Governments should require mandatory reporting of cybercrime to draw attention to the constant large-scale attacks on banking customers, according to Yuval Ben-Itzhak, the chief technology officer of security vendor AVG.
"If you're a victim [of] cybercrime, there's no law, that at least I'm aware of, that requires you to go and report about that. We hear only of a few cases, and most of them go silent, so there's a false belief everything is fine," Ben-Itzhak told ZDNet Australia.
"The reality we're seeing as security vendors, investigating, dealing with criminals on a day-to-day basis, the volume is really scary and it's continuing to grow," he said. "The sophistication of attack and the innovation we're seeing in cybercrime in the last few quarters definitely indicates the people behind it are professionals."
Ben-Itzhak points to the fact that malware is continuing to be distributed globally, and can install itself onto millions of computers automatically without causing conflicts with the user's installed software.
"We're seeing malware that can hijack your web browsing session [and] intercept the exact moment when you're visiting your online banking," Ben-Itzhak said. "You believe you are interacting with your bank. The SSL lock showing on your browser is still valid. The connection looks reliable, it's the domain of your bank, it's not a phishing site. But someone managed to inject an additional field into your screen asking you a question that is not a question by your bank, it's a question by the malware."
Criminals know to match the HTML layout, and the look and feel of the banking sites, and they're constantly updating the malware as the banks update their own look and feel. "This is not a trivial task. It requires constant updates. It requires some [quality assurance] not to break anything so someone will feel something is wrong happening here," says Ben-Itzhak.
"The amount that they're charging from your account is well-calculated to make sure it goes under the radar of the bank fraud alerting system," he said.
The "AVG Community Powered Threat Report — Q2 2011" (PDF), released yesterday, points to the increasing professionalism of these attacks. As just one example, criminals now use stolen digital certificates to create "trusted malware". AVG detected 53,834 pieces of signed malware in the first five months of 2011 comparing to 39,102 during the whole of 2010, an annualised increase of over 300 per cent. Mobile malware is also on the rise.
Mac OS X and iOS users will need to re-think their security posture, according to AVG, now that their combined market share has reached 7 per cent. "The unwritten rule in security research says the 5 per cent and 10 per cent market share levels indicate when a product/OS becomes interesting enough for certain hackers to target and when the volume of attacks is expected to soar," the report said. "The first major wave for Mac users is a rogue AV [anti-virus]; the main reason is that it is the quickest and easiest way to monetise."
Ben-Itzhak's comments echo statements made at last month's AusCERT information security conference. Amil Klein, chief technology officer at Trusteer, predicted that next-generation mobile malware is only months away, and Queensland police believed that less than 1 per cent of computer crimes are reported to police.
"It's not interesting for the media if Mr X from down the street was compromised. No-one knows about that person," Ben-Itzhak said. "But suddenly, if there are five thousand people in the city being compromised, well, that's a story that will get the headlines. And I think it's for the lawmakers to start to step forward and request reports for these cases."