The year has seen further expansion of social media use, with more and more businesses using them as a platform for better communication with and attraction of customers. Online shopping and financial transactions online are also increasing sharply in spite of the global crisis. Statistical info reveals that the amount of money spent for Christmas shopping online has risen nearly 14% since last year and almost 39% since 2008. All this makes it more worthwhile than ever for cybercriminals to invest time and resources in trying to divert some of the money spent online into their own pockets.
ESET Ireland’s research in 2011 showed that 1 in 4 Irish computer users has already had his or her computer crash or otherwise be damaged by viruses or malware. 1 in 5 has had their computer infected or data stolen. Fourteen percent were hacked or had their social media accounts hijacked. And nearly ten percent of the survey population had been cheated, had their credit cards or private info abused, or had their system used to unknowingly dispatch spam.
While advanced technologies are constantly being developed to combat malware, cybercriminals are busy finding ways to circumvent security software by aiming directly for the computer users themselves. The human factor has always been the weakest link in cyber-security, and making people’s curiosity work against them is always a favourite tactic of scammers.
2011 saw a great increase in fake links to stories or videos hitting social media such as Facebook or Twitter. Links purporting to offer some “shocking news” or “rare video” on a widely publicised topic (in 2011 some of the more resounding ones were the Japan earthquake, the Royal wedding, the killing of Bin Laden, the Oslo massacre and Amy Winehouse’s death) in reality led to malicious sites, often infecting users with malware, or to various survey scams that automatically spammed their online friends with more fake links. But due to people’s inquisitive nature, they kept clicking and clicking and spreading these links in spite of many warnings from all sides not to.
Search engine poisoning
A widespread variation of the above also came in the form of search engine poisoning. Because people tend to search online for hot topics (or news of hot celebrities), cybercriminals poison the search results by creating webpages that refer to any current hot topic, making them appear prominently in web searches using search index optimization techniques. When the users click on the search results, as described above, they may be taken to malicious websites, where they get infected or are prompted to “purchase” various items or subscriptions on fake shopping, online pharmacy or pornography sites.
Once infected with malware, many users’ computers were turned into so-called “zombies” in huge botnets: large networks made up of thousands upon thousands of infected computers, remotely controlled to do their controller’s bidding without the computer user having any clue that his computer is sending out spam emails, trying to hack websites, or distributing malware or illegal content (such as pirated software or child pornography) while he’s browsing the web or playing an online game. While several large botnet organisations have been successfully defeated this year, their scope surprised even many researchers and, as is the case with dangerous things such as icebergs, indicated that many more lie under the surface (including many smaller botnets that are intended to be less conspicuous but still profitable).
When users were reluctant to get themselves infected or spend money on dodgy sites, the cybercriminals got busy and just phoned them. “Hello, we’re calling you from We-Fix-Computers-Company and will remotely fix your computer of any viruses and other trouble for a modest fee of several hundred euros”, they said, with a sometimes more, sometimes less credible-sounding story and company name. And a surprisingly large number of trusting people allowed them access to their computer, to do pretty much whatever they wanted on it remotely, and handed over their credit card details to pay for the “fee”.
Our American colleagues put together some statistics:
- The median annualized cost of cybercrime incurred by companies with over 700 employees in 2011: $5.9 million per year.
- Increase in median annualized cybercrime cost from 2010 study: 56 percent.
- Number of personal records exposed in largest security breach of 2011: 77 million.
- The going rate per record for credit card details on the black market today: $1 to $20.
- My guess-timate of the total number of records containing confidential personal information exposed worldwide by security breaches/lapses in 2011: 120 million.
- Average per person amount lost to fraud in cases of identity fraud in 2010: $4,567.
- The average take from a bank robbery in the U.S. in 2011: $7,806.
- Number of felons shot and killed by law enforcement officers or private citizens during commission of a felony in 2010: 617.
- Total number of cyber-criminals shot and killed in the history of cybercrime: 0.*
- Number of Americans who learned that they were victims of identity fraud in 2010: 8.1 million (we await the 2011 number).
- Amount lost in U.S. to identity fraud in 2010: $37 billion.
- Cost to an organization per compromised record, as reported in 2011 study: $214.
What to do?
The first step towards staying safe is knowing about the dangers. Do not count on software alone to protect you, but stay informed about the threats and scams out there so that you are better able to avoid them. But most of all, as we keep repeating: Think before you click.