Scammers are getting more clever. But software companies and policymakers are becoming smarter too.
Cybercriminals versus the good guys
Approximately two hours after the 11 March earthquake hit northeast Japan, Chris Barton, a UK-based research scientist for security software supplier McAfee Labs, spotted a suspicious website seeking donations to help disaster victims. “For a scam site to appear in just two hours – indexed and with content – is pretty damn quick in my experience,” Barton wrote in a blog post that tragic day.
Noting that hundreds of disaster-related domain names had already been registered, Barton warned readers to be wary of tweets and websites purporting to offer eyewitness accounts of the quake. They could be scams, he said, designed to install malware on visitors’ computers.
Cybercriminals are always thinking up invidious new ways to attack. For example, FedEx warns of emails that appear to come from a random fedex.com address and contain a reference to a FedEx tracking, invoice or item number. Since these emails have an attachment – a zip file with FEDEXInvoice as the likely subject – that may contain a virus, FedEx urges recipients not to open it and to delete the email immediately. “Criminals may even try to scare a person into clicking on a link with fake warnings that a computer has a virus,” says Jacqueline Beauchere, Microsoft’s director of privacy and online safety communications in its Trustworthy Computing Group.
Social networks make it easy to spread malicious software. “Sites such as Facebook are designed for people to share links, photos, video and ideas very rapidly,” says Sean Sullivan, security advisor at Helsinki-based software company F-Secure. The same viral process can spread links that could result in identity theft or financial fraud.
A European Commission Eurostat report published in 2010 stated that 22 per cent of Internet users in the European Union had encountered malware infections within the previous 12 months. Richard Clayton, a security researcher in the Computer Laboratory at the University of Cambridge, estimates that at any one time around five per cent of computers in Europe are infected by some kind of malware. And the International Telecommunications Union, in a 2008 report, said that malicious software activities accounted for global economic losses in excess of $10 billion a year.
The crime rate is high because the associated risks are low. “Cybercrime remains highly unpunished,” says Eric Domage, program manager, security products and services at market intelligence firm IDC.
The European Commission has made “trust and security” one of the seven pillars of its Digital Agenda for 2020, launched last year. Initiatives include the modernisation of the European Network and Information Security Agency, pan-European cyber-exercises and a proposed directive to penalise the production, sale, procurement, import and distribution of cybercrime software.
Viviane Reding, vice-president of the European Commission, plans to introduce legislation to tighten the EU’s data protection rules, giving individuals more control over their personal data.
To help combat cybercrime Microsoft and other IT companies are trying to make online services and software more secure. Microsoft is working on tools to enable individuals to control how their digital files, photographs and other personal data can be used by other people.
“Right now access to data is a ‘yes’ or ‘no’ thing,” says Dan Reed, corporate vice president for technology strategy at Microsoft. “But we are looking to enable people to ensure that their information is only used for a predefined purpose and will expire after a certain period of time.” Reed says building such tools is difficult, partly because they need to take into account the fact that online relationships can’t always be neatly categorised.
Given that the industry has successfully eliminated many of the technical flaws that cybercriminals used to spread malware in the past, it is easier for criminals to trick people than to find technical holes in the security. Perhaps the biggest challenge is how to give individuals the information and tools they need to protect themselves without disruptive security alerts, like those that ask people if they trust a website before they can download a file, says Ellen Cram Kowalczyk, head of the Trustworthy Computing Usable Security team at Microsoft.
Although cybercriminals are using increasingly sophisticated spoofing techniques to persuade people to open malware links, Kowalczyk says Microsoft’s security software is also getting smarter. For instance, the SmartScreen filter is a feature in Internet Explorer that helps detect phishing websites. It operates in the background as you browse the web, analysing web pages and determining if they have any characteristics that might be suspicious. Even so, the best scam-prevention software may be in your head: stay vigilant – and be wary of things that seem too good to be true.
This article was originally published in Futures Magazine.