Whoever planned and carried out the deadly bombing of the Boston Marathon may have had plenty of help, experts say, from the Internet.

“Every aspect of a terrorist attack is now managed or researched” in some way using the Internet, said Scott Borg, director and chief economist of the U.S. Cyber Consequences Unit, an independent research institute that assesses cyber threats.

“That's where people figure out what their target is, how to go after the target, it's how they learn how to make bombs, it's how they coordinate their activities with each other,” he told NBC News’ Lisa Myers in an interview.

Borg said there are hundreds of websites in multiple languages advising and instructing people how to commit terrorist acts.

Last month, al Qaeda in the Arabian Peninsula published a how-to guide that urged small-scale attacks in the United States and other Western countries using easily obtainable materials.

Titled the “Lone Mujahid Pocketbook” and published in the spring edition of the terrorist group’s “Inspire” online propaganda magazine, the guidebook borrowed from social media speak and rap lyrics to encourage Islamic extremists in the West to commit acts of violence. The guidebook also offered detailed instructions to “Make a bomb in the kitchen of your Mom,” including detailed, illustrated instructions on making pressure cooker bombs – the type of explosive authorities say was used in the Boston Marathon attack.

Richard Esposito, NBC News’ senior executive producer for investigations, calls the prevalence of online bomb-making guides “a frightening development.”

FBI via AP

This image from the FBI shows the remains of a pressure cooker that the FBI says was part of one of the bombs that exploded during the Boston Marathon.

But he adds that the same websites and chat rooms that would-be jihadists use in their planning can also be a hunting ground for the U.S. intelligence and law enforcement officials looking for whoever built the Boston pressure cooker bombs.

The intelligence community is already at work there, experts say – watching for signs of imminent attacks, but also sowing disinformation and altering recipes for bombs.

“Law enforcement actively attempts to post content on these websites,” said Esposito. “They use all the investigative tools that are now available to them to thwart the terrorists online.”

So far, those methods have been very effective. And experts say the easy availability of bomb-making formulas does not seem to have increased the frequency of attacks. But they worry it may be making the successful ones more lethal.

Related stories

• Bomb type gives first clue on path to perpetrator
• Pressure cooker bombs used around the world for years

Slideshow: Aftermath and reaction following Boston bombings

Shannon Stapleton / Reuters

Heightened security, empty streets, and memorials mark the the day after the Boston Marathon bombings.

Launch slideshow

Follow @IsikoffNBC

COLUMBIA, S.C. -- A single malicious email sent to workers at the South Carolina  Department of Revenue last August enabled an international hacker to crack into state computers and gain access to 3.8 million tax returns, including Social Security numbers and bank account information, in what experts say is the biggest cyber-attack ever against a state government, according to details in a report released Tuesday.

“We were a cocktail for an attack,” Gov. Nikki Haley said, referring to the necessary ingredients for cyberassault, as she released a report by a computer security firm Mandiant, which was commissioned to investigate the data breach. At the same time, Haley accepted the resignation of her Department of Revenue director, Jim Etter, and acknowledged that state officials “could have done more” to protect the personal data of state residents.

The release of the report came amid a mounting political uproar here over the cyberattack and criticism of Haley over her handling of the issue.

“I’ve gotten more phone calls and emails about this than anything else in the last four years,” said Tom Davis, a state senator and former chief of state to Gov. Mark Sanford. “There’s a great degree of anger and frustration over what happened. This is information you’ve got to give the government; if you don’t, they put you in jail. There’s a real sense of betrayal,” he said.

According to the Mandiant report, the cyberattack, which state sources say is believed to have originated inside Russia, started with a “phishing” scheme, a common tactic used by cyber criminals. 

Last Aug. 13, a hacker sent multiple South Carolina Department of Revenue  employees a malicious email containing an embedded link containing malware or a computer virus. When at least one of the employees clicked on the link, the malware was activated and allowed the hacker to steal the employee’s user name and password.

From there, the hacker was off to the races. Two weeks later, the attacker logged onto the remote-access service for Department of Revenue computers, using the credentials of an employee who had clicked on the Aug. 13 email. The invader then “leveraged the user’s access rights to access other Department of Revenue systems and databases with the user’s credentials,” the report states.

The attacker performed “reconnaissance activities” over the next several weeks, then started copying large amounts of data and transferring them onto zip files that were moved onto the Internet. The breach was not discovered until the Secret Service notified state officials on Oct. 10 that it had uncovered information that data on three state residents had been stolen.

Since then, Haley and other state officials have scrambled to react as the magnitude of the attack has become increasingly apparent. In addition to 3.8 million tax returns, including the Social Security numbers of 1.9 million children and other dependents, the hackers got access to data on 699,900 business tax returns and 3.3 million bank accounts.

The attack has exposed vulnerabilities that experts say will cause state governments across the country to reexamine their cyber-defenses. Although South Carolina had encrypted credit card numbers according to industry standards, it had never encrypted the Social Security numbers. And some cyber experts say there is evidence that that data may now be marketed on Internet black market sites that peddle personal information on millions of Americans.

Haley on Tuesday blamed the federal government for not requiring Social Security numbers to be encrypted. She released a letter to IRS Commissioner Steven Miller “to strongly encourage the Internal Revenue Service to require all states to have stronger security measures for handling federal tax information, particularly encryption of tax information that is stored or ‘at rest.’”