Ripped off, hacked and taken to the cleaners

Twenty years ago the typical hacker was a bedroom-based teenager with an IBM clone 386 PC, a dial-up modem, whose goal was to gain geek kudos by infiltrating and disrupting an unsuspecting corporate computer system.

Today's more scary incarnation, says Owen Johnston of security company Blue Coat Systems, is a very smart IT graduate, probably living in Eastern Europe, who is in the hacking business to make money - lots of money.

"They're not there to destroy things, they're there for economic reasons," said Johnston.

"They're there to monitise something. They're not there to break systems but they're there to be invisible. It's not about destroying you but about getting your data - understanding your identity, getting your credit card information. Getting into your system so they can get information and monitise that somehow."

While most of us are savvy enough to brush aside the so-called Nigerian email scams - unsolicited requests for bank account details made with a promise the sender will deposit untold riches in return for helping them to launder some newfound wealth - the horror stories of stolen identities and fraudulent credit card transactions continue to flood in.

Johnston said the average computer user's increased susceptibility to being stung by an online scam was related to the way our use of the internet has evolved in recent years.

We're spending more time online and the rise of social networking, and the ease with which anyone can publish content to the web means we seldom think twice about clicking a link, especially if we think it will lead us to a page authored by a friend.

At the same time the richness of multi-media content and technological sophistication behind web pages has changed significantly, Johnston said.

Increasingly complex and invisible programming code has transformed the internet from a simple bulletin board displaying text and the occasional picture into an exciting, interactive platform.

The downside of the sophisticated applications now embedded in the pages we load into our browsers is that they can provide deep cover for malicious content that can lurk on your PC long after you have moved on from a particular website.

"We've all been trained that if we click 'OK' or 'yes' [when invited to visit a particular web page or download something when we get there] we'll get cool content. Everything's become links ... and those links can deliver some pretty bad stuff," Johnston said.

"The whole aim [for the scammers] is to get people to click on a link and they're becoming very clever about how those links look," said Jeremy Hulse of M86 Security.

M86, a New Zealand-founded security firm previously called Marshal, this month bought Finjan, another security company specialising in spotting and deflecting dodgy websites before their content is loaded on to a user's browser.

The acquisition was an indication that link-based security threats are becoming an increasingly large part of the online security problem. M86 needed to boost its intellectual property in that particular area so it could offer its customers better all-round protection.

An increasingly common example of the type of "bad stuff" Johnston refers to that can appear on a PC infected with a malicious program after visiting a rogue website - or even a legitimate corporate site that has been hacked - is a demand to buy bogus security software.

Unsuspecting users are asked for a credit card payment to activate the fake security program. As well as racking up an unnecessary payment, victims' card details are typically on-sold to other criminals after the transaction has been processed.

Craig Scroggie, Symantec's Pacific region managing director, said small businesses were a fertile target for cybercriminals because their computer systems are typically easier to attack than those of large organisations, but could be the source of valuable data.

"Once they've got the malware inside the [computer system of a] small business, the malware is designed to open a back door and through that back door they can scan the network, they can search files, or log keystrokes or do screen downloads," said Scroggie.

"Once the information is out, generally it's posted on bulletin boards throughout the underground economy to sell - whether it's intellectual property, credit cards, social security numbers, or whatever it may be."

The black market for stolen data has been estimated to generate billions of dollars a year.

Nick Fitzgerald, a Christchurch-based emerging threats researcher for AVG Technologies said recent investigations unearthed documents detailing how one Eastern European crime syndicate was earning tens of millions of dollars a month through its online scam and theft activities.

Fitzgerald, a global authority on hacking, joked that while he could use his IT skills to make more money on the "dark side" of the industry, he had no desire to live in the Ukraine.

Enforcement agencies, including the FBI, have had some success tracking cyber crime syndicates, but often run into resistance from Eastern European authorities who recognise that the scams now account for a significant percentage of the region's GDP so are reluctant to help stamp it out.

According to Scroggie, small businesses are also easy targets because only about a third are "adequately protecting themselves" against cyber threats. It isn't a case of small companies not being prepared to pay for security software, he said, because some solutions are free.

Rather, he said, it was an issue of businesses not understanding the dangers, or not having the staff resources to put security in place. He said 80 per cent of small businesses did not have an IT manager and many relied on a non-expert staff member filling the role, or even outsourced the task to an IT-aware friend of the business owner.

"Cost is not the issue. Education is really important - understanding that data breaches happen, that they result in information about them - and about their clients - being bought and sold in a mature underground economy," he said.

"Until they become a victim of that they don't really understand. Until you have your identity stolen you don't understand how badly it impacts your life. Until these small businesses have their brand and their reputation damaged they really don't understand how devastating the impact of cyber crime is on their future prosperity."

Scroggie said not enough businesses were taking the basic steps of keeping up to date with updates and security patches for computer operating systems and security software.

"The reality is that most of the viruses that are impacting small to medium enterprises today are impacting them because they're not taking that action. There is already a solution available to the problem but they are just not applying the patches."

Of course Scroggie's company, Symantec, and other IT security firms, stand to win if more businesses follow his advice. But those who choose not to spend on protection against cyber crime threats risk something nastier than a vendor's invoice.