Two of the biggest threats to individual Internet users are phishing and botnets. While many users understand the threat presented by phishing, few understand the economy behind it and the fact that phishing activity links to the less well understood botnet threat. During the 2008 Black Hat events in Las Vegas earlier this year, the elite of the computer security community focused their efforts on a better understanding of the economics and the technology behind these threats.
One of the joys of making the annual pilgrimage to the Black Hat conference is to attend sessions that present something completely new in security. That was definitely the case with “Bad Sushi: Beating Phishers at Their Own Game” by Nitesh Dhanjani, senior manager and leader of application security services, Ernst & Young LLP and Billy Rios, security engineer, Microsoft Corporation. For those of you not completely up on your computer security jargon, phishing is the process by which a hacker tries to get unsuspecting Internet users to divulge their personally indentifying information such as Social Security numbers, user names and passwords, or credit card information. Phishing is further broken down into several types:
• phishing: sending generic e-mails with malicious attachments or links to millions of Internet users to try and steal their PII;
• spear phishing: sending specifically crafted e-mails with malicious attachments or links to a targeted group of Internet users to try and steal their PII; and
• whaling: sending specifically crafted e-mails with malicious attachments or links to a targeted group of corporate or government executives to try and steal their PII.
Unlike most computer security discussions that focus on how bad the economic loss is to phishing victims (Gartner put the cost at $3.2 billion in 2007[FOOTNOTE 1]) or its pervasiveness (81,215 unique phishing Web sites in Q1 2008[FOOTNOTE 2]), Dhanjani and Rios discussed the business and economy behind phishing. They started their exploration by trying to figure out what it would take for someone to get involved in phishing as a money-making business. In effect, the market entrance.
Dhanjani and Ross found both an infrastructure and an economy behind phishing. By simply searching Google for phishing Web sites, they were able to collect nearly 60,000 Microsoft Live.com accounts and passwords along with links to other data collection Web sites. Being computer security experts, Dhanjani and Rios then decided to take a look at “phishing blacklists.”
Phishing blacklists are lists of e-mail addresses or Web sites that may be involved in phishing or distribution of malicious software. Phishing blacklists are commonly used behind-the-scenes by e-mail programs, Web browsers and network administrators to block or remove content from known or potentially dangerous sites. Unfortunately, phishing blacklists are often maintained by automated methods, with user and password information for various sites. Phishing blacklists can also be used to point hackers to computers that have already been compromised by other phishers and that are ripe for further abuse.
Dhanjani and Rios then took a unique phrase from the output of a common phishing software script and plugged it into Google. They found hundreds of public and unprotected Internet message boards trading stolen PII. Once they had established where to get information on becoming phishers, Dhanjani said that they discovered a “phishing ecosystem” where support was available from sophisticated computer programmers to check the validity of stolen credit card and bank account information. These more experienced phishers were also blatantly selling credit card information, PII and phishing Web site startup “kits.”
The pair found that phishers publicly posted peoples’ credit card information along with their full identities to support their “credibility” and provide examples of their merchandise. The security researchers also found that phishers maintain and trade lists of instant messaging and e-mail addresses of individuals suspected of being “untrustworthy” or members of law enforcement. This part of the presentation led to a very interesting topic that was dubbed “Phisher on Phisher Crime.” While reviewing the operation of several of the phishing kits that had been provided by experienced phishers, Dhanjani and Rios discovered that some of the kits actually contained Trojan software code to steal credit card information from other phishers who were using the kits. The pair concluded that there is definitely no honor amongst thieves in cyberspace.
As a wrap-up to the presentation, Dhanjani and Rios noted that “phishing isn’t the only thing going on in the Phishing Ecosystem.” They showed numerous examples of phishers trading information on the use of “ATM skimmers” used to steal financial information. An ATM skimmer is a small device that is placed over the magnetic card slot on a legitimate bank’s ATM to steal ATM card numbers and PINs.
While many phishing attacks are designed to steal credit card or PII information from a single individual there are also attacks designed to steal control of a user’s computer. One of the most pervasive and least publically understood threats on the Internet today are botnets. A botnet is computer security jargon for a collection of malicious autonomous software robots running on hundreds of thousands or even millions of computers, mostly using Microsoft Windows, without the owner’s knowledge. Once botnet software is on a computer, the botnet’s controller, or “bot herder,” can remotely use the victim’s computer. The bot herder then controlls the computer to:
• launch denial-of-service attacks;
• install adware or spyware to create a barrage of unwanted advertising;
• send out millions of phishing e-mails and further spread the botnet;
• create false Web “hits” or “click-throughs” to interfere with Web site advertisements and promotions; and
• become part of a very sophisticated Domain Name Service abuse known as “Fast Flux” that allows a bot herder to hide his phishing and malware Web sites behind a constantly changing list of victim IP addresses.
Noted phishing expert Aaron Higbee, Intrepidus Group, points out that while the larger percentage of phishing attacks are directed at stealing individual financial information or PII, there are some phishers involved with botnets that just want to control computers to further their crimes.
One of the best known and reviewed botnets in the computer security community is the “Storm” botnet. The Storm botnet’s authors and Storm’s complete size are unknown. Some computer security experts estimate that the Storm botnet may be made up of as many as 250,000 to 1 million infected computers. [FOOTNOTE 3] What is known about botnets like Storm is that they can be very dangerous and difficult to investigate or shut down. “Botnets are incredibly resilient, can mutate and are very survivable,” says Higbee. “Phishers employ multiple techniques to gain control of victim computers, [such as] domain squatting and using malicious e-mail attachments and even Trojaned copies of downloadable television programs.”
Malware and volatile memory forensics expert, Aaron Walters, Volatile Systems, noted that “the individuals building and maintaining botnet software are real professionals building sophisticated software for a criminal industry.” Walters went on to explain that some bot herders had been attacking virtual hosting service providers to Trojan hundreds of Web sites to further expand their bot networks. Walters made it clear that while most bot herders are simply users of publically available botnet “kits,” there is a small core of software developers actively building new and more sophisticated botnets.
When Higbee and Walters were asked what the average user could do to protect themselves from phishing and botnet threats they came up with this short list of recommendations:
• make sure that you receive Microsoft Update patches; Higbee noted that Microsoft sends out regular botnet security updates as part of its “Malicious Software Removal Tool”;
• keep your antivirus product of choice current;
• be suspicious of forwarded e-mails;
• note that several, reputable antivirus vendors provide free online scanning of your computer; and
• be wary of Web site popups asking for user information, credit card or other financial information.
Brian Dykstra is a senior partner at Jones Dykstra & Associates, a Maryland-based consulting firm. Jones Dykstra & Associates specializes in e-discovery, computer forensics, expert witness testimony and computer intrusion response services.
FN1 McCall, T., 2007, “Gartner Survey Shows Phishing Attacks Escalated in 2007; More than $3 Billion Lost to These Attacks.”
FN2 APWG, 2008, “Phishing Activities Trends Report Q1/2008.”
FN3 Larkin, E., 2007, “Storm Worm’s virulence may change tactics.”