Hacking is a multibillion-dollar business. Gone are the days of teenagers sitting in their parents' basements trying to hack into a company's computer system just to prove a point. Today, hacking is an organized crime enterprise -- and it is bigger than ever.
The number of online hack attacks against banking organizations soared 81 percent in the first half of this year, according to U.S. security services provider SecureWorks. At the World Economic Forum in Davos earlier this year, Vint Cerf, one of the codevelopers of the TCP/IP standard that underlies all Internet traffic, said up to a quarter of computers on the Internet might currently be used by cyber criminals in so-called botnets. Botnets are made up of large numbers of computers that malicious hackers have brought under their control after infecting them with Trojan virus programs. While most owners are oblivious to the infection, the networks of tens of thousands of computers are used to launch spam E-mail campaigns, denial-of-service attacks or online fraud schemes.
Cerf, who now works for Google, likened the spread of botnets to a pandemic. Of the 600 million computers currently connected to the Internet, between 100 million and 150 million are already part of these botnets, he said.
The dramatic rise in the number of hack attacks is being driven by the increase in transactions now taking place online. "People are depending on the Internet for all sorts of services, and as usage increases so does negative fraud," explains Joe Stensland, SVP at Scivantage, a provider of Web-based front- and middle-office solutions for financial services.
And as the stakes rise, so does the sophistication level of attacks. Today's IT attacks are regional, targeted after specific people and companies, and entirely driven by profit, experts warn.
"Hackers are professional, motivated, have lots of cash and are doing it for the cash," says David Rand, CTO of security firm Trend Micro. "It's all about the money, and the money is huge." In today's underground economy, consumers' stolen account information is currently priced at $1,000 to $5,000, a credit card number with PIN is valued at $300, birth certificate information goes for $150, and a credit card number with security code and expiration date is currently valued at $7 to $25, according to Rand.
A large number of hackers are based in Eastern Europe. "It's a big source of blackhat hackers who are finding vulnerabilities," says Gartner analyst Peter Firstbrook. "But attacks are coming from all over. Malicious Web servers are evenly distributed across the world," he adds, noting that attacks also originate in Brazil, India, Thailand, Argentina and the United States.
An Elaborate Underworld
Criminals operate in an elaborate networked underworld of Web sites and chat rooms, where they tout their wares and avidly recruit new members. They sell each other stolen account numbers, tools for making credit cards, scanners to pick up card numbers and PINs from ATMs, and viruses and other malicious software, relates Karim Zerhouni, an analyst with BearingPoint. Recently, he says, criminals were offering on the Internet a Trojan virus for $600.
"They were even offering you one year of technical support for free with the Trojan," Zerhouni adds. "With that you can target specific financial institutions to get all the information you want."
Bulletin boards used by fraudsters are often "set up like eBay, with a reputation system," points out Louie Gasparini, chief technology officer for the consumer solutions business unit with security vendor RSA. "They'll say, 'Hi, I'm a good fraudster -- you can trust me.' Or, 'Buyer beware -- fraudster unverified,'" he explains. "Then you have sections talking about informants, where they'll say, 'Don't do business with John. He ripped me off.' There's also a whole training section -- Fraudster 101 -- which shows how to change billing addresses of credit cards, how to change PINs. They talk about new scams and new vulnerabilities."
Online criminals are also quick to tailor their scams to any newsworthy event. When Wells Fargo's computer system crashed in August, knocking out its Internet, telephone and ATM banking services for several hours, criminals immediately started discussing plans on bulletin boards to send out E-mails to the bank's clients acknowledging the computer problems and asking victims to log on to phony Wells Fargo sites to validate their user information, which could then be used to steal their account information.Melanie Rodier has worked as a print and broadcast journalist for over 10 years, covering business and finance, general news, and film trade news. Prior to joining Wall Street & Technology in April 2007, Melanie lived in Paris, where she worked for the International Herald ... View Full Bio