Sandra E. is a human resources professional who lives in a small town in Miami, Florida. She has used a computer in her job for more than ten years. At work, her computer is maintained by her organization’s IT department, and she has never experienced any security problems with the computer in her workplace.
Sandra considers herself to be computer savvy and believes that she is at low risk of online fraud for the following reasons:
She never shops online because she doesn't want to risk exposing her credit card information, and she doesn't like the idea that data about her purchases might be stored and used to make a profile of her likes and dislikes.
She uses her home computer only for personal email with friends and family, to surf the Web for information about new developments in her field, and to do banking once a month via her bank's Web site.
Occasionally she looks other things up on the Web, but not often.
Sandra's situation seems safe enough, right?
Unfortunately, looks can be deceiving. At work one day last summer, she heard about a new Internet Explorer browser vulnerability; it was so critical that emergency patches for all work computers in her organization had been distributed by her IT department that same day. She wanted to be sure her home computer was protected too, so when she got home she went online to get more information about the vulnerability, and determine if she was protected.
Using a popular search engine, she found a Web site that offered not only information about the vulnerability, but the option to have a patch for the vulnerability downloaded automatically to her computer. Sandra read the information, but opted not to accept the download since she was taught to download information only from authorized sources. Then she went to the official Microsoft site to obtain the patch.
So, what went wrong?
Unfortunately, as Sandra was reading information about the vulnerability on the first site, the criminal who had created the Web site was taking advantage of the fact her computer actually had the vulnerability. In fact, as she was clicking "No" (to refuse the download that was being offered), unbeknownst to her the automatic installation of a small, but powerful, crimeware program was already taking place on her computer.
The program was a keystroke logger. Simultaneously, the Web site’s owner was already receiving a notification that the keystroke logger had been secretly and successfully installed on Sandra’s computer. The program was designed to covertly log everything she typed in from that moment on, and to send all of the information to the Web site owner as well. It functioned flawlessly, too - recording everything Sandra typed- every Web site she visited, and every email she sent, passing the stolen text on to the cybercriminal.
Later that evening, Sandra finished up her monthly online banking. As she logged into her personal bank account, the keystroke logger recorded those keystrokes too, including confidential information: the name of her bank, her user ID, her password, the last four digits of her Social Security number and her mother’s maiden name. The bank’s system was secure, and all the data she typed in was encrypted so no one along the route could casually discern the information. However, the key logging program was recording the information in real time - as she typed it in - before it was encrypted; thus, it was able to bypass the security that was in place.
It was just a matter of time before her bank’s name, her user ID, her password and her mother’s maiden name were in the hands of the cybercriminal. He added her name, and all of the associated information, to a long list of names of other unsuspecting users, and sold the list to someone he had met on the Internet - someone who specialized in using stolen bank information to make illegal withdrawals. When Sandra went to make a deposit the several weeks later and asked for her balance statement, she was shocked to find that her bank account was almost empty. Sandra had been the victim of a cybercrime.
