ID thieves using social network sites

Identity thieves are moving beyond traditional phishing attacks and using popular social networking and video-sharing sites to infect our computers with spyware.

Symantec's latest Internet Security Threat Report, which covers the last half of 2007, is scarier than any summer movie.

While malware used to be aimed at affecting a user's computer, the report says, now it's aimed at stealthily collecting the user's information.

Marc Fossi, one of the computer security firm's researchers for the report, spins this scenario: ID thieves compromise your friend's account and infect his Web page with malicious code dressed up as something you might want to download -- a picture or a link. When you click on it, your computer is infected with a tiny piece of malicious code called a Trojan.

"That very first Trojan is pretty dumb in itself," Fossi said. Its job is to sit undetected and then surreptitiously download instructions from a website the hacker controls.

Its first assignment may be to collect your account user names and passwords. Once it has collected and transmitted that information to its programmer, Fossi said, it may get new instructions for a series of other spy and hacking jobs on your accounts. Hackers may use your user name and passwords to plant malicious codes on your Web pages and sell the rest of your information on the black market.

Hackers have been so successful at getting our information, the report says, that black market prices have dropped.

Your Gold Card's worth about 80 cents -- down from a dollar in the first half of the year.

Bank accounts trade for about $10, Symantec said. And sellers give discounts to those who buy in bulk.

Trojans aren't easy for end users to find. They may use a "shotgun attack" to exploit multiple gaps in your computer security at the same time, the Symantec report said.

"It's pretty scary and overwhelming," Fossi said.

When a computer security guy says this, it's time for the rest of us to be very afraid.

So what can you do to protect yourself?

• Take a holistic approach to security, Fossi said, and have many layers of protection. Antivirus software isn't enough. You also need firewalls and anti-spyware or anti-phishing software that can tell you if information is being exported from your computer.

• Don't use the same user names and passwords for all your accounts. It makes a hacker's job easier.

• Don't open or respond to phishing e-mails, which often carry malicious code. Delete them without reading them. If your bank really tried to contact you, you will find the same information when you log into your account.

• Look at URLs to make sure you weren't redirected to a spoof, or counterfeit, site.

• Don't download information from sites you don't know and check over your own Web pages to make sure there's nothing lurking that you didn't post.

The FTC has an easy-to-understand guide to computer security at onguardonline.gov. The site also can help you find reliable tools to protect your computer.

Staysafeonline.org also provides good information about computer security and has links to products.

The U.S. Computer Emergency Readiness Team issues alerts and posts helpful information on its site, www.us-cert.gov. See its "Recovering from a Trojan Horse or Virus" for a step-by-step guide.

To read Symantec's report, go to symantec.com/threatreport/.