echo: ra_support
to: all
from: mark lewis
date: 2003-12-17 15:18:34
subject: Online Financial Crime Headed From Bad to Worse

* Crossposted to TECH


Online Financial Crime Headed From Bad to Worse

By Brian Krebs
washingtonpost.com Staff Writer
Wednesday, December 17, 2003; 12:00 AM

In the annals of cybersecurity, 2003 should go down as one of the worst
years ever, as hackers and spammers repeatedly demonstrated just how easy
it is to use the latest software security holes, worms and viruses to
attack businesses and trick unwitting Internet users into divulging their
personal and financial information.

And 2004 could be worse.

A hint of just how bad came this week when yet another flaw in Microsoft's
ubiquitous Internet Explorer surfaced. The flaw gives criminals the ability
to control what is displayed in the address bar in a victim's browser
window.

The implications are significant. A savvy criminal could use a cleverly
designed e-mail to trick a victim into visiting what looks like a trusted
Web site -- like a bank site or Amazon.com -- but which in fact is nothing
more than a page designed to fool a victim into entering credit card
numbers, passwords and other sensitive information.

"The main thing I'm really concerned about with these bogus e-mails is
that they're quickly becoming more and more complex and
sophisticated," said Johannes Ullrich, chief technical officer for the
SANS Internet Storm Center, which collects data on Internet attack trends.
"Even for experts like us, it's becoming harder to distinguish between
what's real and what's fake."

Microsoft said last week it is investigating a software patch to fix the
flaw. "Obviously this is a concern of ours as people shop online for the
holidays, and we wanted to make sure consumers who are entering credit card
information are doing so at the appropriate site," spokesman Sean
Sundwall said. "We're at a stage where we're evaluating whether a patch is
at all necessary, and making sure that if we do issue a patch that it is
well tested and doesn't cause any additional harm."

If Microsoft issues a patch to fix the flaw, it would likely be the 20th
"critical" software patch to be released by the Redmond, Wash.,
firm this year. The company labels vulnerabilities "critical" if
they can be remotely exploited via an Internet worm, and Microsoft's
constant efforts to patrol its software demonstrate the increasingly
sophisticated nature of online crime.

"We're seeing a huge shift away from 'recreational' hacking to hacking
for profit. Mostly this involves hijacking end-user Windows systems for use
in spam, fraud or just direct marketing," said Joe Stewart, senior
security researcher for LURHQ, a security firm based in Myrtle Beach, S.C.

The evolution of the "Mimail" virus in 2003 shows how criminals
are increasingly focusing their work on financial scams. Mimail first
surfaced in August as a relatively harmless but fast-spreading bug. The
next four variants were apparently designed by spammers to attack a variety
of spam "blacklists" -- online databases of suspected spammers
that many Internet service providers and big corporations use to shield
recipients from junk mail.

But Mimail soon morphed into an e-mail virus that urged users of the online
payment service PayPal to update their credit card information via a Web
page that closely mimicked the design of the eBay subsidiary's member
services page.

Two weeks into November, the ninth version of Mimail took that ruse a step
further, attempting to take victims to a second Web page that asked for a
Social Security number, date of birth and mother's maiden name -- three
pieces of data that financial companies rely on most to verify the
identities of their customers. The last two Mimail variants to hit the Web
also hijacked infected computers to attack anti-spam Web sites.

Ken Dunham, malicious code manager for iDefense, a security company in
Reston, Va., predicted more virus authors in 2004 will start honing their
creations to target specific groups of Internet users.

The most visible example of that activity came with the emergence in June
of "Bugbear.B," a worm that security experts called the first
Internet attack aimed directly at the financial services industry. Bugbear
contains a list of nearly 1,200 Internet addresses for some of the world's
biggest banks, including American Express, Bank of America and Citibank.

Bugbear was designed to tell if an infected computer belongs to a person
using an e-mail address from any of those financial institutions, and then
steal passwords to make it easier for attackers to hack into bank networks.
Bugbear remains among Symantec's Top Five list of most prevalent Internet
attacks.

