Cybercriminals Find New Ways to Exploit Vulnerabilities

March 2010
By Henry S. Kenyon, SIGNAL Magazine

Focused, sophisticated attacks target specific users, concentrate on social networking sites.

Strategic efforts to access top executives’ computers and to steal source code and intellectual property are taking cybercrime beyond simple financial theft. Criminals and foreign organizations are launching more sophisticated and targeted phishing and malware attacks, resulting in more prevalent infiltrations in 2009. Cybercriminals often target social media sites, such as Twitter and Facebook, and use an individual’s personal data to fool friends and colleagues into revealing valuable personal and corporate data.

A white paper called the “Cyber Intelligence Report” published by Cyveillance, a subsidiary of QinetiQ North America, covers the last half of 2008 and the first half of 2009, but the report’s author, Eric Olson, Cyveillance’s vice president of solutions assurance, maintains that the documented trends remained constant throughout the latter half of 2009. One trend that continued from 2008 was a drop in phishing attacks, but he warns that criminals have simply revised their methods and shifted from mass mailing efforts to well-researched and very specific attacks. Olson notes that the number of malicious software and phishing attempts is underreported, as is the number of malicious Web pages and attempts to access user information through social engineering and other methods. He adds that a variety of lures are used, ranging from pornography and malicious pay-per-click links to tweets with embedded links.

Chief among the report’s findings was that antivirus software provides limited protection against malware. The study measured the effectiveness of 13 major antivirus vendors in real time. It found that even the most popular products detected less than half of the malware threats. Olson describes antivirus and firewall systems as “fixed emplacements” in the battle against viruses and hacking. Although such defenses are necessary, he explains that they are not sufficient because they are reactive to these threats. The best defense is for users to be educated and aware of trends in online criminal activity, he says.

Browser anti-phishing systems also have difficulty detecting most attacks when they are launched. The report notes that attack detection rates improve significantly after 24 hours, but adds that the majority of the damage caused by phishing takes place in the first 24 hours. Olson contends that one reason for this detection delay is that the malware’s writers also own copies of the antivirus software and know how to counter it.

Malware distribution continues to be a growing trend. The report divides malware into a fraud chain consisting of hosting sites, distribution sites and drop sites. Malware hosting sites store and deliver their binary files to malware distribution sites. According to the report, the majority of malware hosting locations are in the United States and China, with the two nations combined representing 52 percent of the global total. Criminals favor the United States as their target for hosting and compromising computers because of the nation’s high user population, Olson shares.

The United States and China also were the two top malware distributors, with the United States in the lead. Criminals use a variety of methods to attract unwary visitors to sites where their computers can be infected. The report notes that distribution sites are usually targeted at specific types of Internet users. Germany is the leading host country for malware drop sites used to collect information from computers infected with keyloggers, screen scrapers and other programs used to gather personal data passively. Olson adds that hackers and malware distributors no longer bother to use servers in their own countries. “They are simply compromising other people’s Web sites or home computers, ‘botting’ them and turning them into the Web server,” he says.

Spreading malware usually begins with a lure, most often a compromised legitimate Web site serving as a vector. Other types of lures range from authoritative e-mails purporting to come from a high-level member of a government agency or company whose name has been pulled off the Internet, to instant messages or Twitter tweets with embedded links. “The idea is to have some compelling way to get a link in front of users that they will click on,” Olson says.

When a malicious site is visited, the page will execute code attempting to install the malware. Olson notes that such sites can be hosted by a legitimate organization while the malware being pushed into a computer is hosted in China, or vice versa. “The Web site you visit is not necessarily—in fact it’s quite often not—the Web site that actually drops the malware. The site that you visit is, more often than not, a legitimate site that’s been compromised by the bad guys,” he says.
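Olson’s point that the site a user visits is often not the site that serves the malware can be checked from the defender’s side by looking at where a page pulls its active content from. The following script is an added example written for this article, not code from Cyveillance or the author; the page URL, the sample HTML and the `.invalid` hostnames are constructed for illustration.

```python
"""Added example (not from the SIGNAL article or Cyveillance): list the
third-party hosts from which a page loads scripts or embedded documents,
so a defender can see that the site a user visited is not necessarily
the site serving the code.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose source attribute loads executable content or a nested document.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}


class ActiveContentParser(HTMLParser):
    """Collect absolute URLs of active content referenced by a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.refs = []  # list of (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE_TAGS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                # urljoin resolves relative and protocol-relative ("//host/x") URLs.
                self.refs.append((tag, urljoin(self.page_url, value)))


def third_party_hosts(page_url, html):
    """Return the sorted set of hosts serving active content for this page
    that differ from the host the user actually visited."""
    parser = ActiveContentParser(page_url)
    parser.feed(html)
    own_host = urlsplit(page_url).hostname
    hosts = set()
    for _tag, url in parser.refs:
        host = urlsplit(url).hostname
        if host and host != own_host:
            hosts.add(host)
    return sorted(hosts)


# Constructed sample: a legitimate page with one local script, one ad-network
# script and a hidden 1x1 iframe pointing at another host (all names are .invalid).
PAGE_URL = "https://www.example.com/news/story.html"
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="//cdn.example-ads.invalid/track.js"></script>
</head><body>
<iframe src="http://injected.example.invalid/frame.html" width="1" height="1"></iframe>
<object data="https://www.example.com/player.swf"></object>
</body></html>"""

if __name__ == "__main__":
    for host in third_party_hosts(PAGE_URL, SAMPLE_PAGE):
        print("active content loaded from third party:", host)
```

A page that legitimately uses a content delivery network will also show up here, so the output is a list to review against an allow-list of expected hosts rather than a verdict; what matters for the point in the article is that the visited domain and the serving domain are not the same thing.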

A recent example of a trusted Web site being used to distribute malicious code involved the New York Times home page. Criminals legitimately bought pay-per-click advertisements and used them to lead users to malicious sites. Olson notes that the newspaper had no influence over the material placed in the banners. The false ads were placed around a specific article and were tailored to attract people who had read the story. After the incident, the Times had to apologize to its users. “Even though they had nothing to do with it—they were technologically blameless—it didn’t help their business any,” he relates.

Malware can be propagated through a variety of methods. Although it is now relatively rare, the malicious attachment is still used, but criminals have become more sophisticated and selective about whom they target. These researched, specific attacks are known as spear phishing. “While the e-mail vector is a much smaller percentage than it used to be, the cases where it does appear are increasingly targeted at members of specific agencies, specific lines of work, specific professional organizations and the like,” he observes.

One example of a spear phishing attack involved a number of corporate chief executive officers (CEOs), including the CEO of Cyveillance. The victims received a detailed e-mail disguised as a court summons citing their names, titles, types of business and the address to the district court closest to their headquarters. The letter notified the CEOs that their companies were being sued for an offense that was credible to their specific businesses. The letter then indicated that to view the complaint or subpoena, the recipient should open the attached PDF file. “This was something that was clearly targeted at getting access to specific executives’ computers via malicious attachment,” he says.
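The court-summons lure combines several indicators a mail gateway or analyst can look for: an external sender posing as an authority, a reply address that differs from the sender, legal-pressure wording, and a document attachment the recipient is told to open. The triage function below is an added example for this article, not code from Cyveillance or the author; the sample message, the organisation domain `example.com`, the keyword list and the simple count-based score are all assumptions chosen for illustration.

```python
"""Added example (not from the SIGNAL article or Cyveillance): triage an
inbound e-mail for the spear-phishing pattern described above, a tailored
legal lure with a document attachment. The message below is constructed.
"""
import email
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumed: the receiving organisation's own domain
LURE_WORDS = ("summons", "subpoena", "complaint", "lawsuit", "court")  # assumed list
RISKY_TYPES = ("application/pdf", "application/msword", "application/zip")
RISKY_EXTENSIONS = (".pdf", ".doc", ".zip")


def triage_message(raw):
    """Return (score, findings) for a raw RFC 5322 message.
    The score is simply the number of indicators present (an assumption)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender outside the organisation.
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    if from_domain and from_domain != ORG_DOMAIN:
        findings.append(f"external sender {from_domain}")

    # 2. Replies routed to a different mailbox than the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append("Reply-To differs from From")

    # 3. Legal-pressure wording in subject or body.
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body is not None else ""
    text = (msg.get("Subject", "") + " " + body_text).lower()
    hits = [w for w in LURE_WORDS if w in text]
    if hits:
        findings.append("legal-pressure wording: " + ", ".join(hits))

    # 4. A document attachment the message urges the reader to open.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        if ctype in RISKY_TYPES or name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"document attachment {name or ctype}")

    return len(findings), findings


# Constructed sample message (all domains use the reserved .invalid TLD).
SAMPLE_EML = """\
From: "District Court Clerk" <clerk@court-notice.invalid>
Reply-To: <respond@mailbox.invalid>
To: ceo@example.com
Subject: Court summons for Example Corp
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

A complaint has been filed against Example Corp. The subpoena is attached.
--b1
Content-Type: application/pdf; name="summons.pdf"
Content-Disposition: attachment; filename="summons.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

if __name__ == "__main__":
    score, findings = triage_message(SAMPLE_EML)
    print(f"score {score}")
    for f in findings:
        print(" -", f)
```

None of the four indicators is conclusive on its own (external senders and PDF attachments are normal business traffic), which is why the function reports each finding separately: an analyst or a gateway rule can require the combination, for example an external sender plus an attachment plus legal-pressure wording, before quarantining the message for review.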

Another type of attack is a malicious Web page that exploits a vulnerability in a browser to conduct a “drive-by download.” The very act of visiting these pages will activate malware that will attempt to install on the user’s computer. But not all malware is an installed application. Olson notes that an increasing amount of malware runs directly in the browser window in non-executable code. When a user closes the browser, the code is gone—there is nothing in the user’s computer, the malware just runs in the browser. He notes that antivirus software has yet to catch up with these trends because there are so many weaknesses in browsers, PDFs and other legitimate programs that criminals can exploit. (See the sidebar “Antivirus Defenses Must Be Agile to Counter Malware Threats” for an antivirus vendor’s view of the situation.)

Criminals also can use social engineering to convince a user to accept a download voluntarily. Olson notes that forums and message boards are now filled with automated postings of pornographic thumbnails. Once a person has clicked on the thumbnail, the site indicates that they must download a media player to watch the video and click on a link to allow the installation. He notes that in these cases, users actually allow their machines to be compromised by an executable application. Other examples include advertisements for downloadable programs to animate mouse cursors or screen backgrounds that serve as a front for additional material being installed on a computer. “It’s 3 k [kilobytes] of code to turn your cursor into a kitty cat and the other six megabytes is all malware,” he relates.

Phishing is a social engineering technique that combines technology and human interaction to gather personal data for fraud and identity theft. The report found that while phishing attacks dropped to 23,000 per month in the first half of 2009, down from 36,000 per month in the second half of 2008, the attacks themselves have become more sophisticated.

Among its findings, the report indicated that while banks and credit unions remain the major targets of phishing attacks, criminals now are focusing on government and commercial organizations. Social networking sites are quickly becoming a target of choice because of the amount of personal data that can be accessed. Olson notes that social networking “takes social engineering to a new level of sophistication, and unfortunately, ease.”

Large-scale spamming and even relatively narrowly targeted phishing and malware attacks still must get past the intended victim’s initial mistrust of receiving a message from a stranger. Olson explains that hackers phish a variety of sites with no monetary value because if they can recover a password or other personal information, it provides criminals with tools to access a person’s social and business contacts.

Once hackers have a user’s password, considerable damage can be done, Olson says. He notes that seven out of 10 times, people use the same password for multiple sites. By accessing a person’s e-mail account, criminals can approach that person’s friends and relatives in his or her guise. The sender now appears to be from inside the recipient’s circle of trust or acquaintance. Because of this trust, Olson asserts that the infection and victimization rate of compromised personal information is much higher. “That social networking context means that once a user’s account or device is compromised, that user’s network is at extremely high risk. An inherent circle of trust exists around that user, and most people fail to distinguish from the user and their device or their account,” he says.

Olson explains that while social networking is a great tool, it also leverages what he sees as the underlying vulnerability of the Internet in terms of transparency, efficiency and instantaneous connectivity to anyone anywhere. “You have just about no way to know that anyone is whom he or she claims to be, because what you’re counting on is that the account or login or device equates to the person, and that isn’t necessarily true,” he says.

Financial fraud is another major target for malware. Olson notes that this is attractive to criminals because it is relatively easy to access people’s financial data. However, small-time financial crime is not his key concern. Olson’s greatest fears are incidents such as the Chinese malware attack propagated through malicious PDF attachments that sought out source code and intellectual property from more than 30 major companies with operations in China. These companies included Hewlett-Packard, Apple, Yahoo and Google.

The same group behind this first attack also was linked to PDFs sent to defense contractors planning to attend a conference in Las Vegas. “To me, that says they’re after source code; they’re after intellectual property; they’re after people who work in the defense industry. Frankly, I’d rather deal with guys who are just up to robbing banks because this [theft of intellectual property] smacks of someone with a much more strategic agenda,” he says.

QinetiQ North America: Education a Key Defense Against Cyberthreats

The past year has seen an increase in sophisticated malware and online scams. These trends in cybercriminal activity will continue in 2010, says Keith Rhodes, senior vice president and chief technology officer for the Mission Solutions Group of QinetiQ North America. He explains that a broader challenge for organizations is that passive network defenses are inadequate because malware and other types of attacks are outmaneuvering firewalls and intrusion detection systems. The pace of software and hacker toolkit development has become highly automated. “It’s almost a production line approach,” Rhodes says.

A key factor is that malware and phishing are moneymaking criminal enterprises. “This is no longer just trying to get your hacker bona fides. This is now a business,” he says. Because of the money involved, cybercrime moves at a pace relevant to the environment.

The best defense, Rhodes maintains, is to be educated about cyberthreats. “You have to be an active participant in protecting yourself, which means you have to look at what’s going on out there in the wild, away from yourself and as close to a source as you can get,” he says. For example, chief information officers who are worried about the criminal element in Eastern Europe should actively study trends and events there. Education and awareness of threats applies to all users. “You are absolutely an active participant in looking at the world and what is going on there,” he says.

Rhodes says that last year’s increase in browser-based attacks and online fraud will continue, if not increase. Another factor is that these attacks now require less active cooperation from users to have malware payloads inserted into their computers. “It’s requiring less participation on the victim’s part in order to have the system be corrupted, which means that the user population has to have a much more active role in protecting itself, and you protect yourself primarily with knowledge,” he says.

“As with lots of things, the defenders have to be right 100 percent of the time, and the adversaries have to be right once. That is the struggle. In cyber, the adversary has the upper hand because there is so much software, infrastructure and equipment out there that is at varying levels of sophistication and protection that the adversary doesn’t have to go directly against a person or organization, he can go against someone who is connected to the target but isn’t as well protected,” he says.

Security providers understand that they are challenged by real-time threats, Rhodes explains. In response, these firms are providing more tailored offerings for their customers. Vendors now are conducting risk analysis of organizations and trying to create more analytical capabilities. However, the challenge is that these responses must be tailored to an organization’s specific needs.

Antivirus Defenses Must Be Agile to Counter Malware Threats

The Cyveillance Cyber Intelligence Report for 2009 indicates that antivirus vendors’ products, while important, are not completely effective against malware and other sophisticated online threats. David Markus, director of security research and communications at McAfee Labs, agrees with some of the report’s key assumptions about the rise in malware attacks and their financial focus, but believes that antivirus products are more effective than the report indicates. Some of the varying results come from the way the testing is done, he allows.

“Standard antivirus technology is kind of passé at this point in time because threats are complex,” Markus says. Because the threats are so varied, he emphasizes that McAfee does not offer simple signature-based malware recognition systems but rather a range of flexible technologies such as host-based intrusion prevention systems and whitelisting technologies.

Speaking for McAfee, Markus notes that gathering intelligence about cyberthreats is vital for antivirus vendors. This data is embedded into each new generation of the firm’s antivirus and network protection technologies at a variety of levels. He adds that mitigating threats at the appropriate layer in the network is the key for future network and antivirus systems. “The bad guys are smart. They’re good at testing against security products. That’s kind of the one-up they have on us good guys. They can create testbeds with all of our technologies in them and run samples against every single [antivirus] technology and adjust it,” he says. However, he adds that firms such as McAfee with a breadth of global intelligence and research experience can insert defenses across all layers of a network.

Because criminals take advantage of weaknesses in browsers and network architecture, Markus explains that antivirus vendors must be agile. This flexibility includes conducting research across a variety of technologies and security applications. However, he notes, detection and response to malware and virus attacks is not perfect. “There’s always going to be that person who runs across that site or that piece of malware for the first time,” he says. But he guarantees that such new threats are quickly collected, analyzed and the appropriate patches or defenses then are distributed to users.
