All Eyes on User Security as Cyber Criminals Up Their Game
October 9, 2012 Alex Woodie
In the cat and mouse game between security experts and cyber criminals, there is rarely a spare moment to catch one’s breath. Just as the good guys think they have all their bases covered, the hoodlums find another way to slither past defenses and into corporate networks. Keeping a watchful eye on end-user devices is especially critical today, in light of new forms of malware, like the RAT (remote access Trojans) and polymorphic viruses.
The FBI recently warned about an increase in blended attacks against banks in the United States. Perhaps you have received one of the phishing emails that look remarkably like legitimate emails sent by banking institutions. But you had best not click on those emails, because it is likely to install a RAT onto your computer. If you fall a little further into the criminal’s trap and are actually duped into entering your log-in information, then you could see your bank account wiped out.
Obviously, attacks on banks are nothing new. Banks will always attract thieves because “that’s where the money is,” as the notorious bank robber Willie Sutton put it.
But as the big banks shore up their defenses, cyber criminals are going down market and using their RAT-phishing attack against smaller regional banks and companies in other industries, says George Tubin, a senior security strategist for Trusteer, a security software firm based in Boston, Massachusetts.
Since it was founded six years ago, Trusteer has focused its efforts on helping protect banks. The company’s software is designed to prevent sophisticated malware from invading corporate IT systems. Its offerings complement traditional antivirus tools by closely watching the behavior of sensitive applications, as opposed to the traditional approach of looking for malware file signatures. Many of the largest U.S. banks use Trusteer’s protected-session technology to prevent unauthorized access to their applications, Tubin says.
But recently Trusteer began to focus on serving customers in other industries because that’s what the cyber criminals were doing. “The criminals were using very similar techniques and malware as they were using to go after bank customers to go after corporations, employees, and contractors for various companies,” Tubin says. “The criminals are using the same techniques, because they work. They’re in business to make money, and they’ve already got the low hanging fruit. So we’ve seen the cyber criminals moving from mega banks down to smaller banks” and to companies in other industries.
To hear Tubin, one gets the impression that the world’s e-commerce is a wide open field for cyber criminals, and that these opportunities are driving innovation in the computer crime industry.
Just as the legitimate IT industry has standardization, so too does the IT underworld. “A lot of these RATs are easy to get. You do a search on Google for ‘Poison Ivy,’ and you can download a RAT. Then all you have to do is get somebody to install it, which is usually easy enough to trick somebody into doing,” he says.
Cyber criminals are also struggling with “big data.” “We see in underground forums that criminals sell logs and parsing tools. They have loads and loads of data from people’s devices that are just sitting in log files that they just don’t have the bandwidth to deal with,” he says.
Polymorphic malware, in particular, is giving cyber criminals a powerful new tool to steal valuable data without triggering traditional defenses. “Polymorphic malware is designed to rewrite itself and morph into different file sizes, different file structures, and different file names, and to install itself in different places, so it’s very hard to identify using just signature-based technology,” Tubin says.
In August, Trusteer researchers discovered a new type of polymorphic malware that it named Tilon that has “great evasion capabilities. It injects itself into legitimate running processes, then erases the rest of its files so it’s only running in memory. And then before the system shuts down, it will sort of rewrite itself, rewrite the file that will execute [from disk] at startup so that it can come back to life again.”
The explosion of smartphones and tablets is only going to make the state of security even worse. Studies show that only a small fraction of users have any type of anti-malware software installed on their mobile devices, let alone advanced malware solutions like the kind offered by Trusteer. Businesses are under pressure to allow their employees to bring their devices to work. But security is compromised when those devices go home.
“It’s very easy for an employee, when off the network, to get some type of malware installed, have that malware capture credentials, then disappear,” Tubin says. “The traditional network security tools will never know that happened, and yet that employee’s credentials are now compromised.
“The problem is the network perimeter that we traditionally saw as the corporate network–the protection of the four walls–has changed. It’s no longer the network in that building. The network has now expanded out to the end points that are sitting outside the enterprise, so the more institutions are allowing employees to access the network remotely and access it from unmanned devices, whether it’s tablets or laptops or smart phones, the less the systems that are in place to protect the network can do their job.”
The Internet has never been a completely safe place, and it never will. Mobile devices are expected to outnumber PCs on the Web in the near future, and cyber criminals are practically salivating at the prospect. Unless companies and users take some kind of actions to keep their mobile devices safe in the face of changing threats, those fancy new iPhones will begin to resemble sitting ducks.