
Category >> Security
Apr 29
2009

The Swine Flu Could Steal Your Personal Information?

Posted by Greg Hluska in Online Scams

Please forgive me for the title of this post - it is ever-so-slightly tongue-in-cheek. The Swine Flu itself cannot actually steal your personal information. However, cyber-criminals are using concern about the Swine Flu to spread an ugly, old problem.

Analysts from Symantec announced today that a document titled "Swine influenza frequently asked questions.pdf" has been circulating around the internet. While the document contains real questions and answers about the Swine Flu, it also contains an ugly piece of malicious software known as an 'infostealer'. An infostealer's sole purpose is to steal your information - it will log your keystrokes, capture screenshots and monitor your internet activity.

Apr 23
2009

Identity Theft - Provincial Statistics (2006)

Posted by Greg Hluska in Identity Theft

As part of my research into how much identity theft costs people, I decided to do some research on identity theft on a per capita basis. To facilitate this research, I used two sources of information. First, I used population data from Stats Canada's 2006 census. And second, I used a 2006 report from Phonebusters, which bills itself as "Canada's Anti-Fraud Call Centre". Here are the raw numbers that I used:

| Province | Population | Victims | Total Losses ($) | Losses ($)/Capita |
|---|---|---|---|---|
| Ontario | 12,160,282 | 3,353 | $7,584,188.86 | $0.62 |
| Quebec | 7,546,131 | 2,040 | $4,674,504.44 | $0.62 |
| British Columbia | 4,113,487 | 1,190 | $2,035,365.27 | $0.49 |
| Alberta | 3,290,350 | 612 | $1,439,474.29 | $0.44 |
| Manitoba | 1,148,401 | 249 | $151,860.16 | $0.13 |
| Saskatchewan | 968,157 | 94 | $61,192.28 | $0.06 |
| Nova Scotia | 913,462 | 106 | $155,039.49 | $0.17 |
| New Brunswick | 729,997 | 67 | $92,396.07 | $0.13 |
| Newfoundland | 505,469 | 29 | $30,107.04 | $0.06 |
| Prince Edward Island | 135,851 | 11 | $17,059.00 | $0.13 |
| Northwest Territories | 41,464 | 7 | $3,102.62 | $0.07 |
| Yukon | 30,372 | 7 | $2,379.23 | $0.08 |
| Nunavut | 29,474 | 1 | $0 | $0 |

There are some problems with interpreting these numbers.

Apr 17
2009

The Proliferation of Crimeware

Posted by Greg Hluska in Introductory Security

An incredibly interesting report on electronic crime recently crossed my desk. "E-Crime Survey 2009" was conducted by the 7th Annual e-Crime Congress in partnership with KPMG. Electronic crime is growing at an alarming pace. This paper sheds light on some of the reasons why electronic fraud is growing so rapidly. I do not scare easily, but one particular quote, made by Uri Rivner, who is the Head of New Technologies - Identity Protection and Verification Solutions, RSA, The Security Division of EMC, actually sent chills down my spine. Rivner wrote:

Trojan kits such as Zeus and Limbo are now so affordable and user-friendly that many non-sophisticated fraudsters that were previously focused on Phishing are now diversifying to crimeware. If your Trojan isn’t configured for a specific target bank, worry not: for $10 you can buy a custom HTML injection template for use with your Trojan. It will address any specific defences used by the bank, and even automatically check the balance for you. And for less than $300 per month you can even buy a “Software as a service” subscription to a Zeus Trojan hosted in a “bulletproof” server and connected to an infection kit. Just pay the subscription, sit back, and start infecting machines around the world and harvesting the victim’s credentials. 

Apr 17
2009

PCI DSS Compliance is Simply Not Enough

Posted by Shane Gross in Security, Identity Theft

The standard for online merchant security is PCI DSS, the Payment Card Industry Data Security Standard. The Washington Post reports there is a rekindled debate as to whether this standard is relevant, because there have been recent data breaches on sites with newly acquired PCI certificates. To chime in on this debate, I think the answer is obvious and there really isn't much to 'debate' about.

PCI compliance, like any other standard out there, is playing a catch-up game. Hackers innovate and PCI DSS will then try to update. PCI compliance is better than nothing, but it plays the game hackers love: a never-ending cycle of one-upmanship. "The premise behind PCI -- that millions of retail establishments will systematically keep pace with the ever-evolving sophistication of today's professional hacker -- is just not realistic," said David Hogan, senior vice president and chief information officer for the National Retail Federation.

Apr 16
2009

Conficker and Y2K: More Similarities

Posted by Greg Hluska in Introductory Security

Several weeks ago, Don Power wrote an article on this site about Conficker (aka the April Fools Worm) and its similarity to the Y2K issue. I came across an article today that lends weight to this comparison and thought that I should share.

Dennis Fisher wrote an excellent article on Threatpost about research done on the Conficker botnet. The good folks at Kaspersky Labs have analyzed the P2P network that Conficker uses to send updates to infected machines. Turns out that there are only around 200,000 computers connected to the botnet. Talk of Conficker's famed 'sleep mode' notwithstanding, 200,000 is a big number, but it is a far cry from the global calamity that some sources were predicting.

Apr 16
2009

Be Careful What You Click - Links Can Lie

Posted by Greg Hluska in Introductory Security

Have you ever gotten an email that looked like it came from a company you do business with? It might contain words like 'verify your account details', or it might warn you about some suspicious activity in your bank account. And its call to action will be a link to a page where you should log in immediately.

Of course you have - I just described a phishing attack and phishing is nothing new. However, have you ever wondered why the links shown can look so incredibly legitimate? The 'answer' is that there is a quirk within HTML (aka 'the markup language that makes web sites look the way they do') that makes it possible to 'show' a different address than you are really going to.

Apr 09
2009

The Other Costs of Identity Theft

Posted by Shane Gross in Identity Theft

Identity Theft has some very real wallet consequences, but that's not all it has to offer.

Spam Laws reports credit card fraud costs cardholders and credit card issuers as much as $500 million a year. But it's not always about the money is it? Here are some other reasons to protect yourself:

Apr 08
2009

Identity Theft: A Cautionary Tale

Posted by Greg Hluska in Identity Theft

Have you ever read an article about identity theft and thought, 'it couldn't happen to me! I am far too vigilant with my financial information'? Unfortunately, identity theft can happen to you and a Canadian police officer can prove it.

According to an article on the CBC's website, a Newfoundland-based RCMP officer fell victim to a phishing scheme. He moved to St. John's and promptly accessed his PayPal account to change his address and other important information. A few days later, he received an official-looking email that asked him to verify the changes he had made. He followed the link to an equally official-looking PayPal site.
