Security researchers with VeriSign’s iDefense say keyloggers, malicious software folded into silent Trojans, spyware and other malicious code, are growing at an alarming rate and threaten a range of identity information that is being converted into criminal gain.
The iDefense data indicates keyloggers have risen from only 300 in 2000 to 3,753 in 2004 and, more recently, to a record 6,191 this year — a jump of 65 percent since last year. IDefense senior engineer Ken Dunham told TechNewsWorld that advances in attacker techniques and technology are also alarming.
“If you’re low-hanging fruit, look out,” he said. “They are increasing in sophistication and increasing in automation, so they can do this efficiently.”
According to iDefense, the keyloggers put tens of millions of Internet users’ financial, personal and account information at risk. The security company, which maintains a malicious code report database with more than 115,000 unique threats to date, also warned that, like spyware and Trojans, the keyloggers are often capable of eluding antivirus and firewall defenses.
“There are so many victims because so few know the risk or the early warning signs,” VeriSign iDefense Security Intelligence Services Vice President Joe Payne said in a statement. “In addition to basic protections like up-to-date antivirus programs and well-configured firewalls, the best defense for keylogging is to carefully track the organizations and hackers who promulgate these programs.”
The keyloggers, iDefense said, are largely distributed by organized cyber theft groups, typically through packaging with phishing emails and spyware.
Lucrative for Criminals
Dunham said researchers have seen business models and markets take shape around malware, whereby some groups produce, trade, collaborate and sell the actual software, while other groups put it to use gathering sensitive information, and still others buy the data to commit fraud and other criminal activity.
“Most people have no idea about the complexity of these things, such as the re-shipment of IDs and the way they barter,” Dunham said. “There’s just a wide variety of these things that people don’t know about.”
IDefense indicated that the stolen information is used to run up charges averaging US$3,968 per victim. Sixteen percent of victims, the firm said, were required to pay for at least some of the fraud and spent an average of 81 hours resolving the keylogger crimes.
Webroot Vice President of Threat Research Richard Stiennon said his anti-spyware company could corroborate the iDefense findings of more keyloggers, which have also been the focus of U.S. and United Kingdom scorn for industrialized attack via keyloggers supposedly from China.
While there are legitimate uses of keyloggers, Stiennon said, such as monitoring children’s or employees’ Internet use, the software represents a threat in its ability to capture usernames and passwords, evade detection and violate privacy.
Referring to hundreds of thousands of versions of keyloggers, Stiennon said the relatively simple-to-use software may be subject of U.S. legislation against secretive-installation spyware, which was recently the focus of a Federal Trade Commission crackdown.