Part 3 of a special five-part series.
When you think of a computer hacker, who comes to mind? It could be this: a teenage boy, sitting in his parents' basement, turning his attention away from his video game long enough to break into his school's computer network so he can alter his grades before they're officially released.
That image might have been accurate a few years ago, but today the game is changing. In the past, hackers and writers of malicious software (aka malware) were seeking attention and notoriety. Creators of viruses and worms were looking for bragging rights. Now they're after money--and they're finding it.
The transformation in motivation has changed the types of attacks, and it has also altered the profile of the attackers. Teens seeking notoriety may still be involved, but these days the likelier culprit is a hardened criminal in search of financial gain.
And that criminal isn't working alone. Loosely organized groups--which Ken Dunham, director of malicious code at security company IDefense, and other security experts call "Web gangs"--conduct much of the illegal activity online. The structure of Web gangs may be patterned on that of traditional organized crime, in which the members of the group may never come into contact with one another and may never be aware of who they are working for.
Many intelligent, tech-savvy criminals now "work as mercenaries for the highest bidder," says Tom Kellerman, until recently a specialist in data risk management for the World Bank. He calls organized Web crime "the cocaine of the new millennium," likening its mystique of lawlessness and easy money to that surrounding drug trafficking in the United States during the 1980s.
And online attacks are certainly on the rise: Investigators uncovered more than 422 new Internet security vulnerabilities during the second quarter of 2005, according to a security report for that time period that the SANS Institute released in July. This figure represents an increase of nearly 20 percent over the corresponding number for the second quarter of 2004.
In its report, SANS asserted that people who don't address these critical new Internet security vulnerabilities face a heightened threat that remote, unauthorized hackers "will take control of their PCs and use them for identity theft, for industrial espionage, or for distributing spam or pornography."