Older and wiser

Today (the date I'm writing this entry) is my birthday. Birthdays are a time of quiet contemplation for me (and quiet desperation for my mother). As I think about the past year and the progress I've made (things are looking good for my long-term goal of spending my old age miserable and alone), I keep thinking of change and how people and things advance.

The past year has shown much progress. Women have rejected me, technology products have been launched, iPhones were purchased and even the world of financial crime has not been silent.

The Rock Phish group is a phishing gang believed to be based out of Russia -- and, by some accounts, is responsible for roughly 50% of phishing attacks by volume. The Rock gang has also pioneered several new approaches in phishing: in 2004 it was the first (and, for a long time, the only) gang to employ botnets in its phishing infrastructure in order to make the attacks live longer and scale better. It also pioneered new techniques in its spam mails so the mail could more easily evade spam filters.

Within the past few weeks there has been a new advance -- the inclusion of identity theft malware (or Crimeware) into the Rock group's phishing attacks. I have written before about the problems this type of malware poses, but coupled with the robust infrastructure the Rock group has at its disposal, this is more than double the trouble. This new twist to the attacks run by the Rock group was recently uncovered by RSA's Anti-Fraud Command Center (AFCC). Full details can be found here.

This is how it works:

The victim is duped into visiting a phishing site. However, whether or not the victim surrenders his/her credentials into the site is irrelevant (many people click on phishing links but do not fill in meaningful information): with this new attack-twist, the victim will still be infected with a Trojan horse.

This is done via a technique called "drive-by infection", wherein a vulnerability in the victim's operating system, browser, or other software is exploited in order to infect the victim without his/her knowledge (let alone consent), and without the victim having to proactively download anything. The vulnerabilities exploited in these situations are often unknown to the software vendors and therefore often unpatched, leaving the victims defenseless (just like your humble servant finds himself when in the company of a beautiful woman).

This particular case of drive-by infection was masked particularly well. The code that attempted to infect the machine was hosted on a domain named in such a way that it blatantly infringed on Google's trademark, with the end result that advanced users or heuristic security software were more likely to allow content from the domain. The URL itself was also dynamically generated, so blacklisting it or matching it against a trivial pattern would fail.
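One defensive counterpart to the trick described above is to stop keying on the exact URL (which the attacker regenerates at will) and instead flag any hostname that borrows a protected brand name without living under a domain the brand actually owns. The following is an added example written for this post, not code from the post's author or from RSA; the proxy log lines, the non-Google hostnames and the short allowlist are all constructed for illustration.

```python
"""Flag brand-impersonating hostnames in web proxy logs.

Heuristic: the hostname contains a protected brand name but is not one of
(or a subdomain of) the domains that brand legitimately owns. The check keys
on the host rather than the full URL, because a dynamically generated path
defeats exact-URL blacklisting.
"""
from urllib.parse import urlsplit

# Constructed sample proxy log lines: timestamp, client IP, method, URL.
# Every host other than Google's own is hypothetical and not taken from the post.
SAMPLE_LOG = """\
2008-03-10T10:01:02Z 10.0.0.5 GET http://www.google.com/search?q=bank
2008-03-10T10:01:09Z 10.0.0.5 GET http://google-analytics.example-cdn.net/a/x9f3k2/load.js
2008-03-10T10:02:11Z 10.0.0.7 GET http://mail.google.com/mail/
2008-03-10T10:03:40Z 10.0.0.7 GET http://secure.googleupdates.biz/u/7a1b/gate.php
2008-03-10T10:03:55Z 10.0.0.9 GET http://www.google.com.secure-login.net/accounts/x1/
2008-03-10T10:04:01Z 10.0.0.9 GET http://www.example.org/index.html
"""

# Assumption: a small hand-maintained allowlist of domains each brand really owns.
# A real deployment would use a maintained list and a public-suffix-aware parser.
BRAND_ALLOWLIST = {
    "google": ("google.com", "googleapis.com", "gstatic.com", "google-analytics.com"),
}


def host_of(url):
    """Return the lowercase hostname from a URL, or None if it has none."""
    host = urlsplit(url).hostname
    return host.lower() if host else None


def is_legitimate(host, owned_domains):
    """True if host equals one of the owned domains or is a subdomain of one.

    Note that "www.google.com.secure-login.net" ends with "secure-login.net",
    not ".google.com", so a suffix check is not fooled by a brand used as a
    leading label.
    """
    return any(host == d or host.endswith("." + d) for d in owned_domains)


def brand_in_host(host, brand):
    """True if the brand string appears anywhere in the hostname (any label)."""
    return brand in host


def find_brand_lookalikes(log_text, allowlist=BRAND_ALLOWLIST):
    """Return (host, brand, url) for each request whose host uses a brand it does not own."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or truncated line: skip rather than crash
        url = parts[3]
        host = host_of(url)
        if host is None:
            continue
        for brand, owned in allowlist.items():
            if brand_in_host(host, brand) and not is_legitimate(host, owned):
                hits.append((host, brand, url))
    return hits


if __name__ == "__main__":
    for host, brand, url in find_brand_lookalikes(SAMPLE_LOG):
        print(f"ALERT brand={brand} host={host} url={url}")
```

Run against the constructed log, the three lookalike hosts are reported and the genuine Google hosts are not. Substring matching on the brand is deliberately loose (it will also catch "googleupdates"); the allowlist is what keeps the false-positive rate manageable, so it has to be kept current.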

The Trojan that was used in this attack belonged to the "Zeus" family of malware. Zeus is a nefarious type of Trojan for multiple reasons:

1. The Zeus Trojan is a kit for sale: Anyone in the criminal community can purchase it for roughly $700. This means that the Rock group did not need to develop new skill-sets to write Trojan horses; they just purchased it on the open market. In the past 6 months RSA's Anti-Fraud Command Center has detected more than 150 different uses of the Zeus kit, each one infecting on average roughly 4,000 different computers a day.

2. Resistance to detection: The kit purchased is a binary generator. Each use creates a new binary file, and these files are radically different from each other -- making them notoriously difficult for anti-virus or security software to detect. To date very few variants have had effective anti-virus signatures against them and each use of the kit usually makes existing signatures ineffective. Just like in most cases, this particular use of the Zeus kit did not have any anti-virus detection (with the popular engines we tested) at the time of this writing.

3. Rich feature set: the Zeus Trojan has many startling capabilities. In addition to listening in on the submission of forms in the browser, the Trojan has advanced capabilities such as taking screenshots of a victim's machine, controlling it remotely, adding extra pages to a website and monitoring it, or stealing passwords stored by popular programs (remember when you clicked on the "Remember this password?" checkbox?)... And the feature list goes on.

As I look upon this blissful union of fraud and crime technologies, I can only envy the criminals who can find such coupling. Looking forward to my next birthday, I can only hope that I will have the opportunity to find such partnership in my own life (and maybe give my mother one less reason for disappointment).

Comments

Happy Birthday

Well written and very interesting post. Noted a lot of people have written about it, but no one took the time to wish you a Happy Birthday.

Here is to your being surrounded by many beautiful women in the next year and the hope that someone will take out the Rock Phish gang.

- ed dickson

Older and Wiser

It's the first time I read about a technical subject (Rock Phish) being written this way. Easy to read, friendly, with a touch of humor and self-disgust (you're fooling no one, though). If Graham Greene was technologically inclined, I guess he would be writing like Uriel Maimon. Belated Happy B-day, sir. I hope you get your beautiful woman, not the phished variety.

The old gang

Very interesting description of the new advances of the RP Gang. Rock Phish and their new tool, which enhances the usual Trojan technique, could be a real threat also to banks in Germany, which still do not have the damages seen in the US/UK. Looking forward to the next story of this guy... What guy might that be??

- AndreT
