For example, in February 2008 a new attack was discovered spoofing a U.S. consumer advocacy site, purporting to relate to a complaint filed against the recipient. The site, a legitimate organization, was founded in order to develop and foster a trust between businesses and gathers information on the reliability of businesses, alerting the public to fraud.
This particular attack involved approximately 900 targeted Trojans that were intended for named senior executives within businesses worldwide. The email contained the full name of the business and the recipient, apparently harvested from a major professional social networking Web site. The email also contained a link to the real Web site. The link was to the search engine page on that site and was constructed in such a way as to automatically take the visitor to the site of a particular consumer advocacy affiliate.
The affiliate site in question had already been compromised by the attackers prior to the attack, such that when the link in the message was followed, the site redirected the visitor automatically to another site, which in turn attempted to compromise the user’s browser by using some exploit code. If that attack failed, the visitor would be asked to download an Adobe Acrobat component to view the alleged complaint. If successful, the attack would result in the deployment of a spying Trojan onto the target computer. Such techniques highlight the lengths to which online criminals will go to reach their intended targets.
Manipulating Recruitment Sites
In another example, on May 28, 2008, MessageLabs Intelligence identified a malware attack masquerading as a resume for a job application, purportedly sent from a recruitment agency Web site. Further investigation revealed that it had passed through the agency’s email servers because the company’s Web site, like many others, allows visitors to upload resumes, which the site then automatically forwards to interested companies.
The email appeared with an .RTF document attachment, purporting to be a resume for a job application. The .RTF file contained a malicious .PDF file embedded within the document, which would install a generic backdoor Trojan if activated.
[Figure: Example of malicious .PDF contained in a resume sent via a recruitment Web site]
4.4 Malware predictions for
Malware Makes Its “Mash-up”
MessageLabs Intelligence predicts that in 2009, Web 2.0 will provide an environment for contextual malware, which can consolidate multiple dynamic data streams to create a malicious environment from a number of diverse, unrelated sources. Individually, these data streams will not pose a risk, but when combined they can be used to construct a malicious attack. Mash-ups typically enable users to combine data from many Web sites in one location, but when an XML stream containing seemingly innocent data is processed in the right context, it could be used to construct a malicious attack.
Similarly, Malware-as-a-Service will emerge allowing the bad guys to request the type of malware they are seeking from an automated system and have it delivered instantaneously. Finally, malware will become more “disposable” as cybercriminals find newer and faster ways to change their malware so as to make it undetectable by newly adopted anti-virus systems.
Botnet Renaissance
In 2009, as the major botnets seek to reassert themselves, it is expected that they will find hosting services in countries such as Russia, Brazil or China, precipitating an improvement in the technology behind many of these botnets, creating a new vanguard.
The most sophisticated will take the form of hypervisor technology, where the malware will exist as a virtualization layer running directly on the hardware and intercepting some key operating system calls. This will mean that the “real” operating system will remain unaware of the existence of the underlying malware controlling the computer.
Technology such as “rootkits” for evading detection and kernel-mode drivers that operate closer to the core operating system for performance benefits and stealth are expected to emerge as malicious hypervisors. A customized TCP network stack may allow the botnet to use its own scalable SMTP mail engine to bypass Windows security countermeasures, and to optimize the traffic to suit its own purpose.
Legitimate Web sites are expected to continue to be attacked more aggressively by botnets such as ASPROX, which use them to spread malware. SQL injection and cross-site scripting attacks will likely become more commonplace, turning the Web into an increasingly hostile environment.
Mobile Mayhem
Attacks disguised as free application downloads and games have already targeted mobile smartphones in 2008. While these threats were more prank-like than truly malicious, 2009 will likely see mobile attacks become more malicious as criminals devise ways to make money by exploiting these devices further. Mobile attacks are far behind PC attacks, with 300 mobile viruses in circulation compared with 400,000 for PCs, but MessageLabs Intelligence expects mobile attacks to parallel PC threats. For example, the “porndialers” of the last decade targeted PC users with modems, causing the infected PC to automatically dial premium-rate numbers established by the cyber-criminals, often replacing the owner’s ISP dial-up number with an international number, unbeknownst to the PC user until the phone bill arrived.
Similarly, criminals will target mobile users in the same way, autodialing SMS texts to such numbers with the intent of bilking credit from the mobile user’s account.
5 Fraud, Scams and Phishing: Top Threats of
5.1 Phishing Summary
The overall trend for email-borne malware in 2008 shows that phishing activity averaged around 1 in 244.9 (0.41%) emails, compared with 1 in 156.0 (0.64%) for
[Chart: Average global proportion of phishing in email traffic, 2005-2007 (phishing rate expressed as 1 in N emails)]
Phishing activity peaked in February 2008 at 1 in 99.1 emails. This increase is due partly to the increased availability of plug-and-play style phishing kits that require very little technical skill to configure. Another factor has been an increased use of specialized botnets for phishing activity.
The use of botnets to host multiple phishing sites is a relatively new trend, first observed in January 2008, with Storm.
Previously, botnets had been largely used for sending spam messages and distributing malware.
Although the intensity of phishing attacks hasn’t changed significantly overall during 2008, the types of organizations targeted have widened, to include recruitment agencies, online retailers and internet grocery sites.
Furthermore, although major international financial institutions continue to be targeted, increasing numbers of smaller, state-level banks and credit unions continue to receive the attention of the phishers. As it becomes harder to secure credit, financial institutions are more likely to deploy two-factor authentication techniques for online banking.
Consequently, the number of specialized banking Trojans is set to rise further.
5.2 New Techniques, changes etc
In 2008, MessageLabs Intelligence found that legitimate businesses, with a long-standing online presence, were being targeted to host phishing attacks. By taking control of their Domain Name Service (DNS) database records, phishers were able to take advantage of the existing good reputation of these domains, since they are unlikely to have already been blocked by filtering solutions.
In the following example, the domain included in the phishing link belonged to the Web site for a legitimate Japanese company. However, the attackers compromised the DNS and added a range of sub-domains and wildcard records spoofing the target bank’s domains. These DNS entries were added without the genuine owner’s knowledge or consent.
[Figure: Example of compromised DNS records used in a phishing attack]
The IP address these sub-domains referred to belonged to a machine connected to an academic network based in Taiwan, perhaps a compromised machine being used as a Web server.
In other similar attacks, phishers have compromised legitimate businesses’ Web servers, rather than the DNS database, and have used them to host their phishing sites.
A weakness in the fundamental design of the DNS (Domain Name Service) protocol emerged in mid-2008, potentially affording an attacker the opportunity to corrupt the cache of a vulnerable DNS server. Insecure DNS domains and vulnerable Web sites were used in phishing attacks during 2008. By taking advantage of the reputation of the vulnerable domains, this approach forgoes the more traditional approach of hosting typo-like phishing domains.
Typo-like domains would need to be registered in advance and could be prone to being taken down once reported.
Using a nonspecific example domain name, such as onlinebanking.com as the target, cyber-criminals may register a domain like on1inebanking.com to host a phishing site; a cursory glance may not spot the use of the number “1” in place of the lower-case letter “L,” rendering this a typo-like domain.
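One defensive check for the typo-like domains described above, written as an added example that is not part of the MessageLabs report: it collapses look-alike characters (the report’s “1” for lower-case “l”, plus a few other common substitutions) before comparing a candidate domain against a watch-list of protected brand domains, and it also flags near-misses one edit away. The watch-list, the confusable table and the thresholds are constructed for illustration.

```python
# Added example, not from the MessageLabs report. Flags domains that imitate a
# protected brand domain via look-alike characters (e.g. on1inebanking.com).
# PROTECTED_DOMAINS, CONFUSABLES and PAIRS are constructed sample data.

# Single characters commonly swapped for a letter they resemble.
CONFUSABLES = {"1": "l", "|": "l", "0": "o", "5": "s", "3": "e", "4": "a", "7": "t"}
# Character pairs that render like one letter in many fonts.
PAIRS = {"rn": "m", "vv": "w", "cl": "d"}

PROTECTED_DOMAINS = ["onlinebanking.com", "examplebank.com"]  # constructed watch-list


def registered_label(domain: str) -> str:
    """Label left of the TLD, e.g. 'on1inebanking' (simplified: ignores multi-part suffixes)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def skeleton(label: str) -> str:
    """Canonical form: replace confusable sequences and characters with the letter they mimic."""
    for seq, letter in PAIRS.items():
        label = label.replace(seq, letter)
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-character omissions or swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    """Return 'legitimate', 'typo-like:<brand>', 'near-miss:<brand>' or 'unrelated'."""
    dom = domain.lower().strip(".")
    if dom in PROTECTED_DOMAINS or any(dom.endswith("." + p) for p in PROTECTED_DOMAINS):
        return "legitimate"
    label = registered_label(dom)
    for brand in PROTECTED_DOMAINS:
        brand_label = registered_label(brand)
        if label == brand_label:
            continue  # same label under another TLD is out of scope here
        if skeleton(label) == skeleton(brand_label):
            return f"typo-like:{brand}"
        if edit_distance(skeleton(label), skeleton(brand_label)) <= 1:
            return f"near-miss:{brand}"
    return "unrelated"
```

Running the classifier over newly registered domains or over the link targets in inbound mail gives an early signal that a brand is being imitated, before the domain shows up in a reported phishing campaign.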
By the second half of 2008 there was a notable hike in Web-based password-stealing Trojans for well-known online games, perhaps testament to the ability of cyber-criminals to use these virtual worlds for converting virtual wealth into real-world cash and for laundering their ill-gotten gains.
As the global credit crisis took hold toward the end of 2008, and credit became harder to obtain, MessageLabs Intelligence noted an increase in phishing attacks as well as other financial and loan related spam.
5.2.1 Social Engineering
The type of social engineering used in some phishing attacks during 2008 changed. In one example, the attackers had forgone the usual “Security Alert!” approach in favor of spoofing a U.S. bank’s “Go Green” campaign, in which environmentally conscious victims were invited to sign up for “online eStatements,” rather than traditional paper-based ones.
As the global credit crisis worsened toward the end of 2008, MessageLabs Intelligence witnessed an increase in phishing attacks spoofing banks. Between September 2008 and October 2008, the number of phishing attacks more than doubled. The subjects of the attacks were mostly national and global banks, smaller state banks, credit unions and online retail sites. As pressures on the global banking system increased, scammers sought to take advantage of the confusion surrounding potential mergers and bailouts, by targeting many major U.S. and UK banks.
MessageLabs Intelligence analysis of source IP addresses determined that Cutwail, one of the largest botnets controlling approximately 1 million active bots at the time, was responsible for a large number of these scams.
The social engineering involved in phishing scams is continually improving, with the shadow economy catering more to these increasingly sought-after skills, especially with the goal of engaging in phishing attacks against social networking sites. These attacks provide criminals with a rich supply of real data about individuals as well as access to their ‘friend’ lists.
5.2.2 Advance-Fee Fraud, 419s
In late 2008, phished accounts of major social networking sites were also abused by scammers who used the victims’ accounts to spam messages to their friends requesting a transfer of funds. In some examples, the fraudsters suggested the person was stuck in another country and needed financial assistance to return home.
Moreover, messages used as bait in “419” advance-fee fraud scams were increasingly being sent from accounts that had been automatically created using CAPTCHA-breaking tools.
Scammers also took advantage of social networking sites in a number of more traditional advance-fee fraud scams. For example, in one advance-fee fraud scam the scammer included a link to a social networking profile in his messages to lend credibility to his background. The fraud consisted of a request to fund the production and sponsorship of a poorly written film script, hastily composed by the scammer upon request and attached as a Word document.
Shorter Scams
Examples of 419s appearing toward the end of 2008 highlighted that the scammers had turned to using shorter messages, with only one or two sentences in the body of the email, making it harder to recognize them as scams. The recipient needed to respond to a “unique business opportunity,” requesting more information, before the true nature of the scam would slowly begin to be revealed.
Attachment Fraud
By the end of 2008, 419 advance-fee fraud scammers increasingly used attachments. The content of the email body became shorter, requiring deeper analysis of the attachment to identify the true nature of the correspondence, since the real message was carried in attachments such as Microsoft Word documents and Adobe Acrobat .PDFs.
[Figure: Example of 419 using Microsoft Word document attachment]
The attachment in the example above included the traditional 419 advance-fee fraud wording in the document, suggesting that scammers believed that this approach would enable them to bypass traditional anti-spam filters that only analyze the content and origin of the message itself, ignoring the content of the attachment.
[Figure: Example of Word document that contained the scammer’s message]
Phishing - Voice over IP
In 2008, examples of VoIP services being used in phishing emails surfaced in large numbers. In the example below, a phishing email invited recipients to call a number, which emulated the automated switchboard of the real bank using a DTMF-activated menu system. The victim would be asked to leave their details “after the tone” in a voicemail.
[Figure: Example of phishing attack requesting the victim to record their details on a VoIP call]
5.2.3 Botnets – evolutions (part 3: fraud, phishing)
Using the fast-flux technique, each phishing domain is updated with a rapidly changing IP address, which results in an increased lifespan for these types of phishing sites. This in turn causes the sites to be available for a longer period of time and makes it much harder to disrupt them. One interesting discovery has been the use of secret backdoors in some of the more freely available phishing kits, through which the original authors can bilk the ill-gotten gains from the criminals who deploy them.
In 2008, phishing attacks from specialized botnets became more apparent, and in May 2008 the Srizbi botnet was responsible for spreading a number of phishing emails, in particular targeting one bank using secure https links.
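A detection-side illustration of the fast-flux behaviour described in this section, added here as an example and not taken from the MessageLabs report: repeated lookups of a fast-flux domain return short TTLs and a churning set of addresses spread across unrelated networks, whereas a normally hosted site returns stable answers. The lookup records, the prefix approximation (first two octets stand in for network ownership) and the thresholds are constructed assumptions for illustration.

```python
# Added example, not from the MessageLabs report. Scores a series of DNS
# lookups per domain and flags fast-flux candidates. SAMPLE_LOOKUPS is
# constructed data; thresholds are assumptions, not published values.
from collections import defaultdict

# Each record: (domain, TTL in seconds, A-record answers from one lookup).
SAMPLE_LOOKUPS = [
    ("secure-login.example", 120, ["203.0.113.5", "198.51.100.9", "192.0.2.77"]),
    ("secure-login.example", 120, ["203.0.113.88", "198.51.100.120", "192.0.2.14"]),
    ("secure-login.example", 90, ["203.0.113.200", "198.51.100.33", "192.0.2.250"]),
    ("www.example", 3600, ["203.0.113.10", "203.0.113.11"]),
    ("www.example", 3600, ["203.0.113.10", "203.0.113.11"]),
]


def summarise(lookups):
    """Per domain: minimum TTL, distinct IPs, distinct /16 prefixes, answer churn rate."""
    rounds_by_domain = defaultdict(list)
    for domain, ttl, answers in lookups:
        rounds_by_domain[domain].append((ttl, sorted(answers)))
    stats = {}
    for domain, rounds in rounds_by_domain.items():
        ips = {ip for _, answers in rounds for ip in answers}
        # Crude stand-in for "different networks": count distinct first-two-octet prefixes.
        prefixes = {".".join(ip.split(".")[:2]) for ip in ips}
        changed = sum(1 for a, b in zip(rounds, rounds[1:]) if a[1] != b[1])
        churn = changed / max(len(rounds) - 1, 1)  # share of lookups whose answer set moved
        stats[domain] = {
            "min_ttl": min(ttl for ttl, _ in rounds),
            "unique_ips": len(ips),
            "prefixes": len(prefixes),
            "churn": churn,
        }
    return stats


def is_fast_flux(s, max_ttl=300, min_ips=5, min_prefixes=3, min_churn=0.5):
    """Heuristic: short TTL plus many churning addresses in several networks."""
    return (s["min_ttl"] <= max_ttl and s["unique_ips"] >= min_ips
            and s["prefixes"] >= min_prefixes and s["churn"] >= min_churn)


def flag_fast_flux(lookups):
    """Return the sorted list of domains whose lookup history looks like fast-flux."""
    return sorted(d for d, s in summarise(lookups).items() if is_fast_flux(s))
```

A domain that trips this heuristic is worth cross-referencing with the link targets seen in suspected phishing mail, since the report observes that fast-flux hosting is what keeps those sites alive after the campaign is reported.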