Wednesday, June 15, 2005

The Next Generation of Phishing Tools

The folks at SC Magazine -- or, maybe just Maksym Schipka -- describe the interesting ramifications of program complexity. Windows XP, according to Schipka, consists of a scant 40 million lines of code. A conservative figure of five bugs per KLOC (one thousand lines of code) yields perhaps 200,000 bugs. Schipka posits that about one-tenth of one percent of that figure will be remote-execution security issues: in other words, about 200 serious remote vulnerabilities.

Worse, the trend towards blended, polymorphic attacks continues unabated. Recent generations of trojans blatantly scan for vulnerabilities, rip down defensive barriers such as anti-virus protection, and hijack trusted applications and libraries.

From the phishing perspective, the trend is equally serious:

...A recent phishing attack, purporting to be a communication from a major UK bank to its customers, provides a significant pointer to likely future developments in the email banditry arena.

It works like this: customers receive an email that makes the usual phishing bid to gain personal banking details -- but it also has a more purposeful payload. Before attempting the phish, it first uses an IFRAME exploit to download a trojan installer without the user's knowledge.

The installer checks a number of parameters on the system -- for example, the versions of Windows and Internet Explorer being used, whether Norton AV updater or McAfee AV updater are running and what version of Java Virtual Machine is in use. Based on the information it collects, the installer chooses one of the four different exploits to perform the trojan executable drop.

The innovation here is that, not only are different exploits and vulnerabilities used to penetrate the user's computer, but also that a trojan installer is an integral component of the phishing attempt.

If this new technique proves as successful as its criminal perpetrators surely hope, we can expect to see even greater uses of such convergence in the future. With the prospect of spam messages arriving in your inbox trying to sell you a product while attempting also to obtain your personal banking information -- and planting a trojan on your computer at the same time -- the case for adopting comprehensive email security has surely never been more pressing...

This matches Counterpane's assessment almost exactly: black-hat activity now revolves around criminal, not recreational, ends. Bruce Schneier:

Another 2004 trend that we expect to continue in 2005 is crime. Hacking has moved from a hobbyist pursuit with a goal of notoriety to a criminal pursuit with a goal of money. Hackers can sell unknown vulnerabilities -- "zero-day exploits" -- on the black market to criminals who use them to break into computers. Hackers with networks of hacked machines can make money by selling them to spammers or phishers. They can use them to attack networks. We have started seeing criminal extortion over the Internet: hackers with networks of hacked machines threatening to launch DoS attacks against companies. Most of these attacks are against fringe industries -- online gambling, online computer gaming, online pornography -- and against offshore networks. The more these extortions are successful, the more emboldened the criminals will become.

We expect to see more attacks against financial institutions, as criminals look for new ways to commit fraud. We also expect to see more insider attacks with a criminal profit motive. Already most of the targeted attacks -- as opposed to attacks of opportunity -- originate from inside the attacked organization's network...

One thing is for certain: endpoint security has never been more critical.

SC Magazine: The Potential for Bugs

