The internet rather than emails is the new threat vector
The primary threat vector has changed from email to the internet. The Bad Guys used to send us the malware; now they just tell us where to go and get it. And a surprising number of us actually do just that. First the Bad Guys ‘poison’ a web site, and then they persuade us to visit it. If we’re using a browser that has the chosen vulnerability and if we land on an infected page, that’s it: the poison spreads via our browser to our computer – and we’re infected.
The first stage for the Bad Guys is to acquire the poisoned pages. Basically, there are two ways they do this: compromise an existing legitimate site; or build their own websites with their own domain names. Either way, the next step is to find some way of making us visit the poisoned site. For the former, nothing has to be done. The advantage in compromising a legitimate site is that it will already have frequent visitors who probably have an existing level of trust in that site, and won’t be expecting to encounter any malware.
For the latter route, the Bad Guys need to register new domain names and build a site – possibly just a single page that imitates the landing page of a major bank or other trading company. PandaLabs has done some research into this methodology and has found that said Bad Guys are creating 57,000 new fake websites every week. 65% of these fake websites are positioned as belonging to banks. For the most part, they pose as banks in order to steal users’ login credentials. Online stores and auction sites are also popular (27%), with eBay the most widely used. Other financial institutions (such as investment funds or stockbrokers) and government organisations occupy the following positions, with 2.3% and 1.9% respectively. The latter is largely accounted for by the US revenue service or other tax collecting agencies. Payment platforms, led by PayPal, and ISPs are in fifth and sixth place, while gaming sites – topped by World of Warcraft – complete the ranking.
The advantage in this approach is that Bad Guys don’t need to go to the trouble of compromising the legitimate site: they just build the malware into their own sites. What they do have to do is drive innocent traffic to the sites – but this is easy enough with scam emails, black hat SEO (BHSEO) techniques, or hiding the true URL as a shortened URL for Twitter trending topics. Scam emails simply latch onto a high-profile incident, and use social engineering techniques to persuade us to visit the poisoned website (see, for example, “HMRC or phishers?” for a current attack). BHSEO involves using legitimate search engine optimisation techniques to position the fake websites high up on Google, Yahoo or Bing’s search rankings for popular issues of the day.
The problem is that when you visit a website through search engines, it can be difficult for users to know whether it is genuine or not. For this reason, and given the proliferation of this technique, it is advisable to go to banking sites or online stores by typing in the address in the browser, rather than using search engines, which, although they are making an effort to mitigate the situation by changing indexing algorithms, cannot fully evade the great avalanche of new Web addresses being created by hackers every day.
Luis Corrons, Technical Director of PandaLabs
And Twitter shortened URLs simply hide the false URL as something like a bit.ly URL and then latch on to a currently trending topic. At the time of writing, Pastor Terry Jones is trending – and there are some very witty comments. If I was a Bad Guy, I’d have a Twitter account ready and I’d post something like “Pastor Terry Jones – a collection of the funniest tweets: http://bit.ly/false”. Since Pastor Terry Jones is trending, a lot of people will see this and a lot of people will click on the URL without thinking. Twitter will discover the scam and remove it pretty quick – but I may have got a few of you before it’s done.
The first route of the Bad Guys we mentioned was to compromise a legitimate site. It happens more often than you might think. Just this week, security site TechCrunch Europe was delivering the Zeus trojan to visitors – and most of us would tend to feel pretty safe on a security site. At the time, Trend Micro’s Rik Ferguson pointed out that according to VirusTotal only two AV products (DrWeb and – this will please Luis Corrons – Panda) detected the malware.
Trusteer warned a while ago that the newer version of Zeus is very effective in avoiding detection by IT security software and the increased Zeus infection rates demonstrate this. We estimate that fraud losses due to Zeus specifically are going to triple in 2011 due to the increase in distribution and lack of coverage by antivirus vendors. This latest infection of the TechCrunch Web portal is just the tip of the iceberg. The good news is that, if users of HSBC, Natwest, Santander and other UK banks download a copy of our free Rapport in-browser software, even if they are infected, the software will prevent their e-banking credentials from leaking.
Mickey Boodaei, CEO, Trusteer
So what can we do in this new version of the world wild web? Be very careful, obviously. But then we need to stop scripts running in our browser. NoScript on Firefox is good. And we need to know where the shortened URLs are sending us. Long URL Please on Firefox is good for this. And we need to keep our AV up to date. Just because few AV products recognise a piece of malware today doesn’t mean they won’t recognise it tomorrow – and we need all the help we can get. And finally, of course, if we do internet banking, then we should get Trusteer’s Rapport.
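As an added example (not from the original post, and not how Long URL Please or any other add-on works internally), the following Python shows the idea behind “know where the shortened URL is sending you” from the paragraph above, and the bit.ly trick described earlier: resolve a short link one redirect hop at a time, refusing to auto-follow, so every intermediate and final destination is listed before anyone visits it, and then compare the final hostname against an allowlist of the bank or shop domains you actually intend to use (the same “type the address yourself” idea in Luis Corrons’ advice). All hostnames, the `short.example`/`.test` URLs and the canned responses are constructed for the demo; `fetch_location_http` is the only part that talks to a network and is not used by the offline run.

```python
"""Expand a shortened URL hop by hop and judge the final destination.

Constructed example: the redirect chains below are invented so the script
runs offline; swap fake_fetch for fetch_location_http to resolve real links.
"""
import urllib.error
from urllib.parse import urljoin, urlparse
from urllib.request import HTTPRedirectHandler, Request, build_opener


class _NoRedirect(HTTPRedirectHandler):
    """Refuse to follow redirects; the caller inspects the Location header."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_location_http(url, timeout=5):
    """HEAD one URL and return (status_code, Location header or None).

    urllib raises HTTPError for a 3xx once redirects are refused, so the
    redirect target is read from the exception's headers.
    """
    opener = build_opener(_NoRedirect())
    req = Request(url, method="HEAD", headers={"User-Agent": "url-expander/0.1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def host_is_allowed(host, allowed_hosts):
    """True only for an exact allowlisted host or a real subdomain of one.

    'login.bank.example.evil.test' does not end with '.bank.example', so a
    lookalike that merely embeds the bank's name is rejected.
    """
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in allowed_hosts)


def expand(url, fetch, allowed_hosts=frozenset(), max_hops=10):
    """Follow redirects manually; return the full chain and a verdict.

    verdict is one of: 'trusted', 'untrusted', 'loop', 'too_many_hops'.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        code, location = fetch(url)
        if location is None or not 300 <= code < 400:
            break                      # reached a non-redirect response
        url = urljoin(url, location)   # Location may be relative
        if url in seen:
            return {"chain": chain, "final": url, "verdict": "loop"}
        seen.add(url)
        chain.append(url)
    else:
        return {"chain": chain, "final": url, "verdict": "too_many_hops"}
    host = urlparse(url).hostname or ""
    verdict = "trusted" if host_is_allowed(host, allowed_hosts) else "untrusted"
    return {"chain": chain, "final": url, "verdict": verdict}


# Constructed redirect chains standing in for a real shortener (sample data).
FAKE_RESPONSES = {
    "http://short.example/abc": (301, "http://t.co.example/xyz"),
    "http://t.co.example/xyz": (302, "/landing"),             # relative Location
    "http://t.co.example/landing": (302, "http://login.bank.example.evil.test/"),
    "http://login.bank.example.evil.test/": (200, None),
    "http://short.example/real": (301, "https://www.bank.example/login"),
    "https://www.bank.example/login": (200, None),
    "http://short.example/loop": (302, "http://short.example/loop2"),
    "http://short.example/loop2": (302, "http://short.example/loop"),
}


def fake_fetch(url):
    """Offline stand-in for fetch_location_http using the canned responses."""
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    banks = {"bank.example"}            # hypothetical allowlist of intended sites
    for start in ("http://short.example/abc", "http://short.example/real",
                  "http://short.example/loop"):
        result = expand(start, fake_fetch, allowed_hosts=banks)
        print(result["verdict"].upper(), " -> ".join(result["chain"]))
```

The point of the manual hop-by-hop walk is that a shortener can chain through several services before the phishing page, and a single auto-followed request hides all of that; listing every hop, bounding the hop count and treating a loop as a failure keeps the tool from being led around indefinitely, and the suffix match on the allowlist is what stops “bank.example” appearing inside a longer attacker-controlled hostname from passing as the bank.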