Online fraud is a non-stop threat to banks around the globe, and cyber
criminals have no intention of slowing down the pace. In fact, they continue to
improve their technology, launch increasingly sophisticated attacks, and use
advanced social engineering techniques to dupe financial institutions and online
banking customers into falling for scams. Global conditions such as the economic
downturn and turmoil in the financial markets are likely to shape the evolution
of cybercrime. This is the first in a two-part series of predictions for online
fraud trends over the next 12 to 18 months.
Trojan functionality and infrastructure will improve
The advanced stealth technology and other features of financial Trojans
already exist. Trojans can now steal a wide variety of online credentials and
assets and remain undetected for a considerable amount of time — as evidenced by
the repository of credentials stolen by the Sinowal Trojan discovered in October
2008. The Sinowal Trojan maintained one of the most advanced and reliable
communication infrastructures which allowed it to gather and transmit
information for almost three years. More than 500,000 compromised credentials
were retrieved belonging to banks and individuals spanning almost 40 countries
across the world.
There will be rapid improvement in Trojan functions and infrastructure in the
coming year. In terms of functions, fraud analysts have already begun to see
Trojan plug-ins offered for sale in the underground. One example is the
"balance grabber," so named because it automatically grabs the balance of an
account and delivers it along with the compromised credentials, saving online
criminals the time of logging in to each account to check balances and credit
limits.
While functions will improve, we believe the primary focus over the next 12
months will be on improving Trojan infrastructure. As with phishing websites,
most Trojan hosting servers can still be detected and shut down fairly easily,
but this is changing. We expect Trojan hosting to evolve as online criminals use
fast-flux networks for both infection sites and drop domains, as well as
alternatives such as private networks like the one used by the Sinowal Trojan.
Finally, in 2008 several software toolkits were sold in the fraud underground
that let online criminals create new Trojan variants within seconds. With slight
modifications, a new binary can be generated each time an infection campaign is
launched. The Trojan then appears as an unknown file to signature-based
anti-virus engines, which buys it some "breathing space" before detection.
Because no new variant matches its predecessor, a Trojan generated with the
click of a mouse evades signature detection for longer. As the development and
spread of such toolkits continue over the next year, expect the number of unique
Trojan variants to soar and strain the detection rates of anti-virus providers.
Use of fast-flux botnets will increase
In 2008, RSA's Anti-Fraud Command Center witnessed the emergence of several
"bullet-proof" fast-flux hosting services, which were both deployed by their
operators and rented out for a fee to other online criminals. Fast-flux is a DNS
technique in which a domain name resolves to a rapidly changing set of addresses
drawn from a botnet, a network of compromised computers, and those computers
front the phishing and malware websites.
Criminals used these fast-flux networks to host phishing and Trojan attacks as
well as other malicious content such as money mule recruitment websites. Each
compromised computer acts as a proxy, or middleman, between the victim and the
real website. Fast-flux networks are hard to expose and shut down because the
content servers that actually deliver the phishing and malware sites sit behind
a cloud of compromised machines whose addresses change very quickly to avoid
detection. Fast-flux networks are becoming increasingly popular in the online
fraud community for three main reasons:
Scalability: An attack using a fast-flux botnet is easy to set up.
Service providers in the fraud community provide the infrastructure to launch
the attack (i.e., fraudsters can rent a botnet and a content server for a
nominal monthly fee). An online criminal just needs to register a new domain
and start spamming.
Stability: Fast-flux networks are long-lasting and easily reused. The core
infrastructure is considered very stable because the content servers are
"hidden" behind the proxies and are, in theory, harder to locate.
Attack longevity: While it is easy to point at a single IP address or server
and take it down, a fast-flux botnet exposes only a domain whose addresses keep
changing. Shutting it down is sometimes more difficult and takes longer, so it
offers more longevity and better results for launching attacks.
In 2008, 44 percent of the phishing attacks detected by the RSA Anti-Fraud
Command Center were hosted on fast-flux networks or similar botnets. Over the
next 12 months, expect to see a steady increase in the use of these hosting
services for phishing attacks and other malicious content such as Trojan
infection and drop points, and money mule recruitment sites.
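The properties described above (short TTLs, answers that change on every lookup, addresses scattered across unrelated networks) are exactly what an analyst looks for when triaging a suspicious domain. The following is an added example, not code from the article or from RSA, showing a simple fast-flux heuristic run over constructed DNS answers. The domains, addresses, and thresholds are all invented for illustration; the real check would also map each address to its ASN rather than using /24 prefixes, and would use many more lookups.

```python
"""Heuristic fast-flux scoring over repeated DNS lookups (added example)."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample data, not real observations: (domain, ttl_seconds, a_records).
# Repeated tuples for one domain are successive lookups of that name.
SAMPLE_LOOKUPS = [
    # Hypothetical fast-flux domain: short TTL, a completely new set of hosts in
    # every answer, spread across several networks (consumer ISP ranges in real life).
    ("secure-update-bankexample.test", 300,
     ["203.0.113.10", "198.51.100.7", "192.0.2.55", "203.0.113.200", "198.51.100.99"]),
    ("secure-update-bankexample.test", 300,
     ["192.0.2.14", "203.0.113.77", "198.51.100.130", "192.0.2.201", "203.0.113.9"]),
    ("secure-update-bankexample.test", 300,
     ["198.51.100.250", "192.0.2.88", "203.0.113.33", "198.51.100.12", "192.0.2.120"]),
    # Ordinary site: long TTL, one stable address.
    ("www.example.org", 86400, ["93.184.216.34"]),
    ("www.example.org", 86400, ["93.184.216.34"]),
    ("www.example.org", 86400, ["93.184.216.34"]),
    # CDN-like host: short TTL and rotating addresses, but all inside one /24.
    # This is the false-positive case a TTL-only rule would get wrong.
    ("static.example.net", 60, ["198.51.100.1", "198.51.100.2", "198.51.100.3"]),
    ("static.example.net", 60, ["198.51.100.4", "198.51.100.2", "198.51.100.5"]),
    ("static.example.net", 60, ["198.51.100.6", "198.51.100.1", "198.51.100.7"]),
]


def summarize(lookups):
    """Group lookups by domain and compute the features the heuristic needs."""
    by_domain = defaultdict(list)
    for domain, ttl, records in lookups:
        by_domain[domain].append((ttl, records))

    features = {}
    for domain, answers in by_domain.items():
        all_ips, nets, churn = set(), set(), []
        prev, min_ttl = None, None
        for ttl, records in answers:
            cur = set(records)
            all_ips |= cur
            # /24 prefix as a crude stand-in for network diversity (real tooling uses ASN).
            nets |= {int(ip_address(ip)) >> 8 for ip in cur}
            min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
            if prev is not None:
                # Fraction of this answer's addresses not seen in the previous answer.
                churn.append(len(cur - prev) / len(cur))
            prev = cur
        features[domain] = {
            "distinct_ips": len(all_ips),
            "distinct_nets": len(nets),
            "min_ttl": min_ttl,
            "churn": sum(churn) / len(churn) if churn else 0.0,
        }
    return features


def is_fast_flux(f, max_ttl=600, min_ips=10, min_nets=3, min_churn=0.5):
    """Illustrative thresholds: all four conditions must hold to flag a domain."""
    return (f["min_ttl"] <= max_ttl
            and f["distinct_ips"] >= min_ips
            and f["distinct_nets"] >= min_nets
            and f["churn"] >= min_churn)


def classify(lookups):
    """Map each domain in the lookups to True (fast-flux suspect) or False."""
    return {d: is_fast_flux(f) for d, f in summarize(lookups).items()}


if __name__ == "__main__":
    for domain, feats in summarize(SAMPLE_LOOKUPS).items():
        print(domain, feats, "-> FAST-FLUX" if is_fast_flux(feats) else "-> ok")
```

The CDN entry is the important one: it has the shortest TTL of the three domains, yet it is not flagged because every address sits in a single network and only seven distinct hosts appear in total. Requiring network diversity and churn together with a short TTL is what keeps content-delivery networks and round-robin load balancers out of the alert queue.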
Fraud-as-a-Service
One of my colleagues wrote an article for Internet Banking Commentary
regarding Fraud-as-a-Service (FaaS), a term he coined last fall. FaaS is the
advanced supply chain that offers goods and services for sale to online
criminals to aid them in committing fraud. In 2008, there was an increase in the
amount of services offered for hire in the underground — everything from hosting
services, to Trojan infection kits, to cashout services. We expect these FaaS
services to evolve even further over the next 12 months in order to support the
development of the fraud economy. Online criminals will turn to "one-stop"
service providers who offer centralized fraud services, charged as a flat fee or
on a subscription basis depending on the nature of the service, and who take on
tasks that the average criminal would find too complicated to accomplish alone.
Based on our review of the criminal underground as it stands today and where it
is heading, we expect the following services to grow:
Centralized Trojan infection: This service will allow various criminal
groups to infect users' computers worldwide through a centralized infection
service and is already being used by criminals who pay a per-infection fee to a
service provider.
"All-in-one" Trojan packages: Trojan servers with command and control (“C&C”)
panels are available for sale in the underground, along with corresponding
botnets of infected computers. Criminals that purchase these services receive
control over a Trojan and over hundreds or thousands of computers already
infected with it.
Ready-made HTML injection kits: These kits will be crafted by service
providers and sold within the underground. HTML injections are very common as
part of almost any Trojan attack. The resulting bogus web pages — designed to
look exactly like legitimate online banking web pages but inserted with new
forms to capture credentials from unsuspecting consumers — will be developed by
subject matter experts and sold within centralized repositories, very much like
today's phishing kits.
Professional call center services: Online criminals will use these services
in order to commit phone channel fraud and also facilitate fraud in other
channels. Such services already exist and provide online criminals with the
capability to conduct phone channel fraud to any destination and in any
language.
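The HTML injection kits described above add form fields to a genuine banking page inside the victim's browser, so the server never sees the altered page and the only place to notice the tampering is the rendered page itself. The following is an added example, not code from the article or from any bank, of the integrity check such a defence performs: compare the fields actually present in the login form against the fields the bank ships. In production this logic runs as client-side JavaScript (or over page captures sent back by such a script); here the same check is done in Python over two constructed HTML snippets, one clean and one with hypothetical injected fields.

```python
"""Detect form fields that the bank never shipped (added example)."""
from html.parser import HTMLParser

# The fields the bank's real login form contains. Constructed for this example.
EXPECTED_LOGIN_FIELDS = {"username", "password", "csrf_token"}

# Constructed page as served by the bank.
CLEAN_PAGE = """
<form id="login" action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="abc123">
  <button type="submit">Sign in</button>
</form>
"""

# The same page after a hypothetical man-in-the-browser injection: the Trojan
# has inserted two extra fields that look like part of the bank's form.
INJECTED_PAGE = """
<form id="login" action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="abc123">
  <label>Card number</label><input type="text" name="card_number">
  <label>ATM PIN</label><input type="password" name="atm_pin">
  <button type="submit">Sign in</button>
</form>
"""


class FormFieldCollector(HTMLParser):
    """Collect the name attributes of input/select/textarea elements per form."""

    def __init__(self):
        super().__init__()
        self.forms = {}          # form id (or action) -> set of field names
        self._current = None     # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = a.get("id") or a.get("action") or "<anonymous>"
            self.forms.setdefault(self._current, set())
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name")
            if name:
                self.forms[self._current].add(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def form_fields(html, form_id):
    """Return the set of named fields found in the form with the given id."""
    parser = FormFieldCollector()
    parser.feed(html)
    return parser.forms.get(form_id, set())


def injected_fields(html, form_id, expected):
    """Fields present in the form that are not in the bank's expected set."""
    return form_fields(html, form_id) - set(expected)


if __name__ == "__main__":
    print("clean page:", injected_fields(CLEAN_PAGE, "login", EXPECTED_LOGIN_FIELDS))
    print("injected page:", injected_fields(INJECTED_PAGE, "login", EXPECTED_LOGIN_FIELDS))
```

The check is deliberately an allowlist rather than a search for known bad field names, because the injection kits are sold and customized per target: the bank knows what its own form contains, but cannot enumerate everything a kit might add. Fields that are present but unexpected are the signal, and a hit should be reported back to the bank out of band rather than only blocked in the page, since the same Trojan that injected the form can also suppress a client-side warning.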
In the next part of this series, we will share predictions in the areas of money
muling, adaptation to authentication, consolidation of traditional malware and
phishing attacks, enterprise phishing, and techniques to help prevent advanced
online threats.