By TOM ZELLER Jr. Published in
Two weeks ago, Brazilian federal police descended on the northern city of Campina Grande and several surrounding states, and arrested 55 people at least 9 of them minors for seeding the computers of unwitting Brazilians with keyloggers that recorded their typing whenever they visited their banks online. The tiny programs then sent the stolen user names and passwords back to members of the gang.
The fraud ring
stole about $4.7 million from 200 different accounts at six banks since it
began operations last May, according to the Brazilian police. A similar ring,
broken up by Russian authorities earlier this month, used keylogging
software planted in e-mail messages and hidden in Web sites to draw over $1.1
million from personal bank accounts in
These criminals aim to infect the inner workings of computers in much the same way that mischief-making virus writers do. The twist here is that the keylogging programs exploit security flaws and monitor the path that carries data from the keyboard to other parts of the computer. This is a more invasive approach than phishing, which relies on deception rather than infection, tricking people into giving their information to a fake Web site.
The monitoring programs are often hidden inside ordinary software downloads, e-mail attachments or files shared over peer-to-peer networks. They can even be embedded in Web pages, taking advantage of browser features that allow programs to run automatically.
Trojans are very selective," said Cristine Hoepers, general manager of
According to data compiled by computer security companies in 2005, the use of "crimeware" like keyloggers to steal user names and passwords and ultimately cash has soared. The crimes often cross international borders, and they put Internet users everywhere at risk.
"It's the wave of the future," said Peter Cassidy, the secretary general of the Anti-Phishing Working Group, a consortium of industry and law enforcement partners that fights online fraud and identity theft. "All this stuff is becoming more and more automated and more and more opaque."
Mr. Cassidy's group found that the number of Web sites known to be hiding this kind of malicious code nearly doubled between November and December, rising to more than 1,900. The antivirus company Symantec has reported that half of the malicious software it tracks is designed not to damage computers but to gather personal data. Over the course of 2005, iDefense, a unit of Verisign that provides information on computer security to government and industry clients, counted over 6,000 different keylogger variants a 65 percent increase over 2004. About one-third of all malicious code tracked by the company now contains some keylogging component, according to Ken Dunham, the company's rapid-response director.
And the SANS Institute, a group that trains and certifies computer security professionals, estimated that at a single moment last fall, as many as 9.9 million machines in the United States were infected with keyloggers of one kind or another, putting as much as $24 billion in bank account assets and probably much more literally at the fingertips of fraudsters. John Bambenek, the SANS researcher who made the estimate, suggested that the infection rate was probably much higher.
In most cases, a keylogger or similar program, once installed, will simply wait for certain Web sites to be visited a banking site, for instance, or a credit card account online or for certain keywords to be entered "SSN," for example and then spring to life.
Keystrokes are saved to a file, Web forms are copied even snapshots of a user's screen can be silently recorded. The information is then sent back to a Web site or some waiting server where a thief, or a different piece of software, sifts through the data for useful nuggets.
The Federal Deposit Insurance Corporation, responding to the growing threat of cybercrime to the financial industry, stiffened its guidelines for Internet banking in October, effectively ordering banks to do more than ask for a simple user name and password. But it stopped short of requiring, for instance, the use of electronic devices that generate numeric passcodes every 60 seconds, which many experts say would help foil much online fraud, including the use of keyloggers.
Technology for grabbing text and screen images is not new or particularly sophisticated. Keyloggers are even sold commercially, as tools for keeping an eye on what children are doing online, or what a spouse might be doing in online chat rooms. And while most experts agree that data-swiping software is spreading rapidly, there are some who say the problem has been exaggerated.
concerned that we're scaring people off the Internet," said Alex Eckelberry, the president of Sun-Belt Software, a maker of antispyware software based in
"There's a lot of hyperbole out there," he said, adding that his company has identified only about 30 keyloggers over the last six months, most being variations on a piece of code known as Winldra.exe.
That code proudly bears the copyright signature of its creators, "Smash and Sars," who also happen to be the proprietors of a Russian site, RATSystems.org, which is well-known among traders at online swap meets like theftservices.com and carders.ws/forum that traffic in confidential personal data or the means to steal it.
"Smash is one of the revolutionaries," said one member of a trading site, who insisted on anonymity because the sites are often watched by law enforcement. "If you're entry-level and want a keylogger, that's who you're going to go to," he said, adding, "It's a simple, cheap way to make money."
In fact, keylogging's simplicity may be why it is suddenly so popular among thieves. "Phishing takes a lot of time and effort," said David Thomas, the chief of the computer intrusion division at the Federal Bureau of Investigation. "This type of software is a much more efficient way to get what they're after."
too, is often trivial. "These can be developed by a 12-year-old
hacker," said Eugene Kaspersky, a co-founder of Kaspersky Labs, an international computer security and
antivirus company based in
Being wary of unfamiliar Web links sent via e-mail is a first-line of defense, according to experts, as is avoiding questionable downloads and keeping up to date with Windows patches and antivirus updates.
It is worth
noting, however, that in a test of major antivirus programs conducted by Ms. Hoepers's group in
Bank of America says it does not need to cover the loss because Mr. Lopez was a business customer and because it is not the bank's fault that he did not practice good computer hygiene. Mr. Lopez claims he did, and that in any case, Bank of America should have done more to warn him of the risks of computer crime. That risk is one that Mr. Kaspersky believes is in danger of getting out of hand.
"I'm afraid that if the number of criminals grows with this same speed, the antivirus companies will not be able to create adequate protection," said Mr. Kaspersky, who added that the time has come for increased investment in law enforcement and far better cross-border cooperation among investigators, who are overwhelmed by the global nature of cybercrime.
"There are more criminals on the Internet street than policemen," he said.
TOM ZELLER Jr. Published in NY Times:
That's reason enough to keep up to date with operating system patches, invest in a solid antivirus program and use a basic firewall. But even with those measures in place, malicious code including a keylogger can sometimes find its way onto your computer.
"There are plenty of ways to get around all of those things," said Ken Dunham, director of the rapid response team at iDefense, a unit of VeriSign that focuses on computer security information.
Most major commercial antivirus software will seek out keylogging Trojan horses, as will most of the leading antispyware packages although they may not catch them all. Some products, like Spyware Doctor from PC Tools and SpySweeper from WebRoot Software, pay particular attention to keylogging Trojans and cost about $30.
Technologies, based in
"With keyloggers, you've literally got someone sitting over your shoulder watching everything that you do," said George Waller, the executive vice president of StrikeForce. "It's no wonder why they're so popular."
And for those who feel safe because they use a non- Microsoft browser? Be on guard.
"Internet Explorer used to be targeted most frequently, and a lot of people have been switching away from it," said Rob Murawski, an Internet security analyst with CERT. "But the attackers follow these trends, of course."