Security 2.0: Not just a new kettle of phish (February 08)
Watch out, malware. Security 2.0 is coming.
Just when bankers are getting a feel for the benefits of Web 2.0 now comes Security 2.0, a radical new approach to foiling “malware,” malicious software whose target is the nitty gritty transaction details of online banking.
Much of the security software now used in banking is designed to protect users against identity theft and other frauds typically perpetrated via e-mail and generically known as phishing. Like security in any arena, phishing quickly turned into an arms race between offense and defense. While e-mail messages promising financial or physical enrichment were once staples for enticing users to give out their passwords or credit card numbers, that approach is losing its potency.
So the arms race escalated. Fraudsters devised cleverer come-on messages that e-mail users couldn’t see through and sent them out in such profusion that fraud fighters couldn’t keep up with them. The classic of this kind was Storm Worm, a spam e-mail attachment that broke out in January ’07 with subject lines such as “230 dead as storm batters Europe” (in a week when there actually was a deadly storm in Europe). One executive of an anti-virus firm detected tens of thousands of variants of this message.
At the beginning of 2007 anti-malware vendors detected about a quarter of a million incidents worldwide. At the end of the year the number of attacks had reached half a million, as reported in an IT security threat summary by F-Secure, a pioneer in next-generation anti-malware services. This doubling of detected incidents means that the bad guys launched as many attacks in one year as they had in the previous 20, F-Secure reports. The sharp escalation in volume indicates that in 2007 malware authors were adapting, refining, and massively propagating variations of existing techniques rather than innovating new strategies.
Here are the main differences between phishing and emerging malware:
• Phishing expeditions cast wide global nets. It’s as easy to host multitudes of phishing sites as it is to host one. The new banking trojans attack one or a few banks that they know are rich targets.
• Phishing gets the victim to cooperate in attacking her bank’s server. Banking trojans rely on stealth to steal crucial software code at the browser.
• Anti-phishing strategies first detect new viruses in action worldwide and then devise countermeasures. Strategies against banking trojans constantly probe every site for suspicious behavior and try to disable it before it strikes.
F-Secure, the anti-malware vendor, has dubbed the new behavior-based strategy “Man in the browser.” This is a common scenario: The “man” (i.e., the trojan) uses some ploy to create a facsimile of crucial elements of a legitimate online banking system. One way to start this chain of events is to intervene in the sign-on procedure by first rejecting the username and password and then copying the user’s second response onto the imposter system. Then the trojan lies in wait in some cozy corner of the browser, doing nothing but watching for useful coding strings, such as “Welcome to Citibank,” that identify a rich target.
Once inside the banking software, it can execute a fake transaction, such as “Transfer $987.00 to the Guesswho account.” F-Secure’s behavioral counterstrategy is to monitor every action on a user’s browser, looking for suspicious strings of code. The string could be an exact copy of the legitimate code, but its mere appearance and reappearance in unlikely places could be judged suspicious and countered before any malicious event occurs. Encrypted banking sessions occur within the browser, so that’s where anti-malware should be, F-Secure advises.
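To make the behavioral idea above concrete, here is an added illustration (not F-Secure’s product and not any bank’s code) of the kind of check an in-browser monitor can run: it compares what the browser actually rendered on a sign-on page against a known-good manifest and flags the tell-tale signs of tampering the article describes, namely extra form fields the bank never asked for, a form action re-pointed at another origin, and a legitimate string such as the welcome banner appearing more times than it should. The bank name, URLs, form and field names, and the two page snapshots are all constructed for the example; in a real deployment the snapshot would be built from `document.forms` and the page text.

```javascript
// Added example: auditing a rendered sign-on page against a known-good manifest
// to detect man-in-the-browser tampering. Illustrative only; the bank, origins,
// form ids and field names below are constructed, not taken from any real site.

// Known-good manifest for the bank's sign-on page (constructed).
const EXPECTED_LOGIN_PAGE = {
  origin: "https://online.examplebank.test",
  forms: [
    { id: "signon", action: "/login", fields: ["username", "password"] },
  ],
  // Strings that must appear exactly once; a second copy in an odd place is suspicious.
  uniqueMarkers: ["Welcome to ExampleBank"],
};

// Resolve a (possibly relative) form action to its origin, or null if unparseable.
function originOf(url, pageOrigin) {
  try { return new URL(url, pageOrigin).origin; } catch (e) { return null; }
}

// `observed` is a snapshot of what the browser rendered:
//   { origin, forms: [{ id, action, fields: [...] }], text }
// Returns a list of findings; an empty list means the page matches the manifest.
function auditLoginPage(observed, expected = EXPECTED_LOGIN_PAGE) {
  const findings = [];
  const expectedById = new Map(expected.forms.map(f => [f.id, f]));

  for (const form of observed.forms) {
    const spec = expectedById.get(form.id);
    if (!spec) {
      findings.push({ severity: "high", rule: "unexpected-form",
        detail: `form "${form.id}" is not in the manifest` });
      continue;
    }
    // Extra fields the bank never asked for (e.g. a bogus "confirm your PIN" prompt).
    for (const field of form.fields) {
      if (!spec.fields.includes(field)) {
        findings.push({ severity: "high", rule: "injected-field",
          detail: `form "${form.id}" has unexpected field "${field}"` });
      }
    }
    // Fields the manifest expects but the page lacks: the form was replaced or rewritten.
    for (const field of spec.fields) {
      if (!form.fields.includes(field)) {
        findings.push({ severity: "medium", rule: "missing-field",
          detail: `form "${form.id}" lacks expected field "${field}"` });
      }
    }
    // Form action pointing off-site: submitted credentials would leave the bank's origin.
    if (originOf(form.action, observed.origin) !== originOf(spec.action, expected.origin)) {
      findings.push({ severity: "high", rule: "foreign-action",
        detail: `form "${form.id}" submits to ${form.action}` });
    }
  }

  // Forms the manifest requires that are absent from the page.
  for (const spec of expected.forms) {
    if (!observed.forms.some(f => f.id === spec.id)) {
      findings.push({ severity: "medium", rule: "missing-form",
        detail: `expected form "${spec.id}" not found` });
    }
  }

  // A legitimate marker string showing up more (or fewer) times than it should.
  for (const marker of expected.uniqueMarkers) {
    const count = observed.text.split(marker).length - 1;
    if (count !== 1) {
      findings.push({ severity: count === 0 ? "medium" : "high", rule: "marker-count",
        detail: `"${marker}" appears ${count} time(s), expected 1` });
    }
  }
  return findings;
}

// Constructed snapshot of an untampered sign-on page.
const CLEAN_SNAPSHOT = {
  origin: "https://online.examplebank.test",
  forms: [{ id: "signon", action: "/login", fields: ["username", "password"] }],
  text: "Welcome to ExampleBank. Please sign on.",
};

// Constructed snapshot of the same page after in-browser tampering.
const TAMPERED_SNAPSHOT = {
  origin: "https://online.examplebank.test",
  forms: [{ id: "signon", action: "https://collector.example.test/login",
            fields: ["username", "password", "atm_pin"] }],
  text: "Welcome to ExampleBank. Welcome to ExampleBank. Please sign on and confirm your ATM PIN.",
};

console.log("clean page findings:", auditLoginPage(CLEAN_SNAPSHOT));
console.log("tampered page findings:", auditLoginPage(TAMPERED_SNAPSHOT));
```

The manifest approach only works if the bank controls what the page should look like and keeps the manifest current with every release; a stale manifest produces false alarms on a legitimate redesign, which is exactly the maintenance burden a hosted anti-malware service takes on for its clients.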
Speed is essential
To protect against attacks by either traditional phishing or stealth trojan strategies, fast reaction time and frequent anti-malware updates are essential. In an F-Secure analysis of a typical attack, 200 messages or machines can be infected within ten hours of discovery. That number jumps to 1,000 during the eleventh and twelfth hours. F-Secure has good credentials for speedy reaction and publishing, according to tests by the independent antivirus testing lab, AV-Test.org. In those tests, F-Secure’s average response times for the twelve major outbreaks in the first half of 2005 were 2 hours, 38 minutes, compared with 9:29 and 10:48 for its main competitors.
F-Secure, a Finnish company, has “hundreds” of banking clients worldwide, among them an undisclosed number of top 20 banks in the U.S. Besides offering anti-malware as a hosted service through ISPs, F-Secure also offers its platform to enterprises and gateways, along with security services for mobile devices.
A personal case of mal-serendipity
Has contributor Bill Orr been hacked?
The finished draft of this article lay on my desk, ready to send to my editor. Before doing that, I tried contacting my online banking account on an unrelated matter. I entered my ID and password and got a message that one of those entries was invalid. So I reentered the data. Same message. Suddenly it dawned on me that I might be the victim of the very same “banking trojan” attack I’d just written about. I called the bank. Their online banking provider went over her list of possible cures, among them too many saved “cookies,” too high a setting on my privacy preference, and too many temp files. I fixed all those and tried again. Same result. The bank’s online provider terminated the discussion with: “There’s nothing wrong on our side.”
Then I did what any intelligent person does. I called on my son for help. After a few minutes of online sleuthing, he told me I hadn’t updated my anti-virus system for seven months. Impossible, I said. I update it every Friday. More sleuthing revealed that I was the victim of a trojan attack that had been detected a month earlier. It even had a name, New Malware.hi. An overview message explained that, “unlike viruses, trojans do not self replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation.”
I got online, examined my account history—nothing amiss there, thankfully. Post mortem: Although I had dutifully updated my anti-virus fixes every week, I had neglected to scan those updates into my hard drive. Once done, that cleared up the problem. So it had all been my fault—as the online banking service provider had so curtly implied. I’m still left with the nagging thought that although my bank wasn’t technically responsible, it ought to be concerned with my exposure to serious losses, even if that exposure was due to my error. —Bill Orr
The electronic version of this article is available at: http://lb.ec2.nxtbook.com/nxtbooks/sb/ababj0208/index.php?startid=54
TechTopics Plus