<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>

<channel>
	<title>Cyveillance Blog - The Cyber Intelligence Blog &#187; Software Updates Used as Phishing Bait</title>
	<atom:link href="http://www.cyveillanceblog.com/feed" rel="self" type="application/rss+xml" />
	<link>http://www.cyveillanceblog.com</link>
	<description>News and Information about Cyber Intelligence</description>
	<pubDate>Tue, 30 Jun 2009 14:26:01 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.5.1</generator>
	<language>en</language>
			<item>
		<title>Software Updates Used as Phishing Bait</title>
		<link>http://www.cyveillanceblog.com/phishing/software-updates-used-as-phishing-bait</link>
		<comments>http://www.cyveillanceblog.com/phishing/software-updates-used-as-phishing-bait#comments</comments>
		<pubDate>Tue, 30 Jun 2009 14:26:01 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Malware]]></category>

		<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=47</guid>
		<description><![CDATA[Phishers have been targeting software updates to distribute malicious software (malware). In the example below, the phisher sent the email from a spoofed Microsoft account to a Cyveillance email address, prompting the user to click on the update link in the body of the message. The link itself appears to be a legitimate Microsoft update [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: left;">Phishers have been targeting software updates to distribute malicious software (malware). In the example below, the phisher sent the email from a spoofed Microsoft account to a Cyveillance email address, prompting the user to click on the update link in the body of the message. The link itself appears to be a legitimate Microsoft update site (update.microsoft.com). However, the link is actually obfuscated and when clicked, routes the user to a malicious Website infected with malware.</p>
<p>While attacks such as the one above are not new, it is only recently that this method has truly become a mainstream vector. It is likely that we will continue to see more of this type of attack in the future.</p>
<p>Clicking on links within emails presents potential danger to users. Cyveillance recommends only updating software from the update feature within the application or actually downloading the update from the software vendor’s Website.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/phishing/software-updates-used-as-phishing-bait/feed</wfw:commentRss>
		</item>
		<item>
		<title>Cyveillance Identifies Dangerous “Maltweets” on Twitter</title>
		<link>http://www.cyveillanceblog.com/general-cyberintel/cyveillance-identifies-dangerous-%e2%80%9cmaltweets%e2%80%9d-on-twitter</link>
		<comments>http://www.cyveillanceblog.com/general-cyberintel/cyveillance-identifies-dangerous-%e2%80%9cmaltweets%e2%80%9d-on-twitter#comments</comments>
		<pubDate>Tue, 23 Jun 2009 12:12:30 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[General Cyber Intel]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=46</guid>
		<description><![CDATA[Cyber criminals are leveraging high profile current events and Twitter to distribute malicious links on the Internet. Cyveillance recently discovered “Maltweets,” Twitter messages or tweets that contain URLs of infected sites that are using terms such as “Lakers” and “Air France” to entice users to click on the malicious links. 
