Jennifer Clarke’s mother isn’t as computer savvy as she would hope, so she calls her daughter before doing anything online.
“I get calls like, ‘I’m on YouTube and there’s a window flashing and saying I need to update my computer, should I click it?’” says Jennifer*. “I have to say, ‘no, Mom, that’s a scam.’”
While Ms. Clarke is trying to protect herself, she still illustrates a disturbing trend: more and more internet users are buying into online scams. The FBI reported that the Internet Crime Complaint Center (IC3) received it’s 2 millionth complaint in November. The IC3 has been the go-to site for online fraud victims since 2003, but, according to Jennifer, “most people probably haven’t heard of that.” In fact, themselves a victim of identity theft in 2006, the Clarke family admitted they’d never heard of the IC3 or thought to report the incident. “We just moved across town,” says Jennifer.
The year 2010 has been one of the worst years for online scams, with a 111.4 percent increase of malicious website creation since 2009. Websense, the leading information security company, made their online scam statistic findings public. Websense reports that this year, 79 per cent of malicious codes were found on legitimate, trusted websites such as search engine Google or blogging center WordPress. While e-mail scams decreased by 0.7 percent, nearly 90 percent of fraudulent e-mails referred the reader to a malicious site, and 9 percent of scams still happen through e-mail alone.
Scammers are getting smarter. The invention of Search Engine Optimization (SEO) strategy means viruses can be directed towards a target audience, not just sent in all directions via e-mail. SEO strategizing means a scammer can write a malicious code into a website and then add keywords, or tags, to the page. These tags are what major search engines like Google or Yahoo see during a search. They’re also what’s often displayed when the results of a search load. Using SEO strategy, the scammer can make sure their malicious page will appear near the top of the search results. Victims are actually downloading viruses during innocent web browsing and searching. 52 percent of data stealing attacks this year happened over the internet.
Once a virus has been downloaded from a malicious website or e-mail, it wreaks havoc on computer systems. While most virus symptoms look the same— the computer runs more slowly, numerous pop-ups appear, some programs just won’t run— there are actually many different types of virus programs. One of the most common virus program is called a Trojan horse, named after the Greek myth. This is a virus that looks like a legitimate program, so users are tricked into downloading it and using the software. Trojan viruses gain unauthorized access to computer systems and are what cause those pop-ups to appear, even when users are not surfing the internet.
Other common viruses include program viruses, which (much like Trojans) come in the form of a fake computer program— often accompanied by a .EXE file extension. These viruses affect other programs in the computer. Stealth viruses ‘hide’ from antivirus software, concealing themselves inside other files, altering their file size, and other tricks to look like legitimate files. Boot sector viruses infect disks, and spread when a person lets their friend borrow a computer CD. All of these are ‘classic’ viruses which can usually be caught with a good antivirus software or spam filter.
Unfortunately, though, antivirus software can’t do everything. Virus writers wanting to steal information, or computer ‘hackers,’ are evolving as fast as the software trying to shield them out. New viruses include names like article X viruses and Java control viruses, which can attack a computer through web browsers alone, just by having an unsuspecting user visit a website. These are especially devastating to users who don’t disable pop-ups or block unknown Java programs from running. A new version of stealth viruses is also emerging, called ‘polymorphic’ viruses— which alter their coding, or virus signature, every time they infect a new file. This makes it very difficult for an antivirus program to even detect the problem, let alone delete it. Some protection programs don’t even have the capacity to delete certain viruses, such as macro viruses, which infect any program or file which supports a macro programming language. Such programs as Microsoft Word or Excel support macro languages, and if infected, each document produced is also infected. These viruses can even travel if the unsuspecting user e-mails the document to friends or family.
The goal, for a majority of these viruses, is to steal data. Keystrokes can be recorded, passwords extracted, or identification compromised. In one of the worst cases of data loss, Massachusetts’ South Shore Hospital reported the data loss of over 800,000 patient files from their systems this year— 14 years’ worth of records. These records included patients’ full names, birthdays, addresses, phone numbers, driver’s license numbers, SIN numbers, medical record numbers, bank account and credit card information, as well as diagnoses and treatments. South Shore Hospital referred to this loss as only “a small subset,” prompting negative reactions from many victims involved, but the dark reality is that there just isn’t a lot that can be done.
Another notable online heist this year came when hackers managed to expose the e-mails of online iPad users; some of these victims included government officials, military members, and the Department of Defense’s advanced research team.
Wireless internet created an entirely new problem: Wi-Fi attacks. Open-access Wi-Fi points are becoming a huge problem. These free Wi-Fi points appear in airports, along train track routes, and even inside local Starbucks cafés. Because they’re open to everyone, experienced hackers can pose as coffee drinkers reading newspapers online while easily downloading banking information from the computer across from them. The new iPads, which are like portable Wi-Fi stations, are prime targets.
One new e-mail scam this year involves false e-mails that appear to be from a friend or family member, claiming the sender is stranded at an airport and needs financial assistance to get tickets home. Another new strategy is to embed malicious code into the e-mail itself, so a user needs only to open the e-mail to get scammed; no reading of material, external links, or attachments needed. Spam filters and antivirus programs have their metaphorical hands full trying to keep up with the new technology.
