Peter Cassidy
Secretary General – APWG
www.antiphishing.org
[email protected]
Director of Research – TriArche Research Group
www.triarche.com
[email protected]

The Robot Thief Comes of Age
Stalking an Automated Criminal Intelligence


Attack Growth Flattens; Shifts in Approach & Targets

Growth rate for conventional phishing attacks in 2005 lower than in 2004 or 2003

Techniques are becoming more sophisticated, more automated and less reliant on direct deception of consumers

The focus is increasingly on banks, topping 92% in January

The number of different companies being attacked is also increasing, mostly banks of increasingly smaller customer base size and capitalization

Logistics Changing
• Far more server power to drive attacks and collect consumer data
• Phishers adapting to targeted FIs’ growing efficiency in taking down phish sites and thwarting attacks before and after launch time
• Larger arrays of servers being used in attacks
• Redirect techniques used to hide host location and multiply landing servers
• Greater precautions taken to cover trails

January ’06 Report Highlights
• Number of unique phishing reports received: 17,877
• Number of unique phishing sites recorded: 9,715
• Number of brands hijacked by phishing campaigns: 101
• Number of brands comprising the top 80% of phishing campaigns: 6
• Country hosting the most phishing websites in January: United States
• Contain some form of target name in URL: 45%
• No hostname, just IP address: 30%
• Percentage of sites not using port 80: 8%
• Average time online for site: 5.0 days
• Longest time online for site: 31 days

Phishers Focus: Financial Services

Financial institutions are hardening as the principal focus. Since last fall, we’ve seen a resurgence of attacks on big banks. In the latest campaigns against big banks the approach is geared more toward retrieving full-kit personal data for ID theft and credit card PINs, apparently for cash withdrawals. Overall, banks account for consistently more than 85% of all attacks from month to month.

Targets Began Fragmenting in 2004
• Phishers began conventional phishing attacks against regional banks in late Summer ’04 and would begin targeting state-service banks and community credit unions soon after
• Some of this change represents innovation in conventional phishing attacks
  – Creating focused lists based on the affinity of a bank with other institutions
• In conventional phishing attacks, phishers are becoming much better ‘marketers’

NC State Employees’ Credit Union

Phishing reports targeting the North Carolina State Employees’ Credit Union, a $12 billion thrift, were detected in mid-May. In this particular scam, the fake URL was covered over by an image of the true domain name, making the counterfeit site appear to be the ncsecu.org site.

Phishers Now Target the Smallest
• May 2005: phishers use University of Kentucky email addresses to attack the University’s Federal Credit Union customers (33,000 members and assets of $152 million capitalization)
• Phishers learning to work probabilities in their favor by collecting lists of email addresses of consumers with a likely relationship to the bank
• Phishers optimizing list creation – the third leg of the marketing triad

Phishing Matures as an Industry
Successes Fueling Massive Criminal R&D Effort Into Crimeware

A Burgeoning eCrime Economy
• Increasing technical sophistication requires increasing investment and a working economy
• Identity information is the new currency for an expanding cyber-crime underground
• Specialization within the new eCrime economy already readily apparent
  – Botnet controllers: infrastructure providers
  – Crimeware designers/programmers
  – Data brokers and aggregators
  – Data farmers
• Incredibly fluid and responsive to opportunities
  – Windows Meta File vulnerability discovered in December inspired a number of exploit schemes in days

Crimeware for Sale: $1,100
• Programmer advertising on cracker boards to build custom crimeware – for a price
  – Keylogger
  – Clipboard logger
  – e-gold stealer
  – Form grabber
  – UK bank screen logger
  – Disables anti-virus
  – Sneaks out through personal firewalls
  – Polymorphic packing (to evade anti-virus)
  – Claims to defeat German Transaction Authorization Number schemes (TAN)

Phishers in Massive R&D and Crimeware Deployment Effort
• Symantec reported last year that phishers massively increased deployments of malicious code created specifically to expose confidential information
  – Such code now makes up 54 per cent of the top 50 most prevalent malicious code samples received in the study
• 27 of the top 50 malicious messages were designed to expose confidential information

Crimeware Designed for Three Goals
• Commandeering ever larger arrays of Internet infrastructure for animating phishing attacks
  – Sending worms and viruses via email, IM, P2P, etc. to commandeer yet more new zombies, and
  – Driving attacks on consumers’ PCs to deliver phish mails and plant Trojan Horse systems
• Capturing login and password data to report out to phishers for use in frauds on accounts
  – A number of principal schemes emerging, all based on pre-existing technologies
• Using the stolen credentials and completing transactions in which the phisher makes money

Criminal Data Aggregation
• Consumer data itself has become a currency in the eCrime economy
• Data aggregators/brokers combine data from many different sources to create full profiles of consumers to drive crimes:
  – ID theft
  – Enrollment in online banking
  – Extortion
• Data farmers, small-time phishers, can find a market for harvests of phishing campaigns

The Robot Thief Arrives
Automated Phishing Superseding Social Engineering Phishing Schemes

Phishing Mode Is Shifting
• The vast majority of attacks that are reported to the APWG today are social engineering attacks based on deceit
  – Trick the consumer into believing he is communicating with a trusted commercial organization so that he gives up his personal financial credentials
• New modes of phishing are moving beyond social engineering schemes and toward technical subterfuge schemes that can automatically retrieve the customer’s personal financial data from his personal computer
• We are in the midst of a transition from social engineering attacks to advanced technical subterfuge attacks requiring, in some instances, no participation by the consumer

Principal Desktop Crimeware Tech
– Keyloggers
– Redirectors (pharming)
  • Local
  • Remote (corruption of DNS)
– Session hijackers
– Screen scrapers
– All technologies existed long before phishing became a large-scale criminal enterprise

Crimeware Growth

Media for Crimeware Infection
• Email
  – Fake messages used to lure consumers to websites that drop crimeware or bootstrap code that downloads crimeware
• False consumer websites
• Compromised consumer websites
• Websites planted in online communities – Orkut, MySpace, etc.
• Instant messenger SPIM with links to crimeware
• ‘Freeware’ doped with crimeware

Keyloggers
• Wait until you try to log into a bank or e-commerce site or intranet
• Watch your keystrokes and send them to a hacker’s data collection server
• Example: Bankash.D spies on 279 different sites
  – Moving toward genericized keylogging systems

“Pharming” – DNS Poisoning
• Takes you to fake sites, even if you type in www.bankofelbonia.com
• 3 types of navigational-corruption crimeware discovered so far:
  – Edit your hosts file
  – Change your DNS settings
  – Install web proxy server
• Also possible via attacks on DNS servers
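All three local redirection techniques on this slide leave traces on the host itself, which makes them auditable. The following Python is an added example (not from this deck or from APWG) of a host-side check: it flags a hosts-file entry that pins a watched bank domain, a resolver that is not on the organisation’s expected list, and a proxy forced through environment variables. The watched domain reuses the slide’s www.bankofelbonia.com; the expected resolver addresses and all sample inputs are constructed placeholders from documentation address ranges, and the files are passed in as strings so the check runs offline.

```python
"""Host-side checks for the three local redirection techniques on the slide
(hosts-file edit, changed DNS settings, forced web proxy). Added example, not
from the deck or from APWG. Files are passed in as text so it runs offline;
on a live host you would read /etc/hosts, /etc/resolv.conf and the process
environment (or the browser's proxy settings) instead."""
import ipaddress
import re

# Domains to protect; www.bankofelbonia.com is the slide's example name.
WATCHED_DOMAINS = {"www.bankofelbonia.com", "bankofelbonia.com"}

# Resolvers the organisation expects (constructed placeholders from the
# RFC 5737 documentation range).
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

PROXY_VARS = ("http_proxy", "https_proxy", "HTTP_PROXY", "HTTPS_PROXY")


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def check_hosts_file(text):
    """A hosts entry for a bank domain is suspicious whatever address it
    carries: legitimate hosts files do not pin bank names."""
    return [f"hosts file maps {name} to {ip}"
            for ip, name in parse_hosts(text) if name in WATCHED_DOMAINS]


def check_resolvers(resolv_conf_text):
    """Flag nameserver lines pointing anywhere but the expected resolvers."""
    findings = []
    for line in resolv_conf_text.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)", line)
        if not m:
            continue
        addr = m.group(1)
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"unparseable nameserver {addr!r}")
            continue
        if addr not in EXPECTED_RESOLVERS:
            findings.append(f"unexpected resolver {addr}")
    return findings


def check_proxy(env):
    """env is a mapping like os.environ; any proxy variable set means web
    traffic is being routed through another host."""
    return [f"{var} forces traffic through {env[var]}"
            for var in PROXY_VARS if env.get(var)]


def audit(hosts_text, resolv_text, env):
    """Run all three checks; returns a list of human-readable findings."""
    return check_hosts_file(hosts_text) + check_resolvers(resolv_text) + check_proxy(env)


# Constructed sample inputs showing all three techniques at once.
SAMPLE_HOSTS = """127.0.0.1 localhost
# constructed: pins the bank's name to a documentation-range address
203.0.113.10 www.bankofelbonia.com bankofelbonia.com
"""
SAMPLE_RESOLV = "nameserver 192.0.2.53\nnameserver 198.51.100.7\n"
SAMPLE_ENV = {"http_proxy": "http://198.51.100.8:8080"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_HOSTS, SAMPLE_RESOLV, SAMPLE_ENV):
        print("FINDING:", finding)
```

The hosts-file check deliberately does not care what address the entry points to: the presence of a bank name in the file is the indicator. The resolver check, by contrast, needs a site-specific allow list, which is why EXPECTED_RESOLVERS is a placeholder to be replaced with the organisation’s own addresses.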

Session Hijacking Trojan

• Secretly perform transactions after you log in

Win32.Grams waits for a user to log into an e-Gold account, then creates a hidden browser session in the background which uses OLE automation to transfer the money from their account directly to another e-Gold account

End Game: Complete Automation
• Technical subterfuge attacks have the advantage of automation
  – A single Trojan Horse system can mine data for a number of financial institutions – instead of one
  – A single Trojan Horse delivered or bootstrapped through worms and viruses can infect thousands of machines without the owners knowing about it
• Next frontier: widespread use of systems to automate the use of the credentials to complete transactions

Technical Subterfuge Phishing Already Embraced By Organized Crime
• March 2005: Brazilian police arrested a gang leader allegedly responsible for at least $37 million in phishing-related losses to consumers, using Trojan systems
• October 2004: 53 were arrested in raids as Brazil cracked down on a phishing gang based in Brazil’s northern states allegedly responsible for $88,000,000 in losses to consumers
• Scale of losses apparently far higher using technical subterfuge schemes like Trojan horse attacks
• At Christmastime 2004, several banks in the UK were hit with a navigational attack that directed consumers to bank websites through proxies controlled by phishers – where login and password data were intercepted
  – First recorded instance of a massively deployed man-in-the-middle attack

Can Robot Thief Be Neutralized?
Probably, but not completely by existing technologies

Crimeware Veiling Tactics
• Polymorphics/Metamorphics
  – Essentially rewrites the code with every new iteration of software to render a new signature – unknown to the anti-virus vendors
• Polypacking
  – Compressing the executable into a self-installing system or packing it within another apparently benign executable unknown to anti-virus signature files
• Binary crimeware
  – Boot-strapping software whose purpose is to provide a socket for crimeware – or to reach out and download crimeware once it is established on a suitable host

Detection Rates Disturbingly Low

Antivirus Vendor    Malware Detected
A    1006 samples    88.00%
B    1006 samples    88.00%
C    1558 samples    81.41%
D    1980 samples    76.37%
E    2809 samples    66.48%
F    3115 samples    62.83%
G    3143 samples    62.49%
H    3268 samples    61.00%
I    3466 samples    58.64%
J    3628 samples    56.71%
K    3869 samples    53.83%
L    4506 samples    46.23%
M    4599 samples    45.12%
N    5210 samples    37.83%
O    5572 samples    33.51%
P    5579 samples    33.42%
Q    6186 samples    26.18%
S    6211 samples    25.88%
T    6411 samples    23.50%
U    6680 samples    20.29%
V    6960 samples    16.95%
W    7491 samples    10.61%
X    7513 samples    10.35%
Y    7829 samples    6.58%

Brazil CERT found that detection rates for commercial anti-virus products were highly variable – running from under 7% to 88.00%.

Crimeware is such a principal tool that Brazil CERT made researching crimeware and reporting new samples directly to AV vendors a research and service focus.

Crimeware Changes Probability of Success in Favor of Phishers
• Conventional phishing schemes fight long odds
  – Phish mails have to land in the mail boxes of customers of the targeted institution
  – Number of targets for each crimeware issue advancing toward generic potency
• Panda Labs reported this month a Trojan system with a target base of 2700 URLs
  – Techniques already developed for interception of data from Web form login pages
  – Broad targeting capability and the ability to cloak itself make success much more likely with crimeware
  – Goal changes: get one piece of code onto the PC that can intelligently and successfully respond to opportunities for any number of targeted institutions

Counter-Phishing Tech
• The phisher and counter-phisher are engaged in a war of escalating technologies and counter-technologies
• Unfortunately, advancements in counter-phishing technologies are countered by advancements in crimeware technologies
• Example: screen-scraping systems used to capture login data from graphical keyboards that were designed to neutralize keyloggers

Counter-Counter-Phishing Tech
• Screen scraper used against Brazilian bank

Counter-Phishing Tech is an Evolutionary Force
• Appearance of screen scraper technology to counter anti-keylogging systems illustrates the fact that these systems actually provide an evolutionary force provoking the increasing sophistication of phishing technology
• Thinking ahead to likely counters to anti-phish technology is a requisite

The Role of National CERTS In Counter-Phishing Activities

Directed at Crimeware-based Phishing

Evolving Role for CERTs?
• Automated eCrime systems force upon CERTs an augmented role as forward scout
• Phishing campaigns using crimeware don’t announce themselves like conventional phishing attacks
• CERTs need to search for clues and probe the Web for potential crimeware-spreading websites and media
• The model: Brazil CERT

CERTs as Forward Scouts
• Brazilian model is pro-active in detecting and tracking crimeware
  – Sift through all spam
    • Retail promotions
    • Reality shows
    • Celebrity videos
    • Internet greeting cards
  – Suspect URLs identified
  – Automated system contacts suspect URLs
  – System downloads crimeware, if deployed
  – Suspected crimeware analyzed
  – Notifications sent out
    • Send the crimeware to all anti-virus vendors that have not identified it
    • Notify owners of all sites hosting the crimeware-related URL
• Result: cleaner networks and updated signature files for the anti-virus vendors.
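The forward-scout pipeline on this slide and the site indicators in the January ’06 report highlights earlier (target name in the URL, a bare IP address instead of a hostname, a port other than 80) fit together: the indicators are what an automated sifter uses to promote a spam URL to a suspect. The following Python is an added example (not Brazil CERT’s or APWG’s code) that models the pipeline offline: it extracts URLs from a constructed spam corpus, scores each with the three indicators, hands suspects to a download-and-analyze stage represented by a callback, and emits the two kinds of notification the slide names. The brand list, hosts, addresses and the SHA-256 placeholder are all constructed; the deck’s bankofelbonia.com is reused as the protected brand.

```python
"""Offline model of the 'forward scout' pipeline above (added example; not
Brazil CERT's or APWG's code). Stages: sift spam -> extract URLs -> score
each URL with the three indicators from the January '06 report (target
name in URL, bare IP instead of hostname, port other than 80) -> hand
suspects to a download-and-analyze stage -> produce notifications. The
download stage is a callback so nothing here touches the network."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed brand list; a real list comes from member institutions.
WATCHED_BRANDS = ("bankofelbonia", "elboniacu")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Suspect:
    url: str
    reasons: list = field(default_factory=list)

    @property
    def score(self):
        return len(self.reasons)


def score_url(url):
    """Apply the report's three indicators; each hit adds a reason."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if BARE_IP_RE.match(host):
        reasons.append("no hostname, just IP address")
    for brand in WATCHED_BRANDS:
        # Brand string present somewhere in the URL, but the host is not the
        # brand's own domain (constructed convention: <brand>.com).
        if brand in url.lower() and not host.endswith(brand + ".com"):
            reasons.append(f"target name '{brand}' in URL, host is {host}")
            break
    try:
        port = parts.port
    except ValueError:          # malformed port string
        port = None
    if port is not None and port not in (80, 443):
        reasons.append(f"not using port 80 (port {port})")
    return Suspect(url, reasons)


def sift_spam(messages):
    """messages: iterable of (subject, body). Returns suspects with at least
    one indicator, highest score first, de-duplicated by URL."""
    seen = {}
    for _subject, body in messages:
        for raw in URL_RE.findall(body):
            s = score_url(raw.rstrip(".,)"))
            if s.score and s.url not in seen:
                seen[s.url] = s
    return sorted(seen.values(), key=lambda s: -s.score)


def build_notifications(suspect, sample_sha256, av_vendors_missing, host_owner):
    """One record per AV vendor that does not yet detect the sample, plus one
    for the owner of the host serving the URL (the slide's two recipients)."""
    notes = [{"to": v, "kind": "new-sample", "sha256": sample_sha256, "url": suspect.url}
             for v in av_vendors_missing]
    notes.append({"to": host_owner, "kind": "hosting-abuse", "url": suspect.url,
                  "reasons": list(suspect.reasons)})
    return notes


def run_pipeline(messages, fetch_and_analyze, av_vendors_missing, host_owner):
    """fetch_and_analyze(url) stands in for the sandboxed download/analysis
    stage and returns a SHA-256 string when the URL dropped an executable,
    else None. Returns all notification records produced."""
    out = []
    for s in sift_spam(messages):
        digest = fetch_and_analyze(s.url)
        if digest:
            out.extend(build_notifications(s, digest, av_vendors_missing, host_owner))
    return out


# Constructed spam corpus mirroring the lure categories on the slide; hosts
# and addresses are documentation placeholders.
SAMPLE_SPAM = [
    ("Reality show finale clips!", "Watch now: http://203.0.113.7/bankofelbonia/login.exe"),
    ("Your e-card", "A friend sent a card: http://www.bankofelbonia.com.cards.example:8081/view"),
    ("Spring promotion", "Save 20% at http://shop.example/promo"),
    ("Celebrity video", "Same lure again: http://203.0.113.7/bankofelbonia/login.exe"),
]


def stub_fetch(url):
    """Constructed stand-in for the analysis stage: pretends only the .exe
    lure yielded a sample."""
    return "<sha256-placeholder>" if url.endswith(".exe") else None


if __name__ == "__main__":
    for note in run_pipeline(SAMPLE_SPAM, stub_fetch, ["AV vendor 1", "AV vendor 2"], "abuse@hosting.example"):
        print(note)
```

The scoring is deliberately simple and additive; the slide’s 45% / 30% / 8% figures show that each indicator alone misses most sites, so the value of the sifter is in the queue it feeds to analysis, not in any single rule. The fetch stage is the step that must run in an isolated environment, which is why it is kept behind a callback here.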

APWG Roles and Resources

Data Resources for an eCrime “Centers for Disease Control”

Data Resources and Efforts
• Aggregation of phishing attack data since 2003; reports collected in a Repository
  – Repository holds an estimated 200,000+ records
  – More contributors appearing every month
    • Large ecommerce companies
    • Spamtraps (filtering for phish mail)
    • National CERTs
• Promotion of a common global reporting format developed specifically for international eCrime
• Alerting/communications systems

APWG Repository & Data Sharing
• [email protected] has been taking phishing reports since Fall 2003
• Over 35,000 phish emails reported every month
• Over 13,000 unique phishing attacks reported each month
• Adding new channels and resources to populate the database
  – eCommerce companies, CERTs, etc.
  – Working on data sharing agreements
    • Japan (METI)
    • Korea CERT
    • Australia CERT
    • Several global ecommerce companies
  – Parsing and formatting issues

eCrime Data Clearinghouse and Data Aggregation Services

Some 30 companies and agencies are currently subscribing to the Repository, with a growing queue. Many become contributors. End game: the Repository becoming a confederating nexus for compounding eCrime data.

APWG IODEF Extensions for eCrime
• Goal: define a common report format for eCrime incidents
  – Started with phishing; added spam, fraud, e-crime
  – Make it easy to send in activity reports
  – Support other reporting mechanisms, maybe
  – Provide some tools to create/read reports
• APWG picked the IETF INCH IODEF XML format as the base because:
  – Flexible (simple through ultra-detailed)
  – Easy to read
  – XML
  – Some people are concerned about its complexity
  – It is in limited use by CERTs already
• No ramp up needed, we could just go…
• Submitted as an IETF draft
• APWG’s IODEF going into ‘Last Call’ within a few weeks
• Contact: Pat Cain – [email protected]

Current State of IETF Draft
• IETF draft(s) have been submitted
  – draft-ietf-inch-phishingextns-##.txt
• Some tools have been created
  – www.coopercain.com/incidents
  – Expanding to include the rest of INCH data items
• Some pilots are starting up
  – Some informal use has occurred
  – Use by CERTs in INCH pilots moving ahead
  – APWG repository should accept them soon
  – FI ISAC pilot being formed
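The two slides above name “tools to create/read reports” as a goal and give the base format as the IETF INCH IODEF XML. As an added example (not APWG’s or Cooper Cain’s tooling), the Python below creates and reads back a minimal phishing incident report using only base IODEF 1.0 elements as published in RFC 5070 (IODEF-Document, Incident, IncidentID, ReportTime, Assessment/Impact, Contact, EventData/Flow/System/Node); it does not include the APWG phishing extension from draft-ietf-inch-phishingextns, and the incident id, reporter, host and address are constructed placeholders.

```python
"""Create and read a minimal phishing incident report in the base IODEF 1.0
XML format (the IETF INCH work the slide refers to, published later as
RFC 5070). Added example, not APWG's or Cooper Cain's tooling; it uses
base IODEF elements only and omits the APWG phishing extension
(draft-ietf-inch-phishingextns). All sample values are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
ET.register_namespace("iodef", IODEF_NS)


def _tag(name):
    return f"{{{IODEF_NS}}}{name}"


def build_phish_report(incident_id, reporter_org, reporter_email,
                       lure_host, lure_ip, description, report_time):
    """Return the report as an XML string. Child order follows the Incident
    content model: IncidentID, ReportTime, Description, Assessment, Contact,
    EventData."""
    doc = ET.Element(_tag("IODEF-Document"), {"version": "1.00", "lang": "en"})
    inc = ET.SubElement(doc, _tag("Incident"), {"purpose": "reporting"})
    # IncidentID's 'name' attribute identifies the issuing organisation.
    ET.SubElement(inc, _tag("IncidentID"), {"name": reporter_org}).text = incident_id
    ET.SubElement(inc, _tag("ReportTime")).text = report_time.isoformat()
    ET.SubElement(inc, _tag("Description")).text = description
    assessment = ET.SubElement(inc, _tag("Assessment"))
    ET.SubElement(assessment, _tag("Impact"),
                  {"type": "social-engineering", "severity": "medium"})
    contact = ET.SubElement(inc, _tag("Contact"), {"role": "creator", "type": "organization"})
    ET.SubElement(contact, _tag("ContactName")).text = reporter_org
    ET.SubElement(contact, _tag("Email")).text = reporter_email
    # The lure site is recorded as the 'source' system of the event.
    system = ET.SubElement(ET.SubElement(ET.SubElement(inc, _tag("EventData")), _tag("Flow")),
                           _tag("System"), {"category": "source"})
    node = ET.SubElement(system, _tag("Node"))
    ET.SubElement(node, _tag("NodeName")).text = lure_host
    ET.SubElement(node, _tag("Address"), {"category": "ipv4-addr"}).text = lure_ip
    return ET.tostring(doc, encoding="unicode")


def read_phish_report(xml_text):
    """Pull the fields a repository would index back out of a report."""
    ns = {"iodef": IODEF_NS}
    inc = ET.fromstring(xml_text).find("iodef:Incident", ns)
    if inc is None:
        raise ValueError("no Incident element")
    node = "iodef:EventData/iodef:Flow/iodef:System/iodef:Node/"
    return {
        "incident_id": inc.findtext("iodef:IncidentID", namespaces=ns),
        "issuer": inc.find("iodef:IncidentID", ns).get("name"),
        "report_time": inc.findtext("iodef:ReportTime", namespaces=ns),
        "reporter": inc.findtext("iodef:Contact/iodef:ContactName", namespaces=ns),
        "lure_host": inc.findtext(node + "iodef:NodeName", namespaces=ns),
        "lure_ip": inc.findtext(node + "iodef:Address", namespaces=ns),
    }


def example_report():
    """Constructed sample: a counterfeit login page for the deck's
    bankofelbonia.com example, hosted on a documentation-range address."""
    return build_phish_report(
        incident_id="EXAMPLE-CERT-2006-0001",
        reporter_org="Example CERT",
        reporter_email="phish-reports@cert.example",
        lure_host="www.bankofelbonia.com.cards.example",
        lure_ip="203.0.113.7",
        description="Spam lure pointing to a counterfeit online banking login page",
        report_time=datetime(2006, 1, 31, 12, 0, tzinfo=timezone.utc),
    )


if __name__ == "__main__":
    xml_text = example_report()
    print(xml_text)
    print(read_phish_report(xml_text))
```

Reading the report back through the same namespace-qualified paths is the part that matters for the repository’s “parsing and formatting issues” mentioned on the earlier slide: a consumer that keys on element names without the namespace will silently find nothing.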

APWG Data Resources V2

Phish Mail Reporting

Crimeware Reporting

Crimeware Site Reporting

Crimeware Site Reporting

Blinded Abuse Contact System

• Usability requirements
  – Cross-industry utility
    • Brand owners, ISPs, CERTs and Registrars
  – Private
  – Disclosure at the contact’s discretion
  – Federation with other databases and contacting systems

Implementation
• APWG Portal
• Over 2000 contacts
  – CERTs
  – Brandholders
  – Law enforcement
  – Private policing agencies working with brandholders
• Blind request systems
• Available only to APWG members

APWG Central Operations Server

Contact Directory
• Today
  – [email protected]
  – [email protected]
  – [email protected]
  – Correspondents’ personal books
  – Discussion on private mail lists
• Great, for what it does, but it’s all a variation on a fire drill
• Hard for stakeholders unknown to each other to contact each other and work together

Brandholder Contact Database

Company Contact Database

Company Contact

Company Contact (Con’t)

Peter Cassidy
Secretary General – APWG

[email protected]

+1 617 669 1123 (United States)

+86 10 13522 697989 (China)