Over the last 18 months, an ominous change has swept across the Internet. The threat landscape once dominated by the worms and viruses unleashed by irresponsible hackers is now ruled by a new breed of cybercriminals.
Cybercrime is motivated by fraud, typified by the bogus emails sent by “phishers” that aim to steal personal information. The tools driving their attacks and fueling the blackmarket are crimeware - bots, Trojan horses, and spyware.
Online Fraud
Phishing and Pharming
The explosive growth of online fraud has made “phishing”, and to a lesser extent “pharming” part of nearly every Internet user’s vocabulary during 2005. Phishing and pharming are two popular forms of fraud that aim to dupe victims into believing they are at a trusted Web site such as their bank, when in fact they have been enticed to a bogus Web site that intends to steal their identity and drain their financial resources.
What is Phishing?
Phishing is essentially an online con game, and phishers are nothing more than tech-savvy con artists and identity thieves. They use spam, fake Web sites, crimeware and other techniques to trick people into divulging sensitive information, such as bank and credit card account details. Once they’ve captured enough victims’ information, they either use the stolen goods themselves to defraud the victims (e.g., by opening up new accounts using the victim’s name or draining the victim’s bank accounts) or they sell it on the black market for a profit.
How phishing Works
In most cases, phishers send out a wave of spam email, sometimes up to millions of messages. Each email contains a message that appears to come from a well-known and trusted company. Usually the message includes the company’s logo and name, and it often tries to evoke an emotional response to a false crisis. Couched in urgent, business-like language, the email often makes a request of the user’s personal information. Sometimes the email directs the recipient to a spoofed Web site. The Web site, like the email, appears authentic and in some instances its URL has been masked so the Web address looks real.
The bogus Web site urges the visitor to provide confidential information — social security numbers, account numbers, passwords, etc. Since the email and corresponding Web site seem legitimate, the phisher hopes at least a fraction of recipients are fooled into submitting their data. While it is impossible to know the actual victim response rates to all phishing attacks, it is commonly believed that about 1 to 10 percent of recipients are duped with a “successful” phisher campaign having a response rate around 5 percent. To put this in perspective, spam campaigns typically have a less than 1 percent response rate.
Over 2005, phishers became much more sophisticated. They began using crimeware in conjunction with their phony, hostile Web sites by leveraging common Web browser vulnerabilities to infect victim machines. This trend means that by simply following the link in a phishing email to a bogus Website, a user’s identity could be stolen as the phisher would no longer need to get you to enter your personal information – the Trojan or spyware placed onto your machine would capture this information the next time you visit the legitimate Web site of your bank or other online service. Throughout the past year, this genre of crimeware has become more targeted (capturing just the information the phisher wants) and more silent, using rootkit and other aggressive stealth techniques to remain hidden on an infected system.
Another example of the growing skills of the phishing groups is their use of flaws in Web site design to make their attacks more convincing. For example, a flaw in the IRS Web site allowed phishers to make their “bait” URLs appear to be the IRS’ Web site, even though the victim was headed to a different, criminally-owned Web server. This is one of many potential examples of the steadily advancing skills of online fraudsters.
What is Pharming?
Pharming (pronounced “farming”) is another form of online fraud, very similar to its cousin phishing. Pharmers rely upon the same bogus Web sites and theft of confidential information to perpetrate online scams, but are more difficult to detect in many ways because they are not reliant upon the victim accepting a “bait” message. Instead of relying completely on users clicking on an enticing link in fake email messages, pharming instead re-directs victims to the bogus Web site even if they type the right Web address of their bank or other online service into their Web browser.
Pharmers re-direct their victims using one of several ploys. The first method – the one that earned pharming its name – is actually an old attack called DNS cache poisoning. DNS cache poisoning is an attack on the Internet naming system that allows users to enter in meaningful names for Web sites (www.mybank.com) rather than a difficult to remember series of numbers (192.168.1.1). The naming system relies upon DNS servers to handle the conversion of the letter-based Web site names, which are easily recalled by people, into the machine-understandable digits that whisk users to the Web site of their choice. When a pharmer mounts a successful DNS cache poisoning attack, they are effectively changing the rules of how traffic flows for an entire section of the Internet! The potential widespread impact of pharmers routing a vast number of unsuspecting victims to a series of bogus, hostile Web sites is how these fraudsters earned their namesake. Phishers drop a couple lines in the water and wait to see who will take the bait. Pharmers are more like cybercriminals harvesting the Internet at a scale larger than anything seen before.