Remote Control

Another big trend in 2003 that experts believe will only get worse in the
new year is the growing number of malicious programs unleashed on the
Internet that can give criminals some form of control over an infected
computer, a problem fueled by the proliferation of unsecured broadband
connections that make it possible for hackers to gain access to thousands
of machines with the release of one cleverly written virus or worm.

Nothing demonstrated the growing threat this year better than
"Sobig," a worm that spawned six different incarnations since
January. Sobig and its cousins were the fastest-spreading and most
infectious worms ever, according to MessageLabs Inc., a New York-based
e-mail security firm.

In June, anti-virus experts discovered that computers infected with Sobig
were seeded with a tiny program that turned them into remotely controllable
spamming machines. MessageLabs found that nearly two-thirds of all spam on
the Internet today is being relayed through computers running software
relays of the sort left behind by the latest version of Sobig -- evidence
to support a suspicion among many security experts that spammers and virus
writers are increasingly working together.

The success of Sobig and other similar viruses has spawned a whole new
illegal marketplace, as criminals pay hard cash for lists of infected
computers.

"We have ample evidence to suggest that there is an increase in hard
currency being traded for [vulnerable] machines," said Kevin Houle, a
senior member of the technical staff for the CERT Coordination Center, a
government-funded security watchdog group at Carnegie Mellon University in
Pittsburgh.

"It has always been the case that there's been this underground barter
system, where people will say 'I'll give you one stolen credit card number
for X number of compromised machines,'" Houle said. "What we're
seeing more of is 'I will pay you X number of dollars for these same
resources.'"

While attackers are using viruses and worms to pave the way for spammers,
virus authors also are starting to use infected computers to release
their wares and cover their tracks, said Craig Schmugar, virus research
engineer for Network Associates, an anti-virus company based in Santa
Clara, Calif.

"The line between spam and viruses will become even blurrier in the
months ahead," Schmugar said.

Too Many Patches

Internet security officials regularly urge consumers to practice safe
computing, such as making sure they regularly update anti-virus software
and deploy the latest security fixes from software firms like Microsoft.

But even the savviest computer users can't always keep up with the large
number of security patches issued every year. Most Internet worms spread by
exploiting unpatched security holes in software and operating systems. This
year, as in the past, the big target has been Microsoft, whose Windows
operating system powers more than 90 percent of the desktop PCs on the
planet.

The "Slammer" worm kicked off the virus season in January,
spreading with such unprecedented speed -- it infected more than 300,000
vulnerable Microsoft servers in less than 15 minutes -- that it clogged
networks worldwide, crashing bank ATMs and delaying airline flights.

The "Blaster" worm made headlines in August by crashing or
infecting more than a half-million PCs worldwide, attempting to hijack them
for a coordinated attack on Microsoft's security Web site.

That attack ultimately proved unsuccessful, but security experts soon had
to deal with the "Welchia" worm, a so-called good worm that was
intended to patch the security hole exploited by Blaster. Welchia spread so
quickly that it disabled many corporate networks for days on end. Welchia
and Blaster remain among the Top Five most prevalent worms to date,
according to Symantec Security Response.

Christmas Virus Season

Even as criminals can exploit a whole list of newly discovered
vulnerabilities, SANS's Ullrich said he expects a bumper crop of new
computers to be infected with old worms and viruses still circulating on
the Internet as millions of consumers plug in shiny new computers they
receive over the holidays.

"The trouble is, even if your intention is to take the new PC out of the
box, plug it into the Internet and download the patches, it doesn't take
but a few minutes for one of these worms to find you, and then 'bam,'
you're infected," Ullrich said. "Most won't survive the first day
without getting hit with something."

CERT's Houle agreed, and urged consumers to learn more about how to protect
their computers and install the latest security patches. Alternatively, he
said, consumers should enable the software-based firewall that's included
in the latest Microsoft systems before connecting their computers to the
Internet.

(c) 2003 TechNews.com


http://www.washingtonpost.com/wp-dyn/articles/A5934-2003Dec16.html

* Origin: North American RemoteAccess Support 919-774-5930 (1:3634/12)
SEEN-BY: 633/267 270
@PATH: 3634/12 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
