SAN FRANCISCO – As more people turn to web applications for everyday tasks like e-mail, friendship and payments, cyber criminals are following them in search of bank account details and other valuable data, security researchers said.
Users of Yahoo’s e-mail service, Google’s Orkut social networking site and eBay’s PayPal online payment service were among the targets of attacks in recent weeks. All three companies have acknowledged and plugged the security holes.
The attacks come as Microsoft, whose Windows operating system runs about 90 percent of the world’s computers, has plugged many of the most easily exploited holes in its e-mail program, browser and other products following dozens of embarrassing breaches over the past several years.
They also come amid the growing popularity of online communities such as MySpace.com and of web-based calendar, messaging and other services offered by Google, Yahoo and others.
As larger audiences flock to websites that run on ever more powerful programming scripts, malware writers are finding them fertile ground.
“People are just now realizing that there are a ton of scripts that are vulnerable to hacking,” said Eric Sites, vice president of research and development at Sunbelt Software, which sells security products to businesses. “It’s much easier to go after these applications that haven’t been as exploited.”
One of the latest discoveries, announced earlier this month by FaceTime Security Labs, is a worm attacking Orkut.
It tricks visitors into clicking a link that promises photos but instead loads a malicious program, which logs data such as names and passwords, along with Windows files that often store banking details, and automatically sends it to the worm’s anonymous creator.
“The bad guys are just stepping up a level and becoming a lot more malicious in what they’re trying to do,” said Chris Boyd, a FaceTime security research manager who discovered the worm. “Sadly, it’s quite a brilliant idea, and we’ll probably see a lot more of it in the months to come.”
Statistics detailing the rise of websites as security targets are hard to come by because companies such as Secunia and Symantec, which track computer attacks, generally don’t break them out that way.
In October, MySpace.com, which now has 88 million registered users, was hit by a malicious program that allowed a single user to automatically add millions of others as friends. The attack caused performance problems for MySpace – and underscored for security researchers the potential risks web applications and services face.
Security experts say that attackers are having to look for new avenues because users have become better at running security software and applying security updates.
“In some ways, we’ve forced them to be more clever because we’ve shut down the old means they had of infecting people,” said Dave Cole, director of security response at Symantec. “What we see the attackers doing is trying to slide under the radar by moving into new areas where people’s guards may be down.”
Nick Ianelli, an Internet security analyst with the federally funded CERT Coordination Center, said criminals who once launched broad attacks by sending malicious e-mails to millions of people are finding it more effective to target smaller groups of people who congregate in online communities.
“If you can send e-mails to those addresses and make it look like it’s one of their friends, the chances they’re going to do what you want them to do is better,” he said.
The worm that hit Yahoo’s e-mail service didn’t require a user to click on an attachment, making it more virulent than many. An undisclosed number of users got infected simply by opening an e-mail from another infected user. The worm then sent itself to everyone in the person’s address book and transmitted those addresses to a remote server, possibly for use in junk e-mail, security researchers said.
The ability of Yahoo, Google and PayPal to quickly plug this month’s holes highlights one of the differences between combating worms that target websites and those that go after flaws in software running on an individual’s PC.
PayPal was able to roll out a fix almost immediately by altering several lines of code on its server, company spokeswoman Amanda Pires said. That closed a flaw that had let cyber criminals intercept users who typed in a genuine PayPal web address, security researchers say.
By contrast, companies such as Microsoft that plug holes on individual PCs have to get millions of users to download and install a patch, a process that’s more time consuming.
Over time, computer security experts said, website designers will get better at anticipating the ways their code can be exploited, but by then criminals are likely to move on to newer targets.
“The trend is definitely for blended attacks and leveraging different kinds of vulnerabilities to take the next step,” said Rick Wesson, chief executive of Support Intelligence, which tracks online abuse for corporate customers. “The arms race is going to continue.”