Written By: Stuart Okin
Published By: Microsoft Security Newsletter, December 2009
We have heard for some time that hackers have moved from script kiddies, trying to raise their profile, to the seedy and dark world of organised crime. The indictment of the hacker ring in Atlanta in early November for the $9.4 million RBS Worldpay ATM theft, is just one more example of the evolution in organised cybercrime and its sophistication in carrying out complex operations in short timeframes. This ring managed to coordinate an attack on more than 2,000 ATMs within a 12-hour period. Following less than a week of reconnaissance on existing vulnerabilities in RBS Worldpay security, the hackers began taking advantage of the vulnerabilities to acquire encrypted PINs through reverse engineering. This isn’t the first large scale instance of stolen encrypted PINs, which first emerged in the well publicised TJ Maxx theft, involving 11 hackers, and the stolen details of 40 million credit cards. It is believed in both cases that these criminals didn’t actually manage to crack the encryption, but rather bypassed security controls and elevated privileges, in order to function as super-users in the different systems - enabling these heists.
Organised cybercrime rings are beginning to resemble commercial entities, even with a range of pricing models, enabling more efficient attacks, which bring with them bigger returns. On some sites cybercrime is offered as a service today (perhaps we can coin the phrase CaaS!), where they offer a variety of services, such as crimeware - malware which automates cybercrime. Fill in a simple checklist; the operating system, type of attack (botnet, malware), and then the criminal ‘client’ (i.e. attacker) receives the capability of utilising infected computers to attack their target, with the ability to track progress through an online web portal. Cybercrime made easy at the click of a button! This is what we are now up against.
According to some pundits, cybercrime may have even surpassed drug trafficking in some countries as the most profitable illegal business. Furthermore, in the past cybercrime was more about the propagation of widespread, highly visible incidents, solely for the purpose of causing disruption and commotion, however, today these are being replaced by targeted, stealth attacks, often characterised by their invisibility to their victims.
The current method employed by cybercriminals today is the combined attack. Take as an example a recent attempted attack on a client of ours, a major international bank, where an internet port was targeted to divert attention from the more critical attack taking place simultaneously on a database, with sensitive account credentials. Vigilance is a critical factor in catching cyber attacks in real-time, however the ability to analyse the event in the context of the bigger picture is imperative in preventing these diversionary tactics.
Vulnerabilities which once upon a time could have been relegated to important but not necessarily critical, are posing much more serious risks. As an example, we have been working with another leading financial institution, where we identified a potential race condition in their Forex portal. The company’s Forex portal enables a client to purchase foreign currency in the amount their bank account holds, however, the portal vulnerability raised the possibility of valid simultaneous user sessions and as a result a malicious user could in essence open 100 or 1000 sessions at the same time, and purchase foreign currency that far exceeded their bank account limitation. The purchasing of an exorbitant amount of a foreign currency artificially elevates the currency’s exchange rate, and if the malicious user simultaneously purchases and sells large amounts of that currency, they will make a great deal of money.
Supporting these targeted attacks, especially in the area of blackmail, extortion and identity theft, are the increasing number of PCs which have been taken over by organised crime, forming the backbone of botnet armies. It’s estimated by the FBI that more than one million computers are “hijacked” annually by malicious botnets. While it is often perceived that hackers are utilising special methods and cutting-edge techniques, this often is far from the case; their power lies in the large amount of known attack methods and the associate high probability that applications are not protected against all of these. This is reflected in the continued massive rise in Phishing emails and linked spam (it is estimated that nearly 90% of emails today are spam), malware, malicious botnets (more than doubling in number from January to June 2009), worms, Trojans, SQL Injection attacks and site defacement attacks, which are some of the most common methods of attack utilised by cybercriminals – that still succeed many times over.
What makes the landscape increasingly challenging, is that the confidence in our current security controls and countermeasures is often undermined, from the bypassing of SSL at the Black Hat convention in July, through to the GSM A5/1 and DNS Kaminsky vulnerabilities; attacks previously believed as only “academically possible”. While it’s virtually impossible to hermetically secure software today, seeing the incredible lengths criminals will go to obtain valuable financial information, we cannot underestimate the existing weapons in our arsenal to combat cybercriminals – education and awareness.
How it is that people still circulate the emails that state that Microsoft and AOL will give 20p for every person the email is sent to? Poor training and awareness.
How is it that employees manage to download malware and Trojans to their workstations from social networking sites? An improper enforcement of security policies and lack of awareness of these new threats.
How are cybercriminals succeeding in simple attacks like SQL injection? An inability to align coding with security best practices in strong authentication and encryption and a lack of security training for software architects and developers.
How is it that we still see site defacement? Poor network monitoring practices and a lack of awareness of the risk.
Every simple attack method has a simple security countermeasure which was evidently improperly implemented, overlooked or taken too lightly. Cybercriminals aren’t carrying out simple attack scenarios because they’re incapable of more complex attacks, it’s because they don’t need to.