at domain names, generally monitors online discussions about things like credit card numbers and so on."
Morris said that in April, MasterCard found more than 9500 credit card numbers online in one week. "Around half of those were MasterCard numbers."
MasterCard contacts its member banks to warn them of the potentially fraudulent site or the card numbers, and then works with the banks in informing the police.
"We've got strong ties with the Australian high-tech crimes centre and we hope to do the same in New Zealand," Morris said.
Keystroke-loggers next big online security threat