Online Financial Crime Headed From Bad to Worse
By Brian Krebs
Date: December 17, 2003
In the annals of cybersecurity, 2003 should go down as one of the worst years ever, as hackers and spammers repeatedly demonstrated just how easy it is to use the latest software security holes, worms and viruses to attack businesses and trick unwitting Internet users into divulging their personal and financial information.
And 2004 could be worse.
A hint of just how bad came this week when yet another flaw in Microsoft's ubiquitous Internet Explorer surfaced. The flaw gives criminals the ability to control what is displayed in the address bar in a victim's browser window.
The implications are significant. A savvy criminal could use a cleverly designed e-mail to trick a victim into visiting what looks like a trusted Web site -- like a bank site or Amazon.com -- but which in fact is nothing more than a page designed to fool a victim into entering credit card numbers, passwords and other sensitive information.
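The article does not describe the mechanism, but the address-bar bug of that month relied on the rarely used userinfo part of a URL: in a link such as http://www.paypal.com%01@203.0.113.5/, a browser that displays the text before the "@" shows a trusted name while the request goes to the host after it. The example below is an added illustration, not code from the article; it assumes a mail filter has already pulled the anchor text and href out of each link, and the sample links, brand list and hostnames are constructed for the demonstration. It reports the host a correct parser would actually contact and flags the usual signs of deception: a userinfo prefix that looks like a hostname or hides a control character, a bare IP address, a look-alike subdomain, and anchor text that names a different host than the link.

```python
import re
from urllib.parse import unquote, urlsplit

# Brands the filter cares about; an assumption for this example.
TRUSTED_DOMAINS = ("paypal.com", "amazon.com", "ebay.com")

# Constructed sample links (anchor text, href); not taken from any real mail.
SAMPLE_LINKS = [
    ("https://www.paypal.com/", "https://www.paypal.com/"),               # honest
    ("http://www.paypal.com/", "http://www.paypal.com%01@203.0.113.5/"),  # userinfo trick
    ("Update your account", "http://www.paypal.com.update-secure.example/"),  # look-alike
    ("http://www.amazon.com/", "http://198.51.100.7/signin/"),            # bare IP
]

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def is_lookalike(host):
    """True if a trusted name appears inside the host but the host is
    neither that domain nor a subdomain of it (www.paypal.com.evil.example)."""
    for trusted in TRUSTED_DOMAINS:
        if trusted in host and host != trusted and not host.endswith("." + trusted):
            return True
    return False


def classify(display, href):
    """Return (actual_host, reasons) for one link.

    actual_host is what a conforming parser connects to: the authority with
    any 'user:pass@' prefix removed.  An empty reasons list means the link
    shows none of the deception patterns checked here."""
    parts = urlsplit(href)
    host = parts.hostname or ""
    reasons = []
    if parts.username is not None:
        # Percent-decode so %01 and friends show up as the control characters
        # they are; a buggy display routine may stop rendering at them.
        userinfo = unquote(parts.username)
        if "." in userinfo:
            reasons.append("userinfo looks like a hostname")
        if any(ord(c) < 0x20 for c in userinfo):
            reasons.append("control character in userinfo")
    if IPV4.fullmatch(host):
        reasons.append("bare IP address as host")
    if is_lookalike(host):
        reasons.append("look-alike of a trusted domain")
    # If the anchor text itself is a URL, its host must match the real one.
    shown = urlsplit(display).hostname
    if shown is not None and shown != host:
        reasons.append("anchor text shows a different host")
    return host, reasons


def scan(links=SAMPLE_LINKS):
    """Classify every (display, href) pair; returns (display, href, host, reasons)."""
    return [(display, href, *classify(display, href)) for display, href in links]


if __name__ == "__main__":
    for display, href, host, reasons in scan():
        verdict = "SUSPECT" if reasons else "OK"
        print(f"{verdict:8} {host:40} {'; '.join(reasons)}")
```

The check deliberately trusts the parser's view of the host rather than any rendered string, which is the property the display bug broke: whatever a browser shows, the connection goes to whatever follows the last "@" in the authority.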
"The main thing I'm really concerned about with these bogus e-mails is that they're quickly becoming more and more complex and sophisticated," said Johannes Ullrich, chief technical officer for the SANS Internet Storm Center, which collects data on Internet attack trends. "Even for experts like us, it's becoming harder to distinguish between what's real and what's fake."
Microsoft said last week it is investigating a software patch to fix the flaw. "Obviously this is a concern of ours as people shop online for the holidays, and we wanted to make sure consumers who are entering credit card information are doing so at the appropriate site," spokesman Sean Sundwall said. "We're at a stage where we're evaluating whether a patch is at all necessary, and making sure that if we do issue a patch that it is well tested and doesn't cause any additional harm."
If Microsoft issues a patch to fix the flaw, it would likely be the twentieth "critical" software patch to be released by the Redmond, Wash., firm this year. The company labels a vulnerability "critical" if it could be exploited remotely by an Internet worm without any action by the user, and Microsoft's constant efforts to patrol its software demonstrate the increasingly sophisticated nature of online crime.
"We're seeing a huge shift away from 'recreational' hacking to hacking for profit. Mostly this involves hijacking end-user Windows systems for use in spam, fraud or just direct marketing," said Joe Stewart, senior security researcher for LURHQ, a security firm based in Myrtle Beach, S.C.
The evolution of the "Mimail" virus in 2003 shows how criminals are increasingly focusing their work on financial scams. Mimail first surfaced in August as a relatively harmless but fast-spreading bug. The next four variants were apparently designed by spammers to attack a variety of spam "blacklists" -- online databases of suspected spammers that many Internet service providers and big corporations use to shield recipients from junk mail.
But Mimail soon morphed into an e-mail virus that urged users of the online payment service PayPal to update their credit card information via a Web page that closely mimicked the design of the eBay subsidiary's member services page.
Two weeks into November, the ninth version of Mimail took that ruse a step further, attempting to take victims to a second Web page that asked for a Social Security number, date of birth, and mother's maiden name -- three pieces of data that financial companies rely on most to verify the identities of their customers. The last two Mimail variants to hit the Web also hijacked infected computers to attack anti-spam Web sites.
Ken Dunham, malicious code manager for iDefense, a security company in Reston, Va., predicted more virus authors in 2004 will start honing their creations to target specific groups of Internet users.
The most visible example of that activity came with the emergence in June of "Bugbear.B," a worm that security experts called the first Internet attack aimed directly at the financial services industry. Bugbear contains a list of nearly 1,200 Internet addresses for some of the world's biggest banks, including American Express, Bank of America and Citibank.
Bugbear was designed to check whether an infected computer's e-mail address belonged to any of those financial institutions, and if so to steal passwords from it to make it easier for attackers to hack into bank networks. Bugbear remains among Symantec's Top Five list of most prevalent Internet attacks.
Another big trend in 2003 that experts believe will only get worse in the new year is the growing number of malicious programs unleashed on the Internet that can give criminals some form of control over an infected computer, a problem fueled by the proliferation of unsecured broadband connections that make it possible for hackers to gain access to thousands of machines with the release of one cleverly written virus or worm.
Nothing demonstrated the growing threat this year better than "Sobig," a worm that spawned six different incarnations since January. Sobig and its cousins were the fastest-spreading and most infectious worms ever, according to MessageLabs Inc., a New York-based e-mail security firm.
In June, anti-virus experts discovered that computers infected with Sobig were seeded with a tiny program that turned them into remotely controllable spamming machines. MessageLabs found that nearly two-thirds of all spam on the Internet today is being relayed through computers running software relays of the sort left behind by the latest version of Sobig -- evidence to support a suspicion among many security experts that spammers and virus writers are increasingly working together.
The success of Sobig and other similar viruses has spawned a whole new illegal marketplace, as criminals pay hard cash for lists of infected computers.
"We have ample evidence to suggest that there is an increase in hard currency being traded for [vulnerable] machines," said Kevin Houle, a senior member of the technical staff for the CERT Coordination Center, a government-funded security watchdog group at Carnegie Mellon University in Pittsburgh.
"It has always been the case that there's been this underground barter system, where people will say 'I'll give you one stolen credit card number for X number of compromised machines,'" Houle said. "What we're seeing more of is 'I will pay you X number of dollars for these same resources.'"
While attackers are using viruses and worms to pave the way for spammers, virus authors are also starting to use infected computers to release their wares and cover their tracks, said Craig Schmugar, virus research engineer for Network Associates, an anti-virus company based in Santa Clara, Calif.
"The line between spam and viruses will become even blurrier in the months ahead," Schmugar said.
Too Many Patches
Internet security officials regularly urge consumers to practice safe computing, such as making sure they regularly update anti-virus software and deploy the latest security fixes from software firms like Microsoft.
But even the savviest computer users can't always keep up with the large number of security patches issued every year. Most Internet worms spread by exploiting unpatched security holes in software and operating systems. This year, as in the past, the big target has been Microsoft, whose Windows operating system powers more than 90 percent of the desktop PCs on the planet.
The "Slammer" worm kicked off the virus season in January, spreading with such unprecedented speed -- it infected more than 300,000 vulnerable Microsoft SQL Server systems in less than 15 minutes -- that it clogged networks worldwide, crashing bank ATMs and delaying airline flights.
The "Blaster" worm made headlines in August by crashing or infecting more than a half-million PCs worldwide, attempting to hijack them for a coordinated attack on Microsoft's Windows Update Web site.
That attack ultimately proved unsuccessful, but security experts soon had to deal with the "Welchia" worm, a so-called good worm that was intended to patch the security hole exploited by Blaster. Welchia spread so quickly that it disabled many corporate networks for days on end. Welchia and Blaster remain among the Top Five most prevalent worms to date, according to Symantec Security Response.
Christmas Virus Season
Even as criminals exploit a growing list of newly discovered vulnerabilities, SANS's Ullrich said he expects a bumper crop of new computers to be infected with old worms and viruses still circulating on the Internet as millions of consumers plug in shiny new computers they receive over the holidays.
"The trouble is, even if your intention is to take the new PC out of the box, plug it into the Internet and download the patches, it doesn't take but a few minutes for one of these worms to find you, and then 'bam,' you're infected," Ullrich said. "Most won't survive the first day without getting hit with something."
CERT's Houle agreed, and urged consumers to learn more about how to protect their computers and install the latest security patches. Alternatively, he said, consumers should enable the software-based firewall that's included in the latest Microsoft systems before connecting their computers to the Internet.