Attackers have raised their game markedly in the past three months, delivering salvos harder to resist (and detect). Recent developments:
Advanced phishing. In the parry and thrust of phishing defenses and phishing attacks, one particular e-mail, sent to bank employees, represented a bold move for the bad guys in its level of social engineering sophistication: It pretended to be from a journalist researching a news story about a data leak at that bank, and addressed the recipient by first name.
"Dear ____," the e-mail started. "I am a reporter for Finance News doing a follow-up story on the recent leak of customer records from [the bank's name]. I saw your name come up in the article from Central News and would like to interview you for a follow-up piece."
The e-mail then provided what appeared to be a link to the "Central News" story, a URL that included the bank's name in its characters. The message ended, "If you have time I would appreciate an opportunity to further discuss the details of the above article. Regards, Gordon Reily."
At one bank, hundreds of employees received the e-mail. The CSO at that bank (he would speak only on the condition of anonymity) eventually determined that clicking on the link connected to a website in China and installed a keylogger on the machine that accessed the link. Such a targeted attack would seek to have a bank employee with data access unwittingly log passwords and account information, which the bot would deliver to the attacker.
The e-mail was sophisticated; its grammar was impeccable, and it addressed recipients by name (which means the attacker had access to the bank's e-mail rolls and could avoid blasting the e-mail and getting caught in spam filters). The guise of a journalist following a story was reasonable. And the e-mail suggested that the recipient was cited in a previous story, which would pique the person's interest.
IM as distribution network. Chris Boyd, director of malware research at FaceTime Communications, came across a botnet in development that enabled an attacker to insert a link into an IM conversation that, when clicked, installed a bot on that computer. It appeared that the compromised computer then would become part of a spam distribution botnet. But after analyzing the "ridiculously complex and bizarre" code, Boyd believes that the attackers were still developing the botnet's capabilities to go far beyond that.
Mastering the use of IM as a malware distribution engine concerns Boyd and others, because once attackers can insert their links, it's hard to stop them. For example, even if the IM network blocks certain IP addresses and link hosts from getting on its network, "it takes five minutes to change the link," Boyd says. That's a lot of time for an IM network that has more than 80 million users.
The specter of CSRF. Cross-site request forgery, or CSRF, occurs when an attacker embeds a request URL for, say, an online banking action in a page he controls. If a user visited the bank site but didn't log out and then went to the site the hacker controls, she would still be logged in to the banking session: her browser would send the session cookie automatically, so the request the hacker embedded in his page would be carried out as part of her banking session. A test example of CSRF was used to add movies to people's Netflix queues without their knowledge.
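The mechanism above, and the standard defence against it, as an added illustration that is not code from the article: the vulnerable handler authorises a state change on the session cookie alone, while the hardened handler also demands a per-session synchronizer token (which a page on another origin cannot read) and checks the Origin header. The site name, cookie name and item queue are constructed for the example.

```python
import hmac
import secrets

SESSIONS: dict = {}  # constructed in-memory store: session id -> {"user", "csrf"}
QUEUE: dict = {}     # constructed per-user state that a forged request tries to change
SITE_ORIGIN = "https://bank.example"  # assumed origin of the legitimate site

def login(user: str) -> dict:
    """Start a session and mint a per-session CSRF token. The site embeds the token in
    its own forms, so only a page it served can echo it back."""
    sid, token = secrets.token_hex(16), secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": token}
    QUEUE.setdefault(user, [])
    return {"cookie": sid, "csrf_token": token}

def add_item_vulnerable(cookies: dict, form: dict) -> str:
    """Vulnerable handler: the cookie alone authorises the change, so any request the
    victim's browser sends, including one an attacker's page triggered, goes through."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return "401 not logged in"
    QUEUE[session["user"]].append(form["item"])
    return "200 added"

def add_item_hardened(cookies: dict, form: dict, headers: dict) -> str:
    """Hardened handler: same cookie check, plus a synchronizer token that another origin
    cannot read, and an Origin header check as a second layer."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return "401 not logged in"
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf"]):
        return "403 missing or wrong csrf token"
    if headers.get("Origin") != SITE_ORIGIN:
        return "403 cross-site origin"
    QUEUE[session["user"]].append(form["item"])
    return "200 added"

def demo() -> dict:
    """The victim logs in, then her browser submits an attacker's auto-posting form:
    the cookie rides along automatically, but no token is present and Origin is foreign."""
    creds = login("alice")
    cookies = {"session": creds["cookie"]}
    forged = {"item": "attacker-chosen"}
    legit = {"item": "chosen-by-user", "csrf_token": creds["csrf_token"]}
    return {
        "vulnerable": add_item_vulnerable(cookies, forged),
        "hardened_forged": add_item_hardened(cookies, forged, {"Origin": "https://attacker.example"}),
        "hardened_legit": add_item_hardened(cookies, legit, {"Origin": SITE_ORIGIN}),
        "queue": list(QUEUE["alice"]),
    }
```

Running `demo()` shows the forged request succeeding against the vulnerable handler and being rejected by the hardened one, while the user's own submission still goes through.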