Cyber threats get personal

NEW YORK (CNNMoney.com) -- There's an old saying in the news business that says if your mother tells you she loves you, check it out.

A similar level of skepticism is necessary in cyberspace: The volume of threatening e-mails disguised as friendly missives from family members and friends is increasing, according to online security experts.

E-mails that appear to be coming from people in your address book may actually contain vicious "malware" that can attack your computer and steal your identity. The results can be disastrous.

"We're starting to see hackers take advantage of trusted Web sites and using those Web sites to gain access to your computer," said Alfred Huger, vice president of software engineering at computer security firm Symantec. "We're moving away from broad-blast e-mail viruses down to a more targeted attack. It's based on trust."

It's all part of a download domino that begins when users install plug-ins needed to utilize various Web sites. The plug-ins contain Web robots, or bots, that search through your computer for any personal information they can find - bank account numbers, credit cards and, increasingly, log-in names and passwords used for social networking sites like MySpace and Facebook.

The social networking sites have become a particularly attractive target as hackers retrieve log-ins and then download address book names. Cyber thieves then send out seemingly innocuous e-mails to recipients in the address books. The e-mails appear to come from someone on your social networking list and often direct users to applications that are loaded with malware.

When the recipients download the applications or visit the sites, their computers become infected with spyware and other malware that relays personal information to the perpetrator.

"They're taking advantage of trust on social networking sites," Huger said . "It's rinse, recycle, repeat. For an attacker, they can harvest thousands of people like that in a day."

The use of trusted Web sites to perpetrate vicious cyber crimes is the biggest threat now, according to the report from Symantec (Charts), which releases its semi-annual rundown today of the latest trends in cyber threats. The company makes the popular Norton Disk Doctor software.

Huger said attacks are becoming more sophisticated, as evidenced with the use of plug-ins, and more targeted as they now often employ multiple ways simultaneously to infect computers and steal information. Hackers use the social networks to target people within certain demographic groups or professions.

And cyber criminal are becoming more audacious: Huger says developers are openly selling software on the black market that teaches users to how to construct infected Web sites and break into people's computers.

"You can buy it for a thousand dollars a crack and it comes with a service agreement," Huger said. "They have quality assurance, predictable release schedules. They become a business, for lack of a better description. They're definitely brazen about it, up to the point where some are giving interviews with the press."

The findings in the latest report jibe with what Symantec has discovered to be a disturbing trend - that computer attacks have gone from mere annoyances perpetrated by teenage hooligans to concerted efforts to steal, in some cases, on an international level.

According to Symantec's latest numbers, the United States leads the world in denial of service attacks, but Israel suffers the most malicious activity per Internet user and China has the largest number of bot-infected computers.

Between January and June of this year, the number of malicious code threats worldwide rose 185 percent compared to the last six months of 2006.

Symantec identified MPack, a commercially available toolkit on the black market, as one of the biggest threats to computer security. The kit can launch attacks on computers where users visit malicious or compromised Web sites.

Huger said the attacks are likely to continue to get more sophisticated, and he advocated vigilance among computer users.

"We have to start taking some of the lessons we learned from e-mail attachments and apply them to other places where we spend our time," he said. "We have to be very leery about the type of information that's being distributed to us. It all has to be suspect to some degree or another. Just exercise a basic degree of caution."