Cybercrime Solutions: Monitoring, Response, Compliance

Phishing first came to light more than a decade ago – and really took hold 2001 – 2003. After the world dealt with the Y2K mania – phishing was the new super bug.

We old folk at iZOOlogic remember bank’s taking out adverts in newspapers and other print media to warn their customers of phishing attacks. This scholarly endeavor was to try and educate their customer base to this new and emerging risk. Actually, last year in one our African markets – we saw the same strategy, a local bank warning their customers against phishing in print media.

We are not actually sold on the idea that educating the customer bases is a fool proof method of phishing protection. Bank’s these days would hardly every advertise the fact that they are the target of phishing in third party media.

Cybercriminals still use emails to launch the social engineering component of a phishing or malware attack. Email content uses a “call to action’ such as a security update, web payment or refund to lure victims into clicking on the embedded link. Users are routed to fake web content or to download malicious attachment and executables.

shutterstock_155857484Criminals can easily send such emails using a spoofed “from” address to mask the spamming source. The spoofed source address adds to the legitimacy of the sender’s credentials and garners the required trust to trick the victim to act upon the social subterfuge. Spear phishing attacks can disguise email requests such as executive staff or a trusted trading partner. If a user receives an email from a known trusted or senior source, the user is much more likely to take immediate action.

All business networks will have some gateway and endpoint email security such as spam filtering and anti-malware protection, however, such emails can often bypass such controls, especially if the spam run is discreet, smart or launching a zero-day attack. It is well known and documented that such anti-virus and anti-malware products struggle to combat emerging threats.

Other messaging platforms such as SMS and online messaging services such as Social networks, Instant Messaging, whatsapp, skype are also exploited to spread phishing attacks. Although other platforms are increasing in popularity, email still remains the primary vector to distribute phishing and malware content.

SMiShing attacks often leverage a trusted brand to route the victim to a phishing site. An alternative variant of SMiShing is where the spam message contains only a call back number. The message maybe as simple as “Please urgently call back xxxx xxxx xxxx to update your account details” and there is no mention of a brands name. This type of SMiShing can easily reach a broad audience. The number may direct to a human voice – where our friendly criminal will answer the call, or it may often lead to an automated system where the victim is prompted to enter in credentials.

istock_000019988830xsm-smish

This type of SMiShing, where a brand is not leveraged, is harder for the business to monitor and detect as their brand is not mentioned in the message or attack. However, the bank may still end up with their access credentials / credit card details compromised.

SMiShing is prevalent is some geographies especially where a new mobile phone number can be readily obtained, often with a lack of verification, or where mobile pay-as-go accounts are common. The use of fake IDs, credit card details can also be used by the criminal to obtain a mobile number. The portability of mobile numbers to alternative carriers may also assist the criminal in their efforts. In some countries, the telecommunication regulator mandates the ease of obtaining mobile accounts and the portability of those accounts which further assists the criminal in launching their attacks.

The source of SMiShing originates from the telco network but the outcome deeply effects the other industries such as banking and financials. Because the victim organization is a non-telco business often the motivation to help prevent this kind of SMiShing maybe a little disparate. Often the real solution may take a coordination between telco/bank industry with the involvement of the respective regulators.

Let us introduce the Top 4 Malware – Financial Trojans – Zeus, Carberp, Citadel and SpyEye. Later in this series of articles we will look into each malware (financial Trojan) in greater detail but allow us to make the formal introductions.

Zeus

Zeus is not only the Grecian God but also the mother of all financial Trojans. Zeus first came onto the radar in 2007 after it was used in a credential-theft attack targeting the United States Department of Transportation. Since then it has remained the king of malware. Other malware has evolved with increased sophistication, however, Zeus has been responsible for the highest infection rates and financial losses. Infected victims are in the tens of millions and total fraud impact makes this a billion dollar piece of software. The original Zeus creator left the “business” in the 2011 and the source code was published in 2011. Most other financial Trojans have some kind of Zeus function, method and even base code.