The Web addresses included in these [...]]]></description>
			<content:encoded><![CDATA[<p>Cyber criminals are leveraging high profile current events and Twitter to distribute malicious links on the Internet. Cyveillance recently discovered “Maltweets,” Twitter messages or tweets that contain URLs of infected sites that are using terms such as “Lakers” and “Air France” to entice users to click on the malicious links. </p>
<p>The Web addresses included in these Maltweets are very dangerous, posing the threat of a malicious file download to a computer without the user&#8217;s knowledge. Once downloaded, the file may install hidden components on a computer, then attempt to execute malicious activity against the user, the user&#8217;s computer or network resources. The malware could allow criminals to take over the computer, use it as part of an illegal botnet, install dangerous rootkits and even capture sensitive user information such as usernames, passwords and other personally identifiable information for the purpose of identity theft.</p>
<p>More info can be found at: <a href="http://www.cyveillance.com/web/news/press_rel/2009/2009-06-23.asp">http://www.cyveillance.com/web/news/press_rel/2009/2009-06-23.asp</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/general-cyberintel/cyveillance-identifies-dangerous-%e2%80%9cmaltweets%e2%80%9d-on-twitter/feed</wfw:commentRss>
		</item>
		<item>
		<title>The Ever-Growing Threat from Cyber Criminals</title>
		<link>http://www.cyveillanceblog.com/general-cyberintel/the-ever-growing-threat-from-cyber-criminals</link>
		<comments>http://www.cyveillanceblog.com/general-cyberintel/the-ever-growing-threat-from-cyber-criminals#comments</comments>
		<pubDate>Thu, 18 Jun 2009 12:03:42 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[General Cyber Intel]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=45</guid>
		<description><![CDATA[A story by the San Francisco Chronicle posted on www.sfgate.com earlier today sheds light on the “cat-and-mouse game” played every day on the Internet between the security industry and online criminals. The story focuses on the growing sophistication of one particular online criminal organization, GoldenCashWorld. The story can be found at: http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2009/06/16/BUK618882A.DTL
 
Unfortunately, GoldenCashWorld is only [...]]]></description>
			<content:encoded><![CDATA[<p>A story by the San Francisco Chronicle posted on <a href="http://www.sfgate.com/">www.sfgate.com</a> earlier today sheds light on the “cat-and-mouse game” played every day on the Internet between the security industry and online criminals. The story focuses on the growing sophistication of one particular online criminal organization, GoldenCashWorld. The story can be found at: <a href="http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2009/06/16/BUK618882A.DTL">http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2009/06/16/BUK618882A.DTL</a></p>
<p>Unfortunately, GoldenCashWorld is only one of many technically sophisticated criminal groups on the Internet. These groups continue to be successful at facilitating and conducting online criminal activity. This success enables their available resources to grow and their technical capabilities to improve. The success also lures many new technically proficient individuals into the cyber criminal underworld. These issues combine to create an ever-growing threat of online criminal activity, in both volume and sophistication, to which the security industry must adapt in order to minimize the effects.</p>
<p>Cyveillance has long been aware of these efforts by the criminals, who are forced to develop very sophisticated methods to bypass detection and security countermeasures. This is a clear indication that the efforts of Cyveillance and others in the security industry are working. As we enter a new era in Security and Intelligence with our acquisition by QinetiQ NA, Cyveillance will continue to make the investments in personnel and technology needed to protect our customers and always stay one step ahead of the bad guys.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/general-cyberintel/the-ever-growing-threat-from-cyber-criminals/feed</wfw:commentRss>
		</item>
		<item>
		<title>ICANN’s Registry-Registrar Cross Ownership Proposal is a Bad Idea</title>
		<link>http://www.cyveillanceblog.com/domains-icann/icann%e2%80%99s-registry-registrar-cross-ownership-proposal-is-a-bad-idea</link>
		<comments>http://www.cyveillanceblog.com/domains-icann/icann%e2%80%99s-registry-registrar-cross-ownership-proposal-is-a-bad-idea#comments</comments>
		<pubDate>Tue, 09 Jun 2009 20:27:16 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Domain Names and ICANN]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=44</guid>
		<description><![CDATA[ 
The public interest in supporting competition and protecting end-users does not support elimination of the current separation of Registry and Registrar ownership. The end result would be further consolidation of the top tier registrars, gaming of the loopholes in the current contractual reciprocity provisions, and potential increased brand abuses. These changes would, in conclusion, [...]]]></description>
