Security experts draw bead on how malware targets and dupes Internet users
In the good old days, computer-savvy rogues used malware mainly to wreak havoc with others' computers. But cyber crooks now are stealing users' personal and financial information and defrauding businesses with more sophisticated attacks.
Malware is increasingly targeting consumers. Markus Jakobsson, associate professor at the Indiana University School of Informatics, said that malware relies on social vulnerabilities to spread and infect. This makes it harder to detect and block malware because users bypass detection systems when they agree to use the software.
"Looking at the way in which online crime has flourished, phishing stands out and is perhaps the most visible type of crime," said Jakobsson. "Phishing clearly is a crime that relies on deceit, and an understanding of how it's used may help us to better predict what is going to happen in the arena of malware."
Phishing is tricking someone into giving up private data by masquerading as an authority. This is mostly accomplished using e-mail or instant messages, directing the recipient to a fraudulent Web site that appears legitimate.
"It's only recently that researchers and security practitioners have recognized the human factor of Internet security, and criminals already have established an advantage," said Jakobsson, who also serves as associate director of the Center for Applied Cybersecurity Research at IU.
Here's why: Most security experts assume the techniques they develop are correctly configured, used correctly, and the end-user will pay attention to important security advisories, said Jakobsson.
"This often is not the case," he said. "Programs often are actually poorly configured, users chose weak and obvious passwords, or default passwords are not replaced. And the reality is many users don't notice the presence of important warnings or the absence of information that tells them that everything is as it should be."
Jakobsson headed a select group of experts participating in the symposium, Malware: The Next Big Internet Threat, at the annual meeting of the American Association for the Advancement of Science, Feb. 15 to 19, in San Francisco. The Feb. 18 panel discussed the economic forces behind the threat, how attacks are likely to evolve and what is done or could be done to defend against this new threat.
Other panelists included Aaron Emigh, Radix Labs; Ari Juels, RSA Laboratories; Zulficar Ramzan, Symantec; and Susanne Wetzel, Stevens Institute of Technology.
To view a copy of a related description Jakobsson has written on this subject, go to http://www.malware-jakobsson.info. Details about Jakobsson's and other IU experts' security research are at http://www.stop-phishing.com.