If you're a regular reader of this column--and even if you're not--I'm assuming you've taken the basic precautions and locked down your Windows system by updating it with Microsoft's latest patches and installing firewall, antivirus, antispam, and antispyware protection (or an entire security suite). You're probably thinking that you're sitting pretty, reading about the latest cybercrimes from a secure perspective. And for the most part, you are correct. But in conversations I had with security experts at the recent RSA Conference in San Jose, California, it's clear we're all now affected in subtle ways by the activities of a few criminals online. Botnets, the latest cyber-based criminal threat, are no longer just about stealing our identities or credit; some are after something even more precious: our online trust.
Botnets 101
Botnets are the new spyware, the new spam, the new e-mail virus threat. I'll be talking more about botnets in the next few months, so here's a primer.
Botnets are networks of compromised computers controlled by a person known as a bot herder. The bot herder leases a high-bandwidth Web server, installs an IRC server (a program that relays messages across an IRC network) to act as the command-and-control center, then builds a worm or Trojan horse designed to report back to that center. The worm or Trojan infects vulnerable computers, each of which attempts to connect to the command-and-control server. Using IRC or P2P commands, the bot herder remotely controls these compromised computers. In the beginning, bot herders used compromised PCs to attack rival Internet gangs in mostly harmless denial-of-service attacks. Then a few years ago, someone started using botnets to launch online extortion attacks: pay us money today, or we'll shut down your e-commerce site tomorrow. Now the bot herders are much more subtle in their activities.
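The command-and-control arrangement described above leaves a characteristic trace on the defender's side: many internal machines opening connections to the same external IRC server. The following script is an added example, not code from the column or from any product it mentions; it reads constructed connection-log lines (timestamp, source IP, destination IP, destination port) and reports any IRC-port destination contacted by an unusually large number of distinct internal hosts. The log format, the sample addresses and the threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed firewall/connection-log sample for this example (not from the
# article). Format: timestamp src_ip dst_ip dst_port. The addresses are
# documentation ranges, chosen to be obviously fictional.
SAMPLE_LOG = """\
2006-02-20T10:00:01 10.0.0.11 203.0.113.5 6667
2006-02-20T10:00:03 10.0.0.12 203.0.113.5 6667
2006-02-20T10:00:04 10.0.0.13 203.0.113.5 6667
2006-02-20T10:00:07 10.0.0.14 203.0.113.5 6667
2006-02-20T10:00:09 10.0.0.11 198.51.100.7 80
2006-02-20T10:00:12 10.0.0.15 203.0.113.5 6667
2006-02-20T10:00:15 10.0.0.16 198.51.100.7 443
2006-02-20T10:00:20 10.0.0.17 192.0.2.9 6667
"""

# Standard IRC ports (plain and TLS). A real deployment would also watch for
# IRC traffic on non-standard ports, which this example does not attempt.
IRC_PORTS = {6667, 6697}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, port); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port = m.groups()
    return ts, src, dst, int(port)


def find_irc_fan_in(log_text, min_hosts=3):
    """Return {dst_ip: sorted internal hosts} for IRC-port destinations that
    at least min_hosts distinct internal hosts connected to.

    A single workstation talking to an IRC server is ordinary; a whole
    cluster of them converging on one server is the fan-in pattern a
    centrally controlled botnet produces.
    """
    clients = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines rather than crash
        _, src, dst, port = rec
        if port in IRC_PORTS:
            clients[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in clients.items()
            if len(srcs) >= min_hosts}


if __name__ == "__main__":
    for dst, hosts in find_irc_fan_in(SAMPLE_LOG).items():
        print(f"possible C&C {dst}: {len(hosts)} internal hosts -> {', '.join(hosts)}")
```

On the sample above only 203.0.113.5 is reported (five internal hosts); the lone connection to 192.0.2.9 stays below the threshold, which is the point of counting distinct sources rather than raw connections.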
Fast track to $$$
A couple of weeks ago, I wrote about Jeanson James Ancheta, an enterprising young man who found a clever way to generate cash from his botnets. He set up a bogus Web site and registered that site as an affiliate advertising program with Gammacash and Loudcash, advertising distributors that pay Webmasters for each user who clicks their ads. Ancheta unleashed a botnet of 10,000 compromised computers upon his bogus Web site, with each compromised computer directed to hit the affiliated ads, generating literally thousands of dollars for Ancheta per month. Ancheta's attack is an example of the most calculating and lucrative form of click fraud.
The compromised computer users, of course, had no idea their machines were being used in this way (other than the more astute users noticing slower system performance or unusually active Internet activity). Even Gammacash and Loudcash didn't know they were being defrauded. According to a study done by CERT, the code used by some bot herders supplies a referral URL, so it appears the user came from another Web page. To further defeat click fraud protection, Ancheta paid an accomplice to control the number of hits so that it appeared to be normal Internet traffic. Overall, the scheme appeared to hurt the advertisers more than the common user. Or did it?
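The two evasion details above, a forged referral URL and an accomplice throttling the click rate, suggest what an ad network's own fraud check would look for. The script below is an added example, not code from the column, Gammacash, Loudcash or CERT; it works over a constructed click log of (epoch seconds, affiliate ID, client IP, referrer) tuples and flags affiliates whose clicks arrive from many distinct IPs yet all carry the same referrer and land at clockwork intervals. The log layout, affiliate IDs and thresholds are assumptions made for illustration.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed ad-network click log for this example (not real data).
# Each tuple: (epoch_seconds, affiliate_id, client_ip, referrer_url)
SAMPLE_CLICKS = [
    # aff-1001: six different IPs, identical referrer, a click every 30 s
    (1000, "aff-1001", "198.51.100.10", "http://news.example/story?id=1"),
    (1030, "aff-1001", "198.51.100.11", "http://news.example/story?id=1"),
    (1060, "aff-1001", "198.51.100.12", "http://news.example/story?id=1"),
    (1090, "aff-1001", "198.51.100.13", "http://news.example/story?id=1"),
    (1120, "aff-1001", "198.51.100.14", "http://news.example/story?id=1"),
    (1150, "aff-1001", "198.51.100.15", "http://news.example/story?id=1"),
    # aff-2002: mixed referrers and irregular timing, as human traffic looks
    (1007, "aff-2002", "203.0.113.20", "http://blog.example/post/7"),
    (1041, "aff-2002", "203.0.113.21", "http://search.example/?q=tv"),
    (1233, "aff-2002", "203.0.113.22", "http://blog.example/post/7"),
    (1240, "aff-2002", "203.0.113.22", "http://forum.example/thread/3"),
    (1601, "aff-2002", "203.0.113.23", "http://news.example/story?id=9"),
    (1999, "aff-2002", "203.0.113.24", "http://mail.example/"),
]


def affiliate_metrics(clicks):
    """Per affiliate: click count, distinct IPs, share of the most common
    referrer, and the coefficient of variation of inter-click gaps
    (0.0 means perfectly regular spacing; None if too few clicks)."""
    by_aff = defaultdict(list)
    for ts, aff, ip, ref in clicks:
        by_aff[aff].append((ts, ip, ref))

    metrics = {}
    for aff, rows in by_aff.items():
        rows.sort()  # chronological order for the gap calculation
        ips = {ip for _, ip, _ in rows}
        refs = Counter(ref for _, _, ref in rows)
        top_share = refs.most_common(1)[0][1] / len(rows)
        gaps = [later[0] - earlier[0] for earlier, later in zip(rows, rows[1:])]
        if len(gaps) >= 2 and mean(gaps) > 0:
            gap_cv = pstdev(gaps) / mean(gaps)
        else:
            gap_cv = None
        metrics[aff] = {
            "clicks": len(rows),
            "distinct_ips": len(ips),
            "top_referrer_share": top_share,
            "gap_cv": gap_cv,
        }
    return metrics


def flag_suspicious(clicks, min_ips=5, min_ref_share=0.9, max_gap_cv=0.2):
    """Affiliates whose traffic is spread over many IPs (so IP-based limits
    would not catch it) but shares one referrer and arrives on a schedule."""
    flagged = []
    for aff, m in affiliate_metrics(clicks).items():
        if (m["distinct_ips"] >= min_ips
                and m["top_referrer_share"] >= min_ref_share
                and m["gap_cv"] is not None
                and m["gap_cv"] <= max_gap_cv):
            flagged.append(aff)
    return sorted(flagged)


if __name__ == "__main__":
    for aff, m in affiliate_metrics(SAMPLE_CLICKS).items():
        print(aff, m)
    print("flagged:", flag_suspicious(SAMPLE_CLICKS))
```

Only aff-1001 is flagged on the sample. Note that the timing test is the weaker of the two signals: the article says Ancheta's accomplice shaped the click volume to resemble normal traffic, and a smarter throttle would jitter the intervals, so in practice the referrer concentration across many distinct IPs is the signal worth keeping, with timing regularity as corroboration only.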
Theft of trust
Here's where the extended use of botnets gets really interesting--and scary. Some bot herders are now creating bogus online storefronts and registering these stores with credible shopping and auction sites, such as eBay. The bot herder then sends his compromised computers to the bogus store and, using stolen credit cards, over time "purchases" various items. The transactions are all registered through the shopping site, thus boosting the seller's reputation online. Later, you come along, see something you want, and stumble across this reseller with a platinum sales reputation, only to find your purchase has vanished into the ether. Not only have criminals stolen your money, they've also stolen your trust.
Eventually the bogus store is discovered and shut down, but by then the criminals behind it have moved on to create another bogus storefront. This may seem like a lot of work on the part of the criminal, but career criminals do this work all the time. Back in the golden days of network hacking, crackers would first scan a network (taking several days, so as not to set off any alarms), then find vulnerabilities, exploit those vulnerabilities, install a rootkit, then wait a few days more before beginning to sniff network data or steal files, or whatever they intended to do in the first place. The overall process took weeks, even months. Indeed, the much publicized data thefts at ChoicePoint last year actually occurred over a period of several weeks.
Trusty defense
How can you spot bogus storefronts? You probably can't, but there are some steps you can take to minimize your chances of encountering one. First, always start with a reputable shopping or auction site. Trusted sites such as eBay have a security and fraud policy in place; read it, because some sites will reimburse your expenses if you lose money to fraud. Next, do a little research. Just because someone's a premium seller doesn't mean much on its own. Try a Google search. If you have information such as a phone number, call it. Finally, trust your instincts: if something appears to be too good to be true, such as a really low price on a plasma flat-screen TV, then it's probably not true at all.
Do you buy online? If so, what safeguards do you use to ensure you won't be taken to the cleaners? Talk back to me.