Bots, malware getting harder to detect

Attackers have raised their game markedly in the past three months, delivering salvos harder to resist (and detect). Recent developments:

Advanced phishing

In the parry and thrust of phishing defenses and phishing attacks, one particular e-mail, sent to bank employees, represented a bold move for the bad guys in its level of social engineering sophistication: It pretended to be from a journalist researching a news story about a data leak at that bank, and addressed the recipient by first name.

“Dear ____,” the e-mail started. “I am a reporter for Finance News doing a follow-up story on the recent leak of customer records from [the bank’s name]. I saw your name come up in the article from Central News and would like to interview you for a follow-up piece.”

The e-mail then provided what appeared to be a link to the “Central News” story—a URL that included the bank’s name in its characters. The message ended, “If you have time I would appreciate an opportunity to further discuss the details of the above article. Regards, Gordon Reily.”

At one bank, hundreds of employees received the e-mail. The CSO at that bank (he would speak only on the condition of anonymity) eventually determined that clicking on the link connected to a website in China and installed a keylogger on the machine that accessed the link. Such a targeted attack would seek to have a bank employee with data access unwittingly log passwords and account information, which the bot would deliver to the attacker.

The e-mail was sophisticated; its grammar was impeccable, and it addressed recipients by name (which means the attacker had access to the bank’s e-mail rolls and could avoid blasting the e-mail and getting caught in spam filters). The guise of a journalist following a story was reasonable. And the e-mail suggested that the recipient was cited in a previous story, which would pique the person’s interest.

IM as distribution network

Chris Boyd, director of malware research at FaceTime Communications, came across a botnet in development that enabled an attacker to insert a link into an IM conversation that, when clicked, installed a bot on that computer. It appeared that the compromised computer then would become part of a spam distribution botnet. But after analyzing the “ridiculously complex and bizarre” code, Boyd believes that the attackers were still developing the botnet’s capabilities to go far beyond that.

Mastering the use of IM as a malware distribution engine concerns Boyd and others, because once attackers can insert their links, it’s hard to stop them. For example, even if the IM network blocks certain IP addresses and link hosts from getting on its network, “it takes five minutes to change the link,” Boyd says. That’s a lot of time for an IM network that has more than 80 million users.

The specter of CSRF

Cross-site request forgery, or CSRF, is when an attacker loads a URL for, say, online banking into a page he controls. If a user visited the bank site but didn’t log out and then went to the site the hacker controls, she would still be logged in to the banking session, a cookie would authenticate her, and the URL the hacker injected into the site would continue the banking session.

A test example of CSRF was used to add movies to people’s Netflix queues without their knowledge.
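
The session behaviour described above, as an added Python example that is not part of the original article: one handler trusts the session cookie alone, the other also requires a token that only the site's own pages carry. The handler names, request dictionaries and the HMAC-of-session-id token scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # server-side secret (constructed for this example)
SESSIONS = {}                         # session id -> user name


def csrf_token(sid):
    """Token bound to one session; the site embeds it in its own forms."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def login(user):
    """Create a session and return (cookie value, token for the site's forms)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = user
    return sid, csrf_token(sid)


def handle_cookie_only(request):
    """Weak form: any request that arrives with a valid session cookie is accepted."""
    sid = request["cookies"].get("session")
    return 200 if sid in SESSIONS else 401


def handle_with_token(request):
    """Hardened form: the cookie identifies the user, the token proves the
    request was built from a page the site itself served."""
    sid = request["cookies"].get("session")
    if sid not in SESSIONS:
        return 401
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), csrf_token(sid).encode()):
        return 403
    return 200


def build_requests():
    """Constructed sample requests for one logged-in user."""
    sid, token = login("alice")
    # Sent from the site's own form: cookie plus the embedded token.
    same_site = {"cookies": {"session": sid},
                 "form": {"action": "add", "csrf_token": token}}
    # Triggered from another site: the browser still attaches the cookie,
    # but the other site cannot read the token, so the field is absent.
    cross_site = {"cookies": {"session": sid}, "form": {"action": "add"}}
    return same_site, cross_site
```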