Beyond Phishing: A new threat to online bank accounts

Most Internet users are aware of such sophisticated cons as “phishing” — messages that purport to be from a bank or financial company, but which are actually attempts to steal passwords and other important personal information.

But now there is an even more insidious method of electronic con which doesn’t require victim deception or complicity: the use of keylogging software planted in email messages or hidden in websites without the user’s knowledge. The software then secretly records each keystroke as the user types in passwords, account numbers and other personal data.

Keystrokes are then saved to a file. With some programs, web forms and even snapshots of a user’s screen are recorded. This information is then sent to a website or another software program where a crook can sift through the data for useful nuggets. Once armed with this information, hackers can withdraw money from bank accounts and run up credit card charges. Money can be transferred from a victim’s bank account by a number of methods, including changing the links to outside bank accounts.

With this data-swiping software, computers are infected in much the same as with a virus, exploiting securi flaws and monitoring the path that carries data from the keyboard to other parts of the computer. The monitoring programs are often hidden within ordinary e-mail attachments, software downloads or files shared over peer-to-peer networks.

Keylogging technology is not new nor particularly sophisticated. In fact, the program itself is so simple that it can be developed even by an inexperienced hacker. And keylogging or spyware software is sold commercially as a tool to monitor children’s Internet activity or for less legitimate purposes, such as spying on a spouse in online chat rooms. In the workplace, this same monitoring program can be placed on an employee or employer’s computer to find and read confidential correspondence.

According to data compiled by some security experts, the use of “crimeware” like keylogging programs soared in 2005, often crossing international borders. And to make matters worse, one keylogger can infect millions of machines at a time.

In the United States, the Securities and Exchange Commission warned investors last year that the agency “has become aware of numerous situations in which unauthorized individuals have gained access to other people’s online brokerage accounts.”

Several brokerages have responded with the cutting edge technology to protect consumers. Ameritrade Holding Corp., for instance, offers free software to help protect against keystroke loggers and eavesdropping software by scanning a client’s personal computer.

Smith Barney, part of Citigroup Inc., uses encryption to secure personal information as well as temporary “cookies” or computer files that are stored on personal computers when websites are opened and can expire when an online session ends.

Some brokerages also deploy transaction anomaly software which tracks spending patterns for strange or unusual purchases that may signal when an account has been hijacked.

Security experts advise computer users to be wary of unfamiliar web links sent via email and to avoid questionable downloads. And, as ever, it is important to keep up to date with Windows patches and anti-virus software updates.

To safely download software, experts advise that you thoroughly investigate it first:

  • make sure to read the license agreement carefully, including the fine print.
  • search the Internet for information and reviews about the software and to discover if anyone has reported spyware problems.
  • According to US cybersecurity-research firm VeriSign iDefense Security Intelligence Services, the number of keylogger variants in circulation hit a high of 6,191 in 2005, a 65 per cent increase from 2004.

    “It’s so easy to create [keyloggers],” said Joe Payne, Vice President, VeriSign iDefense, “and there’s very little risk of being caught.” According to Payne, the fact that keylogging code is freely available tempts many people who wouldn’t otherwise engage in criminal schemes.

    But while many experts think the problem is spreading rapidly, others consider it exaggerated, saying that many personal computers are already protected.

    “I get concerned that we’re scaring people off the Internet,” Alex Eckleberry, president of Sun Belt Software in Clearwater, Florida, told The New York Times. According to Eckleberry, his anti-spyware software company had only identified approximately 30 keyloggers over the past six months.