washingtonpost.com
Cyber Crime 2.0
In 2007, Online Fraud Got More Targeted and Sophisticated

By Brian Krebs
washingtonpost.com Staff Writer
Thursday, December 20, 2007 1:00 PM

The year 2007 may go down in the annals of Internet crime as the year when organized cyber criminals finally got serious about their marketing strategies -- crafting cyber schemes that were significantly more sophisticated and stealthy.

Security experts say criminals are increasingly trying to ensnare Internet users by lurking on familiar Web sites and using purloined data to craft scam e-mails that are more believable, and thus more likely to entice an unsuspecting user.

"The attackers are now following the same path that businesses have, in trying to advertise themselves in their own special way on the more popular Web sites," said Tom Liston, an incident handler at the Bethesda, Md.-based SANS Internet Storm Center and a senior security consultant with Intelguardians, a Washington-based Internet security consulting group. "They're doing exactly what every business tries to do, which is to find innovative ways to get themselves out in front of as many eyeballs as possible."

With more computer users than ever guarding their systems with anti-virus, firewall and other security software, Internet criminals have concentrated their efforts on tricking users into opening "backdoors" into their own systems. Most often this means convincing users to view malicious video or audio content on a Web site that takes advantage of security holes in the user's Web browser or media player, flaws which in turn give criminals the access they need to install software to control the user's machine remotely.

In wave after successful wave of attacks throughout 2007, virus writers found ways to stitch malicious videos and images into trusted, high-traffic sites like MySpace.com and YouTube.com. In several incidents, intruders slipped poisoned images into online banner advertisement networks used by a number of major Web sites, including Photobucket.com and social-networking site Bebo.com.

Attackers also excelled this year at timing attacks with holidays or major events. The day before Super Bowl XLI, for example, hackers infiltrated the Web site for Dolphin Stadium, which hosted the big game. Visitors who surfed the site without the latest Web browser security updates had spyware quietly installed onto their PCs.

On "Cyber Monday," the day following Thanksgiving weekend that is typically one of the largest online shopping days of the year, researchers at Clearwater, Fla.-based security firm Sunbelt Software discovered more than 40,000 Web sites that had been created and populated with fake search terms for the sole purpose of increasing their page ranking when Google users searched for any of the words listed in the bogus pages. Those words included a number of popular holiday gadget gifts, and all of the sites tried to silently install invasive programs on any visitor's machine.

Sunbelt Chief Executive Alex Eckelberry said Google responded quickly by removing all of the offending sites from its directory, but he believes the perpetrators of that attack will strike again soon.

"I think these guys will keep trying to cheat Google," Eckelberry said. "It was amazing to see these results coming up so high in the Google search terms. We really have our work cut out for us as malware researchers next year."

Dan Hubbard, senior director of security and technology at Websense, a San Diego-based Web filtering software firm, worries that in 2008 cyber crooks will begin purchasing ads and keywords on search engines to increase their exposure and lure greater numbers of Web surfers to malicious sites.

The Spam Storm

When it comes to malware marketing savvy and timing, few cyber crime operations of 2007 can hold a candle to the individual or group behind the "Storm worm." The e-mail-borne Trojan horse program earned the moniker after its debut in January, when the worm came disguised as videos with footage of the destruction wrought by violent storms that were lashing the coast of Europe at the time.

Millions of curious e-mail users fell for the ruse, infecting their computers with programs that gave the Storm author(s) full control to use them to send even more spam and infect more computers. And with each passing week, messages containing the Storm worm featured updated lures frequently coinciding with a holiday or another big news event.

The Storm worm also pioneered the use of alternative file formats to evade anti-spam filters, with spam messages propagating the malware embedded in Adobe PDF files, Microsoft Excel documents and even MP3 music files.

Technologically speaking, Storm reached far beyond anything security researchers had encountered in the past. Where most "botnets" -- large groupings of computers controlled by a hacker or organized crime group -- tend to be controlled from centralized locations through a hierarchical structure, each Storm-infected computer receives updates and instructions via a distributed peer-to-peer file sharing network, the kind typically used to trade music and movies.

The distributed nature of the Storm worm network makes it far more difficult for researchers and law enforcement to shut it down or accurately gauge its size. Estimates of the number of PCs infected by Storm this year ranged wildly from 1 million to 10 million worldwide.

Tom Gillis, vice president of marketing for IronPort, a San Bruno, Calif.-based e-mail security firm, said the Storm worm's success as a reusable platform for reliably delivering junk e-mail is almost certain to attract attention from copycats in 2008.

"Storm brought the first implementation of spam that linked to YouTube to deliver its message and payload," Gillis said. "Within months, the creative Storm used for its site became much more refined, including football Web sites timed to coincide with [the start of] the NFL season, and then scary screensavers around Halloween. Someone behind that gang is a marketer who understands the mass market and the consumer."

Overall, Storm contributed mightily to the flood of spam e-mail sent in 2007, which increased 100 percent over 2006, according to IronPort. That's roughly 120 billion spam messages daily, or about 20 spam e-mails per day for every person on the planet.

'Spear Phishing' and Targeted Attacks

The past year was also the first in which a good percentage of spam included the recipient's full name in the subject line. For the most part, that personalized touch was included as a means of enticing people to open junk e-mail messages touting knock-off prescription drugs or designer watches.

But nowhere was the personalization trend more evident than in this year's bumper crop of "phishing" attacks -- scams in which fraudsters use spam messages to trick people into entering their personal and financial data at fake e-commerce and banking sites. U.S. consumers lost roughly $3.2 billion to phishing scams in 2007, according to a survey by Stamford, Conn.-based research firm Gartner Inc.

In an alarming number of cases this year, phishing e-mails contained personal details about the recipients in both the salutation and body of the messages.

Such was the case with nearly a dozen separate incidents throughout 2007 in e-mails that appeared to have been sent by the Better Business Bureau, the FBI, the Federal Trade Commission, the IRS and the Treasury Department. The approach of each attack was nearly identical: Recipients were addressed by their full name in an e-mail that claimed that a complaint had been filed against the recipient and his or her employer. Recipients were asked to review the complaint by opening an attached document, which silently installed a password-stealing program when opened.

Mark Sunner, chief technology officer of MessageLabs, an e-mail security company based in New York City, said some of the attacks exclusively targeted executives at many of America's largest corporations. Sunner believes that next year scammers will actively mine social networking sites like Facebook, LinkedIn and MySpace for even more details about recipients that they can later use in phishing and malware-related attacks.

"These attacks have become much more tailored, and phishing is becoming much more laser-focused," Sunner said. "This is where the slightly more sinister side of social networking sites starts to play a part."

Not all authors of phishing scams are after financial data. Some of this year's most insidious phishing attacks targeted companies that hold huge repositories of professional contact information, data that can be recycled and resold for use in future phishing attacks. In mid-August, Monster.com said phishers gained access to the names, e-mail addresses and resumes of more than 1.6 million job seekers. Many of those Monster.com users subsequently received targeted malware attacks via e-mail that addressed them by name and claimed to come from Monster.com.

In November, software-as-a-service giant Salesforce.com acknowledged that phishers had made off with the contact information of its customers. Scammers later used that information to send personalized malware-laden e-mails to more than 40,000 customers of SunTrust bank, among several other financial institutions.

Dean Turner, director at Symantec Security Response, said he expects that phishers soon will begin turning their attention to spoofing the Web sites and e-mail communications of political candidates as the 2008 presidential election cycle swings into high gear.

In the 2004 presidential race, online criminals spoofed the fundraising page of Sen. John Edwards. In a separate string of incidents, credit card thieves made thousands of tiny 5-cent donations at Democratic presidential hopeful John Kerry's site to test whether stolen cards were still active.

"The opportunity for fraud is pretty rampant with [political fundraising] sites, and I think we can expect to see more scams and frauds taking advantage of that," Turner said.

Mac Attacks

Several security experts said they expect to see malware authors pursuing Mac and iPhone users in 2008, in part because the growing popularity of the Apple product line makes it a potentially more attractive and lucrative target. In a survey published this month by research firm ChangeWave, 29 percent of consumers polled said they planned to buy a Mac over the next 90 days. Apple currently holds about seven percent of the U.S. consumer computer market, according to research firm IDC.

In September, security experts warned that a piece of malware that had previously targeted only Windows users had been redesigned to infect Mac systems as well. Disguised as a "video codec" supposedly needed to view copy-protected online media, "Trojan.DNSChanger" silently alters the computer's DNS settings in such a way that if the victim types "www.paypal.com," the attackers can route the victim to a fake PayPal Web site set up to steal their personal and financial data.
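A defender-side check suggested by the DNSChanger description above: verify that the resolvers a Mac is actually configured to use belong to an expected set. This is an added example, not code from the article or from any vendor quoted in it; the `scutil --dns` output it parses is constructed, with a TEST-NET-3 documentation address standing in for the unexpected resolver, and the allow-list of networks is an assumption to be tuned for your own environment.

```python
import ipaddress
import re

# Constructed sample of `scutil --dns` output (not captured from a real Mac).
# resolver #1 has gained a second, unexpected public nameserver, the trace a
# DNS-changing Trojan leaves; 203.0.113.44 is a TEST-NET-3 placeholder.
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  search domain[0] : home.example
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.44
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)
"""

# Assumed allow-list: RFC 1918, loopback and IPv6 local ranges, i.e. a home
# router or local stub resolver. Add your own trusted resolvers to it.
DEFAULT_ALLOWED = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                   "127.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10"]

NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.M)


def parse_nameservers(scutil_output):
    """Return nameserver addresses in order of appearance, de-duplicated."""
    seen = []
    for addr in NAMESERVER_RE.findall(scutil_output):
        if addr not in seen:
            seen.append(addr)
    return seen


def find_unexpected_resolvers(scutil_output, allowed_cidrs=DEFAULT_ALLOWED):
    """Return configured resolvers outside the allowed networks.
    Entries that are not valid IP addresses are flagged too."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    flagged = []
    for addr in parse_nameservers(scutil_output):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            flagged.append(addr)  # an unparsable entry is itself suspicious
            continue
        if not any(ip in net for net in allowed):
            flagged.append(addr)
    return flagged
```

On a live system, feed `find_unexpected_resolvers` the real output of `scutil --dns`; an empty result means every configured resolver is one you expect.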

Researchers from Sunbelt Software and anti-virus maker McAfee have tracked multiple Web site attacks that employed the Trojan, which is thought to have been written by the same group behind the "Zlob" Trojan, one of 2007's most prolific families of malicious software.

"The interesting thing is that this DNSChanger for Mac was produced by people who really know how to write malware," said Dave Marcus, security research and communications manager for McAfee AVERT Labs. "This takes us to a level of professionalization that we haven't yet seen in the Mac world."

© 2007 Washingtonpost.Newsweek Interactive