How much trouble can an image the size of a single pixel actually cause? Despite their size, and the fact that they are often invisible because they are the same colour as the page they’re hidden on, these images nonetheless act as mini-spies tracking the behaviour of Internet users. Called "web bugs", these informers are much more widespread than you might think and can be found all over: personal websites use them to count the number of visitors, online advertising sites use them to collect information, and even governmental sites have made use of them: the National Security Agency (NSA) in the United States admitted last December that it had used web bugs to obtain information on visitors to its site. We run into these nasty creepy-crawlies everywhere. In theory they represent a limited risk, although they can threaten privacy if combined with other devices. Web bugs are still unknown to the majority of Internet users.
Web bugs are primarily marketing and statistics tools used to record the number of visitors to a site and draw up a visitor profile, but the nature of the information they are capable of gathering means that they could border on being classified as spyware. They are sometimes openly displayed, as is the case for numerous visitor counters. When a visitor connects to this kind of site, web bugs can record information such as the visitor’s IP address, what kind of web browser they have, websites they have previously visited, etc. No major risks so far, since this information remains anonymous; but when combined with a cookie that gathers other kinds of information, web bugs make it possible to draw up complete profiles of Internet users without their knowledge. The major worry undoubtedly comes when they are used in emails (for example newsletters or marketing emails): web bugs enable their sender to check that the Internet user’s address is valid or to find out about their email-reading habits.
Another irritating aspect of web bugs is their use by online advertising brokers: in these cases, the cookies that make up the counting system aren’t sent by the original site, but by visitor trackers (such as the renowned DoubleClick). The cookie makes it possible to follow the Internet user on the web and to display adverts specially targeted at their interests (established by spying on the web pages that they visit). According to the Privacy Foundation, an American association specialising in defending privacy rights, merely including JavaScript or ActiveX elements in a web bug would transform it into truly malicious code capable of spreading very quickly to computers throughout the whole world…
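A defender's view of the images described above, as an added example that is not part of the original article: a Python scan of a page or email body for remote images that are one pixel in size or hidden by inline style, noting whether each loads from a host other than the site's own. The domain news.example, the tracker.example hosts and the sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TINY = {"0", "1", "0px", "1px"}
HIDDEN = re.compile(r"display:none|visibility:hidden|(?:^|;)(?:width|height):[01]px")

class WebBugFinder(HTMLParser):
    """Collects remote <img> tags that are 1x1/0x0 or hidden by inline style."""

    def __init__(self, first_party=""):
        super().__init__()
        self.first_party = first_party.lower()  # site's own domain; "" for an email body
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if not host:
            return  # relative, data: or cid: source, no separate host is contacted
        reasons = []
        if a.get("width", "").lower() in TINY and a.get("height", "").lower() in TINY:
            reasons.append("1x1 or 0x0 size")
        if HIDDEN.search(a.get("style", "").lower().replace(" ", "")):
            reasons.append("hidden by style")
        if not reasons:
            return  # a visible image, e.g. an ordinary banner
        fp = self.first_party
        # With no first party given (email), every remote host counts as external.
        third = not (fp and (host == fp or host.endswith("." + fp)))
        self.findings.append({"host": host, "reasons": reasons, "third_party": third})

def find_web_bugs(html, first_party=""):
    finder = WebBugFinder(first_party)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page for the hypothetical site news.example
SAMPLE = """<html><body>
<img src="/img/logo.png" width="120" height="40">
<img src="https://stats.tracker.example/o.gif?uid=8f3a" width="1" height="1">
<img src="https://cdn.news.example/spacer.gif" style="display: none">
<img src="https://ads.tracker.example/banner.jpg" width="468" height="60">
<img src="cid:logo@news.example" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for finding in find_web_bugs(SAMPLE, "news.example"):
        print(finding)
```

Size and visibility are heuristics: a legitimate layout spacer is flagged as well, so the third-party flag is what separates the site's own hidden image from one served by an outside tracker.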
Experts have lately noticed a worrying rise in cases of banking fraud involving keyloggers. A fraud targeting the London offices of the Japanese bank Sumitomo was discovered in March 2005, resulting in one person being arrested as they prepared to embezzle 20 million euros using access codes obtained thanks to keyloggers. The fraudster had planned to use this method to misappropriate as much as 315 million euros. Also last March, a hacker in New York was sentenced to 27 months in prison for collecting almost 450 passwords using keyloggers that he had installed on Internet terminals located in airports and cybercafés. Customers of French banks have also been targeted by authors of keyloggers who tried to trick them with infected emails.
Faced with these risks, several banks have developed extra protections against keystroke espionage. More and more banks are using virtual keyboards, which allow customers to enter their codes by clicking on digits displayed as images.