Posted on October 28, 2009 | 3 comments
How quaint seem the days when naïve hacker wannabes phished PayPal logons, then posted them on IRC chat channels, to try to make a few bucks — but mostly for bragging rights. That was circa 2002-2003.
Fast forward to the present. At this moment, Facebook is being blanketed by two high-volume email phishing campaigns.
These are serious, money-making drives that leverage PCs infected in previous attacks. While the perpetrators get rich, they also lay the groundwork for future attacks.
This new breed of multi-purpose, continually expanding phishing campaign is also inundating Twitter, nearly to the point of paralysis. Twitter is at a loss as to how to deal effectively with hordes of hacked account holders stampeding to change their passwords.
Meanwhile, Hotmail, Gmail, YahooMail and AOL mail are under siege as well. Phishing attacks that trick legitimate users into giving up their log-on credentials have become so routine that newbie hackers can pull them off with ease, using free tool kits; some of these newbie phishers are so fresh-faced that they feel compelled to brag about their new-found skills to the British press.
But make no mistake: phishing has evolved into a very serious, lucrative criminal industry. After a lull earlier this year, phishing levels spiked 200% between May and September, according to IBM X-Force.
Phishing for financial account log-ons, common for nearly a decade, continues. By now, most Web users know enough to avoid it. However, in the ever-evolving calculus of cybercrime, the username and password to your non-financial Web accounts, especially Hotmail, Facebook, Twitter, Gmail, YahooMail and AOL mail, have emerged as white-hot commodities.
“These log-ons can be used to accomplish a number of tasks,” says Sam Masiello, threat researcher at McAfee’s MXLogic messaging security section. “A user’s login information could potentially lead to a gold mine.”
Unstoppable campaigns
The ongoing Facebook attacks vividly illustrate what’s going on at the cutting edge. Two top botnet gangs are bombarding Facebook members with targeted phishing emails to get control of their Facebook accounts.
There is nothing Facebook can do directly — beyond warning its members — to slow down these attacks. “This virus has been spreading over email, not on Facebook,” says Facebook spokesman Simon Axten. “We’re educating users on how to detect this through the Facebook Security Page.”
In this ongoing attack, the bad guys are directing an army of computers they've previously infected to systematically send out targeted email messages, like the one shown below, to millions of Facebook members.
The messages advise recipients to click “here” to activate a “new login system that will affect all Facebook users.” This takes the victim to a mocked-up Facebook log-in page, shown below, with the victim’s email address already filled in, but the password blank. Typing your password, of course, gives up full access to your Facebook account to the crooks.
But they aren’t done yet.
Another prompt, shown below, then appears advising you to download an “update tool,” which actually installs the ZeuS banking Trojan. ZeuS then lurks on your hard drive, waiting to steal your online banking log-ons the next time you type them.
As of this morning, messaging security firm AppRiver had counted 41 different Web domains sending out 600 of these targeted phishing emails per minute. “We have seen around 6 million pieces of email so far this morning,” says Fred Touchette, senior analyst at AppRiver.
At its peak yesterday, about 1,000 viral emails per minute were being pushed out, he says. “This was a two-pronged attack,” says Touchette. “The first purpose was to phish Facebook accounts, and the second was to attempt to deliver a Trojan onto the victim’s machine.”
The Trojan installed was none other than ZeuS, the hugely popular banking Trojan that can be customized to do everything from stealing account log-ons for specific banks to automating man-in-the-browser attacks (often loosely called man-in-the-middle) that stealthily extract funds while the real account holder is logged on. See LastWatchdog's investigative report on A-Z, the rich young creator of ZeuS, who presumably continues to earn royalties for his masterpiece.
This same group of phishers has tried variations of this type of phishing attack — with lures purporting to come from the IRS, the HMRC and a banking consolidation service in the UK called One Account. The phishers’ main goal is to “intercept financial account information,” says Touchette.
Bredolab wormhole
The other big, ongoing Facebook phishing campaign began on Monday, 26OCT2009, around noon Pacific time, says Jamie Tomasello, abuse operations manager for messaging security firm Cloudmark.
These emails purport to come from support@facebook.com, and contain a zip file said to hold the recipient’s new password, recently changed for security reasons by Facebook.
This simple ruse is fooling many smart, computer-savvy people. Cloudmark has found evidence of Facebook members actually going into their junk mail folders to retrieve these viral messages, then clicking on the infectious zip file. This installs the Bredolab Trojan downloader, a versatile little program that works like a wormhole into the PC's hard drive.
The thought of a tech-savvy Facebook user fishing a viral email out of a junk mail folder and clicking on a viral zip file must delight the attackers.
“People are very addicted to their Facebook accounts. They are so accustomed to communicating frequently and rapidly all the time,” says Tomasello. “They are aware of all the attacks, and are concerned about them. Yet many of them believe this is a legitimate security message from Facebook that got inadvertently sent to their junk mail folder.”
Unlike the attackers spreading ZeuS infections, the Bredolab campaigners do not first try to get the recipient to type in his or her password. As shown below, this criminal gang cuts straight to the chase and asks you to download a zip file that installs the Bredolab wormhole, according to security firm M86.
One of the first programs the attackers download through the wormhole is a botnet management program that enlists the PC into the infamous Pushdo botnet, one of the most prolific distributors of pharmaceutical spam, says Bradley Anstis, Vice President of Technical Strategy at M86 Security.
By installing the wormhole and botnet agent up front, the attackers quickly gain the option to come back later and download a keystroke logger to grab any Web mail, social network or financial account log-ons.
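A quick triage of the two lures described above, as an added example that is not part of the original post: it checks whether a mail's links point off the domain the mail claims to come from (the “new login system” lure, whose “here” link leads to a mocked-up log-in page) and whether a zip attachment carries an executable (the “new password” lure). The two sample messages, the link host and the file names are constructed for illustration, not taken from the actual campaign mail.

```python
"""Triage of the two Facebook lures (added example; samples are constructed,
not the actual campaign mail)."""
import email
import email.utils
import io
import zipfile
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types Windows runs on double-click (assumption: practical, not exhaustive).
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")


class _Hrefs(HTMLParser):
    """Collects href targets of <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def sender_domain(msg):
    """Domain the mail claims to come from (From: header), lower-cased."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower()


def offsite_links(msg):
    """Hosts of links in HTML parts that are neither the sender's domain nor under it."""
    d = sender_domain(msg)
    hosts = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            p = _Hrefs()
            p.feed(part.get_content())
            hosts += [urlparse(h).hostname or "" for h in p.hrefs]
    return [h for h in hosts if not (h == d or h.endswith("." + d))]


def executables_in_zip(data):
    """Member names inside a zip that Windows would execute on double-click."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return [n for n in z.namelist() if n.lower().endswith(EXEC_EXTS)]
    except zipfile.BadZipFile:
        return []


def triage(raw):
    """Return both findings for a raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = {"offsite_links": offsite_links(msg), "zip_executables": []}
    for part in msg.iter_attachments():
        if part.get_filename("").lower().endswith(".zip"):
            found["zip_executables"] += executables_in_zip(part.get_payload(decode=True))
    return found


def lure_new_login_system():
    """Constructed sample of the 'new login system' lure: the 'here' link is off-domain."""
    m = EmailMessage()
    m["From"] = "Facebook <update@facebook.com>"
    m["To"] = "victim@example.com"
    m["Subject"] = "New login system"
    m.set_content("Facebook is introducing a new login system that will affect all users.")
    m.add_alternative('<p>Click <a href="http://facebook-update.example.net/login.php">here</a> '
                      "to activate the new login system.</p>", subtype="html")
    return m.as_bytes()


def lure_password_zip():
    """Constructed sample of the 'new password attached' lure: a zip holding an .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Facebook_Password_4583.exe", b"MZ placeholder, not a real binary")
    m = EmailMessage()
    m["From"] = "The Facebook Team <support@facebook.com>"
    m["To"] = "victim@example.com"
    m["Subject"] = "Facebook Password Reset Confirmation"
    m.set_content("Your password was changed for security reasons; the new one is attached.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="Facebook_Password_4583.zip")
    return m.as_bytes()


if __name__ == "__main__":
    for sample in (lure_new_login_system, lure_password_zip):
        print(sample.__name__, triage(sample()))
```

Neither check is proof of phishing on its own (legitimate mail links to third-party domains, and zips sometimes carry tools), but a mail that claims to come from facebook.com and fails either one is better quarantined outright than dropped into a junk folder from which, as Cloudmark observed, users retrieve it.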
In fact, researchers at VeriSign iDefense found evidence the bad guys followed up rather quickly to do just that. “The Bredolab downloader installed two additional Trojans — in this case, ZeuS and Glacial Dracon,” says Ryan Olson, Rapid Response Director at VeriSign iDefense.
“Both of these Trojans are designed to steal information as well as credentials for online banking Web sites,” Olson continues. “In the end, the goal of these attacks is usually financially motivated, and the market for online banking credentials is relatively lucrative.”
Virgin accounts
In the evolving cyberunderground, valid Web mail and social network accounts are considered highly valuable “virgin” assets, useful for sending out viral e-mail messages likely to go unblocked by spam filters, Sophos researcher Beth Jones says.
Virgin Web mail or social network accounts can sell for as much as $2 - more than double what a stolen credit card account number fetches, says Fred Rica, principal at PricewaterhouseCoopers’ security practice.
Besides enlisting your PC in a botnet and stealing all of your account log-ons, the bad guys can now also use your Web mail and social network accounts to carry out a matrix of lucrative online capers, made all the easier if you use just one or a handful of the same passwords.
They can send out e-mails that appear to come from you to everyone in your address book to try to get them to divulge passwords. And they can scour your e-mail folders for clues to the social networks and online banks you use, then crack into those accounts and change the passwords so only they can access them.
Part of this is because many online services require an e-mail address to set up a Web account. Meanwhile, replacement passwords are typically sent to that e-mail address, a perfect setup for a crook who controls the e-mail account, says Amichai Shulman, chief technology officer of security firm Imperva.
Entry-level cybercrime
The harvesting of virgin Web mail accounts has become a cornerstone of the cyberunderground, so much so that it has evolved into an entry-level cybercrime, says AppRiver analyst Touchette. Starter kits, complete with slick, ready-made faked log-on pages for each of the top Web mail services and social networks, are readily available - for free. A newbie phisher has only to supply a website on which to host the faked page and collect the stolen passwords.
This has become a widespread activity, one that is keeping the cyberunderground supplied with a new generation of scammers getting in on the ground floor. The crooks supplying the free tool kits have a stake in flushing out as many virgin accounts as possible. “Each account presents new opportunities to make money,” Touchette says.
Other attacks
The demand for virgin Web mail accounts has, in fact, become so robust that top-tier cybercrime gangs are going after them with other kinds of attacks as well. Some specialize in tainting legitimate Web pages, or corrupting search results, with imperceptible infections.
Clicking on the tainted Web page or corrupted search result can open a backdoor on the user’s PC, through which the attacker can install a program to steal keystrokes - especially those typed into a Web mail log-on form.
Another popular attack involves hacking into the databases of employment sites, shopping sites or any site that collects sensitive information, including valid e-mail addresses.
ScanSafe researcher Mary Landesman says she regularly finds caches of thousands of stolen Web mail log-ons stashed away in nooks and crannies of the Internet, often organized in a way that makes it clear an infection or database hack was used to harvest the data.
“Most disturbingly, we came across a cache of stolen credentials quite by accident posted in plain view on a now defunct website,” she says. “Presumably others could have found it as well.”
Twitter users can no longer change passwords
Yet the phishing ruses are arguably the quickest, cleanest way to steal log-ons to non-financial Web accounts.
Twitter is being swamped with simple email phishing ruses. The bad guys are also creating new Twitter accounts and stealing existing ones, then using them to send out viral microblogs: Tweets carrying infected Web links. Because these links are shortened, a good link cannot be told from a malicious one by looking at it; the destination only becomes visible once the link is expanded. And Tweets move in real time, pushed out from multiple sources around the globe and viewable by anyone using the service at that moment. This characteristic lends a veneer of trustworthiness that cyber criminals are quick to exploit.
Many Twitter users whose accounts have been compromised via phishing attacks and malicious URLs circulating in Tweets change their passwords to keep control of their existing accounts. But so many are doing so that Twitter can't handle the avalanche of password change requests. Twitter has begun locking out password changes, and now advises users not to change their usernames and passwords.
Tomorrow, 29OCT2009, antivirus company Kaspersky plans to publicly unveil something called Krab Krawler, a tool it has been developing that's designed to trawl Twitter microblogs for malicious URLs and then add them to Kaspersky's blacklist.
Meanwhile, variations of the phishing email attacks slamming Facebook members are being aimed at other high-profile targets, with ruses purporting to come from the IRS, FedEx, UPS and Her Majesty's Revenue & Customs, to name a few. One now in circulation, shown below, purports to come from the FDIC and is also spreading the Bredolab wormhole.
M86's forensic work shows that the FDIC phishing attack is also the handiwork of the same Pushdo botnet gang behind the Facebook Bredolab phishing scam. Not at all surprising.
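One way to get past the shortening, as an added example that is not from the original post: expand the link server-side with HEAD requests, which return the redirect target without fetching or rendering the page, and only then judge the final host. The redirect map and the domains below are constructed so the example runs offline; `http_head` is the network-backed equivalent and is an assumption about how one would wire it to real shorteners.

```python
"""Expanding a shortened link before trusting it (added example, not from the
post). HEAD requests walk the redirect chain without rendering any page; a hop
cap and a loop check bound the walk. The `head` callable is injectable so the
example runs offline against a constructed redirect map."""
import http.client
from urllib.parse import urljoin, urlparse

REDIRECTS = (301, 302, 303, 307, 308)


def http_head(url, timeout=10):
    """Real HEAD request: returns (status, Location header or None). Needs network."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.netloc, timeout=timeout)
    try:
        target = (u.path or "/") + ("?" + u.query if u.query else "")
        conn.request("HEAD", target, headers={"User-Agent": "link-expander/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand(url, head=http_head, max_hops=5):
    """Follow redirects from url. Returns (chain, outcome); outcome is one of
    'resolved', 'unreachable', 'loop', 'too_many_hops' and chain[-1] is the last URL seen."""
    chain = [url]
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in REDIRECTS or not location:
            return chain, ("resolved" if status < 400 else "unreachable")
        nxt = urljoin(chain[-1], location)      # Location may be relative
        if nxt in chain:
            return chain, "loop"
        chain.append(nxt)
    return chain, "too_many_hops"


def verdict(final_url, blocklist):
    """'block' if the final host is on (or under) a blocklisted domain, else 'unknown'."""
    host = urlparse(final_url).hostname or ""
    return "block" if any(host == b or host.endswith("." + b) for b in blocklist) else "unknown"


# Constructed redirect map standing in for shortener responses (not real services).
FAKE_HOPS = {
    "http://sho.example/x1": (301, "http://t.example/abc"),
    "http://t.example/abc": (302, "/final?id=7"),
    "http://t.example/final?id=7": (200, None),
    "http://sho.example/loop": (301, "http://sho.example/loop2"),
    "http://sho.example/loop2": (301, "http://sho.example/loop"),
}


def fake_head(url):
    """Offline stand-in for http_head driven by FAKE_HOPS."""
    return FAKE_HOPS.get(url, (404, None))


if __name__ == "__main__":
    for u in ("http://sho.example/x1", "http://sho.example/loop", "http://sho.example/nope"):
        chain, why = expand(u, head=fake_head)
        print(why, " -> ".join(chain), verdict(chain[-1], {"t.example"}))
```

The hop cap matters as much as the loop check: chained shorteners are a common way to hide a final destination, and an expander that follows them indefinitely becomes a tool for the attacker to waste. A resolved final host is still only one signal; a domain not on a blocklist is unknown, not safe.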
By Byron Acohido
Category: Imminent threats, Top Stories
Comments
from: http://lastwatchdog.com/unstoppable-phishing-attacks-blanket-facebook-twitter/
Just an update - Overnight we saw a retort of sorts from the Bredo botnet with their simple text, Facebook-themed malware. This one once again uses the “password changed” ruse, and contains a malicious .zip attachment.
ZeuS, on the other hand, is still chugging along today, utilizing now 57 domains on which they host their malware. We have seen rates on some of these domains jump up to 1600/minute, on average across all domains. We are seeing roughly 50,000 of these messages every minute with over 7 million total piled up in our filters.
Comment by Fred Touchette — 10/29/2009 @ 10:38 am
Hi Byron, you might appreciate Tony Greenberg’s thoughts about trust in the IT world… at http://www.onlytimebuystrust.com/2009/10/24/only-time-buys-trust/
Greetings from SF, X
Comment by xeniar — 11/4/2009 @ 12:52 pm
In reporting this story, some analysts referred to Bredolab as a “banking Trojan,” while Ryan Olson, of VeriSign iDefense, was insistent that Bredolab is, in fact, a “downloader Trojan.” I asked Ryan to reconcile. Here's the exchange:
LastWatchdog: What exactly is Bredolab?
Olson: Bredolab is a Downloader Trojan. It's primarily a gateway for other malware. The process occurs when an attacker installs a downloader Trojan to get a foothold on a system. Once the downloader is there, it contacts a command and control (C&C) server which tells it what additional malware it should download and install. This might be a banking Trojan like Zeus, a spam bot like Waledac, or maybe a Rogue anti-virus program. The key is, once a downloader is on the system, the attacker can install anything they choose! Most of the time, that is often multiple Trojans, not just one, which obviously leads to more issues.
LastWatchdog: I could not find anything about the Glacial Dracon banking trojan. Can you send me some info on that one? Is it widespread or obscure? Is it similar to Zbot/ZeuS? What’s distinctive about it?
Olson: As far as we can tell Glacial Dracon (GD) is not very widespread. The variants we’ve analyzed have primarily been targeting Spanish banks. It doesn’t really do anything special compared to other banking Trojans. GD steals POST requests and is capable of HTML injection, but that’s getting to be pretty standard. We’ve seen some C&C servers that both a GD Trojan and a ZeuS Trojan will report to, indicating that some attackers use both Trojans at once, or at least try them both out.
Comment by bacohido — 11/4/2009 @ 2:26 pm