Protect Your Small Business Against Cyber Attacks

Cybercrime costs the economy more than $1 trillion per year, and crooks are increasingly setting their sights on small businesses. A look at the most destructive threats to your network–and what you need to do about them.

By Ericka Chickowski May 14, 2010

If you are like millions of small-business owners in America, you probably can’t imagine how a cybercriminal halfway around the world could possibly want to target little old you. After all, with so many large corporations out there in the big, bad cyberworld, your laptop or web server is hardly worth the bother, right?

Wrong.

“People expect targeted attacks to go after large enterprises, but the bad guys and the crooks don’t really care where the money comes from,” says John Maddison, senior vice president of software-as-a-service and managed services at the security firm Trend Micro, whose North American division is based in Cupertino, Calif. “If they’ve managed to get identity and credentials and information from a small business, they’ll go after them as well.”

The truth is that small businesses are increasingly becoming some of the most attractive targets today for enterprising cyberthieves. Take Support.com, for instance. The relatively small remote technical-support provider of about 600 employees finds its website under constant attack, says Mazdak Hashemi, head of technical operations at the company.

“Even though we’re a small player, we’re getting attacks from all over the world,” Hashemi says. “We’re not a big name that people hear about all the time, but apparently we have some interesting stuff that people are interested in stealing or abusing.”

Security research shows that as large enterprises do more to lock down their infrastructure, less-secure small businesses become the low-hanging fruit for cybercriminals looking to cash in on stashes of intellectual property, unprotected credit card numbers or simply the computing power of unprotected computers. And as these bad guys hone their technological tool sets, they’re building more and more automated attacks that make it easy to scan the Internet for unsecured small-business computers to infect, take over and plunder.

“It used to be that some businesses were small enough to not matter to attackers,” says Paul Judge, chief research officer for Barracuda Networks in Campbell, Calif. “But with the volume of the attacks and the automation levels of the attacks, any business that is connected online needs to be prepared with proper security measures.”

“Every day we see thousands of mom-and-pop websites being compromised,” he says. “And it’s not compromised in the traditional sense of ‘graffiti’ all over your site. Instead, your site still works, it looks fine–but the attackers are secretly infecting all of your customers as they visit the site. That can’t be great for business.”

Understanding the Infection Chain
The explosion in cybercrime comes down to one thing: money. Hackers have come up with thousands of ways to make money off of their fraudulent schemes.

“The biggest risk we’re seeing right now is a lot of bank account fraud targeting SMBs,” says Rich Mogull, a security analyst for the Phoenix-based firm Securosis, referring to small and midsize businesses. “We’ve seen cases where there have been fraud protections on the accounts, but once hackers find a set of credentials and log on to the bank website, they are still able to push that activity through.”

Many of the malware threats circulating the Internet are designed to collect user names and passwords from victims’ computers, says Kevin Haley, director of Symantec Security Response, the security research arm of Symantec Corp., based in Mountain View, Calif.

Seven Technologies That Will Make Your Business Safer

1. Hosted e-mail security: Platform delivered through the cloud vs. an expensive on-site appliance.

2. Web/URL filtering: Blocks users from visiting malware-infected sites.

3. Reputation-based antivirus: Relies more on where malware comes from than on traditional signatures that flag already-known threats.

4. Patch and configuration management: Automates the updating of software to fill in security vulnerabilities that can be abused by attackers.

5. Web application vulnerability scanning: Looks through the web applications on a business site to find weaknesses through which the site can be infected.

6. Whole disk encryption: Protects lost laptops and devices from prying eyes, preventing costly data-breach notification procedures.

7. Web application firewalls: Filter out common attacks on an organization’s vulnerable web applications. –E.C.

Biggest Breaches
The annals of assault on business network

2005

Data aggregator ChoicePoint suffers a 163,000-record exposure that catalyzes the nation’s first breach-notification laws.

Hackers expose 40 million accounts of third-party payment processor CardSystems.

2006
A U.S. Department of Veterans Affairs breach compromises 28.6 million records.

2007

A Fidelity National Information Services employee steals 8.5 million records.

Details of 1.6 million Monster.com job seekers are stolen by identity thieves.

Hackers steal information on more than 6.3 million TD Ameritrade customers.

2008
4.2 million credit records are stolen from Hannaford Brothers Supermarkets.

Bank of New York Mellon loses a box of backup tapes, compromising 12.5 million customer records.

A former Countrywide Financial employee is indicted for stealing 2 million customer records.

Visitors to domains of payment processor CheckFree are redirected to a data-stealing site. Five million people are exposed.

2009
A hacker steals data of more than 130 million customers of Heartland Payment Systems.

2010
A security vulnerability at financial services firm Lincoln National Corp. exposes more than 1.2 million customer records.

Self-described tech geek Ericka Chickowski also writes for Consumers Digest, the Los Angeles Times and the Seattle Post-Intelligencer.
