Phishing

Software Updates Used as Phishing Bait

Tuesday, June 30th, 2009

Phishers have been targeting software updates to distribute malicious software (malware). In the example below, the phisher sent the email from a spoofed Microsoft account to a Cyveillance email address, prompting the user to click on the update link in the body of the message. The link itself appears to be a legitimate Microsoft update site (update.microsoft.com). However, the link is actually obfuscated and when clicked, routes the user to a malicious Website infected with malware.
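One routine check a mail gateway or an analyst can apply to a message like the one described above is to compare the host named in a link's visible text with the host its href actually points to. The Python below is an added example written for this page, not Cyveillance's code or any tool mentioned in the post; the e-mail fragment, the `example-malicious.test` hostname in it, and the function names (`find_deceptive_links`, `hostname_of`, `same_site`) are all constructed for illustration.

```python
# Added example: flag e-mail links whose visible text names one host while the
# href points somewhere else, as in the spoofed update.microsoft.com message.
# Uses only the Python standard library.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible anchor text that a reader would take for a URL or hostname.
URL_LIKE = re.compile(r"(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:[/?#]\S*)?")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname_of(url_or_host):
    """Lower-cased hostname of a URL; bare hostnames are accepted as well."""
    target = url_or_host if "://" in url_or_host else "http://" + url_or_host
    return (urlparse(target).hostname or "").lower()


def same_site(shown, actual):
    """True when the two hosts are identical or one is a subdomain of the other."""
    return shown == actual or actual.endswith("." + shown) or shown.endswith("." + actual)


def find_deceptive_links(html):
    """Return one finding per link whose displayed host differs from its real host."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not href.lower().startswith(("http://", "https://")):
            continue  # mailto:, relative links etc. carry no competing hostname
        if not URL_LIKE.fullmatch(text):
            continue  # "click here" style text makes no claim about the destination
        shown, actual = hostname_of(text), hostname_of(href)
        if shown and actual and not same_site(shown, actual):
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


# Constructed sample message, modelled on the update lure described in the post.
# The hostname example-malicious.test is a placeholder, not a real attacker domain.
SAMPLE_EMAIL_HTML = """
<p>A critical security update is available for your computer. Visit
<a href="http://update.microsoft.com.example-malicious.test/setup.exe">http://update.microsoft.com</a>
to install it now.</p>
<p>Questions? Read <a href="https://support.example.com/faq">https://support.example.com/faq</a>
or <a href="https://www.example.com/unsubscribe">click here</a> to unsubscribe.</p>
"""

if __name__ == "__main__":
    for finding in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print(f"shown {finding['shown']} but resolves to {finding['actual']} ({finding['href']})")
```

The subdomain rule in `same_site` keeps legitimate `www.` versus bare-domain pairs quiet, while a lookalike that merely starts with the trusted name (as in the sample) is still flagged because the trusted name is not its suffix.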

While attacks such as the one above are not new, it is only recently that this method has become a mainstream vector. It is likely that we will continue to see more of this type of attack in the future.

Clicking on links within emails presents potential danger to users. Cyveillance recommends only updating software from the update feature within the application or actually downloading the update from the software vendor’s Website.

Cyveillance sees phishing attacks against ISPs on the rise

Thursday, June 4th, 2009

During the past couple of weeks, Cyveillance has noticed an increase in the amount of phishing activity targeting Internet Service Providers (ISPs). While credentials stolen in these ISP-targeted attacks do not offer much direct financial gain for the phishers, they do offer a wealth of user information that can be leveraged in other phishing or spear phishing attacks.

Commonly, phishers will utilize information obtained from non-financial attacks such as ISPs to launch other social engineering attacks. For example, information such as the potential victim’s email address, telephone number, physical address and other information can be obtained from a compromised ISP account. The phisher will incorporate this data in a direct email or phone call to the potential victim in order to establish credibility. Once the credibility has been established, the likelihood for the victim to divulge sensitive information increases substantially.

Another Contrary Perspective – Recent Reports of “Over-Phishing” Are Flawed

Wednesday, February 11th, 2009

In their recent paper “A Profitless Endeavor – Phishing as Tragedy of the Commons” Cormac Herley and Dinei Florencio hypothesize that the Phishing industry is subject to the economic forces common to fisheries and public grazing lands, commonly described in a classic economic construct known as “The Tragedy of the Commons”.

This model, they argue (and the paper’s title dramatically proclaims), indicates that contrary to conventional wisdom, Phishing is a “low reward activity”, that the explosion in activity is proof that each attack is unprofitable, and that the payoff is so poor that the Phisher might do nearly as well doing something legal with their time. However, these key conclusions suffer from three distinct sets of problems, two factual, one methodological. Their conclusions are drawn into serious question by all of the following:

1. Direct Evidence to the Contrary: First and most importantly, the paper lacks the simplest test for these hypotheses, i.e. asking the banks losing the money how much an attack pays the “Phisher”.

2. They Undercut Their Own Findings: The authors estimate the profit from a typical victim is likely to be roughly $539. Even if this were true, and each attack captured only a single victim, this would weaken their own argument about total losses from Phishing given the documented number of phishing attacks per day.

3. Incorrect Construct: There are a number of flaws in applying the “Tragedy of the Commons” construct to the Phishing industry. The industry’s dynamics actually bear very little resemblance to finite-resource systems like fisheries or public grazing lands. Dramatic structural differences make a fishery a very poor analogy on which to model the Phishing industry.

For an in-depth look at each one of these points please go to http://www.cyveillance.com/web/forms/request.asp?getFile=114 to download the detailed paper.

For the sake of both banks and consumers everywhere, one would wish very much that Herley and Florencio’s conclusions were true.  Unfortunately, Cyveillance believes that, when examined in light of the actual dynamics in today’s Phishing industry and when real dollars actually stolen from the banks are tallied, it remains just that – a wish.

In reality, Phishing does pay, it pays handsomely (if not unimaginably) well on a per-hour-of-effort basis, and the very low likelihood of prosecution provides a risk-reward ratio that ensures it will be with us far into the foreseeable future.

Do browser features from Microsoft, Google, Mozilla, and Apple provide adequate protection against phishing attacks?

Thursday, February 5th, 2009

To better understand the daily risks consumers face from phishing attacks, Cyveillance sampled unique, confirmed phishing attacks uncovered against a variety of organizations. To measure the effectiveness of some of today’s leading anti-phishing solutions, Cyveillance fed these confirmed live attacks through four of the most widely used browser-based anti-phishing offerings. The data was fed in real time to each solution and then again 24 hours later to determine detection rates over a minimal period of time. The specific detection rates of each solution used during the testing are below:

As the results show, even the most popular Internet browser anti-phishing applications detect less than half of the phishing attacks when the attacks are initially launched. The attack detection rate improves significantly after a period of 24 hours. Unfortunately, the majority of the damage caused by phishing attacks is realized during the first 24 hours after an attack is launched as illustrated in The Cost of Phishing: Understanding the True Cost Dynamics Behind Phishing Attacks, which can be downloaded at http://www.cyveillance.com/web/forms/request.asp?getFile=112. Given these facts, reliance on browser-based tools to protect consumers against phishing attacks is not an adequate phishing defense strategy.

For more information about Cyveillance’s research findings, please visit: http://www.cyveillance.com/web/forms/request.asp?getFile=113

Phish-Pharming: Using social engineering to hijack domains at the source

Thursday, January 22nd, 2009

Recently, there have been several high-profile incidents involving a novel combination of techniques to hijack the legitimate domains of banks and other financial institutions.  This new, blended attack is a hybrid we like to call “Phish-Pharming”, where a Phishing attack is used to gather the information that in turn enables an even more dangerous Pharming attack.

Background
Phish-Pharming combines two well established types of scams. In a traditional Phishing attack, a fake Web site, built to look like the legitimate site being spoofed, tricks consumers into entering passwords, ATM card numbers and PINs, or other sensitive information.

Pharming is more sophisticated.  In a Pharming attack, users’ computers are directed to a fake Web site even though the user enters the correct address of the real site in their browser. What makes Pharming so challenging is that this can be accomplished at many stages in the DNS resolution chain.  For example, one common method involves infecting a PC with malware that modifies how that machine behaves, e.g. it changes the local “Hosts” file on the PC or redirects DNS queries to a fraudulent DNS resolver out on the Internet.

Another way to impact an individual user or household is to attack the unsecured wireless routers used in many homes. (Apartment dwellers in large complexes can sometimes access dozens of unsecured Internet connections, leaving their neighbors open to malicious attack.) In yet another variant, more challenging but more broadly damaging, the machines that resolve DNS lookups for a large group, such as the customer base of a local ISP, are hacked from the outside and modified to direct all requests for a given domain name to a bogus Web site.

The ultimate extension of this line of thinking would be a method that maliciously re-directs all visitors to the bogus site, not just a few affected by a localized hack. And that is exactly what Phish-Pharming seeks to do.

How it works
The best way to hijack all the traffic to a legitimate site would be to re-delegate the domain name (that is, re-setting the IP address to which it resolves) to a fraudulent destination at the authoritative home of that instruction.  The “official” entry for the IP address(es) to which a name should resolve is dictated by the domain owner when they set up and manage their site via their hosting provider or registrar.

If the domain owner/manager’s administrative login is stolen, the criminal can re-assign the resolution for the domain to a fraudulent IP address.  When the change propagates across the ‘Net, nearly all requests for that domain name will take users to the bogus Web site.

Phish-Pharming uses a classic Phishing approach of “bogus email + spoof site” to entice the domain administrator to log in to a fake domain-management or registrar Web site, giving the criminals administrative access to that user’s entire domain portfolio. Instead of trying to trick users to “update their bank information” (a ploy now widely and correctly greeted with suspicion), an email might be sent to company employees saying “Your registration for www.somename.com is about to expire. Please log in to renew now.” Since registration dates, contacts and other domain-related information are publicly available, details of the email can be tailored literally down to a single individual (a practice known as “Spear Phishing”), which makes the message that much more convincing.

If an administrator falls for the scam, the criminal can immediately log into the legitimate domain “control panel” for the domains in that account. Once logged in as the administrator, a criminal targeting a large enterprise could re-delegate entire portfolios of domain names, attempt to transfer ownership of unused domains (where administrators might not notice they are gone), change passwords to lock out the legitimate owners, and create many other kinds of mischief.

What can our enterprise do to protect the company and its customers?
Like all “social engineering” attacks, Phish-Pharming depends on the fact that people are often the weakest link in the security chain. Awareness is the single best weapon. Make certain that all domain-name administrators (brand owners, IP and legal staff, anyone with access to domain delegation instructions) are educated about the possibility and the reality (i.e. known cases – this actually does happen) of “being Phished to be Pharmed.”

Any message regarding domain ownership, expiration dates or other messages “from” your service provider should be examined with the same critical eye as emails claiming to come from a bank, eBay or PayPal.  Check the URL to which the link actually resolves, or better yet, type the address in manually.  Call your registrar or vendor rather than relying on email and links if you have questions or concerns about your domains.

Second, consider a monitoring service or other method that helps proactively check DNS resolution for your domains at different levels of the resolution chain.  Like all Phishing and similar types of attacks, the impact of the attack is best mitigated by minimizing the time it takes to detect and take down or control the site in question.  A proactive rather than reactive approach to detecting these attacks could save potentially critical (and expensive) minutes or even hours.
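The resolution chain laid out under Background (the local Hosts file, the recursive resolver a machine uses, and the delegation held at the registrar) is also the list of places the monitoring recommended here should look. The Python below is an added example, not Cyveillance's monitoring service or any product named on the page: it models one pass of such a check with constructed observations standing in for live queries. The domain `www.bank.example`, the TEST-NET addresses, the name server names and the function names (`parse_hosts_file`, `check_resolution`, `run_demo`) are assumptions made for illustration.

```python
# Added example: one pass of a multi-level DNS resolution check for a monitored
# name. The observations are constructed stand-ins for live answers; a real
# monitor would gather them by querying each level (hosts file, recursive
# resolvers, authoritative servers / registrar NS records).
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    """What the domain owner published and therefore expects to see everywhere."""
    domain: str
    expected_addresses: set        # A records the owner configured
    expected_nameservers: set      # NS delegation registered with the registrar


@dataclass
class Observation:
    """Answer obtained at one level of the resolution chain."""
    level: str                     # e.g. "recursive:192.0.2.53"
    addresses: set


def parse_hosts_file(text, monitored):
    """Return {name: ip} for hosts-file lines that pin any monitored name locally.

    Pharming malware that edits the Hosts file shows up here, since a hosts entry
    short-circuits DNS entirely for that name.
    """
    overrides = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)            # skip malformed lines
        except ValueError:
            continue
        for name in names:
            name = name.lower().rstrip(".")
            if name in monitored:
                overrides[name] = ip
    return overrides


def check_resolution(policy, observations, observed_nameservers, hosts_text=""):
    """Compare every level against the owner's published records; return alerts."""
    alerts = []

    # Level 1: the local machine. A pin to a non-published address is a local hijack.
    for name, ip in parse_hosts_file(hosts_text, {policy.domain}).items():
        if ip not in policy.expected_addresses:
            alerts.append(f"hosts: {name} pinned to {ip}, not a published address")

    # Level 2: recursive resolvers (ISP, public, or the one a home router hands out).
    for obs in observations:
        unexpected = obs.addresses - policy.expected_addresses
        if unexpected:
            alerts.append(f"{obs.level}: {policy.domain} -> {sorted(unexpected)} not published")

    # Level 3: delegation at the source. A changed NS set is the Phish-Pharming signature.
    if set(observed_nameservers) != policy.expected_nameservers:
        alerts.append(
            f"delegation: NS set {sorted(observed_nameservers)} differs from "
            f"expected {sorted(policy.expected_nameservers)}"
        )
    return alerts


# Constructed scenario using documentation/TEST-NET ranges and placeholder names.
POLICY = Policy(
    domain="www.bank.example",
    expected_addresses={"203.0.113.10", "203.0.113.11"},
    expected_nameservers={"ns1.bank.example", "ns2.bank.example"},
)

HOSTS_TEXT = """
127.0.0.1       localhost
# constructed: entry injected by malware, points the bank name at an attacker host
198.51.100.200  www.bank.example
"""

OBSERVATIONS = [
    Observation("recursive:192.0.2.53", {"203.0.113.10"}),          # clean ISP resolver
    Observation("recursive:198.51.100.53", {"198.51.100.200"}),     # poisoned resolver
]

OBSERVED_NS = {"ns1.bank.example", "ns2.hijacked-registrar-account.test"}  # re-delegated


def run_demo():
    """Run the check over the constructed scenario; all three levels should alert."""
    return check_resolution(POLICY, OBSERVATIONS, OBSERVED_NS, HOSTS_TEXT)


if __name__ == "__main__":
    for alert in run_demo():
        print("ALERT", alert)
```

The delegation comparison is the one that catches the attack this post is about: a hosts-file edit or a poisoned resolver affects some users, whereas a changed NS set at the registrar eventually affects everyone, so it deserves the shortest polling interval.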

Finally, the financial industry has gone to extraordinary lengths to complicate, strengthen and validate the customer login process.  To date, some registrars and hosting providers have not yet done the same, yet if your domain is hijacked at the source, all the authentication, validation and security investments are for naught.  If you have any concerns about the level of authentication or security from your provider, ask them what they are doing to help raise awareness of spoof registrar messages, to stop login-stealing scams or to strengthen the protections they offer to your enterprise as a customer.

A Contrary Perspective – Forced Data Sharing Will Decrease Performance and Reduce Protection

Wednesday, October 22nd, 2008

By Eric Olson, Vice-President, Cyveillance, Inc.

The following post is in response to a presentation recently given at the APWG General Members Meeting and eCrime Researchers Summit by Tyler Moore and Richard Clayton:

http://www.apwg.org/events/2008_generalMeeting.html
http://www.ecrimeresearch.org/
http://www.lightbluetouchpaper.org/2008/10/16/non-cooperation-in-the-fight-against-phishing/

Executive Summary
A. Moore and Clayton are partly right – Every hour a phishing site is up equates to phished consumers and significant, real-dollar losses. Thus speed of both detection and takedown are critical.
B. Superior speed and capability takes massive investment in people, technology and systems, and that must produce an ROI or companies will stop making the investment.
C. Sharing the results of that investment would reward those who can’t perform on the dime of those who can.
D. This disincentive will push the competent to exit the market and spend their capital and expertise on other products.
E. This will rapidly result in poorer detection, fewer choices and longer takedown times when the banks have only the least competent vendors remaining to choose from.
F. There are other less critical flaws in the proposal which are noted as well.

Full Brief
I read with interest the presentation entitled “The consequence of non-cooperation in the fight against phishing” by Tyler Moore and Richard Clayton.  The basic premise of their argument is that all “phishing takedown vendors” should be forced by the banks who are their clients to share phishing URLs immediately upon detection, ensuring the earliest possible initiation of takedown by a given bank’s vendor. I commend Messrs. Moore and Clayton for elucidating with their model that time is the critical matter in the detection and takedown of phishing sites.  This is illustrated in a conceptually-similar model we ourselves have developed here at Cyveillance (see graphic below). It too shows that every hour a phishing site is live equates to real customers phished and real-dollar impact.

[Graphic: phish life cycle curve]

However, if this model is true, then the market should reward superior performance and encourage investment in it, not mandate a process that would quickly lead to a decrease in available service and the voluntary exit from the industry by all but the least competent players.  Consider the following argument:


1.  Lifespan time, not just takedown time, is the driver of dollars lost

First, it should be noted that the critical metric is the total lifespan of a phish from launch to takedown, not just from detection to takedown. As shown in the curve above, the financial impact is minimized by reducing both the time-to-detect and the time from detection to takedown.

2.  Timely detection requires investment
While Cyveillance was not one of the two vendors profiled in Moore and Clayton’s analysis, I am sure our peers face the same challenges we do in solving this problem. In order to detect phishing attacks in the shortest possible time, Cyveillance has systems that identify thousands of unique phish each day by examining content from billions of multilingual spam messages, a global array of honeypots, hundreds of thousands of new domain registrations, and all our customers’ “abuse” messages on a minute-by-minute basis. In the ever more critical quest for detection speed, Cyveillance has even developed a patented system that offers pre-attack intelligence before the phishing email is ever sent, allowing takedown to begin literally the minute the fake page is created.

According to hard data from customers who have objectively tested multiple vendors in “bake off” competitions, these investments have led to detection that often runs four to eight hours faster than other methods, and this is before takedown is even initiated.  Thus, if all takedowns were of equal length and equal cost, superior detection performance can still provide significant hard-dollar savings. This performance gap came only at the cost of many millions of dollars in investment, and Phishing evolves so fast that only constant, continued investment will enable vendors to keep pace with the criminals.

3.  Faster takedown requires investment too
In reality, all takedowns are not created equal, nor are takedown vendors.  Streamlined, 24×7 response and effective takedown processes require the hiring and training of expert, multi-lingual staff, development and continuous refinement of operating procedures, refined processes and building relationships with ISPs, CERTs, registrars, registries, hosting providers, search engine providers and law enforcement all over the world.  This too takes huge amounts of capital.  Here again, criminal innovations such as fast-flux and rockphish (or soon Pharming) attacks demand the constant evolution of processes and systems, as well as ever more skilled, experienced and talented (read as “higher-cost”) staff.

4.  Disincenting Performance
The model that Moore and Clayton propose essentially suggests that those vendors who have invested millions of dollars and years of effort into the most innovative, competitive, effective and successful products should take the results of those efforts (and therefore the business value and pricing power earned by those investments) and give them, free of charge, to their feebler competitors.  Under such a model, what possible motive would our company have to continue investing in providing superior performance?

As an Executive Team, our responsibility is to allocate scarce resources, and we have a fiduciary responsibility to our investors to maximize the return on the capital with which they have entrusted us. What Moore and Clayton’s model would do, if implemented, is drive the capable, the flexible and the competent out of the market.  In very short order, by trying to “force cooperation” this proposal will actually eliminate the healthy competition that pushes performance ever upward, and leave banks with only the worst performers to choose from.  Certainly our systems, people, domain expertise and capital can easily be applied to other services instead, ones where we can compete fairly, charge a fair price and generate profits.

Though the word is sometimes maligned, it is only profit that allows us to continue to exist, to serve our customers, and even to “give back” to the industry and the community.  We are not opposed to sharing data where it is beneficial, or even to giving it away for free where we choose to do so.  Cyveillance does leverage its multi-million dollar platform for shared benefit in many areas, e.g. in providing data and analysis services pro bono to the National Center for Missing and Exploited Children.  We do this voluntarily because it is a cause we believe in, but any proposal that mandates giving away value robs every vendor of the profits necessary for them to continue to both provide valuable services and support philanthropic or charitable endeavors.

5.  A final note – Other flaws in the argument
While less critical, I find other flaws in the proposal as well.  First, no matter how automated, vendors have to invest some level of time and resources in detecting and delivering phish against a specific target or range of targets.  For example, if I am vendor A and I have been contracted by XYZ bank but not ABC bank, why would I devote resources to isolating phish against ABC bank? Who will bear each vendor’s costs of detecting phish for banks that are not paying them? Surely Messrs. Moore and Clayton do not suggest the industry should mandate that all vendors find and deliver phish against all banks as a charity initiative?

Second, on a related note, it should be evident that as a group, “the banks” have neither reason nor leverage to make the proposed demand for cooperation.  With very rare exceptions, each bank has decided on a single vendor.  What incentive would XYZ bank (my client) have to demand that I share my data with another vendor they don’t use? Similarly, what leverage does ABC bank (not my client) have to demand I share my data with the vendor they do use?  I don’t work for them.

Finally, Moore and Clayton hold up the anti-virus industry as a model where sharing among all the vendors works to everyone’s benefit. There are two flaws with this argument. First, A/V companies do have a mutual benefit from sharing. They know that every competitor collects and analyzes lots and lots of viruses before they do. Everyone has huge holes in coverage and analysis bandwidth, so they all could, in theory, benefit from pooling their knowledge. The phishing space is much more narrowly and clearly defined, and the weaker vendors have essentially nothing to offer the stronger ones. Thus, there is no incentive (barring Moore and Clayton’s proposed external demand) for any competent vendor to participate in the data sharing. Only the weak players could love this idea.

Second and just as important, the hard data is that the A/V industry model, which they hold up as an example, isn’t actually working worth a hoot.  Despite the supposed pooling of information about viruses and malicious binaries across the industry, you can run any 100 pieces of malware through virustotal.com and you will see wildly different detection capabilities across dozens of “brand name” A/V engines.  (We’ve already done a much larger study on this point, and the results are appalling.  You can learn more on the subject here:  http://www.cyveillanceblog.com/malware/how-protected-are-we-really-against-malware )

Conclusion
In closing, it seems that, although their notion of time-is-critical is absolutely correct, the solution is NOT forced exposure of valuable data developed at enormous cost, skill and investment.  It is to let the banks demand ever faster and more successful solutions of their vendors, with performance rewarded by patronage and profits, and non-performance rewarded with extinction.

Cyveillance offers SLAs on detection timeliness, accuracy and takedown times, by which we are rewarded for performance and penalized for non-performance.  This is the right approach.  Forced sharing of data would reward those who can’t make those guarantees with a free ride on the coattails of those who have spent millions so that they can.

Creativity and Sophistication in Recent Phishing Attack

Monday, April 14th, 2008

Cyveillance’s President and CEO, Panos Anastassiadis, was targeted by a new approach to an old scam: spear phishing. Earlier this morning, the following email was sent to Mr. Anastassiadis:

Like many other spear phishing attacks, the phisher performed research before launching his or her attack. Specifically, the individual was able to locate and use our CEO’s email address and the Cyveillance phone number in the email. This information was used to enable the attack and build additional credibility for it.

The email instructed Mr. Anastassiadis to appear in the US Courthouse on May 7, 2008 and provided a link to download the subpoena for specific information. Clicking on the link takes you to the following page:

As you can see, the Web page claims that the case has been closed and no further action is required from the visitor. However, clicking on the link not only loads this page but also downloads a Trojan-Downloader onto the computer, one that would not be detected by the majority of Anti-Virus engines. Specific information about the malware used in the attack can be found at: http://www.virustotal.com/analisis/13bfb6913f9c328c7b657fce4ba4c731.

The size of this attack is not yet known, but security managers should ensure that personnel, especially executives, are aware of this latest phishing attack vector.

Phishing for AdWords

Tuesday, March 25th, 2008

Search Engine Roundtable reports a new round of phishing attacks that target the credit and debit card numbers of Google AdWords customers. This is a more classic form of phishing, in that a Web form is served up to collect financial information, and it differs from the AdWords malware fraud reported earlier this month. Don’t be surprised if future variants of these phishing attacks target login credentials so the phishers can take control of the accounts and serve up fraudulent advertisements to lure consumers to bogus Web sites.