Storm Warning

What was once the stuff of an action-packed techno-thriller now appears constantly in the newspapers and on the nightly news, not to mention the worried postings of nervous IT bloggers.

While IT and security professionals dispute exactly what constitutes the most serious security threat, almost all sources agree that over the past two to three years, cybercriminals have become amazingly professional. Large-scale Internet fraud and infiltration are evolving into complex, global networks with multimillion-dollar payoffs.

"It's become a business now," said Kevin Simzer, senior vice president of Entrust Inc., Addison, Texas, which specializes in digital identities and information security. "It's about money now. That's just the reality."

Across the board, attacks are becoming more targeted, acutely honing in on individuals with specific and personal demographic information. Instead of just credit cards and bank account information, they're going for everything—any and all information that can be used to create an identity, experts say. From there, attackers will either use the data or sell it on the black market to someone who will.

"You're starting to see a broader base of attacks. We're really seeing broad-based fraud activities," said Vincent Weaser, senior director of development at Symantec Corp., Cupertino, Calif. "Their ability to turn [information] into cold, hard cash—they're after a lot more than simply your bank account."

Something's Phishy
It's no secret that the phishers' nets are getting bigger and more advanced. Continuing a trend of increasingly sophisticated phishing attacks, cybercriminals will continue to target their victims more precisely with personal and more authentic-looking information. "It's just continued to run totally unabated," Simzer said. "The consumer's data is totally exposed, and lo and behold, someone is accessing their account."

Masked as legitimate Web sites from Ebay, Amazon and others, phishing sites will typically ask individuals to submit financial or identifying information such as credit card, bank and Social Security numbers. Security professionals expect that phishers will increasingly target smaller, less-popular sites as the big companies beef up their security and users become savvy about avoiding large-scale scams.

These kinds of scams will be much easier for cyberpredators as phishing toolkits become more ubiquitous. Forty-two percent of phishing Web sites observed in the first half of the year originated from just three phishing toolkits, according to Symantec's Top 10 Internet Security Trends for 2007. And those resources will likely become much more accessible as the need grows, experts say.

As individuals become savvy to widespread attacks, phishers will target their victims more precisely with highly researched personal information in schemes known as spear phishing, luring victims into attacks by using precisely targeted and individual-specific information. There's also whaling—targeting high-level, and often new, executives for sensitive company information.

"All the attacks we've seen in the past aren't going to go away—they never do," said Richard Stiennon, chief marketing officer for Fortinet Inc., Sunnyvale, Calif. "We'll see an increase in the level of targeting. It's a pretty scary concept to think someone picks you out of the fold."

Plus, with the upcoming presidential election, security personnel expect to see more political phishes. Scams will likely come in the form of political organizations or campaigns asking for "donations."

"There's some social reconnaissance being done," said Peter Bybee, president and CEO of San Diego-based Network Vigilance. "We're definitely seeing more sophisticated, socially engineered attacks. At least they have a more authentic message for coaxing you into doing something."

Next: Mining For Data Mining For Data
The wealth of information stored on the Web often translates to wealth for attackers. Recent security breaches at Salesforce.com and Monster.com represent a continually growing trend in attacks of online applications, which can be a veritable gold mine of credit card information, Social Security numbers and other valuable identifying information. With hundreds of thousands of database servers accessible on the Internet, experts say that they expect to see attackers continue to use sites like these to distribute malware and acquire sensitive data.

On Web 2.0-style social networking sites, you might get more than just 64,000 new "friends." Attackers are increasingly using sites such as Facebook and MySpace to distribute malware. They're also mining data, looking for information that people share in order to "authenticate" their attacks, which could be installed with a simple click-on "comparison tool," or a favorites list. And Google's recently announced social networking capabilities will give attackers even more "new friends" to target.

"Applications security is really in its infancy," Bybee said. "There are way too many problems with applications that are too easily exploited."

External threats with keystroke-logging malware made up 88 percent of confidential information threats during the first half of the year, according to a 2007 Symantec semi-annual security threats report.

But more often, accidental or unintentional data loss comprises the most serious threat to security. In fact, theft or loss of a computer or other data-storage media comprised 46 percent of all data breaches that could lead to identity theft, the report said.

"When laptops get lost or stolen, suddenly desktop encryption becomes a big deal," said Bill Calderwood, president of The Root Group, Boulder, Colo.

Storm Warning Ahead
There is no rest in the wake of the Storm Worm.

Also known as Nuwar, the Storm Worm is the most versatile malware in history. Storm's authors released thousands of variants and code-changing techniques, creating the largest peer-to-peer botnet on record.

"It constantly moves," said Craig Schmugar, threat research manager at McAfee Avert Labs, Santa Clara, Calif. "The thing with Storm is that it radically changes its methods over time. In some regards, it's a trendsetter."

In its path, security researchers expect to see a number of PCs-turned-bots in the upcoming year. Bots, or computer programs that give cybercriminals complete control over computers, are installed surreptitiously on the machines, giving hackers almost unlimited control over the machines of their unsuspecting users.

Not Just A Game
Where there is money involved, there are those who try to scam it away from others.

Increased gold farming and in-game spam that con people into giving away financial information indicate a trend that more security threats will likely come in the virtual world for 2008. Security personnel say that threats to virtual economies are catching up to threats to real economies, in part because they are not as regulated as established businesses or financial institutions and subsequently don't provide the same kind of protections or failsafes.

"They have the ability to convert cyberactivities into cash," Weaser said. "That's what attracts them into those worlds."

According to the McAfee report, the number of password-stealing Trojans that targeted online games grew faster than the number of Trojans that targeted banks.

"Virtual economies are growing. There's money to be made here," Schmugar said. "And it's lower risk than targeting a bank."

"We're starting to see longer term, more patient and more damaging types of hacks," Calderwood added. "Will the commercial world keep pace with the hacker world? It's a tug-of-war."