Archive
If it looks like it, smells like it and tastes like it, make sure you don’t tread in it
I had a Direct Message tweet from a friend and work colleague. It didn’t ring true – see for yourself:
If anyone offers you a free iPhone, RUN!
But curiosity is a wonderful, if dangerous, thing. I had a look. The first warning came from Bit.ly: chaining several URL shortenings together is something the bad guys sometimes do to fool us:
But I persisted. I went there anyway (protected by NoScript) and asked both Web of Trust (WOT) and McAfee TrustedSource for their opinion. WOT was not very reassuring:
And McAfee was positively damning:
…specifically associating the website with phishing attempts. I’m sure glad I didn’t tread in it!
But what it does mean is that my friend and colleague has been hacked. And when I think about it, I know very little about Twitter hacks. So I asked Kaspersky’s Ram Herkanaidu to explain things to me.
“This type of attack is nothing new,” he said. “The criminals know the potential of Twitter as an infection vector, and social networks in general are an increasingly effective way for cybercriminals to deliver malware. In this instance, the account used for spamming would have had its password stolen, and the victim will not know anything about it until the criminals start using it.”
OK; but how do the criminals go about stealing Twitter credentials?
“This is typically done using malware; many spy or password-stealing Trojans can get this information,” he explained. “There are also numerous offers on the black market for stolen Twitter accounts. Another way is to use Twitter’s trending topics. They monitor the latest buzz words and use that to get people to click on the links. These lead to sites which host malware. A typical way is to tell the user that they do not have the right codec (converter) to play a video. By clicking ‘Yes’ to install the codec it actually downloads the malware.”
In other words, apart from standard spyware, a common way to steal Twitter credentials is to use Twitter! So how do we defend ourselves? I asked Ram Herkanaidu for his top tips, and he said:
- Don’t respond to trending topics, especially if they contain a short URL.
- Use a preview extension to see what the real URL is.
- Pay special attention to any tweets coming with 2 or more trending topics in the body, since these are highly likely to be malicious.
- Use a good Internet security suite.
- Use ‘https’, i.e. an encrypted connection, to log in to Twitter.
- Try to avoid logging in from open (not encrypted) WiFi networks.
- Don’t log in from a public PC available at airports, Internet cafés and elsewhere.
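The second tip, previewing where a short URL really leads, can be done without loading the destination page at all: a HEAD request with redirects disabled returns only the `Location` header, so you can walk the chain hop by hop and count how many shorteners sit in front of the final site. The following is an added example written for this post, not code from the original or from Kaspersky; the redirect table is constructed so it runs offline (the shortener domains are real services, the paths and destinations are made up), and `live_head_location` shows how the same resolver would be driven against a real server.

```python
"""Resolve a chain of URL shorteners without fetching the final page.

Added example, not part of the original post. FAKE_REDIRECTS is a
constructed stand-in for HTTP 3xx Location headers so the code runs offline.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Assumption: a real deployment would keep a fuller, maintained list of shortener hosts.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}

# Constructed redirect table: url -> Location header the server would send.
FAKE_REDIRECTS = {
    "http://t.co/abc123": "http://bit.ly/xyz789",              # hop 1: shortener
    "http://bit.ly/xyz789": "http://tinyurl.com/free-iphone",  # hop 2: another shortener
    "http://tinyurl.com/free-iphone": "http://example.com/win/iphone.php?id=42",
    "http://bit.ly/direct": "http://example.org/article",     # a single, ordinary shortening
    "http://is.gd/loop1": "http://ow.ly/loop2",                # two shorteners pointing at each other
    "http://ow.ly/loop2": "http://is.gd/loop1",
}


def fake_head_location(url):
    """Offline stand-in: return the redirect target for url, or None if it is the final page."""
    return FAKE_REDIRECTS.get(url)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise on 3xx instead of silently following the redirect."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_head_location(url, timeout=5):
    """Real fetcher: one HEAD request, redirects disabled; returns the absolute Location or None."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout):
            return None  # 2xx: this is the final destination
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400 and err.headers.get("Location"):
            return urljoin(url, err.headers["Location"])
        return None


def resolve_chain(url, fetch_location=fake_head_location, max_hops=10):
    """Follow redirects one hop at a time and return every URL visited.

    Stops after max_hops, and stops as soon as a URL repeats (a redirect loop),
    so a hostile chain cannot keep the resolver busy indefinitely.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = fetch_location(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
        if nxt in seen:
            break  # loop detected; the repeated URL is recorded, then we give up
        seen.add(nxt)
    return chain


def assess(url, fetch_location=fake_head_location):
    """Resolve url and flag chains that use two or more shorteners or never leave them."""
    chain = resolve_chain(url, fetch_location)
    final = chain[-1]
    shortener_hops = sum(1 for u in chain[:-1] if urlparse(u).hostname in SHORTENER_HOSTS)
    reasons = []
    if shortener_hops >= 2:
        reasons.append(f"{shortener_hops} chained shorteners")
    if urlparse(final).hostname in SHORTENER_HOSTS:
        reasons.append("chain did not resolve to a real destination (loop or hop limit)")
    return {
        "final_url": final,
        "hops": len(chain) - 1,
        "shortener_hops": shortener_hops,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for start in ("http://t.co/abc123", "http://bit.ly/direct", "http://is.gd/loop1"):
        print(start, "->", assess(start))
```

To use it against a live link, pass `fetch_location=live_head_location` to `assess`; because the request is a HEAD with redirects disabled, no content from the final site is ever downloaded, which is the whole point of previewing rather than clicking.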
Fraud as a Service: a new industry for the 2010s
The economic downturn is affecting everyone; there’s just not a lot of money going around these days. So spare a thought for the criminal: with less money to steal, he has to work harder for his living.
And that is certainly the conclusion to be drawn from Panda Security’s latest report: The Cyber-Crime Black Market: Uncovered. We have already seen in a previous post that complex viruses are being developed and used, probably to run interference for the trojans. By tying up the AV industry’s top engineers in locating, unravelling and disarming these viruses, the online criminals hope to keep the work of their data-stealing trojans operational over a longer period. But just consider the organizational skills that this requires: it’s an underground black market industry that mirrors the organisation of legitimate industry. Whatever you want, you can have: at the market price.
The report comes out of Panda’s decision to have a closer look at the internet’s black market, “to see what kind of services they are selling today,” explained technical director Luis Corrons. “We found that basically it is the same as what’s been going on for years – only now the service is more specialised, and the availability more widespread. In the past they sold things like infection kits, spam services, stolen credit cards; and yes that is still available. But now the criminals are offering far more services. In the past you could buy a number of credit cards; and depending on the amount you buy, the price goes up or down.” This is still available, said Corrons, “but now the criminals have started offering guarantees. OK, you can pay, say, $2 for a credit card; but if you want access to a bank account with a certain amount of money guaranteed, you pay more – and you can have that. You can even request bank accounts with more than $80,000 – but to get such credentials you’d have to pay $700.”
Apart from the guarantees, the whole process has become more integrated. “You can buy the credit card details which you can use,” he continued, “and then you can hire additional services so they will take care of and make all the money transfers for an additional fee. Or, let’s say you buy some luxury items with these stolen credit card details – such as a big LCD TV. Well you can’t have it sent straight to your house because obviously the police can track it. No problem. There are people offering to do this for you. You want to buy this – we’ll do it for you, and take care of sending it to your house.”
> From the comfort of an office or bedroom, with a single computer and spurred on by the lack of international legislation or cooperation between countries to facilitate investigations and arrests, cyber-criminals have been making a lucrative living from these activities.
Corrons even described a site in Russia that offers to provide you with anything you want for just 20% of the usual cost. How? FAQs on the site explain that they will use stolen credit cards to buy, primarily from US online stores, and let you have the goods for 20% of the cost, which they take from you as their fee. This Russian site only supplies Russian residents, but it is indicative of how the black market is evolving.
| Products | Price |
|---|---|
| Credit card details | From $2 to $90 |
| Physical credit cards | From $190 + cost of details |
| Card cloners | From $200 to $1000 |
| Fake ATMs | Up to $35,000 |
| Bank credentials | From $80 to $700 (with guaranteed balance) |
| Bank transfers and cashing checks | From 10 to 40% of the total; $10 for a simple account without guaranteed balance |
| Online stores and pay platforms | From $80 to $1500 with guaranteed balance |
| Design and publishing of fake online stores | According to the project (not specified) |
| Purchase and forwarding of products | From $30 to $300 (depending on the project) |
| Spam rental | From $15 |
| SMTP rental | From $20 to $40 for three months |
| VPN rental | $20 for three months |
Clearly, there is so much money to be made from these activities, even in difficult times, that what Panda is describing is the beginning of a new industry: cloud-based Fraud as a Service.
“In the last two years, we have seen a growing number of new viruses…” Panda’s Luis Corrons explains
Differentiating between one type of malware and another is neither easy nor, ultimately, particularly useful. Nevertheless, there is a temptation to say that the purpose of a virus is to attack and probably harm the target, while the purpose of a Trojan is to steal from the target. In other words, a virus is a weapon and a Trojan is a tool.
The very nature of cybercrime is changing: it is evolving from the indiscriminate carnage wreaked by earlier viruses, into an organised criminal business. It is little wonder then, that by 2005, the number of new viruses (weapons) was being dwarfed by the number of new Trojans (business tools). Figures from Panda’s new report, The Cyber-Crime Black Market: Uncovered (of which more in a later post) show that the generation of new viruses was so small that it had to be included in the ‘other malware’ category. Trojans, however, accounted for nearly half (49%) of all new malware.
Luis Corrons, PandaLabs’ technical director, told me that the latest figures show an even greater dominance of new Trojans, so that by 2010 Trojans account for just about 56% of all new malware. Again, this is not surprising. Trojans are the tool by which cybercriminals extort, steal and fraudulently obtain their income. The surprise, however, is that the virus is showing signs of a recovery: no longer lost within the 10% of other malware, during 2010 it accounted for more than 22% of all new malware.
Why? Why should an uneconomic attack weapon resurface when logic would suggest it should continue to decline? I asked Luis Corrons to explain.
“We used to get a lot of viruses in the past; and then everything became Trojans and worms, and there were only a few new viruses,” he said. “But in the last 2 years we have seen a growing number of new viruses appearing; not necessarily many different ones, but many new variants of the same ones.”
The cause remains a mystery. “We often ask ourselves, why should this happen?” His answer is a bit surprising. “The virus is, for us, a really painful process; even though as an industry it’s where we come from. A virus is far more complex to detect than any other threat, such as a Trojan or a worm. In the final analysis,” he continued, “with a Trojan or a worm, the whole file is malicious.”
Viruses are different. “The virus embeds itself into good files, making detection considerably more tricky. But the bottom line for us isn’t just detection; it’s disinfection. And we have to remove every trace of the virus from the file, returning it to a clean state similar to its condition before the infection. This takes a lot of time and is something that we cannot completely automate. So it involves high level engineers spending a lot of time on the problem.”
In short, Corrons is explaining that a disproportionate amount of time and expertise has to be spent on anti-virus rather than anti-Trojan activities. But here’s the anomaly. “Some of the new viruses we are seeing these days are really, really complex and could only be written by very skilled people. But most of these viruses don’t have any Trojan content, so financial gain is not a motivation.”
So, what is the motivation?
“Our guess,” he suggests, “although we don’t have any hard proof of this, is that the trojan criminals are also engaged in the creation of these high level computer viruses so that it takes a lot of our time and resources to prevent us focusing on their real business: Trojans and financial theft. We’ve tried to find a better explanation, but we really cannot.”
And that’s a bit worrying. It suggests that the criminal gangs are more organised, better resourced, and more determined than I for one had realised.