Phishing, Bot Herding, and Other Emerging Cyber Terms

Sophos: “Sharp increase in web-based malware this year”
The number of websites Sophos was blocking jumped from about 5,000 per day a year ago to 29,700 by this spring.
SC Magazine, July 26, 2007

The annual loss due to computer crime was estimated to be $67.2 billion for U.S. organizations, with the majority of that ($49.3 billion) being related to identity theft, and $1 billion associated specifically with phishing.
U.S. GAO Report to Congressional Requesters (GAO-07-705), titled “CYBERCRIME: Public and Private Entities Face Challenges in Addressing Cyber Threats”, June 2007

Agenda
– Phishing
– Spear Phishing
– Whaling
– Pharming
– Botnets
– Bot Herding

What is “Phishing”?
Phishing is nothing more than social engineering.
Definitions:
– Social Engineering: the practice of obtaining confidential information by manipulating users.
– Phishing: spoofed email messages and websites designed to fool recipients into divulging personal financial information.
Phishing is set apart by the broad scale and low cost afforded by the Internet and its on-line anonymity.

How to Spot a Phish
Language that is informal or uncharacteristically unprofessional for the size of the apparent institution
– Look for misspellings and typos.
– Look for missing words and unpolished grammar.
Urgent instructions to take specified action
– “Click on the link or your account will be closed”
– “Supply requested details to remove this charge from your credit card …”
– “You will not be able to access your <your bank name> account without <your bank name> Online Banking Tool after …”

How to Spot a Phish (cont’d)
Generic greeting
– Messages beginning with “Dear Member” or “Valued Customer” are likely phish attempts.
– Legitimate business emails are far more likely to address you by name.
Request leaves you feeling something is not right
– Most financial institutions and service providers will NEVER contact you by telephone or email to ask you for your sensitive account details.
– You don’t even have an account with the company the email appears to have come from.

How to Spot a Phish (cont’d)
Overt offer to download software
– Banks will virtually never ask you to download and install software.
– NEVER respond to a solicitation to download and install software without first independently validating the source.
“Mouse over” any hyperlink in your email
– While not foolproof, a mismatch between the hyperlink text and the address shown in the status bar is a give-away.

How to Spot a Phish (cont’d)
Phishing attacks ultimately want to draw you to a web page
– The web page may install malicious software on your PC, without your knowledge or any action on your part.
– The web page may request that you provide sensitive information on web forms.
What signs suggest a web page may not be what it seems?
– The browser padlock icon is not “locked” and/or the web page address begins with “http” instead of “https”.
– The web site suggests that a displayed third-party icon proves security. TRUSTe, for example, is just a service to certify privacy practices … nothing more.

Spear Phishing
Works much like phishing, but the apparent source is well-known and trusted, and the intent is to gather information about corporate system accounts.
– Example: Email received from the CIO, saying IT is conducting an account audit, and you must cooperate per instructions or face disciplinary action.
– “Spear phishing is a pinpoint attack against some subset of people (users of a website or product, employees of a company, members of an organization) to attempt to undermine that company or organization.” [1]
[1] Spear Phishing, May 9, 2007, by Stephen Northcutt (http://www.sans.edu/resources/securitylab/spear_phish.php)

Whaling
If spear phishing is a specifically targeted phishing attack, then “whaling” is a very narrowly focused spear phishing attack.
– Focuses upon a very small group of senior personnel within an organization and tries to steal their credentials.
– Example: A CD, delivered via the normal postal mail system, supposedly containing evaluation software from a known supplier to the CIO, but containing a hidden malware installer.
Description and example from “Spear Phishing and Whaling,” June 28, 2007, posted by Gunter Ollmann (http://blogs.iss.net/archive/SpearPhishing.html)

Pharming
Pharming is an attack intended to trick a web user into landing on a false copy of a desirable web site.
– The instructions that direct a web address to a server (name resolution) are altered either at the user’s PC or at their Internet Service Provider.
– Even by manually typing a web address you know to be accurate, you might be misrouted to a close or exact copy of what you expected to see.
Newer web browsers have features to help identify suspicious web sites.
Beware of any changes to the logon screen. If you are asked for anything out of the ordinary, do not enter ANY information.

Pharming (cont’d)
The ‘hosts’ file -- C:\WINDOWS\system32\drivers\etc
The hosts file maps host names to IP addresses on the local PC and is consulted before DNS, so a malicious entry there redirects even a correctly typed address.

Test Yourself . . .

What Can We Do?
Do not provide personal information or information about your organization to unknown persons.
Do not reveal personal or financial information in E-mail.
Don't send sensitive information over the Internet before checking a Website's security.
If you are unsure whether an E-mail request is legitimate, try to verify it by contacting the company directly, calling the number on your financial statements or on the back of your credit card.

Other Resources
U.S. Federal Trade Commission's "How Not to Get Hooked by a ‘Phishing’ Scam": http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt127.shtm
U.S. Computer Emergency Readiness Team's Cyber Security Tip, "Avoiding Social Engineering and Phishing Attacks": http://www.us-cert.gov/cas/tips/ST04-014.html

Botnets
“Generally used to refer to a collection of compromised computers (called zombie computers) running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure.” [1]
Common botnet uses:
– Distributed Denial of Service (DDoS)
– Email spam
– Adware/spyware
– Click fraud
[1] Botnet definition, Wikipedia.org (http://en.wikipedia.org/wiki/Botnet)

Anatomy of a Botnet
Introducing the cast members:
– Bot-herder or bot-master: amasses thousands, or hundreds of thousands, of bots/zombies for hire.
– Trojan software: used to compromise and control victim PCs.
– Victim: owner/user of a computer that is compromised with Trojan code and turned into a zombie.
– Cyber-criminal: pays bot-herders large sums of $$ for the nefarious use of their botnets.

What Can We Do?
Protect your PC
– Apply operating system and other software patches.
– Install antivirus and antispyware software (and maintain subscriptions to updated definition files).
– Install (or enable) personal PC firewall software.
– Be cautious when opening email attachments (open only expected attachments).
– Be cautious when clicking on hyperlinks in emails and web pages.
– Use a “phish aware” web browser.
FBI’s “Operation Bot Roast”
“More than 1 million computers - possibly yours, too - are used by hackers as remote-controlled robots …”
“What was viewed seven years ago as a kind of prank to boot people off-line has evolved into schemes to defraud people by stealing credit card and Social Security data, by crashing retail Web sites and through "pump-and-dump" online stock deals.”
Recent busts of botnet hackers, as part of the FBI's "Operation Bot Roast" sting:
– James C. Brewer, of Arlington, Texas … indicted … on charges of infecting more than 10,000 computers globally.
– Robert Alan Soloway of Seattle … for allegedly using botnets to send out millions upon millions of junk e-mails since 2003.
– Jason Michael Downey, of Covington, Ky. … accused … of flooding his botnet-linked computers with spam for an 11-week period in 2004.

Questions?
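The Pharming (cont’d) slide points at the local ‘hosts’ file as one place an attacker can pin a bank’s name to the wrong address. The audit below, an added example that is not part of the original deck, parses a hosts-file body and separates entries that pin a watch-listed domain from other non-loopback overrides that merely deserve a look; the file content, the watchlist domains and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts-file content. The real file is
# C:\WINDOWS\system32\drivers\etc\hosts on Windows and /etc/hosts on Unix-like systems.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example                           # ad-blocking style entry
192.0.2.50      www.examplebank.com examplebank.com   # pharming-style override
10.0.0.5        intranet.corp.example                 # internal override, review it
"""

# Hypothetical watchlist: domains whose resolution should never be pinned on a client PC.
WATCHLIST = {"examplebank.com", "examplecard.com"}


def parent_domains(host):
    """'www.examplebank.com' -> {'www.examplebank.com', 'examplebank.com'}."""
    labels = host.lower().rstrip(".").split(".")
    return {".".join(labels[i:]) for i in range(len(labels) - 1)}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name


def audit_hosts(text, watchlist=WATCHLIST):
    """Return {'pinned_sensitive': [...], 'review': [...]} for a hosts-file body."""
    findings = {"pinned_sensitive": [], "review": []}
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings["review"].append((ip, name))  # malformed address field
            continue
        if parent_domains(name) & watchlist:
            findings["pinned_sensitive"].append((ip, name))
        elif not (addr.is_loopback or addr.is_unspecified):
            findings["review"].append((ip, name))  # legitimate overrides exist; confirm them
    return findings
```

Loopback and 0.0.0.0 entries are left alone because they are the normal content of a hosts file (and of ad-blocking lists); anything else is either a pinned sensitive domain or an override to confirm with whoever administers the PC.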