Dawn of the Undead PC

But that’s not the scary problem. The scary problem is what happens out there in the depths of cyberspace.

In the last two years, we’ve seen wave upon wave of email worms sent with a single purpose: to take control of our computers. They rummage through your address book and send themselves to all your friends and associates, so the email looks like it’s coming from someone you know and trust.

Many worms come in the guise of what looks like a harmless file attachment. But when the file is opened, it can unleash any number of e-plagues. For example, it might install a keylogger —software that captures everything you type and secretly transmits the data back to the sociopaths who sent you the worm. Some keyloggers are clever enough to wait until you visit your bank’s web site, then capture your account information and password and shoot it off to cyber criminals halfway around the world.

Alternately, the attachment may install “malware" that lets someone take complete control of your machine, turning it into a “zombie” that can be used to send more worms, spew spam, launch attacks against web sites, or steal your personal information. The number of zombie PCs increased by 1500 percent in the first six months of 2004, according to a report issued by security vendor Symantec. There are probably millions of remotely controlled PCs in the wild. Nobody knows the exact number—especially not the owners of the zombies.

Even if you’re savvy enough to avoid worms, keyloggers, and malware, your privacy can be compromised in myriad other ways. Visit the wrong web site or download the wrong “free” software, and your computer could end up with a spyware infection (see Figure 1-2). Spyware can not only pop up obnoxious ads every time you surf the Web, it can also record the address of every page you look at and “phone home” with the information. Anti-spyware vendor PC Pitstop says at least one out of five PCs tested on its web site (http://www.pcpitstop.com/spycheck/default.asp) report some kind of spyware infection.

You could also be duped by a “phisher” email that pretends to be from your bank. But the link inside the email message leads not to your bank’s web site but to a cleverly designed fake. Once you’re on the fake site, it captures the account information and password you enter into the bogus page. Some phishers are even cleverer—the link brings you to the bank’s actual site, and then pops up a new browser window where you enter your data. Needless to say, that data never makes it to the bank. Nearly 2 million Americans got hooked by phishers in 2003, according to a report by the Gartner research group, with losses to financial institutions estimated at $1.2 billion (see Table 1-1).

Particularly nasty spyware can hijack your browser’s home page to a directory of advertisers and pop up scary advertisements for, among other things, anti-spyware tools. (In case you’re wondering, those tools don’t really work.)

Figure 1-2. Particularly nasty spyware can hijack your browser’s home page to a directory of advertisers and pop up scary advertisements for, among other things, anti-spyware tools. (In case you’re wondering, those tools don’t really work.)

Table 1-1. Hooked by phishers.

The scams

The math

* December, 2004.

Sources: Gartner Group, http://Anti-Phishing.org

Americans who received phisher email in 2003.

57 million

Consumers who clicked links inside phisher emails

11 million

Consumers who provided account and other sensitive information to phisher sites.

1.8 million

Percentage of phisher emails spoofing banks and other financial institutions

85 percenta

Average monthly growth in phishing scams from July to December 2004

38 percent

Odds that a phisher will end up being caught

>700 to 1

But wait, we’re not done. Any unprotected computer sitting on the Internet is easy pickings for hackers, who scan thousands of Internet addresses each minute, probing for insecure machines. In tests conducted in November 2004 by USA Today , an unprotected Windows XP system was attacked within 4 minutes of hooking up to the Net.

Once inside, hackers can snoop around as if they were sitting at your keyboard, check your email, scan your Quicken data, install software to control your machine, delete everything on your hard drive—pretty much do anything they want. And unless they nuke all your files, you’ll probably never find out.

For these and other reasons, we are in the throes of an identity theft epidemic. With identify theft, someone can use your information to open up bank accounts, run up credit card bills, apply for jobs, buy cars and houses, and commit crimes in your name. They don’t need very much information; sometimes your username and password are enough. The more information the thief has—especially sensitive data like your credit card number, date of birth, Social Security Number, or mother’s maiden name—the more damage he can do.

By all accounts, recovering from identity theft is a nightmare. On average, it takes 600 hours and $1,400 for consumers to straighten out their records and clear their name, according to the Identity Theft Resource Center (http://www.idtheftcenter.org/index.shtml).

The Federal Trade Commission estimates that nearly 10 million Americans suffered some form of identity theft in 2003, with total losses to businesses and consumers in excess of $50 billion. So far only about 1 in 10 of those thefts happen over the Net, but that percentage is likely to grow dramatically as phishers proliferate and more consumers move their finances online.

The good news? You don’t have to be a victim of online snoops or identity thieves, as long as you’re aware and prepared. (For information on how to keep your PC safe from online intruders, see Chapter 3.)

Get Computer Privacy Annoyances now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.