WASHINGTON (TheStreet) -- Hackers have loaded email, social networking and Web surfing with potential danger, but equal measures of doom aren't lurking behind every click.
Hackers who gain access to data on Bank of America and Central Intelligence Agency sites get the headlines, but the ones bothering Internet users engaging in more benign tasks are the ones wreaking more widespread havoc and driving the online security industry. A survey conducted earlier this month by security firm Symantec suggests at least part of the problem stems from the users themselves.
A solid 97% of respondents told Symantec they were either somewhat or extremely knowledgeable about online security. Of that, 80% even said they knew to look for the padlock icon indicating Secure Sockets Layer encryption while visiting e-commerce sites. That's only helpful if online shoppers heed the precaution, though, which only 55% of those padlock seekers say they do by aborting unsafe transactions. Another 81% know to look for secure HTTPS Internet connections, but only 56% are scared off when they don't see one or don't at least see an address matching the domain.
Part of the problem is that users face attacks on so many fronts that some security measures either get lost in the shuffle or are forgotten out of convenience. We spoke with experts from security software companies
and Houston-based online security firm
and came up with a ranking system for some of the most common hacker-related issues. Some of these threats aren't so bad, but there's plenty of reason for users to beware:
Hackers still think you need Viagra and, no, they don't care if you're a girl.
The amount of spam in circulation still dwarfs the number of legitimate email messages. Martin Lee, senior software engineer for Symantec's cloud-based service, says 77.8% of all email is spam and two-thirds of that promotes pharmaceutical products. A report in The New York Times in May on how to fight spam said
results in only $100 worth of Viagra sales for spammers.
Adam Wosotosky, anti-spam technology lead for McAfee Labs, says drug spam alone used to be 75% to 80% of all email sent before governments began cracking down on it. Emails pitching Viagra, Cialis and other drugs were basically seen as an inbox nuisance and spam folder filler that was easily disposed of. To Lee, that disguised a greater danger.
The problem with spam-advertised pharmaceuticals, Lee says, is that the buyer cannot be sure about what he is buying. At best, they are counterfeit medication of varying dosage or colored tablets that are just placebos. At worst, they're contaminated with something potentially dangerous.
"In terms of the numbers of malicious emails sent, pharmaceutical spam is far ahead of other threats. Additionally, no other email threat can cause physical harm to human health," Symantec's Lee says. "Therefore I'd class this as the biggest email threat."
Even if the user never purchases a single pill, drug spam can still do some serious damage. Crackdowns on actual drug sales have led to drug spam with links laden with malware or leading to unintended drive-by downloads of executable files and other nasty little surprises. (Others disagree. The F-Secure Security Labs site and several researchers for a
said recently that products bought through spam actually arrived; credit card accounts used to buy weren't applied fraudulently; and in "the most surprising outcome from this test,"
, "we didn't see more spam to the email addresses we used to order the goods.")
"Most of this spam is designed to trick the user into clicking on a link or going to a website that will infect their computer," says Michael Gregg, chief operating officer of Superior Solutions. "It's as important as ever to remind users not to click on unknown or suspicious links, even if they appear to be from someone they trust at a social networking site."
Also known as a 419 scam or the Nigerian scam, the advance-fee online flimflam promising untold riches for a little upfront cash is one of the most prevalent in the Western world. In the United States alone, McAfee's Wosotosky says, 39% of spam consists of this kind of scam.
"The United States has a much higher level of 419 scams than other countries, with the exception of France and the United Kingdom," Wosotosky says. "Most of the servers that are associated with Hotmail or Gmail are going to be in the more industrialized countries and more likely to send one of those scams."
The London Metropolitan police say scam victims' individual monetary losses can range from the low thousands into multimillions. Hard figures are tough to come by as many victims, feeling humiliated, do not report the crime. Others, having lost so much themselves, become "part of the gang" recruiting more victims from their own country. Some victims, unable to cope with the losses, commit suicide. If victims are somehow lured overseas by scammers, they're often held for ransom and killed in cases in which ransom money doesn't come through.
"Unfortunately the financial reward doesn't exist," Symantec's Lee says. "The only question is how much the victim will pay in fees to the scammer before the victim realizes they've been scammed or can pay no more."
One of the biggest reasons hackers have become so prolific recently is that it's just not that difficult to do simple hacking anymore.
"Identity theft and financial crime has become big business; this becomes all the more apparent when you look at the rise of crimeware over the last several years," Superior Solutions' Gregg says. "These DIY kits contain everything you need to start hacking."
Kits sell for thousands of dollars depending on their function. Once bought, the kit comes with an installation key similar to that of an operating system and can be transmitted through spam emails, weaknesses in Web applications or through file-sharing networks. Common components include key loggers that capture password data and account numbers, form grabbers that can steal a whole slate of information in one stroke and remote access to applications and networks.
Moderate but growing
Why phish for users' personal information with the equivalent of a curtain rod and string when you can get a sonar-equipped trawler and drag the waters?
Of all malicious email sent in the U.S. last year, 10% were phishing scams, McAfee's Wosotosky says. Once basic ploys to trick users out of their passwords, credit card information and other personal items by sending an email presumably from
or PayPal, phishing has developed into a tactic so sophisticated that Symantec says nearly 16% of all users have been phished.