			<content:encoded><![CDATA[
<p>The public interest in supporting competition and protecting end-users does not support elimination of the current separation of Registry and Registrar ownership. The end result would be further consolidation of the top tier registrars, gaming of the loopholes in the current contractual reciprocity provisions, and potential increased brand abuses. These changes would, in conclusion, present a severe negative impact on competition among Registries and among Registrars and harm to end users.</p>
<p>Because several registrars own vast domain portfolios, the equal access and vertical separation requirements also have the positive effect of preventing particular registrants from having privileged access to domains in particular registries. Relaxing the requirements could inhibit competition in the market for domain names. Worse, it could make it essentially impossible for brand owners to prevent abusive registrations of their domains in registries where a particular registrant has a pre-emptive ability to register domains. Therefore, preventing registrants from gaining privileged access to particular registries is a compelling reason to preserve the vertical separation requirements. Because of the dangers of the competitive abuses described above, Cyveillance strongly urges the ICANN Board to maintain the separation in the current ICANN contracts and ensure the implementation of regulations that will maintain this clear separation.</p>
<p>More information as well as the opportunity to comment on the proposed change can be found at <a title="http://www.icann.org/en/public-comment/" href="http://www.icann.org/en/public-comment/" target="_blank">http://www.icann.org/en/public-comment/</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/domains-icann/icann%e2%80%99s-registry-registrar-cross-ownership-proposal-is-a-bad-idea/feed</wfw:commentRss>
		</item>
		<item>
		<title>Cyveillance sees phishing attacks against ISPs on the rise</title>
		<link>http://www.cyveillanceblog.com/phishing/cyveillance-sees-phishing-attacks-against-isps-on-the-rise</link>
		<comments>http://www.cyveillanceblog.com/phishing/cyveillance-sees-phishing-attacks-against-isps-on-the-rise#comments</comments>
		<pubDate>Thu, 04 Jun 2009 13:26:08 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=43</guid>
		<description><![CDATA[During the past couple of weeks Cyveillance has noticed an increase in the amount of phishing activity targeting Internet Service Providers (ISPs). While credentials stolen from the ISP-targeted attacks do not offer much direct financial gain for the phishers, they do offer a wealth of user information that can be leveraged in other phishing or [...]]]></description>
			<content:encoded><![CDATA[<p>During the past couple of weeks Cyveillance has noticed an increase in the amount of phishing activity targeting Internet Service Providers (ISPs). While credentials stolen from the ISP-targeted attacks do not offer much direct financial gain for the phishers, they do offer a wealth of user information that can be leveraged in other phishing or spear phishing attacks.</p>
<p>Commonly, phishers will utilize information obtained from non-financial attacks such as ISPs to launch other social engineering attacks. For example, information such as the potential victim’s email address, telephone number, physical address and other information can be obtained from a compromised ISP account. The phisher will incorporate this data in a direct email or phone call to the potential victim in order to establish credibility. Once the credibility has been established, the likelihood for the victim to divulge sensitive information increases substantially.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/phishing/cyveillance-sees-phishing-attacks-against-isps-on-the-rise/feed</wfw:commentRss>
		</item>
		<item>
		<title>Cyveillance&#8217;s Approach to Cyber Security Validated by Recent Obama Administration Initiative</title>
		<link>http://www.cyveillanceblog.com/general-cyberintel/cyveillances-approach-to-cyber-security-validated-by-recent-obama-administration-initiative</link>
		<comments>http://www.cyveillanceblog.com/general-cyberintel/cyveillances-approach-to-cyber-security-validated-by-recent-obama-administration-initiative#comments</comments>
		<pubDate>Mon, 01 Jun 2009 19:34:17 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[General Cyber Intel]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=41</guid>
		<description><![CDATA[For years now Cyveillance has been the cyber intelligence leader, emphasizing a proactive approach to cyber security. Our method of gathering, processing and delivering cyber intelligence to customers and partners for use in threat mitigation and cyber security planning is widely regarded in the market and our intelligence is often cited in the press. This [...]]]></description>
			<content:encoded><![CDATA[<p>For years now Cyveillance has been the cyber intelligence leader, emphasizing a proactive approach to cyber security. Our method of gathering, processing and delivering cyber intelligence to customers and partners for use in threat mitigation and cyber security planning is widely regarded in the market and our intelligence is often cited in the press. This intelligence-led approach to security is also one of the primary drivers behind our recently announced agreement to be acquired by QinetiQ North America.<br />
