Sport phishing morphs into cybercrime wave

Organized criminals unleash armies of botnets to steal confidential information.

Traditional e-mail phishing exploits are still growing in numbers, but they seem almost tame compared with newer, more virulent malware used by cybercrime rings that trade in financial account information.

Fighting back

These increasingly sophisticated and organized groups are using such tricks as keystroke loggers, browser redirectors and Trojan horses to harvest, store and sell stolen information. And they're using automated, untraceable armies of botnets to help.

"Phishers have begun to specialize in malware, which we think is going to be a continued push. Some specialize in payload. Others specialize in delivery. This is a business for them, and they treat it as such. It's all become very sophisticated," says Brad Keller, e-commerce business risk manager at Wachovia Bank in Charlotte, N.C.


"We're at the stage, technologically, where the criminals are ahead of us, and I don't see that gap closing anytime soon," adds George Rapp, senior vice president and director of IT for Stonebridge Bank, an online commercial and retail bank headquartered in West Chester, Pa.

Stonebridge has more than 50% voluntary adoption of multifactor authentication among its user base. Most have opted to use memory-phrase authentication (such as first pet's name, elementary school name or something else only they would know), with a small percentage of more technical users opting to pay $25 a year for RSA Secure Tokens.

In the next few months, Rapp plans to require multifactor authentication for all users. Even then, he says, he's still worried about "man-in-the-middle" attacks that would let malware manipulators get at account data during the authenticated session.


His concern is well founded. In February, iDefense, a VeriSign-owned security intelligence company, began tracking a growing botnet called MetaFisher. By mid-March, when iDefense reported it to the public, MetaFisher had affected more than a million account holders, most of them European.

MetaFisher transfers bank account information during open connections, which raises concerns among security experts that phishers have already foiled the industry's best planned defenses - multifactor authentication and guest integrity checks on consumer PCs - even before companies such as Wachovia or Stonebridge can deploy them.

The high cost of phishing

The stakes are high for both sides. Phishers make good money off traditional and automated techniques, which Gartner says conservatively cost consumers and businesses $2.7 billion in the first half of 2005. As phishers haul in their illicit gain, businesses stand to lose their e-commerce communications and revenue channels altogether.

Forty-two percent of 5,000 consumers surveyed say they've curbed their online shopping because of phishing fears, according to the Gartner study. Meanwhile, confidence in e-mail is at an all-time low, as 80% say they distrust e-mail claiming to be from brands they know.

At the very least, if trust is not restored, Gartner predicts phishing and similar crimes will slow Internet growth between 1% and 3% through year-end 2008.

"What you've got here is the perfect storm: A global network worth trillions of dollars offering near-perfect anonymity, instant connectivity to millions of easy marks and countless ways to launder money," says Marcus Sachs, who directs the Department of Homeland Security's cybersecurity research center.

"Everything right now is working in favor of the criminals. There's not enough trained law enforcement. And the infrastructure itself is not reliable enough for the load we've put on it," Sachs adds.


Homeland Security is pushing DNS owners to upgrade to to protect against phishing that occurs when users are redirected to hijacked DNS servers. The agency also is working with vendors, service providers and infrastructure owners to improve router protocols for better packet inspection, mapping and authentication. It's also funding academic research into new security technologies that may lead to better fraud protection at the endpoints.

Phishers turn to Trojans carrying keyloggers

While these infrastructure measures can help against browser redirectors and propagation of phony phish sites, they don't protect against the growing problem of keystroke loggers installed on victim machines.

"Direct keystroke logging software is 80% of what we see in malicious code today," says Dave Cole, director of Symantec Security Response Center, which sifts through millions of spam and malware samples daily looking for characteristics of new malicious code, outbreaks and vulnerabilities.

It's the sneaky, silent stuff that's causing the most damage by coming in under the radar, Cole continues. "It starts as a really lightweight Trojan written in a low-level programming language that gets in through the victim's browser," he says. "Then it sneaks out and downloads its big brother, a bag full of malware writing to the host file."

Once installed, the keystroke logger waits for victims to fill out Web forms, kicking in when it detects the "name" field, card number, mother's maiden name, CVV number (the three digits on the signature strip on the back of a credit card), password, shipping address and other such fields that can be sifted for financially valuable information.

The information is then forwarded to other remote-controlled computers, where it's collected and tested by charging or withdrawing a small amount. Then it's sold, either piecemeal or as part of a larger botnet, over Internet Relay Chat (IRC) channels for multiple fraud purposes, including turning the card data into forged plastic cards for physical use.

Web apps are malware magnets

Web sites are increasingly and unwittingly being used as keylogger propagation points, researchers say, because Web applications are riddled with vulnerabilities. Last year, WebSense noted a 170% rise in spyware-related Web sites to 130,000, along with a 271% growth in phishing sites to 27,000. Of the 2,000 new vulnerabilities tracked by Symantec in 2005 (a 40% increase over 2004), 69% were in Web applications.


"You don't have to be a Ninja hacker to hack Web sites and set them up as Trojan installers. Now you can download a complete kit for all that. And you can run it all over IRC," says Ben Butler, network abuse manager at GoDaddy, a Web-hosting company that also sells domain names and other Web-site-related services.

Researchers say the most common way Web applications are hacked is through vulnerabilities in code written in the PHP scripting language used in interactive forms for registration, information requests and other server-side transactions.

"If you've got a Web site, and PHP isn't patched and up-to-date, somebody's already figured out a way to piggyback malware onto your PHP communications field in your interactive Web application," says Butler, who's active in the Anti-Phishing Working Group and Digital PhishNet. "PHP is an extremely hacked application, because a novice user may have put up a Web site with a PHP form in it two years ago and missed the 37 patches that have come out since."

Crimeware installers also are targeting Web servers running e-mail servers so they can propagate spam, adds Kyle Lutz, a volunteer with Shadowserver, a grass-roots botnet takedown group. Lutz says he's keeping an eye on 40 active botnets, some involving 75,000 compromised devices. Wherever Shadowserver volunteers find one infected Web site, they usually find malware across the entire server farm, he adds.

Botnet cleanup is a problem for ISPs

"The biggest problem we have is getting ISPs and hosting providers to do a better job at taking down these networks once we report them," Lutz says. "Often the service providers just give you an e-mail bin to send complaints to, and you never know if they act upon them. We have the same problem when contacting law enforcement, which is particularly difficult outside the U.S."

Botnet cleanup is a big challenge for service providers, adds Danny McPherson, chief research officer for Arbor Networks. In September, Arbor conducted a survey of 52 Internet backbone and service providers, 43% of whom said they felt unable to deal with the botnet problem.


"You've got to find the compromised Web sites, which can only be measured by looking for spam relays running on the Web servers or by monitoring certain ports," McPherson says. "And when hosting providers do find a hosted site running some form of malware installers, they'll have to be able to shut down just that site without affecting other customers. Right now, they think they have to pull the plug on the whole server."

GoDaddy, with 12 million domain name registrants, employs seven abuse investigators to handle an average of 5,000 abuse complaints daily. Butler says the team looks at each complaint and correlates the information in order to turn off purposefully criminal Web sites and to help owners of infected sites clean and patch their applications.

"The truth of the matter is that not everyone who puts up a Web site is a security genius," Butler says. "So we do a lot of work around user education."

Forensics support and education are a start. What's missing is a serious discussion about hosting providers assuming security responsibility over the applications hosted on their customer Web sites, Keller says.

Service providers caught in the middle

But putting this burden on the hosting service providers opens a whole can of worms the industry's not ready for, Butler says. Patch management alone would be a huge effort. And how do you standardize, control and support the applications among millions of users? Not to mention putting service providers in the uncomfortable position of being liable for customer computer support, he adds.

These are the same reasons e-businesses with brands to protect aren't taking care of their part of the problem by checking the integrity of their customer computers at log-in.

In the past year, Panda, Symantec and most other leading antimalware vendors have released remote services capable of quickly scanning consumer PCs for basic security, patch configurations and even commonly known viruses.

"There's always other support issues wherein perception becomes the reality and someone calls and says, 'Did you break my computer?'" Keller says. "And there's also the perception among consumers that this is invasive."

Guest integrity checking is the most viable way of stopping automated phishing attacks, according to Symantec CEO John Thompson during a keynote address at RSA in February. Rather than being seen as invasive, Thompson says that helping consumers with their security builds better brand-to-consumer relationships.

Companies considering such technologies should look to products that are vendor neutral, meaning they can check any brand of firewall, antimalware technology, and all leading operating systems and browsers for patch and security configuration.

That's because, in the last year, Shadowserver and other researchers have found bot-controlled Linux and Mac OS X systems. According to CERT and other security analysts, keylogger installs have occurred on handhelds in Europe and Asia, where telephone computing is popular.

Enterprise tools

Ideally, enterprises also should look for tools that scan in combination with authentication so that logon credentials are not allowed until the integrity check is completed.

Toolsets like these would go a long way toward quelling concerns among financial services companies that man-in-the-middle attacks can bypass stronger authentication by taking over accounts during authenticated sessions, Rapp says. But he's not convinced they can totally block man-in-the-middle attacks.

"These phishing packages contain rootkits, which can turn off the security and make it look to a scanner like it's all up to snuff when really it's infected with malware," he says.

The final authentication piece needed, says Sally Steward, vice president of strategy for TriCipher, is a way to follow up on authentication by working with the financial institutions' fraud-detection systems. That way, should a criminal somehow slip past all these front-end defenses, open new accounts and transfer funds in a way that's suspect, the system could follow up by logging the event and alerting investigators.
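The two layers described above (an integrity check that gates credential handling, then fraud rules that log and alert on suspect post-login activity) sketched as an added example; this is not code from the article or from any vendor named in it, and the posture fields, the "new payee then large transfer" rule, its thresholds and the sample session are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Posture:
    """Result of a hypothetical vendor-neutral endpoint integrity scan."""
    antimalware_running: bool
    patches_current: bool
    firewall_enabled: bool

def integrity_ok(p: Posture) -> bool:
    return p.antimalware_running and p.patches_current and p.firewall_enabled

def login(user, password, posture, verify_password):
    """Gate: credentials are not evaluated until the integrity check passes."""
    if not integrity_ok(posture):
        return "DENIED_INTEGRITY"   # password never reaches the credential store
    if not verify_password(user, password):
        return "DENIED_CREDENTIALS"
    return "AUTHENTICATED"

def suspicious_transfers(events, window=timedelta(minutes=15), limit=500.0):
    """Post-authentication fraud rule (assumed thresholds): a transfer of at
    least `limit` to a payee added less than `window` earlier in the same
    session is flagged. events: (timestamp, kind, payee, amount) tuples.
    Returns the alert records an investigator would receive."""
    created = {}   # payee -> time the payee/account was added this session
    alerts = []
    for ts, kind, payee, amount in events:
        if kind == "new_payee":
            created[payee] = ts
        elif kind == "transfer" and payee in created:
            age = ts - created[payee]
            if age < window and amount >= limit:
                alerts.append({"payee": payee, "amount": amount,
                               "payee_age_min": age.total_seconds() / 60})
    return alerts

# Constructed sample session: a new payee, then a large transfer 3 minutes later.
SAMPLE_EVENTS = [
    (datetime(2006, 4, 10, 9, 0), "login", None, 0.0),
    (datetime(2006, 4, 10, 9, 2), "new_payee", "acct-7781", 0.0),
    (datetime(2006, 4, 10, 9, 5), "transfer", "acct-7781", 2400.0),
    (datetime(2006, 4, 10, 9, 6), "transfer", "acct-1002", 50.0),  # long-standing payee
]

if __name__ == "__main__":
    print(suspicious_transfers(SAMPLE_EVENTS))
```

Rapp's rootkit caveat applies to the first layer: a scanner that trusts what the endpoint reports can be lied to, so the second layer is what catches the session that passed the gate.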

As with every other information security problem to arise since the beginning of IP networking, protecting online commerce from the phishing blight calls for education and layered security. But we also need to look forward to new standards, technologies and frameworks to deal with increasingly sophisticated problems, Sachs and others say.

"The bad guys are ahead of our best defenses at this moment in time," Rapp adds. "The gap isn't going to be as easy to close as it has been in the past. But I urge everyone doing financial business on the Internet to at least start out with multifactor authentication to make it that much more difficult for the criminals to get at our consumers' financial data."

Radcliff is a freelance writer specializing in online safety and network security. She can be reached at
