Hackers selling IDs for $14, Symantec says
- From: Peck <Pecktacular@xxxxxxxxx>
- Date: 20 Mar 2007 04:25:54 +0100
Identity thieves are offering a person's credit-card number, date of
birth and other sensitive information for as little as US$14 over the
Internet, said a new report on online threats released Monday.
The data is sold on so-called "underground economy servers," used by
criminal organizations to hawk information they've captured through
hacking, Symantec said in its Internet Security Threat Report, which
tracked online trends from June to December 2006. The information can
then be used for identity scams such as opening a bank account in a
false name.
"U.S.-based credit cards with a card verification number were available
for between US$1 to $6, while an identity - including a U.S. bank
account, credit card, date of birth and government-issued identification
number - was available for between $14 to $18," the report said.
Some 51 percent of the servers hosting the information were in the U.S.,
in part because the growth in broadband Internet access in the U.S. has
created new opportunities for criminals, Symantec said. About 86 percent
of the credit and debit card numbers available on those servers were
issued by U.S. banks, it said.
One way that criminals have gained access to computers is by exploiting
zero-day vulnerabilities, or software flaws that are being exploited as
soon as they are revealed and before a patch has been released.
Symantec documented 12 zero-day vulnerabilities in the period from June
to December 2006. Only one was found in its two prior six-month
reporting periods, the company said.
Hackers have exploited some of those vulnerabilities by creating
malicious documents in Microsoft Office and other software, said Ollie
Whitehouse, a security architect at Symantec.
A malicious Word or Excel document, when attached to a spam e-mail, has
a greater chance of being opened by someone since it may appear
legitimate and be targeted at an employee of a specific company.
While security software programs will often block executable programs
attached to e-mail, common Office documents are allowed to go through,
Whitehouse said.
"A business isn't going to say 'We will no longer accept Office
documents received via email,'" Whitehouse said. "I think productivity
would go through the floor at that point. Unfortunately, this is where
the security requirement and the business requirement do really clash."
A video posted on Symantec's blog shows a sophisticated attack where a
malicious document is opened that puts a harmful executable onto the
system and then opens a regular Word document. The attack is almost
invisible to the user, apart from a flicker on the screen before the
Word document opens.
"Office documents - PowerPoint presentations, Excel spreadsheets - and
graphics like JPEGs aren't necessarily considered malicious file
formats, so the user is more inclined to open them," Whitehouse said.