 <a href="http://www.cyveillanceblog.com/wp-content/uploads/2009/06/cyreport.jpg"><img class="alignnone size-medium wp-image-42" title="cyreport" src="http://www.cyveillanceblog.com/wp-content/uploads/2009/06/cyreport.jpg" alt="" width="180" height="239" /></a></p>
<p>With the recent release of the US Government’s Cyber Security Policy Review, Cyveillance’s intelligence-led approach is quickly gaining ground as a mainstream trend in security. A major focus of the policy review is the discovery and analysis of potential threats and building and implementing the policies and infrastructure needed to prevent or block them. This proactive approach to security is the foundation for our technology, which produces the actionable intelligence needed to stay one step ahead of these growing and dynamic cyber threats. For more detailed information on this approach, you can download The New Protection Paradigm: Intelligence-Led Security whitepaper at: <a href="http://www.cyveillance.com/web/forms/request.asp?getFile=106">http://www.cyveillance.com/web/forms/request.asp?getFile=106</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/general-cyberintel/cyveillances-approach-to-cyber-security-validated-by-recent-obama-administration-initiative/feed</wfw:commentRss>
		</item>
		<item>
		<title>Cyveillance is very pleased to be part of QinetiQ North America portfolio</title>
		<link>http://www.cyveillanceblog.com/general-cyberintel/cyveillance-is-very-pleased-to-be-part-of-qinetiq-north-america-portfolio</link>
		<comments>http://www.cyveillanceblog.com/general-cyberintel/cyveillance-is-very-pleased-to-be-part-of-qinetiq-north-america-portfolio#comments</comments>
		<pubDate>Thu, 07 May 2009 17:35:35 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Executive Protection]]></category>

		<category><![CDATA[General Cyber Intel]]></category>

		<category><![CDATA[Information Protection]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=40</guid>
		<description><![CDATA[Cyveillance is extremely excited to become the latest addition to QinetiQ North America http://www.cyveillance.com/web/news/press_rel/2009/2009-05-06.asp. Cyveillance’s record growth, quality service, outstanding technology and single focus on Cyber Intelligence made for a perfect match to QinetiQ’s security and intelligence practice. The new combined entity will deliver exceptional Internet Risk and Threat Intelligence solutions and serve the worldwide [...]]]></description>
			<content:encoded><![CDATA[<p>Cyveillance is extremely excited to become the latest addition to QinetiQ North America <a title="QinetiQ Acquires Cyveillance Press Release" href="http://www.cyveillance.com/web/news/press_rel/2009/2009-05-06.asp" target="_blank">http://www.cyveillance.com/web/news/press_rel/2009/2009-05-06.asp</a>. Cyveillance’s record growth, quality service, outstanding technology and single focus on Cyber Intelligence made for a perfect match to QinetiQ’s security and intelligence practice. The new combined entity will deliver exceptional Internet Risk and Threat Intelligence solutions and serve the worldwide commercial and government markets. Cyveillance will have access to QinetiQ’s resources and infrastructure to support our continued expansion and an increased ability to deliver new, innovative solutions.</p>
<p>By the marketplace reaction, many share our excitement. One posting in particular from Nick Selby at The 451 Group clearly grasped the larger picture and strategic value of cyber intelligence to today’s enterprise. Read his post here.</p>
<p><a title="Nick Selby, The 451 Group" href="http://blogs.the451group.com/security/2009/05/06/some-context-around-the-cyveillance-acquisition/" target="_blank">http://blogs.the451group.com/security/2009/05/06/some-context-around-the-cyveillance-acquisition/</a></p>
<p>You can see more story links here:</p>
<p><a title="Cyveillance in the News" href="http://www.cyveillance.com/web/news/in_the_news.asp" target="_blank">http://www.cyveillance.com/web/news/in_the_news.asp</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/general-cyberintel/cyveillance-is-very-pleased-to-be-part-of-qinetiq-north-america-portfolio/feed</wfw:commentRss>
		</item>
		<item>
		<title>Another Contrary Perspective – Recent Reports of “Over-Phishing” Are Flawed</title>
		<link>http://www.cyveillanceblog.com/phishing/another-contrary-perspective-%e2%80%93-recent-reports-of-%e2%80%9cover-phishing%e2%80%9d-are-flawed</link>
		<comments>http://www.cyveillanceblog.com/phishing/another-contrary-perspective-%e2%80%93-recent-reports-of-%e2%80%9cover-phishing%e2%80%9d-are-flawed#comments</comments>
		<pubDate>Wed, 11 Feb 2009 14:27:10 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=39</guid>
		<description><![CDATA[In their recent paper “A Profitless Endeavor – Phishing as Tragedy of the Commons” Cormac Herley and Dinei Florencio hypothesize that the Phishing industry is subject to the economic forces common to fisheries and public grazing lands, commonly described in a classic economic construct known as “The Tragedy of the Commons”.