Zeus is also known for innovative usage of mobile “younger brother” called ZitMo to circumvent popular two-factor authentication schemes with security code being provided via text message. SpyEye and Carber developed their respective mobile counterparts as well.

Banking malware aside, the Zeus trojan is among the most notorious of all malware, second only perhaps to Stuxnet.

Carberp

Carberp was originally introduced as a typical financial Trojan. It was designed to steal users’ sensitive data such as online banking credentials, such as username/password pairs, authentication token etc. Carberp was maintained via the cyber-criminals via a command and control (C&C) server and sent stolen data back to the primary server or credential drop sites. Carberp was soon enhanced with a layer of sophistication via a complex rootkit functionality allowing the Trojan to hide on the victims device. Later generations of Carberp provided variants with added plug-ins. These add-ons provided further stealth that uninstalled or disable anti-virus software plus others that scanned and disabled competing malware. This is an arms race.

Citadel

The Citadel trojan is a variation of the king of financial malware, Zeus. Citadel started where Zeus finished. It emerged, along with a number of other one-off trojans, after the Zeus trojan’s source code leaked in 2011. Citadel is like financial Trojan 2.0 – where the creators opened up the business models and the level of professionalism kicked up several gears. Cybercriminals could now purchase this financial malware under license. The source code was in the public domain where enhancements and function were constantly being revised and enhanced. Citadel’s initial noteworthiness has a lot to do with its creator’s novel adoption of the open the open-source development model that let anyone review its code and improve upon it.

SpyEye

The SpyEye trojan came out after Zeus and ran in parallel or competition to Zeus. Spyeye functioned in a similar to Zeus in terms of architecture and ran with large scale deployments and massive botnets and infection rates. We saw the back end infrastructure such as the Control and Command server become more complex, with multiple servers with built in redundancies making mitigation difficult. However, SpyEye peaked and then quickly became less popular as Zeus and Citadel Trojans evolved and became the Trojan of choice amongst the cyber criminal networks. At one point, parts of SpyEye botnet operation merged with Zeus’s into a meg-banking-botnet, but it would ultimately burn out without living up to the initial hype.

Financial Trojans evolve, always with increased stealth, impact to provide their creators, owners and masters a return on investment. Victim organisations must deploy strategic layers of defense – and in an evolving manner

Trademark and Copyright enforcement to protect digital assets. In an online world the digital assets of the business are open to a large range of fraud and abuse. Digital assets can be legally protected via Trademark and Copyright ownership claims. Examples of trademark and copyright infringement are fake websites and phishing sites, unauthorised social media accounts, rogue mobile apps, spoofed domain registrations, leaked private business documents and more.

When business trademark and copyright properties are available in the public domain the organization has the rights to enforce their property ownership.

Copyright vs Trademark

Two main type of protection the business can use are Trademark and Copyright claims.

Copyright is a form of protection provided to the authors of “original works of authorship”. Copyright includes works of art, photos, pictures, graphic designs, drawings and other forms of images.

A Trademark is a word, name, symbol or device which is used in trade with goods to indicate the source of the goods and to distinguish them from the goods of others. Trademark rights are used to prevent others from using a confusingly similar mark, but not to prevent others from making the same goods or from selling the same goods or services under a clearly different mark. Trademark protects a business name title, slogan, or other short word phrase. Copyright law does not protect a bare phrase, slogan, or trade name.

A company logo image design is protected either by trademark or copyright law depending on whether its use is intended to identify the source of goods or services. Usually a company logo design in protected by a Trademark claim.

In an evolving online world the business must take effort to protect it’s digital assets. Protection is usually made via either a trademark and copyright claim. First the business needs a proactive detection of such infringement. Second is to deploy the appropriate response in negotiating with third parties for the removal of the infringement via the appropriate legal channel.