"Phishing has evolved. Online criminals are much better at crafting fake emails and enticements to lure in victims," says Gregg, of Superior Solutions. "There is also the fact that many large databases have been exposed over the last year or so which help identify what services the victims use."
Breaches at Sony's PlayStation Network and other interactive services contributed to the personal information pot, but big breaches such as an April security slip-up at Alliance Data Systems' marketing firm Epsilon have left millions of consumers exposed. Epsilon holds onto customer email information for 2,500 corporate partners, including such financial institutions as
, retailers and services including
and hotel chains Hilton and
Those addresses are phishing gold and give scammers the legitimate front they need to be effective. The worst part of their loss, however, is that users may forget about the breach by the time ensuing scams go into effect. Wosotosky says it often takes weeks or months for hackers to go through the information they've pilfered and either figure out how to use it themselves or what it's worth to a potential buyer.
It doesn't even take a high-profile breach to come away with a full box of phishing tackle. Wosotosky says universities and low-level government institutions such as teachers' organizations have become prime targets for hackers seeking a domain that's easy to access, navigate and use on unsuspecting targets who may pass on eBay- or PayPal-clone emails.
"You see a lot of targeted phishing associated with academic institutions," Wosotosky says. "You get kids who go off to college and all of a sudden start to get emails that are specifically crafted to their college and trying to get them to click things or answer questions specific to their college."
Moderate but growing
Your computer has not contracted a virus that only a popup ad and $39.99 can fix. That antivirus software the ad's trying to sell you? Yes, that's probably a nasty bit of spyware.
"Scareware" has been bullying users into ill-advised downloads and security software stripping for years and has caused major headaches for
by either plaguing their products or stowing away on their servers. Once just the bane of a PC user's existence, scareware is taking a more populist approach to pestering users.
"Scareware is designed to frighten you into buying fake or malicious software," Gregg says. "It's been growing for a few years and now you see that it has spread to the Mac."
Anyone who's ever clicked on a "Funny Video You Just Won't Believe" post on their friend's Facebook page and ended up "recommending" that same go-nowhere link has been clickjacked. Sometimes it tricks a user into doing something as innocent as following a Twitter feed, but Gregg says there's always the possibility of a more sinister use of this simple trick.
"This online threat is increasing and works by hiding the true purpose of a link or button," Gregg says. "If the hacker can trick you into clicking on an innocent-looking link, the victim actually executes something completely different and malicious."
Social networking malware
"Social networks are where the people are," Gregg says. "That naturally draws attackers."
That was evidenced by the
, which led Facebook and Twitter users to click on links for a totally sweet movie of them or the famous face of the day and gave their hardware a nice little worm that took their login information. McAfee's Wosotosky says much of the risk is related to trust and the scale of a user's network, as a large number of friends means more potential phishing victims-turned-attackers. Even users who keep a small inner circle can be had, however, as social network functionality and its accompanying vulnerability increase.
"More than one study has shown that people are much more likely to click on a link at a social networking site than in email," Gregg says. "Cyber criminals have a range of techniques to use, including fake surveys, bogus applications and poisoned links."
Banking sites in themselves are absolute fortresses. The screens displaying them are somewhat less so.
"Most online banking sites have implemented strong controls," Gregg says. "That's why the hackers target the banking user with key loggers, TAN grabbers, HTML injection or form grabbers."
Basically, if a user reserves his or her highest levels of caution for avoiding phishing scams and malicious email that leave their bank password and form information exposed, online banking won't be a problem. If hackers are somehow able to get a Trojan horse onto a user's computer, that malware can steal passwords and other Web sites when the user logs in.
Symantec's Lee says that same malware can wait until the users log in to their banking websites and then issue money transfer commands on behalf of an organized crime syndicate. One such crew in the Ukraine was rounded up in October after successfully taking $70 million from victims' accounts.
Internet porn has come a long way from its anything-goes infancy. Porn site owners, meanwhile, found out long ago that trust and discretion are key to keeping a happy, contented clientele.
"There are certain porn sites which are more trustworthy than other porn sites," McAfee's Wosotosky says. "For the most part, it is not going to be in a porn site's best interest to push malware onto your machine, but lots of drive-by downloads come from Web pages that hackers set up for themselves."
It's largely up to a porn consumer to be discriminating about their sources. If users want 100% security, it's best to go with the biggest, best-known names in the industry while viewing the content on the most-obscure operating systems possible.
"There are porn sites with good reputations that would be less prone to problems like that," Wosotosky says. "People should have a Linux machine to do all their porn browsing from so it takes that risk off the table. And maybe your wife doesn't use Linux, so you can browse in safety."
-- Written by Jason Notte in Boston.
Jason Notte is a reporter for TheStreet. His writing has appeared in The New York Times, The Huffington Post, Esquire.com, Time Out New York, the Boston Herald, the Boston Phoenix, the Metro newspaper and the Colorado Springs Independent. He previously served as the political and global affairs editor for Metro U.S., layout editor for Boston Now, assistant news editor for the Herald News of West Paterson, N.J., editor of Go Out! Magazine in Hoboken, N.J., and copy editor and lifestyle editor at the Jersey Journal in Jersey City, N.J.