Trojans: worse than a virus
When some of the most prolific viruses, such as Sobig and Lovebug, infected the world's computers, it was international news. The rise of the potentially more serious threat from trojans has been stealthier.
Even though the number of trojans being created outnumber new viruses by four to one, many computer users are unaware of the threat. Computer security experts say the authors of trojans are ruthlessly exploiting this ignorance.
A trojan could be installed when downloading a screensaver or other software, or opening an e-mail attachment. Once installed, it sits on the computer and "harvests" personal information that is then relayed to another computer.
Data stolen from personal computers are stored on servers and offered for sale to fraudsters. An American company, Sunbelt Software, last month found a server storing data harvested from personal computers. It included passwords for online accounts from 50 banks as well as eBay and PayPal logins and hundreds of credit cards numbers.
Konstantin Gavrilenko, managing director of Arhont, a London-based information security firm, said: "A few years ago viruses were sent round by enthusiasts, but 90% are now set up for money-making purposes. They are commissioned by fraudsters to be tailor-made to steal things from people's computers."
Some trojans, such as Arhiveus-A, Ransom-A and Zippo-A, do not steal information, but threaten systematically to destroy files or lock them with a password unless a ransom is paid. Users are warned that contact with the police will lead to the loss of their files.
The Ransom-A program flashes up a message that says: "Is this computer valuable? It better not be. Is this a business computer? It better not be." It then warns it will destroy a file every 30 minutes unless a ransom of £6 is paid.
Last week, The Sunday Times conducted an e-mail interview through an intermediary with one of the criminals who uses trojan software to steal data. "On an average basis," he said, "without applying too much effort, I can get £10,000 to £20,000 a month from online fraud activities.
"Any information is accessible. Date of birth, National Insurance numbers, address change history, mother's maiden name and account details are no problem. If it's stored electronically, we can get it. I value my reputation and the information I sell is ‘virgin', meaning that it has never been used for fraud before.
"When the designers of the online payments systems say 100% protection, it makes me laugh. The only thing it means is that they will return the money to the customer, but they absolutely cannot prevent fraudulent activity. anti-virus [software] and firewalls are not that effective. The malware [malicious software] we use is not being detected by the anti-virus companies for months.
"The only thing that can help you stay safe is to regularly update your anti-virus software for security advisories. Update - the rest is bullshit."
Reproduced from an article published by The Sunday Times
© The Sunday Times
The original article can be viewed here:
http://www.timesonline.co.uk/article/0,,2087-2340554,00.html
Permalink Bookmark Digg this story
