Not that the cops aren't looking. Zeus suffered a major hit when the U.S. charged 70 people with involvement in the cybercrime ring in September 2010. Its response was to merge with SpyEye, another botnet maker. The point, as with any other merger, is to improve efficiency and profits. The combined Zeus-SpyEye, for example, is making an even more damaging bot called "browser in the middle" that allows thieves to manipulate the data that a user sends to a bank. The bank may see six authorizations for payment when the user thinks she's sending one. When the bank acknowledges the six authorizations, the browser intercepts and shows the user only one.
Hackers have discovered that small and medium-size businesses (SMBs) are far more vulnerable than major corporations. SMBs can't afford the kinds of costly defenses the big guys can erect if they choose. The stakes are higher too. If someone hacks your personal bank account, you'll be made whole. But courts in many states have ruled that if someone hacks a business account and the bank followed standard security protocols, the business is on the hook for the money.
Hackers haven't forgotten about you either. While the Web has encouraged sharing via Facebook and LinkedIn, those networks have become portholes to problems. Friend the wrong person and go to that unknown friend's recommended website, and you are asking for trouble, buddy. A Facebook bug called Koobface that takes over your account is infecting a million accounts daily, says IronKey's Jevans. As for LinkedIn, he says, "I can make a very authentic-looking LinkedIn invite."
Hackers are also using the data gamed from social-network sites to build credible individual identities with which they can infiltrate corporations and websites. Even if you don't have a Facebook account, someone could create one for you, as happened to the head of Interpol.
The good guys aren't standing still, of course. The focus now is to disconnect a person's e-mail and browser from the rest of the network with a variety of security layers. Companies are also figuring out new ways to protect themselves from employees who work at home beyond the corporate firewall and from the growing threats via mobile devices, including iPads and other tablet computers. Until then, corporations and government agencies are well advised to keep the doors locked, change the default settings and train employees to be on guard for spear phishing and social engineering.
We think in terms of Moore's law, that computing speed doubles every 18 months. But "hackers are thinking in days," says Entrust's Conner. There are things you can do to help protect yourself: not just changing your passwords but also making them long enough and complex enough to be a meaningful deterrent. But at a more basic level, it's about not oversharing with people you may or may not know and being a little more cautious even with people you think you know. It takes a little of the social out of social networks, but it's safer.
"The main thing is that it's going social. If you look at Lulz, would you believe a hacking group has a p.r. office, a Twitter account and a request line?" asks Jevans. "It's crazy. It's creating a whole new culture of people who feel they are entitled to do it."
That's sort of how LulzSec feels. It has prodded the public for its watching-the-train-wreck attitude toward hacking. But even LulzSec doesn't know how long it can last. British officials recently arrested a hacker who may be part of the group. "We'll continue creating things that are exciting and new until we're brought to justice, which we might well be," says LulzSec. "But you know, we just don't give a living f--- at this point. You'll forget about us in three months' time when there's a new scandal to gawk at."
At the rate the hackers are moving, it may be even sooner than that. It's the damage that could be lasting.