INTERNET SECURITY New ID theft method stuns
Identity thieves are keeping one step ahead of Internet users and security experts.
LOS ANGELES TIMES
Bank customers know to shield their ATM passwords from prying eyes. But with the rise of online banking, computer users may not realize electronic snoops might be peeking over their shoulder every time they type.
In a scary twist on online fraud, hackers and identity thieves are infecting computers with increasingly sophisticated programs that record bank passwords and other key financial data and send them to crooks over the Internet.
That's what happened to Tim Brown, who had account information swiped right off the PC at his Simi Valley, Calif., store.
"It's scary they could see my keystrokes," said Brown, owner of Kingdom Sewing & Vacuum.
Brown discovered the scam only after security researchers stumbled onto a computer that was harvesting information from hundreds of PCs and felt compelled to alert some of the people who had the most data exposed.
Realizing he was lucky to get the call last month, Brown changed his passwords and is hoping for the best.
"This even staggered us," said Alex Eckelberry, president of Sunbelt Software Inc., which found that the so-called keylogger program installed itself in a way most anti-virus software could not block.
Attacks increasing
Such attacks are on the rise, even as other sorts of Internet scams decline. Security experts attribute the new approach to rising savvy among computer users and crooks.
Many users, for instance, know not to reply to unsolicited "phishing" e-mails requesting financial information, even if they look as if they were sent by a bank.
The number of phishing attacks fell in July from June for just the third monthly drop recorded by the Anti-Phishing Working Group, which is backed by most of the biggest U.S. banks and Internet service providers. But the number of programs aimed at stealing passwords more than doubled.
"We're seeing explosive growth in 'crimeware,'" said Peter Cassidy, the working group's secretary general.
The shift comes as people are increasingly jittery about online security. More than 42 percent of consumers say those concerns have caused them to change their electronic shopping habits, according to research firm Gartner Inc.
Banks and other institutions, though, want to encourage more online transactions because they are cheaper than branch visits or calls to a customer service center.
How programs work
The keylogging programs can install themselves after computer users open faked e-mails, instant messages or even advertisements on mainstream Web sites. Once installed, they can record everything typed on a computer -- or just what's typed during user visits to specified financial sites.
Such information is sometimes sent back to the original hackers in neat bundles, with a column for the relevant financial Web site followed by columns for the user's log-in name and password.
Information purloined from such customers so far has been used one at a time, with criminals impersonating victims in order to withdraw or transfer cash.
In one of the most alarming developments, security experts found last fall a malicious program that had been planted on personal computers and designed to intercede whenever the user logged on to an electronic payment site called e-Gold, based on the Caribbean island of Nevis.
Instead of just recording the user's password and other data for some future attempt at fraud, the software -- dubbed Grams -- immediately tried to capture and send e-Gold funds to another person's holdings.
The program "actually cleans out an account and transfers it," said Jason Milletary, an analyst with the CERT Coordination Center, the chief U.S. team responding to computer security breaches.
U.S. institutions targeted
Variants of the Grams software have targeted U.S. banks and other financial institutions as well, said Nathan Johns, chief of information technology at the Federal Deposit Insurance Corp., which guarantees bank deposits in case of insolvency. He declined to give details.
In July, the FDIC strongly encouraged U.S. banks to evaluate the risks from computer fraud, educate their consumers, and consider adding new measures. Some banks complained that the inconvenience of such devices would cost them customers, but the FDIC differed.
"Although consumers are certainly interested in convenience, they are also very concerned about the security of their accounts," the agency wrote.
So far, according to many experts, the arms race is favoring the bad guys.
With 80 percent of adults online worried about identity theft, banks are "losing a battle of confidence," said analyst Jonathan Penn. "Security needs to come out of the closet."
