DUBAI // Organised gangs of criminal computer hackers are targeting wealthy individuals with tailor-made scams, IT security experts in Dubai said. Traditional "phishing" techniques, which send mass e-mails to thousands of people to trick them into revealing bank-account details and other sensitive information, are increasingly being replaced by "whaling" or "spear phishing", specifically aimed at wealthy people and business leaders.
Mike Smart of the software company Secure Computing said at a technology security conference yesterday that a few years ago most computer hackers wrote viruses "to be famous". Now they are well-organised crime syndicates motivated purely by financial gain. "We in the IT industry are chasing the same people that the bank industry is after when it comes to cloning ATM cards and stealing information about accounts," he said.
"The target is not the machine; it is the user. Most of the malware that is out there now is not about destroying data, it is about copying and stealing it as quietly as possible. With most of these programs, the user is often unaware that there is anything wrong." Mr Smart said the high-value individuals targeted by "spear phishing" scams were tricked into downloading malicious software by opening e-mail attachments that purported to be tax returns, legal subpoenas, or other business documents. Once installed, the software enables criminals to steal bank details, passwords, business plans, and trade secrets.
"Everything has a value," Mr Smart said. "For ordinary users, the only way to be safe is to think about what they are doing with their computers. If someone sends you an e-mail with an attachment, write back to them or phone to make sure that they really did send it to you. "Obviously you should have a firewall and antivirus software, but the criminals have access to those too, and when they write a new malicious program, they do not release it in to the wild until they have run it through every commercially available virus checker and are satisfied that none of them can detect it."
Advanced internet technology over the past few years, referred to by the technology industry as Web 2.0, has made it easier for hackers to sneak malicious software onto a computer by disguising it as video files or other data that required the computer to access "plug in" applications like Active-X or Java, Mr Smart said. "If you look at just the operating system, like Microsoft Windows, it is virtually impossible to hack if the user has kept fully up to date with the latest software patches, but with Web 2.0 there are many applications, like flash players, that allow you to watch video that most users never think of updating, and hackers exploit those vulnerabilities."
He said cyber-criminals tended to specialise in one of a number of fields, such as gathering data, writing software, or using the stolen data to clone cards, but some of the larger groups, including one known as the Russian Business Network, had people working in several areas at once. "They are hired and paid salaries, exactly like a legitimate company," Mr Smart said. The use of mobile computers, including so-called "smart phones" like the Apple iPhone, was likely to be a target for hackers in the future, he said.
"Because the technology is new, people have less experience hacking these devices than they do desktop computers, but people are writing legitimate applications for them, so there is no reason why the criminals should not be writing illegitimate programmes as well," he said. "People are using them to do banking and communicate, so there is valuable data there to steal." Costin Raiu, the chief security expert for the software firm Kaspersky Lab, said while smart phone technology was still new, it might be safer to use for online banking than traditional desktop computers.
"Many banks are still using simple authentication procedures, for example a single password, to protect their customers," he said. Criminals using key loggers, a form of malicious software that records what keys are pressed on a keyboard, "can easily gain access to this password, and even if you change it, if you are using the same computer they will be able to see what you change it to", he said.
"At the moment, we are not seeing many threats of that nature against smart phones, so although they are easier to lose or steal because they are so small and mobile, when it comes to online transactions, they may actually be safer at the moment because there are fewer criminals writing software that targets them." Yesterday's conference was organised by the market-research firm IDC. email@example.com