This model, they argue, (and [...]]]></description>
			<content:encoded><![CDATA[<p>In their recent paper “A Profitless Endeavor – Phishing as Tragedy of the Commons” Cormac Herley and Dinei Florencio hypothesize that the Phishing industry is subject to the economic forces common to fisheries and public grazing lands, commonly described in a classic economic construct known as “The Tragedy of the Commons”.</p>
<p>This model, they argue, (and the paper’s title dramatically proclaims) indicates that contrary to conventional wisdom, Phishing is a “low reward activity”, that the explosion in activity is proof that each attack is unprofitable, and  that the payoff is so poor that the Phisher might do nearly as well doing something legal with their time.  However, these key conclusions suffer from three distinct sets of problems, two factual, one methodological.  Their conclusions are drawn into serious question by all of the following:</p>
<p><strong>1.    Direct Evidence to the Contrary: </strong> First and most importantly, the paper lacks the simplest test for these hypotheses, i.e. asking the banks losing the money how much an attack pays the “Phisher”.</p>
<p><strong>2.    They Undercut Their Own Findings: </strong> The authors estimate the profit from a typical victim is likely to be roughly $539.  Even if this were true, and each attack captured only a single victim, this would weaken their own argument about total losses from Phishing given the documented number of phishing attacks per day.</p>
<p><strong>3.    Incorrect Construct: </strong>There are a number of flaws in applying the “Tragedy of the Commons” construct to the Phishing industry.  The industry’s dynamics actually bear very little resemblance to finite-resource systems like fisheries or public grazing lands.  Dramatic structural differences make a fishery a very poor analogy on which to model the Phishing industry.</p>
<p>For an in-depth look at each one of these points please go to <a title="Another Contrary Perspective" href="http://www.cyveillance.com/web/forms/request.asp?getFile=114" target="_blank">http://www.cyveillance.com/web/forms/request.asp?getFile=114</a> to download the detailed paper.</p>
<p>For the sake of both banks and consumers everywhere, one would wish very much that Herley and Florencio’s conclusions were true.  Unfortunately, Cyveillance believes that, when examined in light of the actual dynamics in today’s Phishing industry and when real dollars actually stolen from the banks are tallied, it remains just that – a wish.</p>
<p>In reality, Phishing does pay, it pays handsomely (if not unimaginably) well on a per-hour-of-effort basis, and the very low likelihood of prosecution provides a risk-reward ratio that ensures it will be with us far into the foreseeable future.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/phishing/another-contrary-perspective-%e2%80%93-recent-reports-of-%e2%80%9cover-phishing%e2%80%9d-are-flawed/feed</wfw:commentRss>
		</item>
		<item>
		<title>Do browser features from Microsoft, Google, Mozilla, and Apple provide adequate protection against phishing attacks?</title>
		<link>http://www.cyveillanceblog.com/phishing/do-browser-features-from-microsoft-google-mozilla-and-apple-provide-adequate-protection-against-phishing-attacks</link>
		<comments>http://www.cyveillanceblog.com/phishing/do-browser-features-from-microsoft-google-mozilla-and-apple-provide-adequate-protection-against-phishing-attacks#comments</comments>
		<pubDate>Thu, 05 Feb 2009 20:43:50 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Malware]]></category>

		<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=35</guid>
		<description><![CDATA[To better understand the daily risks consumers face from phishing attacks, Cyveillance test sampled unique and confirmed phishing attacks uncovered against a variety of organizations. To measure the effectiveness of some of today’s leading anti-phishing solutions, Cyveillance fed these confirmed live attacks through four of the most widely used anti-phishing browser-based offerings. The data was [...]]]></description>
			<content:encoded><![CDATA[<p>To better understand the daily risks consumers face from phishing attacks, Cyveillance test sampled unique and confirmed phishing attacks uncovered against a variety of organizations. To measure the effectiveness of some of today’s leading anti-phishing solutions, Cyveillance fed these confirmed live attacks through four of the most widely used anti-phishing browser-based offerings. The data was fed in real time to each solution and then again 24 hours later to determine detection rates over a minimal period of time. The specific detection rates of each solution used during the testing are below:</p>
