Malware

Software Updates Used as Phishing Bait

Tuesday, June 30th, 2009

Phishers have been targeting software updates to distribute malicious software (malware). In the example below, the phisher sent the email from a spoofed Microsoft account to a Cyveillance email address, prompting the user to click on the update link in the body of the message. The link itself appears to be a legitimate Microsoft update site (update.microsoft.com). However, the link is actually obfuscated and when clicked, routes the user to a malicious Website infected with malware.

While attacks such as the one above are not new, it is only recently that this method has truly become a mainstream vector. It is likely that we will continue to see more of this type of attack in the future.

Clicking on links within emails presents potential danger to users. Cyveillance recommends only updating software from the update feature within the application or actually downloading the update from the software vendor’s Website.
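The lure described above relies on the visible link text looking like update.microsoft.com while the href leads elsewhere. The following mail-side check is an added example, not Cyveillance's code: it parses an HTML body (a constructed sample, with 198.51.100.7 and example-cdn.test as made-up attacker hosts), compares the host each anchor really resolves to against an assumed list of trusted vendor suffixes, and flags the userinfo-before-@ trick, look-alike hosts, and text/href host mismatches.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Constructed sample in the style of the lure described above: the visible text reads
# update.microsoft.com, but only the last link really leads to the vendor's site.
SAMPLE_EMAIL_HTML = """
<p>Critical update: <a href="http://update.microsoft.com@198.51.100.7/setup.exe">
http://update.microsoft.com/download</a></p>
<p>Mirror: <a href="https://update.microsoft.com.example-cdn.test/x">official site</a></p>
<p>Docs: <a href="https://update.microsoft.com/">update.microsoft.com</a></p>
"""
TRUSTED_SUFFIXES = ("microsoft.com",)  # assumption: vendors we accept updates from

def _host_of(url):
    # Host the URL really resolves to; .hostname discards any 'user@' prefix.
    url = url.strip()
    return (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()

class _LinkCollector(HTMLParser):
    # Collects (href, visible text) for every <a> element in the message body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return (href, reason) for each anchor whose real destination is not a
    trusted vendor host, or whose visible text names a different host."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = _host_of(href)
        trusted = any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)
        if "@" in urlsplit(href).netloc:
            findings.append((href, "userinfo before '@' hides real host " + host))
        elif not trusted:
            findings.append((href, "untrusted host " + host))
        elif "." in text and " " not in text and _host_of(text) != host:
            findings.append((href, "visible text names a different host than " + host))
    return findings
```

Run against the sample, the first two links are flagged and the genuine vendor link passes.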

Do browser features from Microsoft, Google, Mozilla, and Apple provide adequate protection against phishing attacks?

Thursday, February 5th, 2009

To better understand the daily risks consumers face from phishing attacks, Cyveillance test-sampled unique and confirmed phishing attacks uncovered against a variety of organizations. To measure the effectiveness of some of today’s leading anti-phishing solutions, Cyveillance fed these confirmed live attacks through four of the most widely used anti-phishing browser-based offerings. The data was fed in real time to each solution and then again 24 hours later to determine detection rates over a minimal period of time. The specific detection rates of each solution used during the testing are below:

As the results show, even the most popular Internet browser anti-phishing applications detect less than half of the phishing attacks when the attacks are initially launched. The attack detection rate improves significantly after a period of 24 hours. Unfortunately, the majority of the damage caused by phishing attacks is realized during the first 24 hours after an attack is launched as illustrated in The Cost of Phishing: Understanding the True Cost Dynamics Behind Phishing Attacks, which can be downloaded at http://www.cyveillance.com/web/forms/request.asp?getFile=112. Given these facts, reliance on browser-based tools to protect consumers against phishing attacks is not an adequate phishing defense strategy.

For more information about Cyveillance’s research findings, please visit: http://www.cyveillance.com/web/forms/request.asp?getFile=113

Phish-Pharming: Using social engineering to hijack domains at the source

Thursday, January 22nd, 2009

Recently, there have been several high-profile incidents involving a novel combination of techniques to hijack the legitimate domains of banks and other financial institutions.  This new, blended attack is a hybrid we like to call “Phish-Pharming”, where a Phishing attack is used to gather the information that in turn enables an even more dangerous Pharming attack.

Background
Phish-Pharming combines two well-established types of scams.  In a traditional Phishing attack, consumers are tricked into entering passwords, ATM card numbers and PINs, or other sensitive information into a fake Web site meant to look like the legitimate site being spoofed.

Pharming is more sophisticated.  In a Pharming attack, users’ computers are directed to a fake Web site even though the user enters the correct address of the real site in their browser. What makes Pharming so challenging is that this can be accomplished at many stages in the DNS resolution chain.  For example, one common method involves infecting a PC with malware that modifies how that machine behaves, e.g. it changes the local “Hosts” file on the PC or redirects DNS queries to a fraudulent DNS resolver out on the Internet.

Another way to impact an individual user or household is to attack the unsecured wireless routers used in many homes.  (Apartment dwellers in large complexes can sometimes access dozens of unsecured Internet connections, leaving their neighbors open to malicious attack.)  In yet another more challenging, but more broadly damaging variant, the machines that resolve DNS lookups for a large group, such as the customer base of a local ISP, are hacked from the outside and modified to direct all requests for a given domain name to a bogus Web site.

The ultimate extension of this line of thinking would be a method that maliciously re-directs all visitors to the bogus site, not just a few affected by a localized hack. And that is exactly what Phish-Pharming seeks to do.

How it works
The best way to hijack all the traffic to a legitimate site would be to re-delegate the domain name (that is, re-setting the IP address to which it resolves) to a fraudulent destination at the authoritative home of that instruction.  The “official” entry for the IP address(es) to which a name should resolve is dictated by the domain owner when they set up and manage their site via their hosting provider or registrar.

If the domain owner/manager’s administrative login is stolen, the criminal can re-assign the resolution for the domain to a fraudulent IP address.  When the change propagates across the ‘Net, nearly all requests for that domain name will take users to the bogus Web site.

Phish-Pharming uses a classic Phishing approach of “bogus email + spoof site” to entice the domain administrator to log in to a fake domain-management or registrar Web site, giving the criminals administrative access to that user’s entire domain portfolio.  Instead of trying to trick users into “updating their bank information” (a ploy now widely and correctly greeted with suspicion), an email might be sent to company employees saying “your registration for www.somename.com is about to expire.  Please login to renew now.”  Since registration dates, contacts and other domain-related information are publicly available, details of the email can be tailored literally down to a single individual (a practice known as “Spear Phishing”), which makes the message that much more convincing.

If an administrator falls for the scam, the criminal can immediately log into the legitimate domain “control panel” for the domains in that account. Once logged in as the administrator, a criminal targeting a large enterprise could re-delegate entire portfolios of domain names, attempt to transfer ownership of unused domains (where administrators might not notice they are gone), change passwords to lock out the legitimate owners, and create many other kinds of mischief.

What can our enterprise do to protect the company and its customers?
Like all “social engineering” attacks, Pharming depends on the fact that people are often the weakest link in the security chain.  Awareness is the single best weapon.  Make certain that all domain-name administrators (brand owners, IP and legal staff, anyone with access to domain delegation instructions) are educated about the possibility and the reality (i.e. known cases – this actually does happen) of “being Phished to be Pharmed.”

Any message regarding domain ownership, expiration dates or other messages “from” your service provider should be examined with the same critical eye as emails claiming to come from a bank, eBay or PayPal.  Check the URL to which the link actually resolves, or better yet, type the address in manually.  Call your registrar or vendor rather than relying on email and links if you have questions or concerns about your domains.

Second, consider a monitoring service or other method that helps proactively check DNS resolution for your domains at different levels of the resolution chain.  Like all Phishing and similar types of attacks, the impact of the attack is best mitigated by minimizing the time it takes to detect and take down or control the site in question.  A proactive rather than reactive approach to detecting these attacks could save potentially critical (and expensive) minutes or even hours.
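The resolution chain described in the Background section (hosts file, local resolver, upstream resolver, authoritative delegation) is also the order in which a monitor can pinpoint where a hijack happened. The code below is an added illustration, not Cyveillance's monitoring service: it takes already-collected answers for one domain (constructed sample values; bank.example, 203.0.113.10 and 198.51.100.9 are made up) and names the first stage that diverges, including a parser for malware-edited hosts file entries.

```python
# Constructed inputs standing in for what a resolution-chain monitor gathers for
# one domain: the addresses the owner expects, the authoritative answer, the
# answers of a public and of the local (ISP/router) resolver, and the hosts file.
EXPECTED = {"203.0.113.10"}  # assumption: the institution's real web server
SAMPLE_HOSTS_FILE = """
127.0.0.1   localhost
# line added by malware: overrides the bank's name on this PC only
198.51.100.9  www.bank.example  bank.example
"""

def hosts_overrides(hosts_text, domain):
    """IPs a hosts file forces for `domain` (comments stripped, names case-insensitive)."""
    hits = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and domain.lower() in (n.lower() for n in fields[1:]):
            hits.add(fields[0])
    return hits

def locate_hijack(expected, authoritative, public_resolver, local_resolver,
                  hosts_text, domain):
    """Walk the chain top-down and name the first stage whose answer diverges
    from the stage above it; returns (stage, offending_ips) or ("ok", set())."""
    if authoritative - expected:          # re-delegated at registrar/DNS host (the source)
        return ("authoritative", authoritative - expected)
    if public_resolver - authoritative:   # poisoned or hacked upstream resolver
        return ("public-resolver", public_resolver - authoritative)
    if local_resolver - public_resolver:  # ISP resolver or home router tampered with
        return ("local-resolver", local_resolver - public_resolver)
    overrides = hosts_overrides(hosts_text, domain)
    if overrides - expected:              # malware edited the local hosts file
        return ("hosts-file", overrides - expected)
    return ("ok", set())
```

A source-level hijack shows up as the authoritative answer itself drifting from the owner's record, which is the case the blended attack above aims for.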

Finally, the financial industry has gone to extraordinary lengths to complicate, strengthen and validate the customer login process.  To date, some registrars and hosting providers have not yet done the same, yet if your domain is hijacked at the source, all the authentication, validation and security investments are for naught.  If you have any concerns about the level of authentication or security from your provider, ask them what they are doing to help raise awareness of spoof registrar messages, to stop login-stealing scams or to strengthen the protections they offer to your enterprise as a customer.

Nearly Seventy Percent of All Malware is Delivered via Drive-By Downloads

Tuesday, September 23rd, 2008

There has been no shortage of press regarding malware on the Internet over the past several months. Malware continues to grow in volume and evolve in complexity. As security companies continue to address the problem, the number of Web sites that distribute the unwanted downloads is growing out of control.

What classifies a malware download as a drive-by download? While there is no one standard definition, the problem can be described simply as a file downloaded to a user’s computer without permission or user action when visiting a Web site. This feat is typically accomplished by exploiting a vulnerability in the web browser or operating system.

So, with the exploding growth of malware on the Internet, how many malicious web sites distribute malware via drive-by downloads? Based on a sample of hundreds of thousands of malware distribution web sites discovered in the past 60 days, sixty-eight percent of malware distribution sites deliver malware via drive-by downloads.

Think about it: there are millions of malicious web sites on the Internet. Not only do you have the fear of your AV software not detecting malware on your computer as described in an earlier Cyveillance report (http://www.cyveillance.com/web/forms/request.asp?getFile=111), but simply visiting a web site could infect your computer.

Users can minimize the risk of being infected by a drive-by download in several ways. One of the most effective protective measures is to use the more secure settings on your web browser. This action may cause some inconvenience by requiring users to respond to security prompts when visiting feature-rich web sites, but it will reduce potential malware infections. Another common-sense protective measure is simply to avoid going to unfamiliar or disreputable Websites.

Additionally, security companies that provide user protection through desktop clients can significantly improve protection against drive-by downloads through the use of Cyveillance Malware Protection™. The service evaluates web sites by both signature-based and behavioral-based technologies. This multi-pronged approach to detecting online threats allows Cyveillance to collect the most comprehensive and up-to-date intelligence regarding new malware and attack methods.

How Protected Are We Really Against Malware?

Friday, August 29th, 2008

Fueled by scalability and ease of use, it is not surprising that malware attacks delivered via the Web have more than doubled in frequency. What is interesting is the creativity taken by malware writers to evade detection and mitigation through technical means and wider geographical distribution.

So the question remains, how safe is it to surf the Internet? The answer is not one people want to hear.

The reality – the majority of active malware attacks go undetected, with leading anti-virus (AV) solutions detecting only 50% of instances or less. These results came to light when we recently test-sampled malware that we routinely uncover against several of the top AV products. The findings were released in our “1H 2008 Online Fraud Report” and can be seen in the table below.

Average daily detection rate from 6/20/08 to 7/19/08

F-Secure      51%
Kaspersky     35%
McAfee        34%
Sophos        55%
Trend Micro   52%

The fact that these results are based on a 30-day period only further emphasizes the dynamic nature and scalability of today’s malware attacks. Given the reactive nature of today’s malware and AV detection technology, traditional AV solutions are inherently at a disadvantage when it comes to keeping up with these constantly changing and emerging threats. Now granted, no solution will ever be 100% effective against all real-time and zero-day threats, but by adding proactive intelligence gathering techniques to reactive AV solutions, the gap between infection and protection can be greatly reduced.

Online criminals are using any and every means available to maliciously infect computers and evade detection. Online security solutions should take heed and implement a truly comprehensive approach to security that includes both defensive and offensive elements, or online criminals will remain one step ahead.

Realistic Solution to the Malware Epidemic?

Thursday, April 10th, 2008

It’s hardly newsworthy that security experts at the RSA Conference this week pointed to malware as the biggest threat facing the Internet today.  However, a more thought-provoking, if somewhat controversial, idea about malware was put out there by a noted security expert who offered that “the most effective approach to tackling botnets would be to impose penalties on people who allow their computers to become infected, making users take more responsibility.”  Read the story here

While it’s critical that we explore new solutions, the idea of holding consumers responsible for becoming infected with malware is hard to imagine.  For starters, given that between 20 and 40 percent of malware is not detected by endpoint security software, is it reasonable to expect everyday Internet users to protect themselves from a continual barrage of malware-based attacks?  Our best and brightest security experts have been unable to address the malware threat.  Will a largely non-technical Internet audience significantly reduce malware problems because of the threat of penalties?

Clearly, consumers have a responsibility to take reasonable precautions in order to protect themselves from online attacks. But it’ll take new approaches by businesses, security providers and government to really make a dent in the problem. Consumers are the weak link in the security chain. Social engineering combined with increasingly sophisticated technical attacks are too much for the average Internet user to overcome. A big part of the malware solution has to be hardening the consumer against human-based vulnerabilities. Otherwise, we’ll create an Internet that is not practical for use by the average Joe.

Cross Site Scripting Meets Search Engine Optimization

Wednesday, April 2nd, 2008

Yesterday’s revelation that certain Google search results contain tainted URLs that simultaneously take consumers to their intended site, as well as redirect them to a second site for the purpose of installing malware, shows the bad guys continue to get creative. Read about it here in USA Today. Cross site scripting, phishing and web-delivered malware are not new threats, but the combination of these elements along with proven search engine optimization techniques poses a pretty lethal combination.

Hopefully, Google will take steps to protect its customers from these attacks. Web site operators can do their part, too. You can help protect your Web site from cross site scripting attacks by ensuring that your application performs validation of all headers, cookies, query strings, form fields and hidden fields.

Euro 2008 Football Tickets Site Hacked

Thursday, March 27th, 2008

The online ticket site EuroTicketShop.com was identified as distributing malware to visitors when they attempted to buy tickets for the upcoming soccer tournament. According to a security alert from Sophos, as reported in ComputerWorld, hackers were able to inject malicious code into the site which is downloaded to the computers of fans visiting the legitimate ticket site. The article points out that Google pay-per-click advertisements were being used to attract visitors to the hacked site as well.


40% of All Computers Part of a Botnet

Monday, March 17th, 2008

Byron Acohido and Jon Swartz report in USA TODAY that 40% of all computers connected to the Internet are part of a botnet.


Just in: February 2008 Malware Stats

Wednesday, March 12th, 2008

I am just seeing the summary data discovered by our malware crawlers during February. Sites hosted in the United States represent 52% of all the sites we detected distributing malware.

It’s important to note that just because the sites are hosted in the United States doesn’t mean they all represent the actions of U.S.-based individuals. It’s probably fair to assume that a significant portion of the sites we discovered in February were: