
Real World Impact of IE Flaw

It is easy to write about the latest security flaw in Microsoft's Windows operating system as if it were some abstract threat that hackers may or may not get around to exploiting at some point. But when you have evidence that a single phishing group is using the vulnerability to steal online banking and e-commerce credentials from thousands of victims each day, the threat suddenly becomes a great deal more personal and real.

Take, for instance, the data being collected by San Diego-based Secure Science Corp., a company that offers stolen-data retrieval services for financial institutions. Most of the criminal groups the company monitors filch data by spamming out e-mails with links to Web sites that use a variety of known Internet Explorer and Windows weaknesses to install malicious code.

Once installed, that malware steals stored user names and passwords and records what the victim types when he or she visits targeted financial sites. Secure Science can intercept that data by finding the location of "dead drops" -- e-mail inboxes or Web site databases set up by the attackers to receive information stolen from infected machines.

In the first half of March -- prior to the release of code showing attackers exactly how to exploit a previously unknown (and currently unpatched) flaw in IE -- Secure Science tracked a single hacker group stealing between 1.5 and 2 megabytes of text data from victims each day (a small novel might take up about 1 megabyte of text data). The company found that a data cache of that size usually contains a mix of roughly 1,000 credit card numbers or login credentials for Web mail and online banking sites.

Ever since the third week in March, when the latest IE exploit surfaced, Secure Science has watched that same phishing group's daily catch increase exponentially. Lance James, the company's chief scientist, said the group's dead drops are now choking on 80 to 115 megabytes of stolen data each day.

James looked through the company's database for the particulars of this group's haul from March 31, when the drop box received 108 megabytes worth of data stolen from infected machines. On that day alone, the phishers gleaned personal and financial information on 13,677 accounts, including 3,536 credit card account numbers; 255 PayPal accounts; 1,038 eBay accounts; 93 user names and passwords for Bank of America online accounts; and login credentials for some 2,609 Hotmail e-mail accounts.

(It may be tempting to discount the sensitivity of compromised e-mail accounts, but many computer users sign up with dozens of online merchants and financial institutions using the same e-mail account, and if that account is compromised the attackers can use it to reset the victim's credentials on all of the merchant sites tied to that e-mail address.)

I interviewed James because I just finished reading his book "Phishing Exposed," in which he profiles the stealthy attacks used by phishing groups and highlights some pervasive security problems with many banking sites. James said it's important to understand that "phishing groups" aren't limited to criminals who use e-mails to dupe people. Rather, he said, most of the individuals profiting from phishing sites also are creating and distributing malicious code that steals the same information.

According to James, many of these groups are based in Russia and in countries that lack either extradition agreements with the United States or explicit laws against phishing activity. For many phishing gangs, the chance of being brought to justice is slim, while the potential payoff is high. "There is a lot of play in this game," James said. "The average phishing group can pull in around $300,000 a month, or between $2.5 million and $3.5 million a year."

Secure Science's data from just one phishing group appears to offer yet another contradiction to Microsoft's claim that this latest IE flaw isn't being widely exploited. In a blog post I wrote last week, I found hundreds of people whose computers had been seeded with password-stealing programs after visiting hacked Web sites designed to take advantage of the new IE flaw (that post also was picked up by "news-for-nerds" site Slashdot). I had the opportunity to peek into one of these dead drop databases, and was alarmed to discover that the scammers hit about one new victim every minute.

By Brian Krebs |  April 3, 2006; 4:19 PM ET Latest Warnings

Comments




Brian,

Thank you!

It is so rare that we ever see real world numbers on computer crime. Instead it is either hushed up by the victimized companies or propagated as FUD by those with an agenda or a commercial interest. And rarely are the original reports of thefts followed up with final damage counts.

That this, coupled with the release of the Justice Department survey, finally begins to put up a "horror ceiling" is deeply appreciated by this IT professional.

Should also be interesting to see how the recent changes in electronic banking laws are going to affect bank crime. Particularly since so much risk appears to have been dumped upon the bank account holder.

Again Thanks!

C Katz

Posted by: C Katz | April 3, 2006 6:00 PM

bk is my hero

Posted by: X | April 3, 2006 7:06 PM

I guess Microsoft don't want to do anything before the normal monthly update because that would be to admit there was a problem! People speculate that IE is only targeted because it has a large market share. Even if it had the smallest share I wonder if it might not be the most targeted for exploits. Why? Because Microsoft take too long to address serious issues; they leave many vulnerabilities unpatched; the majority of users who stick with IE are probably those who know less about computer security and the threat it poses. Microsoft's response appears always about creating a good image at the expense of facts.

Posted by: Anonymous | April 4, 2006 1:26 AM

Thank God for the 'George Bailey' types in the world. Without them to challenge the 'Potter' types it would not be such a 'Wonderful World'. Surprising how so many people are heading for 'Pottersville' rather than 'Bedford Falls'. People need to wise up and start listening to Bailey types and not Potter types if they want a 'Wonderful World'. Who wants Gatesville?

Posted by: Anon | April 4, 2006 2:18 AM

Is there a list of the 200 affected sites? So we know not to visit them.

Posted by: Mike | April 4, 2006 12:25 PM

What's the deal with reporting on how big the databases of phishing criminals are? Why isn't Secure Science Corp (the one finding these phishing data stores) DELETING ALL OF THE THINGS it's finding? Do we have someone protecting Americans' interests, someone who's actually intercepting or deleting these data stores? What's being done to fix hacked sites? What's our government doing to bring down these slimebag commies from Russia? Don't tell me how effective they are at exploiting software vulnerabilities and pretend that Microsoft is the problem here. Who's publishing the exploit code, and why don't we shut them down? Isn't it enough to tell IE users that there is a new security fix you need to get? Don't tell me about the exploits, nor how the bad guy is using the exploits, just tell me when you CATCH THEM, or FIX THE EXPLOIT.

Posted by: Nick | April 4, 2006 1:33 PM

Secure Science does do all of the above, and captures the data in real time, to give back to the financial institutions so that the data is as good as dead when the phishers have it.

Posted by: SSC | April 4, 2006 2:05 PM

Nick, sounds like you've got some issues there, buddy. If you don't want to hear about the real numbers, don't click the link to the story, and bury your head in the sand. Information that has already been stolen via this exploit is like piss in a swimming pool. Once it's in the pool it's nearly impossible to remove without draining the pool... all we can do is dilute it, rob it of its value. Increasing public awareness of the problem is the only way to treat the root of the weeds instead of just chopping off the leaves.

Posted by: Some guy | April 4, 2006 3:05 PM

I've posted the link to this fine article on my blog as well as notified all my clients that I am off IE as of today.
http://digiblade.blogspot.com/

Posted by: Matt | April 4, 2006 3:48 PM

It is even more frustrating to know that there is a solution to on-line banking fraud, but the banks seem just too slothful to consider it. All we need is for the banks to get together to define a standard for a challenge-reply ID verification protocol to be embedded into a USB stick. No amount of snooping or phishing will stand a realistic chance of being of any use at all.

Posted by: Adrian Tawse | April 11, 2006 6:07 AM

Re: Adrian's comment:

I may need more info, but what about session riding? Malware/Trojans also perform this technique, and I could see if you apply the challenge-reply within money transfers as well, this would be very successful, but not perfect.

Posted by: SSC | April 11, 2006 1:33 PM
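Adrian's challenge-reply USB token and SSC's session-riding objection, as an added example that is not part of either comment or of Secure Science's work: a Python sketch in which a hypothetical token answers bank challenges with an HMAC over a shared secret. Design A uses the token only at login, so a logged-in session can be ridden by malware on the PC to submit a transfer the customer never approved; Design B requires a response bound to the destination and amount, so a substituted transfer fails verification. The token class, bank class, customer name and amounts are all constructed for this example.

```python
import hmac
import hashlib
import secrets


class UsbToken:
    """Hypothetical hardware token: holds a per-customer secret it never exports."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes, details: bytes = b"") -> str:
        # Response = HMAC over the bank's challenge plus (optionally) transaction details.
        return hmac.new(self._secret, challenge + b"\x00" + details, hashlib.sha256).hexdigest()


def canonical(dest: str, amount_cents: int) -> bytes:
    # One unambiguous encoding of a transfer so token and bank MAC the same bytes.
    return f"{dest}|{amount_cents}".encode()


class Bank:
    """Constructed bank back end showing two ways of using the same token."""

    def __init__(self):
        self._secrets = {}     # user -> secret provisioned into that user's token
        self._challenges = {}  # user -> outstanding single-use challenge
        self._sessions = {}    # session id -> user
        self.ledger = []       # (user, dest, amount_cents) for every accepted transfer

    def enroll(self, user: str) -> UsbToken:
        secret = secrets.token_bytes(32)
        self._secrets[user] = secret
        return UsbToken(secret)

    def challenge(self, user: str) -> bytes:
        c = secrets.token_bytes(16)
        self._challenges[user] = c
        return c

    def _verify(self, user: str, details: bytes, response: str) -> bool:
        c = self._challenges.pop(user, None)  # each challenge is accepted once
        secret = self._secrets.get(user)
        if c is None or secret is None:
            return False
        expected = hmac.new(secret, c + b"\x00" + details, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)

    # Design A: challenge-reply proves possession at login; the session then carries all authority.
    def login(self, user: str, response: str):
        if not self._verify(user, b"", response):
            return None
        sid = secrets.token_hex(16)
        self._sessions[sid] = user
        return sid

    def transfer_with_session(self, sid: str, dest: str, amount_cents: int) -> bool:
        user = self._sessions.get(sid)
        if user is None:
            return False
        self.ledger.append((user, dest, amount_cents))
        return True

    # Design B: every transfer needs a fresh response bound to its own details.
    def transfer_signed(self, user: str, dest: str, amount_cents: int, response: str) -> bool:
        if not self._verify(user, canonical(dest, amount_cents), response):
            return False
        self.ledger.append((user, dest, amount_cents))
        return True


def simulate() -> dict:
    bank = Bank()
    token = bank.enroll("alice")
    intended = ("landlord", 50_000)          # what the customer approved (constructed)
    tampered = ("mule-account", 500_000)     # what session-riding malware substitutes

    # A: token used once at login; afterwards anything sent on the session is accepted.
    sid = bank.login("alice", token.respond(bank.challenge("alice")))
    riding_ok = bank.transfer_with_session(sid, *tampered)

    # B: the response covers the approved details, so replaying it with altered details fails...
    resp = token.respond(bank.challenge("alice"), canonical(*intended))
    tampered_ok = bank.transfer_signed("alice", *tampered, resp)
    # ...while the approved transfer, with its own fresh challenge, is accepted.
    resp2 = token.respond(bank.challenge("alice"), canonical(*intended))
    intended_ok = bank.transfer_signed("alice", *intended, resp2)

    return {
        "session_riding_succeeds": riding_ok,
        "tampered_signed_rejected": not tampered_ok,
        "intended_signed_accepted": intended_ok,
        "ledger": bank.ledger,
    }


if __name__ == "__main__":
    print(simulate())
```

Design B is the "challenge-reply within money transfers" SSC describes, and the "not perfect" caveat is visible in the code: the token signs whatever bytes it is handed, so binding only helps if the customer confirms the destination and amount on something the infected PC cannot alter (a display on the token itself, or a second channel); a display-less USB stick would sign the substituted details just as readily.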


©  The Washington Post Company