 The notorious Rock Phish gang is pushing the envelope again, adding a sophisticated crimeware Trojan to its identity theft arsenal.
The Russian group, which is responsible for about half of all phishing attacks, is now doing browser-based drive-by attacks to load a variant of Zeus, a Trojan toolkit that sells online for $700.
"This is more than double the trouble," says RSA Security senior researcher Uriel Maimon.
Details of the latest Rock Phish twist:
"The victim is duped into visiting a phishing site. However, whether or not the victim surrenders his/her credentials into the site is irrelevant (many people click on phishing links but do not fill in meaningful information): with this new attack-twist, the victim will still be infected with a Trojan horse.
This is done via a technique called "drive-by infection," wherein a vulnerability in the victim's operating system, browser, or software is exploited in order to infect the victim without his/her knowledge (and much less his/her consent, or with the victim having to proactively download software). The vulnerabilities that are exploited in these situations are often unknown to the software vendors and therefore often not addressed, leaving the victims defenseless (just like your humble servant finds himself when in the company of a beautiful woman).
This particular case of drive-by infection was masked particularly well. The code that attempted to infect the machine was hosted on a domain named in such a way that it blatantly infringed on Google's trademark, but with the end-result that it made advanced users or heuristic security software more likely to allow content from the domain. The URL itself was also dynamically generated so blacklisting it or adding it to a trivial pattern match would fail.
* Photo credit: ToastyKen (Creative Commons 2.0)
|
Comments (1)
We need to start looking at the Security Question from the stand point of the attacker: how do attackers steal data?
generally it is by using malware: some kind of trojan that they "inject" into the victim
Malware must be stopped and the way to begin is by putting a complete 100% stop to un-authorized programming.
Any OS that is to be used in a commercial system should permit only one (1) means by which to update programming. The Official Version of Setup.exe might serve well for this for MS/Windows for example
Updates then would have to be downloaded and then then applied by the user and of course digital signatures of the PGP type would be used on all the programming
The necessary public keys could be distributed with new computers when shipped starting as this change is implemented; existing systems would have to be upgraded to the new O/S level in order to get this kind of protection.
Only registered programs would be allowed to execute and the only way to register a program would be by using the official version of setup.exe
the registry would serve as an inventory of programming, listing the programs that should be available to the system to use together with the digital signature for each one. this would enable the RESPONSE aspect of security by allowing users to check their machines to make sure they are not loaded with any un-authorized programming
the improved security would make it possible to establish some product liability on software vendors to take care not to include malware in their distributions.
Note that computer security benefits from hardware support. Every commercial system should have a supervisor state and a problem state. all critical work being done in the supervisor state and olnly by the use of supervisor owned programs. Just like MVS/RACF
the idea that a hacker could initiate a system update from a defect in a flash-viewer just boggles my mind. the best he should get is a rather abrupt ABEND
Posted by Mike Acker | April 21, 2008 4:05 PM