Turn off your PC

2006-05-01

Tomer Honen

Aladdin Knowledge Systems, Israel
Editor: Helen Martin

Abstract

Tomer Honen explains why being mugged at gunpoint could cost you less than being the target of the next multi-stage phishing attack.


Introduction

He knows you by name and probably knows some of your friends' names as well. He knows where you work, what your company's products are and your annual income. He knows your website by heart and by Googling for an hour he can also find out where you live and at which bank your company's main account is stored.

Without getting off his chair he can devise a most insidious attack against your company. Or he can clear out your bank account in the time it takes you to eat your breakfast. Not too long ago he was a script kid, but he grew up and realized how easy it is to bankrupt you and your company.

Multi-stage targeted phishing attacks are too attractive for malicious coders to ignore. They are an unholy joining of Trojan, spyware and phishing techniques, utilizing the best (or worst) of each to launch an attack. Mindless computer worms infecting PCs at random may be a challenge, but they won’t buy you a brand new 4x4. In a sense, these phishing attacks are the perfect crime, promising substantial profit at minimum risk – the dark side of rags to riches, if you will.

If your security systems are just a tad short of perfection you may be the target of the next multi-stage phishing attack. So turn off your PC, leave the office and take a stroll downtown. Today, getting mugged at gunpoint will probably cost you less.

Nuisance

Computer virus analysts usually take great care when writing articles – it's very easy to cause public hysteria and frighten anyone who is not 'in the know' with stories about some super-powerful new virus. Most of the headline-making viruses (especially those that make it to the nine o'clock news) seem very complex and quite sinister. In reality, even the most notorious malware outbreaks might be caused by the simplest of worms. The truth is that most malware is nothing more than a nuisance.

Think about it: all they usually do is get the user to install them and spread to other systems. Cleaning them (at least to the point where they can't ever be executed again) can often be done manually by those savvy enough to know what drive C looks like and how to press Alt, Ctrl and Delete simultaneously, open the Task Manager, find the suspicious application, close it and then delete that same file from wherever it might have landed on your PC. End of story. Registry entries might still attempt to run this file on every startup until the end of time – but they will always fail; the file has ceased to be, expired and joined the choir invisible.

Some might say that this is an over-simplification of the problem – they would be wrong. Of this year's worms and last year's outbreaks, over 90% were simple self-propagating code that can do little else. As for the rest of them, only a fraction pose a real threat to home users and the corporate world alike. While virus analysts may tread carefully where other threats are concerned, phishing – especially the latest incarnation – is a subject that cannot be sugar-coated. While few people are likely to be exposed to such extreme threats, those that will be targeted are risking everything they own if they fail to take adequate measures to protect themselves.

Let's go phishing

The term 'phishing' was coined in the mid-1990s by hackers, describing an attempt to 'fish' for usernames and passwords from AOL dial-up customers (in hacker-slang 'ph' often replaces the letter F). The stolen accounts would then be used for spam, hacking and a myriad of other illegal activities.

The modus operandi for obtaining the account information was for the hacker to pose as an AOL staff member and contact users via AOL Instant Messenger. They would then ask users to 'verify their account' by submitting their account information and even the credit card details used to pay for the account. The effectiveness of this method forced AOL to take several measures to protect itself and its customers.

For a few years following these incidents the phishing phenomenon took second place to other types of malware. Then, just a few years ago, phishing attempts started popping up in users’ mailboxes spammed as messages from popular services such as PayPal and eBay. But the real devastating potential of phishing has only recently been realized with the adoption of a relatively new technique: targeted attacks.

A few widely publicized targeted attacks came into the media's spotlight last year. Hackers somehow managed to coerce otherwise careful users in an organization to execute a seemingly harmless file. The file then opened a backdoor on the infected system, allowing the hackers to log keystrokes, steal documents and sensitive data and do almost anything an authorized user sitting in the infected station can do. What separates these attacks is that they were not launched at random, against an anonymous user. They were carefully thought out and planned to affect a specific target, even a specific user within an organization. It is safe to assume the publicized attacks were only the tip of the iceberg, as most of these incidents were discovered by chance.

Targeted phishing attacks work in the same way as spammed phishing; both try to persuade the user to visit a specific website and enter the requested details (username and password, credit card information etc.). Targeted attacks are far more disturbing as they are usually sent only to a single user whom the attacker knows to some extent. If the target is a public figure, knowing a thing or two about his personal life is quite easy. If the target is a private person the attack may originate closer to home.

Setting up the bait

For example, let's say John is the president of a large company. Having been interviewed by many magazines and TV stations, he is probably a well-known public figure. A would-be attacker knows John's name, his company’s profile and the names of a few of his employees. The attacker also knows who John's wife is, where she works, what his kids are called and the name of all his pets.

With these seemingly unrelated pieces of information, the attacker could compose a simple email to John, to his wife or to one of his employees. The email will entice the recipient into clicking on a link, entering his or her financial details and hitting the 'Submit' button – all without arousing suspicion. An email from 'John's wife' to him might state that she intends to take the cat to the vet, that there's food in the fridge, that the kids will be home late from school today, and asking if he would mind taking a look at their online bank account details and verifying the information there – link included.

Figure 1. The email entices the recipient into clicking on a link.

Clicking on the link would lead John to a specially crafted website that looks identical to his bank's website, where he would be greeted by the usual login screen. Punching in his details and hitting the enter key would simultaneously log him into his bank account (this time, the real thing) and make one hacker very happy indeed; John just handed his bank account over to a complete stranger. In a few hours John may discover the ruse, but by then it will be too late.

Multi-stage targeted phishing attacks work in the same way as described above, but in this case the crafted website will download spyware invisibly onto the target's PC. There's little or no need for any user interaction – the spyware is programmed to 'phish' for data (financial details, proprietary information etc.) automatically. For the attacked party, it can take months to figure out from where the information leak originates and how to seal it.

In the above example, let us focus our attention for a moment on Irene, Chief Financial Officer at John's company. Although she is not a public figure, her picture, name and occupation appear on the company's website – this information is sufficient for the hacker to launch the attack. While John is abroad on a business trip or on vacation, Irene receives an email apparently addressed to other employees as well (but actually sent only to her). In the message, 'John' will state that he will not be available in the next few hours and that the link below shows a local website that holds some interest to the company. A short note following the link states that since the address is local he's not sure if it will work for all recipients.

Being the obedient employee, Irene will click on the link, have spyware installed on her system without her knowledge, and be redirected to a false error message stating that the website is only available to local IP addresses – which is exactly what 'John' stated in his email. Since this is a minor issue and not really related to her work, Irene will quickly forget about it and never remember to bring this up in the future when speaking to John.
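As an added example (not code from the original article), the following Python routine applies the checks a mail gateway could run on the two emails described above: a familiar display name paired with an address that is not that contact's, an anchor whose visible text names a different host than its href, and a link that points at a bare IP address. The contact directory, the addresses and the sample message are all constructed for illustration.

```python
# Added example, not code from the original article: triage heuristics for the
# impersonation emails in the scenarios above. All names/addresses are constructed.
import email, ipaddress, re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed directory: names the recipient knows, with their real addresses.
KNOWN_CONTACTS = {
    "Mary Doe": "mary.doe@example.net",  # 'John's wife' in the story
    "John Doe": "john.doe@example.com",  # the company president
}

# Constructed sample: 'John' writing to Irene about a 'local' website.
SAMPLE_EMAIL = """\
From: John Doe <john.doe@example-mail.test>
To: irene@example.com
Subject: Local site worth a look
Content-Type: text/html

<p>I will be unavailable for a few hours. This local site is of interest:</p>
<a href="http://203.0.113.7/report.php">http://intranet.example.com/report</a>
<p>Since the address is local it may not work for all of you.</p>
"""

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def _host(text):
    """Hostname of a URL, or '' when the text does not look like a URL or host."""
    text = text.strip()
    if " " in text or "." not in text:
        return ""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()

def triage(raw):
    """Return the findings for one RFC 822 message; an empty list means nothing flagged."""
    msg = email.message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    if name in KNOWN_CONTACTS and addr.lower() != KNOWN_CONTACTS[name]:  # familiar name, wrong mailbox
        findings.append(f"display name '{name}' used with unexpected address {addr}")
    body = msg.get_payload(decode=True).decode(errors="replace")
    for href, text in LINK_RE.findall(body):
        h_host, t_host = _host(href), _host(re.sub(r"<[^>]+>", "", text))
        if t_host and h_host != t_host:  # visible text names a different host
            findings.append(f"link text '{t_host}' points to '{h_host}'")
        try:
            ipaddress.ip_address(h_host)  # raw IP address instead of a host name
            findings.append(f"link target is a bare IP address {h_host}")
        except ValueError:
            pass
    return findings
```

The sample message above produces three findings; a genuine note from a known contact with no links produces none.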

The most disturbing aspect of these attacks is that they are so incredibly easy to perform. All a hacker needs to do is read a few articles and create a credible story. With some coding experience, some patience, attention to detail and just a bit of luck, anyone can become rich (albeit in a criminal way) with just a few days' work. If only the solution to these attacks was as simple.

New, better, smarter phish

It's never a bad idea to treat every unsigned electronic communication with a certain level of suspicion. Email, after all, is a very simple tool that can be manipulated easily. Browsing the Internet is not in any way safer. The solution must first come from the users. The most sophisticated anti-malware application is useless when a user disables it, forgets to update it or just doesn't use it at all because it hogs system resources.

As in many other fields and professions, understanding the problem is half the battle in finding a cure. But users cannot eliminate such threats on their own. Without an adequate anti-malware solution even the most security-aware person cannot be perfectly safe.

Unfortunately, targeted attacks use unique malicious code that is entirely different from any other virus or worm ever released; so desktop-based anti-virus products that rely on signatures can be tossed right out of the window.

Since that specific malware is not in the wild (in active circulation around the world) and never will be, a signature-based solution will not detect it. A better solution would be proactive – a product that is able to detect threats based not on their unique signature but rather on what they were actually designed to do. A product like this will be able to block such threats as it will recognize suspicious activities like key logging or the theft of certain documents.

Another problem is that anti-virus solutions (both desktop and network-based) can easily be manipulated by certain malware. Many worms are capable of disabling security-related processes on the infected system. Adding this feature to a targeted phishing attack is both easy and highly effective, leaving the user completely exposed – not only to this attack but to any future threats as well. Most users will not be able to resolve this issue without taking some radical action such as to reformat the infected machine.

Even network-based anti-virus solutions are not enough to protect an organization completely against such threats (see Figure 2). While a system administrator may eventually find out about a system exposed to hostile actions, by then it may simply be too late. For corporate users, the best solution to such problems is to employ a gateway-based proactive solution.

Figure 2. Content first gets into the system and only then inspected.

No phishing zone

In an environment where all content is inspected before it arrives at the user's system (see Figure 3), the targeted system is much safer. This is simply because recognized malware will be blocked before it has a chance to be executed.

Figure 3. Content is inspected before it gets into the system.

A gateway product that offers a proactive response to both known and obscure threats is the best solution for phishing. All content is scanned and the product can identify suspicious trends in a file as it is being downloaded. If John's company used a proactive gateway solution, things would work out differently. He would receive the email from his 'wife' but would not be able to get anywhere by clicking on the link – because the system would have identified suspicious code embedded within the website John wanted to visit. Instead, he would be presented with an error message explaining why the website was blocked.

Since gateway filtering systems are designed to support a large number of computers, owning one at home is a little over-the-top – not to mention expensive. Most home users are connected to the Internet using an Internet Service Provider. Since all data already passes through the ISP's servers before being sent onward, it only makes sense to perform content filtering on the data before it reaches customers. Users may have to pay a little extra for this service, but the alternative is much more expensive.

Surviving these incidents is not impossible, but it requires users and administrators alike to stay vigilant and even expect phishing attacks to come. If your company is using proactive content filtering at the gateway, you can probably breathe easy. You may find that getting mugged at gunpoint somehow sounds less and less appealing.

Phishing facts

Phishing is the fastest growing threat in the world today. The damage already caused by current phishing attacks is estimated in the billions of US dollars. The following are a few statistics gathered by the Anti Phishing Working Group (APWG) (http://antiphishing.org).

January 2006 phishing statistics:

  • 17,877 unique reports (12,845)

  • 9,715 unique phishing websites (2,560)

  • 184 unique password-stealing apps (77)

  • 31 days – longest time online for phishing website

Note: The numbers in parentheses represent the statistics from the same period last year, i.e. January 2005.