One thing that can be expected, at least, is a “worm.” Every year, antivirus software producers prepare for the possibility of a dreaded worm. It’s like the computer equivalent to a pandemic. Worms are viruses that don’t need to attach themselves to any programs; rather than stealing information from a computer, they can corrupt entire networks of computers, a sort of mass infestation virus that networks and copies itself to new networks wherever it finds them. This year’s surprise was Stuxnet, which became the first virus to affect industrial control mechanisms. Stuxnet not only impacted computers, it impacted nuclear power plants, dams, water treatment facilities, and factories in 155 countries. Stuxnet did the most damage in Iran, Indonesia, and India.
Another surprise this year was the massive hike in “scareware” programs. Scareware means fake antivirus, or spyware, programs that are actually malicious– a cruel and ironic take on Trojan or program viruses. 40 percent of all false antivirus programs to date were created this year alone. That’s a scary number, but more terrifying is the thought of how they’re downloaded. While some scareware viruses market themselves through traditional pop-ups or advertisements, the growing trend is for cold-callers— sometimes the hackers themselves— to call victims and deliver a presentation by phone, asking ‘customers’ to buy the ‘product.’
This brings us to 2010’s biggest threat: smishing. Online users usually know the term “phishing,” which refers to e-mail-related scams. The term has been around since the original “Nigerian charity donation” warnings. E-mail hosts have long since armed themselves with spam security, such as filters, e-mail address blocking, and virus scans to attachments. It’s becoming harder and harder to scam through e-mails alone. That’s where “smishing” comes in. It stands for SMS text messages. That’s right: viruses can also be downloaded onto cell phones. With many consumers now equipped with Blackberries and smart phones, it’s a whole new world.
Hackers can set up an automated dialing system, which will obtain phone numbers from anywhere in a specific region or area code. The dialing system can also call these numbers with an automated message, another type of scam now labelled “vishing,” or voice message phishing. They often work the same way as regular e-mail scams: the victim receives a call or text message claiming the victim must renew their bank card or make some sort of deposit. The messages then ask that personal information be keyed into the phone, claiming to be from a telephone banking service. Phone numbers can also be obtained from previous victims’ contact lists, so phone scams can grow exponentially. Worse, numbers can be obtained from the banks or credit unions themselves, once victims give the hackers access by handing over the required personal information.
Holiday-related variations on phishing, smishing, and online data losses are appearing now. “Spoofing,” malicious e-mails and websites that look like more popular legitimate sites, are increasing. For example, PayPal.com, a trusted online banking transaction site used a lot for internet shopping, is warning customers to stay away from it’s malicious duplicate PayPa1.com. (The number 1 is nearly identical to the letter ‘l’ in some computer fonts.) Consumers looking for some extra holiday spending money are also falling victim to false work-from-home typing jobs. There are two parts to these scams: in the first, victims must provide personal information to get the job. In the other part, once ‘signed up,’ victims type up what look like numbers, business reports, or bank statements, but are actually facilitating money laundering, even unknowingly withdrawing money from their own bank accounts. Even worse, victims are sometimes charged by police because, however unknowingly, they have participated in a crime!
Luckily, even with all these scams and viruses floating around, there are ways for consumers to protect themselves. McAfree, a popular security software publisher, mentioned some seasonal scams to avoid: charity phishing, false e-mail banking, malicious holiday e-cards, fake invoices, fake requests on social networks, holiday-themed downloads such as screensavers, identity theft from shopping sites, and even the theft of entire laptops come up during the winter season.
Consumers must also remember that a cell phone is a form of computer. Many cell phones now have internet surfing capabilities, where consumers can check e-mails, social networks, online shops, and search engines. Some smart phones even run mobile browsers, such as Safari in the new iPhone 4. However miniature they appear on the screen, these are real browsers, and malicious webpages can still appear, downloading viral contents or uploading personal information. McAfree warns consumers to watch out for any open Wi-Fi networks, even if the browser in question is a mobile phone.
Meanwhile, some nations are taking action. The European Network and Information Security Agency (ENISA) is testing cyber defense teams in 21 participating European Union nations. The EU has already set up a Cyber Crime task force in Europol, along with a Cyber Crime Training and Education Group. ENISA hopes this will be the first of many cyber crime force tests, and is planning to run joint exercises with the US or NATO.
The best way to avoid scams is to be educated. Online shoppers should price check everything carefully; some products have labels such as “the lowest price” on them, which are simply not true. Shoppers should also be wary of fine print, as some online shops have costly return policies. Always check site security before making an online payment; a secure site should have a web address which begins “https”. Once the transaction has been made, consumers should keep all the records of payment, and compare their bank statements to make sure the correct amount was charged.
This year, online scams and viruses swindled people through cell phones, iPads, and even power plants. It’s a problem that can be avoided by simple measures— disabling pop-ups and keeping a good spyware protection program, for starters. But scammers are a fast evolving breed, producing malicious content that can now infect users who use search engines, open e-mails, or answer a phone call. Some victims don’t even know they’ve been scammed.
“Well,” says Jennifer, “it’s a big world. I guess it happens.”
It’s probably happening right now.
