Web site-based crimeware hits all-time high

The number of Web sites with hidden code for stealing passwords nearly tripled in the past year, as cybercriminals targeted legitimate sites for their cybertheft, according to new report.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read

The use of malware on Web sites to steal passwords and other sensitive information is skyrocketing, according to a new report from the Anti-Phishing Working Group.

The number of URLs with hidden code for stealing passwords nearly tripled between July 2007 and July 2008, to a record high of 9,529, while the number of malicious-application variants hit a high of 442 this May, the APWG reports in its quarterly report (PDF) issued this week.

Anti-Phishing Working Group

The increase is primarily due to malicious code being used in SQL injection attacks, in which a small malicious script is inserted into a database that feeds information to the Web site. Typically, the host site is legitimate such as BusinessWeek's, not a phishing site created for the sole purpose of stealing consumer data.

The financial-services industry is the most targeted sector for phishing attacks, followed by those focusing on auctions and payment services, the report found.

"Cybercriminals continue to increase their activities to levels never before seen in the five years since the APWG has been monitoring phishing and crimeware," APWG Chairman Dave Jevans said in a statement.

The recession is prompting even more malicious activity online, he said.

"The current financial crisis has also been used by phishers to create new scams that try to scare consumers into entering their usernames and passwords into sites that mimic those of well-known distressed financial institutions," Jevans said. "As the economy degrades, we are seeing a continual increase in malicious and criminal activity on the Internet."

Another report issued this week shows that IT security professionals view cybercrime and data breaches as the top security risks, followed by mobility, outsourcing, cloud computing, mobile devices, peer-to-peer file sharing, Web 2.0 services, and malware.

Meanwhile, respondents who work in IT operations listed outsourcing as the biggest risk, followed by mobile devices and cybercrime, in the 2008 Security Mega Trends Survey conducted by The Ponemon Institute on behalf of Lumension Security. In the survey, 577 respondents work in IT security, and 825 work in IT operations.

Of those surveyed, 83 percent of the IT security workers and 79 percent of IT operations professionals reported that their organization had a data breach due to customer or employee information being lost or stolen. Overall, 92 percent of the organizations have experienced a cyberattack.

Another survey, released on Thursday by CA, looks at behaviors and perceptions among American adults and teens of their safety online.

Fifty-seven percent of adults fear that they may become victims of identity fraud online within the next two years, and 90 percent worry about the security of their personal data. Meanwhile, 35 percent of teens leave their social-networking profiles open to viewing by strangers, 38 percent post their education information, 32 percent disclose their e-mail addresses, and 28 percent reveal their birth date.

Updated at 1:15 p.m. with CA study details.