
“Everything is for sale” on the crime forums, said Derek Manky, a senior security strategist at computer security firm Fortinet Inc.

He said even money-laundering and encryption-cracking services are now available online, as well as the established trade in crimeware products such as Trojan Horse programs.

A Trojan Horse is a piece of software that downloads itself onto a computer from an email attachment or an infected Web page, allowing the hacker who planted it to surreptitiously take control of the infected computer.

The programs for sale on underground websites provide a graphical user interface, or on-screen control panel, just like an anti-virus or other legitimate software package, so anyone can use them, Mr. Manky said.

So sophisticated were the vendors of these crimeware programs that they engaged in turf wars with one another, he said. Some crimeware cleaned computers infected by competitors, he said.

In banking fraud, cybercriminals use the Trojan Horse infection to install a program known as a key-logger that steals IDs and password information for online bank accounts. They use that data to log onto a victim’s bank account and steal money.

This crime, known as account takeover, can be especially devastating for small businesses. Personal account holders are protected from liability by federal regulation and good banking practice if they report fraud in a timely fashion.

But businesses are legally required to employ “commercially reasonable” security measures and can be liable for losses if the programs fail.

Estimates of the cost of online banking fraud vary, and many are produced by computer security companies or others seen as having a vested interest in exaggerating the problem.

A report by defense contractor Detica for the British government last year was the subject of widespread skepticism after it estimated that cybercrime cost Britain more than $40 billion a year, or nearly 2 percent of the country’s entire economy.

In response, a group of cybersecurity academics from Cambridge University this year published what they said was a more rigorous and conservative estimate of some cybercrime costs.

The Cambridge group concluded that the direct costs of account-takeover crime through malware and email were about $690 million a year globally – and probably $26 million in Britain.

Banks worldwide spend about $1 billion a year on technical measures to defeat cybercrime, while law enforcement agencies spend about $400 million to track down and prosecute cybercriminals.

A survey by the American Bankers Association last year revealed that the costs of electronic bank fraud in 2010 for the first time exceeded the costs of check fraud and other illegal paper transactions.

More than 90 percent of U.S. banks experienced debit-card losses that year, totaling nearly $1 billion, the survey found.
