Stay one step ahead of cyber criminals
NZ Herald April 6
Listen to Tom Clare speak and you would be extremely concerned about where you go on the internet.
You'll not just consider updating your antivirus software, you might start asking questions about what your internet service provider is doing to protect you.
Clare is the principal author of the Blue Coat 2011 web security report.
Blue Coat sells a secure proxy gateway that sits between customers and the internet, rating 3 billion web requests a week from its 72 million users. In combination with the antivirus information it pulls in from partners such as Trend Micro, that sort of reach gives it a handle on the changing face of cyber-crime.
"The top categories for delivering malware used to be the traditional red light areas - hacking, gambling, personal lust," Clare says. But during the past year cyber criminals have moved their activities to known sites with good reputations.
Dynamic web links are used to load attack elements from a number of sites, rather than lurking on one dodgy server in downtown Taipei.
The criminals hack insecure sites or acquire access credentials, thus getting around reputation filters, the so-called white and black lists and commonly blocked web categories.
Death, drama and disaster are powerful lures to get people to jump on to the internet, and any news story can be used by criminals to create hooks to web links that lead to threats.
Social networking is creating new opportunities, through Facebook links or tiny URLs from Twitter. Simple keyword ratings prove ineffective against such attacks and defences need to understand wider patterns - why is this page from Boston going to Kiev to load an invisible element?
Last year opened with Operation Aurora, a sophisticated attack over the holiday period when IT shops were thinly staffed, which used flaws in Internet Explorer and Adobe's PDF technology to target more than 30 technology, finance and defence firms.
The attack seemed to be aimed at getting source code from companies such as Google and Adobe.
Once the IE vulnerability was exposed, cyber criminals were quick to launch "me too" attacks, by which time companies with updated antivirus software could expect to be protected. Clare said Aurora led to the creation of advanced PDF tools and active script analysers. "Eventually all attacks reach out to a remote host for more content or to deliver information. These dynamic links and requests are the key to effective web-defence filtering," he says.
Malvertising, or delivering malicious software through fake ads, takes patience. Clare said in one case a relatively new ad domain had existed for about six months, delivering cheap ads to web pages and passing any checks for malware.
Another attack which hit many Italian websites used Twitter search results to create domain names for each day of malware delivery.
A major Google study found fake antivirus software accounts for 15 per cent of malware found on the internet and half of the malware delivered through ads.
Users are told their system is infected so they click on the link to accept, install and pay for fake software. Scareware merges into ransomware, where payment is demanded for a tool to clean up the infected computer. Better to stick with antivirus software from major brands.
Then there's the fake update, which often links to searches for adult material but is now increasingly tied to social networking.
A cyber criminal breaks into a social networking account and sends a short message and link to all the user's friends asking, "Is this a picture of you?" Instead of leading to a picture, the dynamic link asks the users to make a software update before the picture or video can be viewed.
The 2010 Soccer World Cup created many opportunities for cyber criminals, especially for phishing attacks, which outnumber malware attacks two to one. Fans looking to watch matches online would be directed to pages that would collect private information and payment credentials. Expect more of the same for this year's Rugby World Cup.
Some crime is moving to malware that puts keyloggers on to the computer to collect logins and passwords.
Lazier criminals can buy fully developed phishing kits. They may be surprised to find the kits have a backdoor, so the kit's creator can steal their catch.