Anti-Phishing Working Group: ’Crimeware’ Nearly Doubles in December

The number of sites distributing "crimeware" -- or software engineered for criminal activity like identity theft -- nearly doubled in December, rising from 4,630 in November to 7,197 the following month, according to a report issued today by the Anti-Phishing Working Group (APWG).

APWG Chairman David Jevans said in a statement, "The speed, precision and massive scale by which the phishers were able to identify and exploit this vulnerability for criminal enterprise highlights the fact that the eCrime industry has reached a level of efficiency that has the potential to threaten the larger online economy."

Crimeware refers to a subset of malicious software, or malware, that has been specifically engineered for criminal activity like information theft and identity fraud. It can be thought of as an automated form of phishing, which relies on social engineering to dupe users into revealing sensitive information. Key logging software that secretly records online banking passwords and sends them to a cyber criminal represents an example of crimeware. The goal of phishing attacks is often to plant crimeware so that compromised systems become ongoing sources of valuable data.

According to the APWG, a recently revealed image-rendering vulnerability related to Windows Meta Files made it easier for phishers to spread their crimeware. Microsoft published a security bulletin (MS06-001) on this "critical" vulnerability on January 5th, 2006, and recommended that customers apply an update immediately.

During the month of December, more brand-spoofing subterfuges were recorded than any other month on record. The vast majority of those attacks, 89.3%, targeted the financial industry, most of which involved just seven major brands.

Malware overall continues to rise, despite a number of high-profile cyber crime arrests last year. As Eugene Kaspersky, head of virus research for Kaspersky Lab, Inc., observed in a Monday interview with InformationWeek, the number of samples of malicious code tracked his company doubled in the past year.

"The message is that the environment is getting more and more aggressive, because the hackers, they have a big money by writing malicious code," Kaspersky says. "And there are more and more hackers coming."

However, apocalyptic assessments from those in the security industry should be viewed with some skepticism. A study released in December by identity risk management firm ID Analytics, Inc., found that among consumers whose personal data was compromised in large data breaches, only 0.098 percent--less than one in 1,000 identities--were actually defrauded.

The reason, the firm speculates, is that identity theft takes too much work. It doesn't scale, which is to say it can't be done quickly. Assuming that it takes five minutes to fill out a credit application using stolen information, ID Analytics notes it would take an identity thief working full time -- 6.5 hours a day, five days a week, 50 weeks a year -- over 50 years to rob everyone in a stolen file of one million consumer identities. If the work were outsourced, for $10 an hour, it would cost about $830,000 -- a lot of money for even an accomplished criminal to risk.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio