Cybercriminals Find New Ways to Exploit Vulnerabilities

Focused, sophisticated attacks target specific users, concentrate on social networking sites.

Strategic efforts to access top executives’ computers and to steal source code and intellectual property are taking cybercrime beyond simple financial theft. Criminals and foreign organizations are launching more sophisticated and targeted phishing and malware attacks, resulting in more prevalent infiltrations in 2009. Cybercriminals often target social media sites, such as Twitter and Facebook, and use an individual’s personal data to fool friends and colleagues into revealing valuable personal and corporate data.

A white paper called the “Cyber Intelligence Report” published by Cyveillance, a subsidiary of QinetiQ North America, covers the last half of 2008 and the first half of 2009, but the report’s author, Eric Olson, Cyveillance’s vice president of solutions assurance, maintains that the documented trends remained constant throughout the latter half of 2009. One trend that continued from 2008 was a drop in phishing attacks, but he warns that criminals have simply revised their methods and shifted from mass mailing efforts to well-researched and very specific attacks. Olson notes that the number of malicious software and phishing attempts are underreported, as is the level of malicious Web pages and attempts to access user information through social engineering and other methods. He adds that a variety of lures are used, ranging from pornography, malicious pay-per-click links to Tweets with embedded links.

Chief among the report’s findings was that antivirus software provides limited protection against malware. The study measured the effectiveness of 13 major antivirus vendors in real time. It found that even the most popular products detected less than half of the malware threats. Olson describes antivirus and firewall systems as “fixed emplacements” in the battle against viruses and hacking. Although such defenses are necessary, he explains that they are not sufficient because they are reactive to these threats. The best defense is for users to be educated and aware of trends in online criminal activity, he says.

Browser anti-phishing systems also have difficulty detecting most attacks when they are launched. The report notes that attack detection rates improve significantly after 24 hours, but adds that the majority of the damage caused by phishing takes place in the first 24 hours. Olson contends that one reason for this detection delay is that the malware’s writers also own copies of the antivirus software and know how to counter it.

Malware distribution continues to be a growing trend. The report divides malware into a fraud chain consisting of hosting sites, distribution sites and drop sites. Malware hosting sites store and deliver their binary files to malware distribution sites. According to the report, the majority of malware hosting locations are in the United States and China, with the two nations combined representing 52 percent of the global total. Criminals favor the United States as their target for hosting and compromising computers because of the nation’s high user population, Olson shares.

The United States and China also were the two top malware distributors, with the United States in the lead. Criminals use a variety of methods to attract unwary visitors to sites where their computers can be infected. The report notes that distribution sites are usually targeted at specific types of Internet users. Germany is the leading host country for malware drop sites used to collect information from computers infected with keyloggers, screen scrapers and other programs used to gather personal data passively. Olson adds that hackers and malware distributors no longer bother to use servers in their own countries. “They are simply compromising other people’s Web sites or home computers, ‘botting’ them and turning them into the Web server,” he says.

Spreading malware usually begins with a lure, most often a compromised legitimate Web site serving as a vector. Other types of lures can range from authoritative e-mails from a high-level member of a government agency or company whose name has been pulled off the Internet, instant messages or Twitter tweets with embedded links. “The idea is to have some compelling way to get a link in front of users that they will click on,” Olson says.

When a malicious site is visited, the page will execute code attempting to install the malware. Olson notes that such sites can be hosted by a legitimate organization while the malware being pushed into a computer is hosted in China, or vice versa. “The Web site you visit is not necessarily—in fact it’s quite often not—the Web site that actually drops the malware. The site that you visit is, more often than not, a legitimate site that’s been compromised by the bad guys,” he says.

A recent example of a trusted Web site being used to distribute malicious code involved the New York Times home page. Criminals legitimately bought pay-per-click advertisements and used them to lead users to malicious sites. Olson notes that the newspaper had no influence over the material placed in the banners. The false ads were placed around a specific article and were tailored to attract people who had read the story. After the incident, the Times had to apologize to its users. “Even though they had nothing to do with it—they were technologically blameless—it didn’t help their business any,” he relates.

Malware can be propagated through a variety of methods. Although it is now relatively rare, malicious attachments are still used, but criminals have become more sophisticated and selective about whom they target. These types of researched, specific attacks are spear phishing. “While the e-mail vector is a much smaller percentage than it used to be, the cases where it does appear are increasingly targeted at members of specific agencies, specific lines of work, specific professional organizations and the like,” he observes.

One example of a spear phishing attack involved a number of corporate chief executive officers (CEOs), including the CEO of Cyveillance. The victims received a detailed e-mail disguised as a court summons citing their names, titles, types of business and the address to the district court closest to their headquarters. The letter notified the CEOs that their companies were being sued for an offense that was credible to their specific businesses. The letter then indicated that to view the complaint or subpoena, the recipient should open the attached PDF file. “This was something that was clearly targeted at getting access to specific executives’ computers via malicious attachment,” he says.

Another type of attack is a malicious Web page that exploits a vulnerability in a browser to conduct a “drive-by download.” The very act of visiting these pages will activate malware that will attempt to install on the user’s computer. But not all malware is an installed application. Olson notes that an increasing amount of malware runs directly in the browser window in non-executable code. When a user closes the browser, the code is gone—there is nothing in the user’s computer, the malware just runs in the browser. He notes that antivirus software has yet to catch up with these trends because there are so many weaknesses in browsers, PDFs and other legitimate programs that criminals can exploit. (See sidebar above for an antivirus vendor’s view of the situation.)

Criminals also can use social engineering to convince a user to accept a download voluntarily. Olson notes that forums and message boards are now filled with automated postings of pornographic thumbnails. Once a person has clicked on the link, it will indicate that they must download a media player to watch the video and to click onto the link to allow the installation. He notes that in these cases, users actually allow their machines to be compromised by an executable application. Other examples include advertisements for downloadable programs to animate mouse cursors or screen backgrounds that serve as a front for additional material being installed on a computer. “It’s 3 k [kilobytes] of code to turn your cursor into a kitty cat and the other six megabytes is all malware,” he relates.

Phishing is a social engineering technique that combines technology and human interaction to gather personal data for fraud and identity theft. The report found that while phishing attacks dropped to 23,000 per month in the first half of 2009, down from 36,000 per month in the second half of 2008, the attacks themselves have become more sophisticated.

Among its findings, the report indicated that while banks and credit unions remain the major targets of phishing attacks, criminals now are focusing on government and commercial organizations. Social networking sites are quickly becoming a target of choice because of the amount of personal data that can be accessed. Olson notes that social networking “takes social engineering to a new level of sophistication, and unfortunately, ease.”

Large-scale spamming and even relatively narrowly targeted phishing and malware attacks still must get past the intended victim’s initial mistrust of receiving a message from a stranger. Olson explains that hackers phish a variety of sites with no monetary value because if they can recover a password or other personal information, it provides criminals with tools to access a person’s social and business contacts.

Once hackers have a user’s password, considerable damage can be done, Olson says. He notes that seven out of 10 times, most people use the same password for multiple sites. By accessing a person’s e-mail account, criminals can approach a person’s friends and relatives in the guise of that person. This is because the sender now appears to be from inside the recipient’s circle of trust or acquaintance. Because of this trust, Olson asserts that the infection and victimization rate of compromised personal information is much higher. “That social networking context means that once a user’s account or device is compromised, that user’s network is at extremely high risk. An inherent circle of trust exists around that user, and most people fail to distinguish from the user and their device or their account,” he says.

Olson explains that while social networking is a great tool, it also leverages what he sees as the underlying vulnerability of the Internet in terms of transparency, efficiency and instantaneous connectivity to anyone anywhere. “You have just about no way to know that anyone is whom he or she claims to be, because what you’re counting on is that the account or login or device equates to the person, and that isn’t necessarily true,” he says.

Financial fraud is another major target for malware. Olson notes that this is attractive to criminals because it is relatively easy to access people’s financial data. However, small-time financial crime is not his key concern. Olson’s greatest fears are incidents such as the Chinese malware attack propagated through malicious PDF attachments that sought out source code and intellectual property from more than 30 major companies with operations in China. These companies included Hewlett-Packard, Apple, Yahoo and Google.

The same group behind this first attack also was linked to PDFs sent to defense contractors planning to attend a conference in Las Vegas. “To me, that says they’re after source code; they’re after intellectual property; they’re after people who work in the defense industry. Frankly, I’d rather deal with guys who are just up to robbing banks because this [theft of intellectual property] smacks of someone with a much more strategic agenda,” he says.

WEB RESOURCES
Cyveillance: www.cyveillance.com
QinetiQ North America: www.qinetiq-na.com