It was reported in "The Australian" on 6 May 2005 that:
"The Australian Federal Police and the banking industry believe online banking fraud is the world's fastest-growing crime." The main culprits behind this exponential growth are spyware and phishing, which increased at a rate of 366% last year.
In the early days of Internet crime it used to be hackers seeking notoriety by showing they could access business and government computer networks, particularly highly secure sites like NASA or the Tax Office. Then annoying viruses appeared and continue to plague us today, with some being so efficient that they are capable of infecting millions of computers in a matter of days. Today, Internet crime is much more complex, being driven mainly by organised crime intent on financial gain.
“More and more of those combing Microsoft software for security loopholes (or vulnerabilities, in the lingo) are motivated by profit rather than notoriety–” - The Bulletin, 'Thieves in the Byte', 20/04/2005
"We've seen an explosion of criminal enterprise moving onto the Net in the last 18 months or so, it's no longer just for kicks. It is for making money." - David Aucsmith, Microsoft CTO - iTnews.com.au, 28/04/2005
Today, criminals are behind many of the scams we hear about. These criminals are sophisticated computer experts who see the Internet as a ready means of extorting money from organisations and individuals, without the risk or violence associated with traditional crime. And more and more they are devising increasingly innovative techniques as a means of committing their crimes. No longer is it just viruses, spyware, trojans and phishing. Today’s cyber-criminals are already working on technology to use in the next wave of attacks they launch.
Spyware and Phishing
Spyware and phishing are the two major risks for computer users in 2005. These are relatively recent phenomena and most people are totally unaware of their existence or the threat they represent. Many people think that because they have been OK 'til now, they will be OK in the future. Unfortunately, as technology continues to move on, we are exposed, not only to new and wonderful opportunities, but also the consequences.
Spyware is computer software that collects information from your computer which is then sent to the company or person responsible for the spyware. Increasingly, spyware has a sinister motive behind it - to steal your personal details or other sensitive information, such as your credit card or online bank account details in order to defraud you.
Similarly, the aim of phishing is to steal your personal details - most often your online bank account details - and to then transfer funds from your account to the hackers without trace.
What is Spyware?
Spyware is computer software that has been loaded on to your computer without your informed consent. This software then collects information from your computer, for example Internet websites visited or personal information, which is then sent to the company or person responsible for the spyware.
Spyware is very difficult to detect (you often won't know about it until after an incident has occurred) and extremely challenging to remove. Because it is quite different to viruses, having an antivirus program running on your computer is of no use in dealing with spyware. In addition, anti-spyware software is quite immature and is nowhere near as effective as antivirus software. The best available anti-spyware software will only detect and eliminate 60% of known spyware.
Some spyware is relatively innocuous - e.g. the collection of details of the web sites you have visited to pass back to marketing companies (although even this is an invasion of privacy). However, at the other end of the spectrum organised criminals are driving the fraudulent activities related to identity theft, credit card and online bank scams. Once they have captured your personal financial details, funds can be transferred within seconds, and once this happens, your money is gone!
Aside from the theft of sensitive personal information, spyware can also cause your computer to become over-loaded, slow down or even crash. Dell Computers reports that over 12% of its hardware support calls are as a result of spyware - and nothing to do with their hardware. For Microsoft, the situation is far worse - with over 50% of all their support calls resulting from spyware.
How do I become infected?
If you use your computer on the Internet it will become infected with spyware - it is unavoidable. Simply by visiting certain websites that appear to be legitimate businesses, you can become infected with spyware. There are thousands of websites, including some associated with reputable companies, that will attempt to infect your computer.
Downloading software from the Internet can also result in spyware being loaded onto your computer. A lot of the free software available on the Internet comes with a spyware payload that gets installed on your computer along with the software you want.
A sure way of increasing the amount of spyware you pick up is to allow your kids to use your computer to download games, music, videos and other files from the Internet. Without their knowledge, spyware will be loaded on to your computer.
What is Phishing?
Phishing is quite different to spyware. It is a form of social engineering used by Internet criminals to defraud you. Phishing is a category of spam email that deceives the receiving person into thinking that it is a genuine email from a financial institution that they have a relationship with, e.g. your bank. The email usually requests the reader to click on a link to visit a website so that personal details can be confirmed. The email and the website are bogus and the moment account details are provided, they are sent to the hacker and funds are transferred out of the account and often lost without trace.
How does it work?
Unfortunately, it’s all too easy. And it’s not just stupid people who get caught.
If you receive a phishing email from a company that you have never heard of, or that you do not deal with, then you probably know it’s bogus. But what if you bank with the ANZ and you receive an email that looks like a genuine email from ANZ? How do you know? Do you take a second look? Do you at least check to see where the link in the email takes you? Many do. Just such a phishing attack on the ANZ was reported in “The Age” on 17 May 2005!
In May 2005, the BBC reported that:
“One in 20 UK internet users say they have lost money through online scams, research into spam emails suggests. Almost half say they have received so-called phishing emails aimed at tricking them into revealing details like online banking passwords.”
A real life example of Phishing
A solicitor, who banks with a big 4 Australian bank, received an email of which he was a little suspicious. However, he was curious to see where the link took him and so he clicked on it. Once he saw the website, he was convinced that it was not legitimate and promptly exited from the website - thinking nothing more of it.
Unknown to the solicitor, just by visiting the bogus website, software had been installed onto his computer. This software was designed to monitor his Internet activity and detect when he logged on to his bank website. It then triggered a key-logger that captured his keystrokes as he entered his account number and password/pin. This information was then promptly sent to the hacker who immediately withdrew up to the maximum daily limit - actually $14,990.
In this instance, the bank reimbursed him for his loss, and he was thankful that he had not logged on to his online trust account where he could have lost up to $50,000.
Are banks responsible for customers being defrauded when using online banking over the Internet? A bank could quite reasonably argue that it is the user’s responsibility to ensure they only respond to genuine emails and do not visit bogus websites. A counter argument is that banks do not provide adequate advice to their customers about what they need to put in place in order to operate securely on the Internet.
How do I protect myself?
As an absolute minimum, each computer user needs to use a combination of anti-spyware (at least two programs), anti-virus, a personal software firewall with outgoing program control and spam filtering. And this needs to be run, managed and monitored on a daily basis with definitions updated daily.
Conclusion
There is increasing scope for cyber-criminals to make large sums of money from computer crime and, as we know, there is no better motivation for crime than money. Consequently, computer security problems will increasingly involve ever more sophisticated and innovative techniques. Today, that means spyware and phishing.
Unfortunately, most people continue to use their computers in blissful ignorance of these real and increasing dangers until they are hit, and even those that know about them will struggle to combat them.
Small businesses suffer Internet crime three times more, proportionately, than larger businesses - because they do not have an in-house IT department to routinely look after these issues.
If you use your computer for business and for online banking and payments, or have valuable or sensitive information that must be protected, you MUST implement a comprehensive security regime to protect yourself. Without it, you leave yourself exposed and vulnerable whilst operating on the Internet. To the criminal element, it is like placing a sign outside your house with: “Please enter. Take what you want”.