Did you know that you could be part of a cyber-espionage network? Or of a cyber warfare army that brings down information systems in other countries?
That’s a real possibility if you download music from a file-sharing site, click on links directly from an email a friend has sent you or download applications and run executable files from unknown sites. Along with those files, you could be downloading malware or bots (malicious software) that enable someone on another continent to hijack your computer. And you will be blissfully unaware that you have been conscripted into the shadowy world of the cyber underworld.
In February alone, CERT-In (Indian Computer Emergency Response Team), a division of the ministry of information technology that tracks and responds to IT security breaches, tracked 16 command and control servers (these infiltrate other computers) and 15,8,851 bot-infected computers in India.
Last week, Canadian researchers based at the University of Toronto’s Munk School of Global Affairs, collaborating with ShadowServer Foundation (an American voluntary group tracking cybercrime), revealed that a Chinese espionage operation had infiltrated and taken sensitive defence and security files from Indian ministries and embassies. The report, Shadows in a Cloud: Investigating Cyber Espionage 2.0, found that the primarily India-focused operation also targeted the United Nations and the Dalai Lama’s office. The attackers were found to have used Twitter, Google groups, Google pages, Blogspot and Yahoo! Mail, among other platforms, to access and control computers.
Whether the computers from which this was done belonged to the guilty party or someone completely innocent isn’t known. Individual personal computers (PCs) may have been hijacked or profiles of individuals may have been spoofed in emails in order to get into the target computers, says Gulshan Rai, director general of CERT-In.
Hackers take control of computers in various ways. They can send an email (which could even be from someone you know but without his knowledge) and link it back to the hacker’s server, which will take control of the computer using file transfer protocol (FTP).
Or they could take advantage of vulnerabilities in browsers and applications, like Adobe Acrobat Reader or Realtek Player, to download malware into an individual’s computer. Symantec, the US Internet security firm that manufactures Norton Anti-Virus, documented 5,491 vulnerabilities in 2008, a 19 per cent increase over the 4,625 vulnerabilities in 2007.
Playing on what is called the FUD (fear, uncertainty, doubt) syndrome, hackers could tell people that their computer is unprotected and get them to download anti-virus software. Dubbed as scareware, this may actually contain malware or make the computer further vulnerable. As of June 2009, Symantec found over 250 rogue security software programmes.
“Once you are on the Net, a computer in a Manhattan corporation is linked to one in a Mangalore home. Any computer without the right kind of security compromises the entire network,” says Sanjay Pandey, CEO of information security firm iSec Services.
Most people only worry about a computer virus crashing their systems, bringing with it the headache of reformatting one’s PC and losing files. But security threats have gone beyond that. In fact, hackers may actually ensure that your computer doesn’t crash as they will need it running to conduct their criminal activities. Some years back, a spam mail financial racket was traced to a Russian cyber mafia which had hijacked 70,000 computers across the world. “The threat is very real and very worrying,” says Vikas Desai, lead technology consultant, India and SAARC at RSA, a global security solutions firm.
“Hacking has moved from tricks to a money game,” says Kamlesh Bajaj, CEO of the Data Security Council of India, an industry body that devises best practices on data security for companies. Hackers enter people’s computers and steal their personal data, especially information relating to credit cards and bank accounts. There’s a thriving market for all these in the cyber underworld, which is now said to be bigger than the international drug mafia.
According to Symantec, credit card information goes for between $1 and $100 per card, bank account credentials for $2-$1,000 and email accounts for $5-$12. Credit card information is the most traded commodity in the underworld, accounting for 18 per cent of all goods and services. The dreaded Zeus Trojan that targets banking information goes for anything between $1,000 and $10,000, according to Desai.
What’s more, computing power — networks of compromised computers — is sold. Gangs rent out compromised computers for particular periods to other gangs, says Rai. “The cyber underground has secure networking or sometimes better than formal channels,” laughs Desai, pointing out that gangs have service level agreements (setting down the service that is provided) as well as bronze, gold and platinum customer support. “Malware is reaching new heights and is currently at an inflexion point,” laments Vishal Dhupar, managing director, Symantec India. “There is more malware than goodware going around.”
The Canadian report didn’t come as a huge surprise. India has been targeted before — two years back, the Cabinet secretariat detected a problem in its computers. On investigation, it was found that traffic was being generated to an unknown Internet protocol address in China. Email accounts of ministry of external affairs personnel have also been hacked earlier.
India is not just the target but also the originator of a lot of cybercrime. A Symantec Intelligence Quarterly report for October-December 2009 found India tops in malicious codes and spam zombies (infiltrated PCs that are used to send spam) in the Asia Pacific Japan region and ranks second in both, globally. “There are hacking syndicates in India,” says Anirban Sengupta, managing consultant at consulting firm PricewaterhouseCoopers, “but no one knows how many and who they are.”
Earlier, notes Dhupar, hackers would take pride in claiming responsibility for attacks. “It was an ego trip. Now it is all about stealth as big money is involved.”
Information security experts worry about the casual approach in India to the subject. Many government sites are vulnerable, says Sengupta, but they often don’t realise it. “There are no preventive detection and intrusion prevention systems.” In the corporate sector, notes Pandey, it is only the multinational companies or information technology and business process outsourcing companies that serve foreign clients that are paranoid about security and have systems in place. “We do not put a premium on routine activity,” laments Bajaj.
Worse, security breaches are hardly ever notified or publicised. Less than 20 per cent of security breach incidents are reported to CERT-In, says Rai. The real danger could come from computers of individuals, who often use operating systems and other software that have become obsolete and for which manufacturers have stopped developing security patches.
With Internet penetration increasing by the day, the problem may only be exacerbated. “The more the penetration, the more the usage, the more the vulnerability,” notes Dhupar. But that should not mean people should panic or stop leveraging the benefits of the Internet. “Just like we take extra precautions while locking our houses, we have to be extra careful while securing our computers,” says Bajaj.
Take heed, India.