<p><a href="http://www.cyveillanceblog.com/wp-content/uploads/2009/02/chart-blog-post1.jpg"><img class="alignleft size-medium wp-image-38" title="chart-blog-post1" src="http://www.cyveillanceblog.com/wp-content/uploads/2009/02/chart-blog-post1-300x84.jpg" alt="" width="300" height="84" /></a></p>
<p>As the results show, even the most popular Internet browser anti-phishing applications detect less than half of the phishing attacks when the attacks are initially launched. The attack detection rate improves significantly after a period of 24 hours. Unfortunately, the majority of the damage caused by phishing attacks is realized during the first 24 hours after an attack is launched as illustrated in The Cost of Phishing: Understanding the True Cost Dynamics Behind Phishing Attacks, which can be downloaded at <a title="True Cost Dynamics Behind Phishing Attacks." href="http://www.cyveillance.com/web/forms/request.asp?getFile=112" target="_blank">http://www.cyveillance.com/web/forms/request.asp?getFile=112</a>. Given these facts, reliance on browser-based tools to protect consumers against phishing attacks is not an adequate phishing defense strategy.</p>
<p>For more information about Cyveillance’s research findings, please visit: <a title="Cyveillance Cyber Intelligence Report" href="http://www.cyveillance.com/web/forms/request.asp?getFile=113" target="_blank">http://www.cyveillance.com/web/forms/request.asp?getFile=113</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/phishing/do-browser-features-from-microsoft-google-mozilla-and-apple-provide-adequate-protection-against-phishing-attacks/feed</wfw:commentRss>
		</item>
		<item>
		<title>Phish-Pharming:  Using social engineering to hijack domains at the source</title>
		<link>http://www.cyveillanceblog.com/phishing/phish-pharming-using-social-engineering-to-hijack-domains-at-the-source</link>
		<comments>http://www.cyveillanceblog.com/phishing/phish-pharming-using-social-engineering-to-hijack-domains-at-the-source#comments</comments>
		<pubDate>Thu, 22 Jan 2009 17:49:21 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Malware]]></category>

		<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://www.cyveillanceblog.com/?p=34</guid>
		<description><![CDATA[Recently, there have been several high-profile incidents involving a novel combination of techniques to hijack the legitimate domains of banks and other financial institutions.  This new, blended attack is a hybrid we like to call “Phish-Pharming”, where a Phishing attack is used to gather the information that in turn enables an even more dangerous Pharming [...]]]></description>
			<content:encoded><![CDATA[<p>Recently, there have been several high-profile incidents involving a novel combination of techniques to hijack the legitimate domains of banks and other financial institutions.  This new, blended attack is a hybrid we like to call “Phish-Pharming”, where a Phishing attack is used to gather the information that in turn enables an even more dangerous Pharming attack.</p>
<p><strong>Background</strong><br />
Phish-Pharming combines two well established types of scams.  In a traditional <em>Phishing </em>attack, a fake Web site, meant to look like the legitimate site being spoofed, tricks consumers into entering passwords, ATM card numbers and PINs or other sensitive information.</p>
<p><em>Pharming </em>is more sophisticated.  In a Pharming attack, users’ computers are directed to a fake Web site even though the user enters the correct address of the real site in their browser. What makes Pharming so challenging is that this can be accomplished at many stages in the DNS resolution chain.  For example, one common method involves infecting a PC with malware that modifies how that machine behaves, e.g. it changes the local “Hosts” file on the PC or redirects DNS queries to a fraudulent DNS resolver out on the Internet.</p>
<p>Another way to impact an individual user or household is to attack unsecured wireless routers used in many homes.  (Apartment dwellers in large complexes can sometimes access <em>dozens </em>of unsecured Internet connections, leaving their neighbors open to malicious attack.)  In yet another more challenging, but more broadly damaging variant, the machines that resolve DNS lookups for a large group such as the customer base of a local ISP, are hacked from the outside, and modified to direct all requests for a given domain name to a bogus Web site.</p>
