Keystroke logging records your every stroke

The push is on for DNS owners to upgrade to DNS SEC to protect against phishing that occurs when users are redirected to hijacked DNS servers. In the US, Homeland Security is also working with vendors, service providers and infrastructure owners to improve router protocols for better packet inspection, mapping and authentication. It's also funding academic research into new security technologies that may lead to better fraud protection at the endpoints.

While these infrastructure measures can help against browser redirectors and propagation of phony phish sites, they don't protect against the growing problem of keystroke loggers installed on victim machines.

"Direct keystroke logging software is 80 percent of what we see in malicious code today," says Dave Cole, director of Symantec security response centre, which sifts through millions of spam and malware samples daily looking for characteristics of new malicious code, outbreaks and vulnerabilities.

It's the sneaky, silent stuff that's causing the most damage by coming in under the radar, Cole says. "It starts as a really lightweight trojan written in a low-level programming language that gets in through the victim's browser," he says. "Then it sneaks out and downloads its big brother, a bag full of malware writing to the host file."

Once installed, the keystroke logger waits for victims to fill out Web forms, kicking in when it detects the "name" field, card number, mother's maiden name, CVV number (the three-digits on the signature strip on the back of a credit card), password, shipping address and other such fields that can be sifted for financially valuable information.

The information is then forwarded to other remote-controlled computers, where it's collected and tested by charging or withdrawing a small amount. Then it's sold, either in piecemeal or as part of a larger botnet, over Internet Relay Chat (IRC) channels for multiple fraud purposes, which includes turning them into forged plastic cards for physical use.

Web apps are malware magnets

Web sites are increasingly and unwittingly being used as keylogger propagation points, researchers say, because Web applications are riddled with vulnerabilities. Last year, WebSense noted a 170 percent rise in spyware-related Web sites to 130,000, along with a 271 percent growth in phishing sites to 27,000. Of the 2000 new vulnerabilities tracked by Symantec in 2005 (a 40 percent increase over 2004), 69 percent were in Web applications.

"You don't have to be a Ninja hacker to hack Web sites and set them up as trojan installers. Now you can download a complete kit for all that. And you can run it all over IRC," says Ben Butler, network abuse manager at GoDaddy, a Web hosting company that also sells domain names and other Web-site-related services.

Researchers say the most common way Web applications are hacked is through vulnerabilities in code written in the PHP scripting language used in interactive forms for registration, information requests and other server-side transactions.

"If you've got a Web site, and PHP isn't patched and up-to-date, somebody's already figured out a way to piggyback malware onto your PHP communications field in your interactive Web application," says Butler, who's active in the Anti-Phishing Working Group and Digital PhishNet. "PHP is an extremely hacked application, because a novice user may have put up a Web site with a PHP form in it two years ago and missed the 37 patches that have come out since."

Crimeware installers also are targeting Web servers running e-mail servers so they can propagate spam, adds Kyle Lutz, a volunteer with Shadowserver.org, a grass-roots, botnet takedown group. Lutz says he's keeping an eye on 40 active botnets, some involving 75,000 compromised devices. Wherever Shadowserver volunteers find one infected Web site, they usually find malware across the entire server farm, he adds.