Pharming example
One of the first known pharming attacks was conducted in early 2005. Instead of taking advantage of a software flaw, the attacker appears to have duped the personnel at an Internet Service Provider into entering the transfer of location from one place to another. Once the original address was moved to the new address, the attacker had effectively “hijacked” the Web site and made the genuine site impossible to reach, embarrassing the victim company and impacting its business. A pharming attack that took place weeks after this incident had more ominous consequences. Using a software flaw as their foothold, pharmers swapped out hundreds of legitimate domain names for those of hostile, bogus Web sites. There were three waves of attacks, two of which attempted to load spyware and adware onto victim machines and the third that appeared to be an attempt to drive users to a Web site selling pills that are often sold through spam email.
What is Bot?
“Bot” is actually short for robot – not the kind found in science fiction movies or on the production line in a manufacturing business. Bots are one of the most sophisticated types of crimeware facing the Internet today. Bots are similar to worms and Trojans, but earn their unique name by performing a wide variety of automated tasks on behalf of their master (the cybercriminals) who are often safely located somewhere far across the Internet. Tasks that bots can perform run the gamut from sending spam to blasting Web sites off the Internet as part of a coordinated “denial-of-service” attack. Since a bot infected computer does the bidding of its master, many people refer to these victim machines as “zombies.”
Bots sneak onto a person’s computer in many ways. Bots oftentimes spread themselves across the Internet by searching for vulnerable, unprotected computers to infect. When they find an exposed computer, they quickly infect the machine and then report back to their master. Their goal is then to stay hidden until they are awoken by their master to perform a task. Bots are so quiet that sometimes the victims first learn of them when their Internet Service Provider tells them that their computer has been spamming other Internet users. Sometimes a bot will even clean up the infected machine to make sure it does not get bumped off of the victim’s computer by another cybercriminal’s bot. Other ways in which a bot infects a machine include being downloaded by a Trojan, installed by a malicious Web site or being emailed directly to a person from an already infected machine.
Bots do not work alone, but are part of a network of infected machines called a “botnet.” Botnets are created by attackers repeatedly infecting victim computers using one or several of the techniques mentioned above. Each one of the zombie machines is controlled by a master computer called the command and control server. From the command and control server, the cybercriminals manage their botnets and instructs the army of zombie computers to work on their behalf. A botnet is typically composed of large number victim machines that stretch across the globe, from the Far East to the United States. Some botnets might have a few hundred or a couple thousand computers, but others have tens and even hundreds of thousands of zombies at their disposal.
Trojans & Spyware
In the cyberworld, there are numerous methods available to commit identity theft and other cybercrimes. Learn more about trojan horses and spyware—two of the most popular methods used by cybercrimals.
What is a Trojan Horse?
This term “Trojan Horse” comes from a Greek fable, in which the Greeks presented a giant wooden horse to the Trojans as a peace offering. However, a nasty surprise awaited the Trojans as Greek soldiers sprung out of the hollow horse and captured Troy. Similarly, a Trojan horse program presents itself as a useful computer program, while it actually causes havoc and damage to your computer.
Increasingly, Trojans are the first stage of an attack and their primary purpose is to stay hidden while downloading and installing a stronger threat such as a bot. Unlike viruses and worms, Trojan horses cannot spread by themselves. They are often delivered to a victim through an email message where it masquerades as an image or joke, or by a malicious website, which installs the Trojan horse on a computer through vulnerabilities in web browser software such as Microsoft Internet Explorer.
After it is installed, the Trojan horse lurks silently on the infected machine, invisibly carrying out its misdeeds, such as downloading spyware, while the victim continues on with their normal activities.
What is Spyware?
Spyware is a general term used for programs that covertly monitor your activity on your computer, gathering personal information, such as usernames, passwords, account numbers, files, and even driver’s license or social security numbers. Some spyware focuses on monitoring a person’s Internet behavior; this type of spyware often tracks the places you visit and things you do on the web, the emails you write and receive, as well as your Instant Messaging (IM) conversations. After gathering this information, the spyware then transmits that information to another computer, usually for advertising purposes.
Spyware is similar to a Trojan horse in that users unknowingly install the product when they install something else. However, while this software is almost always unwelcome, it can be used in some instances for monitoring in conjunction with an investigation and in accordance with organizational policy.
Spyware is installed in many ways:
Most often spyware is installed unknowingly with some other software that you intentionally install. For example, if you install a “free” music or file sharing service or download a screensaver, it may also install spyware. Some Web pages will attempt to install spyware when you visit their page.
A person who wants to monitor your online activities may also manually install spyware. Depending on how this is done, this might be acceptable surveillance of an individual or an unwelcome, even illegal, invasion of privacy.
Trojans, Spyware & Crime
Trojans and spyware are crimeware—two of the essential tools a cybercriminal might use to obtain unauthorized access and steal information from a victim as part of an attack. The creation and distribution of these programs is on the rise—they are now 37% of all of the thousands of malware Symantec processes on a weekly basis.
Kaynak : Symantec
Yazılarr (RSS)