<p>The ultimate extension of this line of thinking would be a method that maliciously re-directs <em>all </em>visitors to the bogus site, not just a few affected by a localized hack. And that is exactly what Phish-Pharming seeks to do.</p>
<p><strong>How it works</strong><br />
The best way to hijack <em>all </em>the traffic to a legitimate site would be to re-delegate the domain name (that is, re-setting the IP address to which it resolves) to a fraudulent destination at the <em>authoritative </em>home of that instruction.  The “official” entry for the IP address(es) to which a name should resolve is dictated by the domain owner when they set up and manage their site via their hosting provider or registrar.</p>
<p>If the domain owner/manager’s administrative login is stolen, the criminal can re-assign the resolution for the domain to a fraudulent IP address.  When the change propagates across the ‘Net, nearly all requests for that domain name will take users to the bogus Web site.</p>
<p>Phish-Pharming uses the classic Phishing approach of “bogus email + spoof site” to entice the domain administrator to log in to a fake domain-management or registrar Web site, giving the criminals administrative access to that user’s entire domain portfolio.  Instead of trying to trick users into “updating their bank information” (a ploy now widely and correctly greeted with suspicion), an email might be sent to company employees saying “your registration for www.somename.com is about to expire.  Please login to renew now.”  Since registration dates, contacts and other domain-related information are publicly available, details of the email can be tailored literally down to a single individual (a practice known as “Spear Phishing”), which makes the message that much more convincing.</p>
<p>If an administrator falls for the scam, the criminal can immediately log into the legitimate domain “control panel” for the domains in that account.  Once logged in as the administrator, a criminal targeting a large enterprise could re-delegate entire portfolios of domain names, attempt to transfer ownership of unused domains (where administrators might not notice they are gone), change passwords to lock out the legitimate owners, and create many other kinds of mischief.</p>
<p><strong>&#8220;What can our enterprise do to protect the company and its customers?&#8221;</strong><br />
Like all “social engineering” attacks, Phish-Pharming depends on the fact that people are often the weakest link in the security chain.  Awareness is the single best weapon.  Make certain that all domain-name administrators (brand owners, IP and legal staff, anyone with access to domain delegation instructions) are educated about the possibility <em>and the reality</em> (i.e. <em>known</em> cases – this actually does happen) of “being Phished to be Pharmed.”</p>
<p>Any message regarding domain ownership, expiration dates or other matters “from” your service provider should be examined with the same critical eye as emails claiming to come from a bank, eBay or PayPal.  Check the URL to which the link actually resolves, or better yet, type the address in manually.  Call your registrar or vendor rather than relying on email and links if you have questions or concerns about your domains.</p>
<p>Second, consider a monitoring service or other method that proactively checks DNS resolution for your domains at different levels of the resolution chain.  As with all Phishing and similar types of attacks, the impact is best mitigated by minimizing the time it takes to detect and take down or control the site in question.  A proactive rather than reactive approach to detecting these attacks could save potentially critical (and <em>expensive</em>) minutes or even hours.</p>
<p>Finally, the financial industry has gone to extraordinary lengths to complicate, strengthen and validate the customer login process.  To date, some registrars and hosting providers have not done the same, yet if your domain is hijacked at the source, all of those authentication, validation and security investments are for naught.  If you have any concerns about the level of authentication or security from your provider, ask them what <em>they</em> are doing to help raise awareness of spoof registrar messages, to stop login-stealing scams, or to strengthen the protections they offer to your enterprise as a customer.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cyveillanceblog.com/phishing/phish-pharming-using-social-engineering-to-hijack-domains-at-the-source/feed</wfw:commentRss>
		</item>
	</channel>
</rss>
