Wednesday, May 7, 2008
All it takes for a computer to become infected is to visit a hacked Web site.
San Francisco Chronicle
Criminal attacks against major Web sites have grown so common that Internet users have no reliable way to know which sites are safe to visit, no matter how well known those destinations are, security experts say.
News of the latest attack comes from Finjan, an Israeli security firm, which is reporting that last month it found a large cache of information — including confidential medical records, financial records and business e-mails — sitting unprotected on a computer network server in Malaysia.
The data came from more than 40 major financial companies around the world, including the United States, and was stolen from computers belonging to doctors and home users conducting online banking and, in some cases, from machines inside corporate networks that the hackers managed to penetrate and infect. Finjan has notified the companies, which it declined to identify, as well as law enforcement agencies in several countries.
Included in the stolen information were medical diagnoses and insurance details, Social Security numbers, the recorded keyboard strokes of online shopping sessions and e-mails from businesses discussing an impending court case.
The largest banks “were not surprised we found this data,” said Yuval Ben-Itzhak, Finjan’s chief technology officer. “The second-tier banks were surprised and thanked us very much. Other businesses were also very appreciative — overall, we had a very positive response.”
At any moment, thousands of sites are sitting on the Web hosting malicious software code designed to try to steal information, said Mary Landesman, a researcher at ScanSafe, a Web security provider in San Mateo, Calif.
The numbers are staggering — in April, Yahoo Inc. detected 7.8 billion links served up by search engines that led to compromised sites. In statistics collected by hackers, who were tracking an attack of their own that was discovered last year by Finjan, 500,000 computers had been infected.
Many of these attacks are invisible to computer users — there are no clues in the appearance of a Web site that you are being redirected to a compromised site.
If your computer is vulnerable, all it takes to get infected is to visit a hacked site. Most likely, you will unwittingly download a Trojan, a piece of software disguised as a valid program but that really performs another action, such as shipping out your personal information to a server that could be halfway around the world.
“We have our hands full on a daily basis tracking this stuff,” said Paul Ferguson, a researcher for Trend Micro, a Web security vendor in Cupertino, Calif. “Professional criminals and organized crime have ongoing, sustained campaigns to rob consumers blind.”
The attacks come in waves, Landesman said. In September, media and entertainment sites were attacked; in November, it was sports sites; and in January, she said, it was the “general purpose mainstream sites, the brick and mortar of the Internet.”
Some of the sites are well known — during the past few months they’ve included MySpace, USA Today, MSNBC and several more of the Web’s top sites.
The goal is to steal and sell personal information to conduct identity theft and sometimes extortion.