What The Internet Has In Store For You In 2005
by Claudiu Popa, Informatica Corporation
Every year around the winter holidays, I offer –
okay, force – my immense wisdom and wit upon an unsuspecting
audience. This year is no exception and as usual, I have some good
and bad news related to happenings that will impact your Internet
experience and perhaps even your wallet. You say you want the bad
news first? Okay. In 2005 you’ll hear a lot more about computer
fraud, theft and financial losses than ever before. Why? Because
there will be more of that taking place than ever before. Is there
a chance that someone you know will be a victim? You bet. It's
not all bad, however, but you'll have to read through to the
end to get the good news. For now, more pressing issues, starting
with everyone’s friend: email.
Boy oh boy! Those of you who hate spam are in for
a rough ride. According to MessageLabs, spam now accounts for 73%
of all email, but that’s the least of our problems because
a new form of identity theft is on the rise. Phishing, based on
the not-so-new practice of lying and stealing, is coming to an inbox
near you. Over the past year, most Internet users have received
a message seeking to extract personal financial information from
them under urgent threat of closing bank accounts and falling skies.
Up to 5% of recipients have actually clicked through these emails
and submitted their personal information to a site that looked legitimate.
In fact, the look and feel of the sites is identical to those of
four dozen big name brands from eBay to Citibank.
There's something there for everyone.
In fact, that's an understatement. Between phishing,
fake e-commerce sites and stolen identities, online scam artists
are expected to net $US2.6 billion this year (according to Cybersource).
Not bad for just going after the low-hanging fruit. To be fair,
with holiday e-commerce sales volumes 50% higher than last year,
criminals are very busy sending out emails, cloning fake sites and
actually using stolen identities. In the words of President Bush,
"it's hard work", but the opportunity is there.
Statistics tell us that nearly all stolen credit card numbers and
bank accounts are used within 2 weeks, and with $US1.2 billion in
phishing losses over the past year, we can expect these gangs to
redefine the meaning of 'organized' crime just to keep up with their
own success.
Speaking of which, the Anti-Phishing Working Group
reports that organized crime is embracing this technology to the
tune of 1140 fake storefronts and 6600 different phishing messages.
This may seem like a lot, and it is considering the vast amounts
of cash these businesses are producing, but it isn't much compared
to what we will see in the coming year. With phishing growth rates
as much as two to four hundred percent per month, it is clear that
phishers are making full use of sophisticated technologies that
probably make Nigerian Scammers green with envy. Not only that,
but some of the lazier criminals simply set up hundreds of fake
storefronts optimized with catchy search engine keywords and wait
for Google to deliver the shoppers. Easy money. Software is the
key to the growth of identity theft and that's what gangs are using
to automatically create different flavours of fraudulent emails,
different e-commerce store interfaces with identical back-ends and
multiple varieties of information stealing viruses.
By mixing phishing emails with infected spam messages,
thieves are packing a strong punch with every email transmission
and traditional spam protection isn't going to cut it. 2005 may
well turn into the year of Internet crime convergence. Unaware users
now have a choice: click through the link to the fake site and
submit their information, or have their computer infected with a
malicious ActiveX control. Or they may opt for the compressed
attachment with the funky name. Or some code will run automatically
when they open the message, which is particularly effective against
users who insist on using the email preview pane feature.
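The traits described above (an urgent subject line, a link whose visible text names the bank while its target does not, a raw IP address in the link, an archive or double-extension attachment, and active HTML content) are all visible in the message itself before anyone clicks. The following is an added example, not code from the original column or from Informatica: a small triage script that reads one raw message with Python's standard email library and reports which of those traits it finds. Both sample messages are constructed for this example; the sender domains, the 203.0.113.7 address and the attachment are placeholders, and nothing is fetched from the network.

```python
"""Phishing triage for a single RFC 822 message (added example).

Scores a message on the traits the column describes: urgency wording,
look-alike links, IP-literal links, risky attachments and active HTML.
Sample messages are constructed; no real brand, host or file is involved.
"""
import email
import ipaddress
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY = re.compile(r"\b(urgent|immediately|suspend(ed)?|closed?|verify|24 hours)\b", re.I)
RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta", ".zip", ".rar"}
ACTIVE_TAGS = {"script", "object", "embed", "iframe", "applet"}

# Constructed phishing sample: brand name in the visible link text, IP address in
# the real target, an <object> tag, and a "pdf" that is really a zip archive.
SAMPLE_PHISH = """From: "Citibank Online Security" <alerts@citi-verify.example>
To: customer@example.org
Subject: URGENT: your account will be closed in 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Please confirm your details at
<a href="http://203.0.113.7/citi/login.php">https://www.citibank.com/secure</a>
within 24 hours or your account will be suspended.</p>
<object data="http://203.0.113.7/ctl.cab"></object></body></html>
--b1
Content-Type: application/zip; name="statement.pdf.zip"
Content-Disposition: attachment; filename="statement.pdf.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed benign sample: link text and target agree, no attachment.
SAMPLE_LEGIT = """From: colleague@example.org
To: customer@example.org
Subject: Agenda for Monday
Content-Type: text/html; charset="us-ascii"

<html><body><p>See <a href="https://intranet.example.org/agenda">https://intranet.example.org/agenda</a>.</p></body></html>
"""


def _host(url):
    """Lower-case hostname of a URL; a bare 'www.x' string is treated as http://www.x."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class _HtmlScan(HTMLParser):
    """Collect anchors as (href, visible text) and note active-content tags."""

    def __init__(self):
        super().__init__()
        self.links, self.active, self._href, self._buf = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.active.append(tag)
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def triage(raw):
    """Return the sorted list of phishing indicators found in one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = set()
    if URGENCY.search(msg.get("Subject", "")):
        hits.add("urgent-subject")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        scan = _HtmlScan()
        scan.feed(body.get_content())
        for href, text in scan.links:
            target = _host(href)
            if _is_ip(target):
                hits.add("ip-literal-link")
            # Only compare when the visible text itself looks like a URL or hostname.
            shown = _host(text) if re.match(r"(https?://|www\.)", text, re.I) else ""
            if shown and shown != target:
                hits.add("link-text-mismatch")
        if scan.active:
            hits.add("active-html-content")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        exts = re.findall(r"\.[a-z0-9]+", name)
        if exts and exts[-1] in RISKY_EXT:
            hits.add("risky-attachment")
        if len(exts) >= 2:          # e.g. statement.pdf.zip
            hits.add("double-extension")
    return sorted(hits)


if __name__ == "__main__":
    print("phish:", triage(SAMPLE_PHISH))
    print("legit:", triage(SAMPLE_LEGIT))
```

The checks are deliberately content-based rather than reputation-based: a targeted message sent to a stolen customer list will come from a fresh domain that no blacklist has seen, but it still has to name the brand in the text while pointing the link somewhere else, which is what the link-text comparison catches. Treat the output as a reason to quarantine for a human look, not as a verdict; a legitimate newsletter that uses a tracking redirector will also trip the mismatch rule.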
Of course, email protection and some behaviour change
in the lucky top tier of Internet users will protect them against
such malfeasance and they can carry out their daily work confident
that they know better. Many of them will be right, but only if they
use even more software to protect themselves. Unfortunately, as
efforts against malicious emails escalate, personal and business
communications will suffer. Increased roadblocks to all types of
email traffic will mean more lost and bounced emails. Be prepared
to confirm receipt of your emails and keep a copy of everything,
in case you need to re-send them. Adopting the use of personal certificates
and email encryption for sensitive content will be critical, especially
for business environments. Enablers of simple systems that bring
this functionality to home users have a massive opportunity to unlock
profits and add much needed value in this space.
INFECTION: IT’S NO LONGER A MATTER
OF ‘IF’ BUT OF ‘HOW SOON’
I have written at length in the past about Survival
Time and what it really means: essentially, according to one of
the most trusted names in the business (SANS), a new computer running
Windows XP has about 16 minutes before becoming infected once connected
to the Internet. That’s without user intervention, email functionality
and typical newbie mistakes. Assuming all you do is buy a new computer
and hook it up to the Internet, beginning the hour-long (!) process
of updating security patches, within 20 minutes, you'll be patching
a system that has already been compromised.
But wait, there's more! A very recent study conducted
by USA Today and AvantGarde examined the survival time of systems
(also without user intervention). To make a long story short, the
Mac and Linux systems were fine – as long as users didn’t
touch them anyway. The Windows XP machine using well … no
protection … was compromised in the first 4 minutes of the
two-week study. A machine with Windows Small Business Server took
8 hours to turn to the dark side. Once that happened, the infected
PCs became a part of a bot-net, an army of zombie computers remotely
controlled without their users' knowledge. Interestingly, two other
XP machines remained clean. One had Windows' latest update, Service
Pack 2, installed and the other just ran the popular ZoneAlarm firewall.
So as you're cracking open the box containing that
spiffy new computer this holiday season, if it doesn't come with
SP2 installed, you'd better have all of Microsoft's security patches
on a ready-to-install CD, and turn on a firewall before the network
cable goes in: that alone kept the two other XP machines in the study
clean. Four minutes are barely going to be enough to type
"www.windowsupdate.com", let alone download and install those fixes.
Keep in mind that those systems got infected without
the help of any user. Not by email, just by open ports that allow
Windows to communicate with the outside world. It’s all very
fascinating but so what? Well, once infected, the computer - much
like the Borg of Star Trek - takes its place in the ranks of an
army of tens of thousands of others, ready to take orders from an
anonymous general.
What motivates these guys to keep doing what they’re
doing? Two things: the addictive feeling of power that comes from
controlling tens of thousands of other people’s computers
and well... money. Yup, they get paid for directing their attacks
at various targets of extortion such as gambling, casino and e-commerce
sites. With a simple command they can open a floodgate and overwhelm
a target system until it decides to transfer thousands of dollars
into an account of their choice. The cost of non-compliance is simple:
loss of sales and the risk of non-returning clients. But hey, this
is the new millennium so look at the bright side! They get to keep
their kneecaps. When not participating in a denial-of-service attack,
zombie computers are simply used to route spam without the knowledge
of their owners.
FOCUS OF FRAUD MOVING FROM CONSUMERS TO
CORPORATIONS
So what can you expect from 2005 other than poor
email service due to spam, viruses and phishing? You can expect
these crimes to become more sophisticated. Tools developed to detect
phishing attacks today will fail tomorrow because the market for
the simple, elephant gun approach of today will be dry by next summer.
Replacing them will be more credible, targeted attacks using stolen
client and email distribution lists. More corporate identity theft
will take place and phishing will move to the enterprise. And why
not? We hear that’s where the money is. Confuse any one of
hundreds of employees and you may hit pay dirt with a bank account
number. Get enough financial information to sound credible when
opening a merchant account in the company’s name and you’ll
have yourself a legitimate e-commerce operation. Put as many stolen
credit cards through that system, take the money and move on to
the next company. Automate the process, pipeline it, Henry Ford
would be proud!
To do our part in protecting against the growing
threat of phishing in businesses, we're offering a free, ready-to-use
Anti-Phishing Security Policy (get it from www.InformationSecurityCanada.com's
Security White Papers Library). Why not some fancy tool like the
gazillions of anti-spam services now available? Because phishing
is a social engineering attack. That means people’s trust
is exploited. New, targeted phishing attacks will soon look just
like regular, business-like emails – and most anti-spam tools
won’t take the chance that a false positive will deprive you
of legitimate mail. Keep in mind that the bad guys are testing their
email content before sending it, so their messages will probably
have a better chance of penetrating spam defenses than this article
does.
OKAY, WE’RE READY FOR THE GOOD NEWS!
The good news is that the marketplace is evolving
and more importantly, that it is maturing. Security threats are
becoming topics of regular conversation. Things like spyware, online
fraud and identity theft will be commonplace in the coming year.
The good thing is that most people will be aware of them and will
have just enough knowledge to do something about them. Cyber-terror
and critical infrastructure protection will continue to be a growing
source of concern, but more attention is being paid to securing
those resources and the new year will see a lot of progress being
made in that direction.
Phishing will turn into an art form, sometimes passing
the common sense test, sometimes not. Extortionists will soon succumb
to greed and a shrinking marketplace, attacking one another in an
effort to ‘protect’ their clients and losing their anonymity
in the process. Once that happens, they will be arrested and others
will temporarily take their place. More public prosecutions will
help to raise awareness and drive criminals deeper underground.
They will conduct a few more attacks using a shrinking base of unpatched
computers, but they will also take their racketeering to another
level, merging the personal touch of a social engineering attack,
with the profit potential of a good old telephone threat.
Internet service providers will soon play a large
role in policing the Internet by cutting off access to computers
that have evidently been compromised or those used for sending spam.
They will also (be forced to) develop new ways to curtail emerging
security threats to Internet telephony and VoIP. Unfortunately,
many service providers will also succumb to the demands of organizations
that seek to identify and prosecute users of peer-to-peer systems.
This means that the privacy of our online activities will be negatively
affected and we can look forward to another positive wave of end-user
awareness, this time about anonymity. Existing software for anonymous
surfing, encrypted email and instant messaging will explode in popularity
as users fight to preserve their online privacy.
The lowly password will finally start to be phased
out from important transactions and will make way for new, strong
authentication mechanisms that will uniquely identify legitimate
users and deny all others. The challenge will be to make all this
new, good stuff actually usable by the masses, but that’s
something few people have any doubt about. The marketplace has a
way of throwing competition at a problem until issues of price,
complexity and scarcity eventually go away.
So that’s the good news. The next twelve months
will see more sophisticated attacks, but these will be met by educated
users, advanced technology and involved Internet gatekeepers. And
it’s about time!
Informatica
Wishes you
Happy Holidays
and a Safe New Year!
Claudiu Popa is the founder and president of Informatica
Corporation, a Toronto-based security consultancy dedicated to changing
the status quo and promoting best practices for information and
business protection. He can be reached at Claudiu@InformaticaSecurity.com
or by visiting www.InformationSecurityCanada.com