Hackers take aim at web services

Users of Yahoo email service, Google’s Orkut social networking site and eBay’s PayPal online payment service were among the targets of attacks in recent weeks.

All three companies have acknowledged and plugged the security holes.

The attacks come as Microsoft, whose Windows operating system runs about 90% of the world’s computers, plugged many easily exploited holes in its email programme, browser and other products after several embarrassing breaches.

They also come amid the growing popularity of online communities such as MySpace and of the web-based calendar, messaging and other services offered by Google, Yahoo and others.

Malicious programmes

With larger audiences flocking to websites that run on ever more powerful programming scripts, hackers are finding them fertile ground.

“The bad guys are just stepping up a level and becoming a lot more malicious in what they’re trying to do” Chris Boyd, FaceTime security research manager

“People are just now realising that there are a tonne of scripts that are vulnerable to hacking,” said Eric Sites, vice-president of research and development at Sunbelt Software, which sells security products to businesses.

“It’s much easier to go after these applications that haven’t been as exploited.”

One of the latest discoveries, announced earlier this month by FaceTime Security Labs, is a worm attacking Orkut.

It tricks visitors into clicking a link that promises photos but instead loads a malicious programme, which automatically logs and sends to the worm’s anonymous creator data such as names and passwords along with Windows files that often store banking details.

Chris Boyd, a FaceTime security research manager who discovered the worm, said: “The bad guys are just stepping up a level and becoming a lot more malicious in what they’re trying to do.

“Sadly, it’s quite a brilliant idea, and we’ll probably see a lot more of it in the months to come.”

New avenues

Statistics detailing the rise of websites as security targets are hard to come by because companies such as Secunia and Symantec, which track computer attacks, generally do not release the data.

“In some ways, we’ve forced them to be more clever because we’ve shut down the old means they had of infecting people” Dave Cole, director of security response at Symantec

But anecdotal evidence is not hard to find. In October, MySpace, which now has 88 million registered users, was hit by a malicious programme that allowed a single user to automatically add millions of others as friends.

The attack caused performance problems for MySpace and underscored for security researchers the potential risks that web applications and services face.

Security experts say that attackers are having to look for new avenues because users have become better at running security software and applying security updates.

“In some ways, we’ve forced them to be more clever because we’ve shut down the old means they had of infecting people,” said Dave Cole, director of security response at Symantec.

“What we see the attackers doing is trying to slide under the radar by moving into new areas where people’s guards may be down.”

Power and flexibility

Nick Ianelli, an internet security analyst with the federally funded CERT Co-ordination Centre, said criminals who once launched broad attacks by sending malicious emails to millions of people are finding it more effective to target smaller groups of people in online communities.

“If you can send emails to those addresses and make it look like it’s one of their friends, the chances they’re going to do what you want them to do is better,” he said.

Also spurring the attacks is the growing power and flexibility of web programming languages that allow web browsers to look and act more like word processors, spreadsheets and other computer programmes.

The recent Yahoo worm targeted faulty scripts based on a technology called Ajax, or Asynchronous JavaScript and XML.

The worm did not require a user to click on an attachment, making it more virulent than usual. An undisclosed number of users got infected simply by opening an email from another infected user.

The worm then sent itself to others in a person’s address book and transmitted those addresses to a remote server, possibly for junk email, security researchers said.

Internet ‘arms race’

The ability of Yahoo, Google and PayPal to quickly plug this month’s holes highlights one of the differences between combating worms that target websites and those that go after flaws running on an individual’s PC.

Google’s services are among those that have been hit

PayPal was able to roll out a fix almost immediately by altering several lines of code on its server, company spokeswoman Amanda Pires said.

This blocked the ability to exploit a flaw that let cyber criminals intercept users who typed in a genuine PayPal web address, security researchers say.

By contrast, companies such as Microsoft that plug holes on individual PCs have to get millions of users to download and install a patch, a process that is more time consuming.

Over time, computer security experts said, website designers will get better at anticipating the ways their code can be exploited, but by then criminals are likely to move on to newer targets.

“The trend is definitely for blended attacks and leveraging different kinds of vulnerabilities to take the next step,” said Rick Wesson, chief executive of Support Intelligence, which tracks online abuse for corporate customers.

“The arms race is going to continue.”