According to the Wall Street Journal article, “Hackers Shift Attacks to Small Firms,” as small businesses make the leap to computerized systems, they are becoming prime targets for cyber thieves.

Business owner Joe Agelastri, who runs a pair of magazine shops in the Chicago-area, found out the hard way. After cyber criminals planted a software program on his cash registers, which sent customer credit-card numbers to Russia, the breach cost him around $22,000, slicing his annual profits in half. Though somewhat puzzled, Agelastri is just one of a growing number of small business owners who have experienced firsthand how prolific a problem cyber fraud has become in the SMB community.

“We thought there would be very little chance that somebody would come into a business of our size to pull off something like this.”

According to former hacker and small business security consultant, Bryce Case Jr., the “too small to hack” mentality is what hackers take advantage of. Weaker security due to budgetary limitations, combined with the fact that in the same time it takes to hack a major company cyber thieves can undetectably steal data from dozens of small companies, is playing a key role in more small companies being targeted by cyber criminals. In Case’s words:

“the juice has become worth the squeeze. Even the pizza place has addresses, names and credit-card information.”

In fact, a 2010 study by the U.S. Secret Service and Verizon Communications Inc.’s forensic analysis unit that investigates attacks found that 63% of data breaches were within companies with 100 employees or less. The WSJ article also cites that Visa estimates that 95% of the credit-card security breaches it finds come from its smallest business customers.

The problem with small businesses that are operating with inadequate security in place is a single breach can potentially cost them their business. This isn’t the case for larger companies, who generally have the budget and experts on staff to protect their assets. If anything, stories like these are lessons for small businesses, who need to overcome the mentality that they are too small to hack and take appropriate measures to safeguard their customers and valuable business assets. After all, when it comes to hacking, cyber criminals don’t discriminate.

Anyway, Cringley’s credit card was recently hacked. And if his card can be hacked, anyone’s can. Like many cardholders, Cringley received a notification from his credit card company’s fraud department, informing him that his card data was being used overseas, on an online dating website.

A scammer used Cringley’s credit card number to create a fake profile, posing as a woman named Katya to lure desperate, unsuspecting men into dating scams.

Cringley determined that the IP address associated with the fraud was anonymized, going through numerous channels to disguise its origin. A Russia-based email address may mean Russian criminals are involved in the hack.

Cringley’s card was used to purchase Badoo credits, which are used to unlock certain features of the dating website, such as chatting with another user or requesting photos. The scammer used Cringley’s card to buy Badoo credits in numerous countries, making her profile internationally accessible.

Cringley surmises that his card data may have been skimmed when he used an ATM or handed his credit card to a store clerk or waiter, or possibly stolen when used to make an online purchase. Even if you are giving your card number to a legitimate online merchant, there’s always the risk they may get hacked. It’s also possible than an unknown worm could have slithered onto Cringley’s PC and sniffed out a credit card transaction.

Even a security expert’s PC can fall victim to hackers, and even someone who knows plenty about security can get hooked. So you must be that much more alert, aware, and on top these issues.

Websites like Badoo can eliminate scammers with device reputation scanning. Real-time device reputation checks, such as those offered by iovation, can detect computers that have been used for fraud, as well as expose all of the accounts associated with the suspicious device or group of devices, allowing websites to immediately shut down sophisticated fraud rings and fraudulent accounts.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft for the National Speakers Association. (Disclosures)

In the article, they explain a scenario involving an infection called the Clampi trojan, but the success of an account theft or takeover isn’t dependent on any specific trojan. All it takes is some method of infecting a computer in order to provide real time data from that computer back to the online criminal. The NY Times article details the way a trojan spreads and watches for ideal account targets.

“When people visit Web sites that have been taken over by the hackers, the software is surreptitiously downloaded onto their machines. Clampi has an unusual feature that can take advantage of a vulnerability in Windows and spread itself to all of the computers on a corporate network. Mr. Stewart found that each of those machines, in turn, was programmed to notice when their users visited any of 4,600 specified Web pages, including banks, brokerages and other sorts of sites.”

The way the attack works is that any time a user logs into their online bank from an infected computer, the trojan recognizes this and sends account information, including one-time passwords, back to the criminal in real time. The criminal can then use this information to log into the stolen account from his own computer or from a remote session on the infected computer. As unlikely as this sounds, we know of confirmed incidents of this attack.

Does this mean that multi-factor authentication is a waste of time? Not at all. Using tokens is still a best practice for account protection and is far more secure than a simple account ID and password combination. Primarily, the use of these trojans simply highlights the increasing sophistication of criminals in collecting and using personal data for their own financial gains. We have highlighted that online crime is far beyond curious kids and is now big business. Criminals are coordinating their efforts, working together, sharing tools and targeting the personal and account data that they need to be successful.

All this should be a reminder that, when it comes to security, companies should be working together—sharing techniques and information, and diversifying their defenses to meet this serious threat. Going it alone online is a losing proposition long term.