ESET Threat Blog

Archive for the 'money mule' Category

Operation Cyber ShockWave


Tuesday, February 16th, 2010

While serving in the Marine Corps, one activity that I felt was effective in preparing both myself and my unit to be able to handle real-world scenarios was getting as much experience as possible from military training exercises. In most cases multiple branches worked together or, as in the case with NATO exercises, multiple countries worked together. The goal was always to prepare us for various potential scenarios as well as learning to quickly adapt due to the impossible-to-calculate number of permutations of attacker, weapons, target, collateral damage, etc.

Today the Bipartisan Policy Center (BPC) held a simulated cyber attack against the United States. The goal was to take a group of former high-ranking Cabinet and national security officials and successfully complete the mission of advising the president throughout the crisis. Their responses were in real time, as were the intelligence and news feeds. The full list of participants is available from the PRNewsWire press release (http://www.prnewswire.com/news-releases/cyber-shockwave-hits-washington-83570087.html).

The exercise began at 10 am EST and lasted for three hours. During that time, the attack escalated from cellular networks to electrical utilities. The exercise was designed by former CIA Director Michael Hayden in partnership with the BPC. 

To understand the scope and capabilities of the adversaries we are facing in today's connected world, I selected what I thought was a very applicable report: Annual Threat Assessment of the US Intelligence Community for the Senate Select Committee on Intelligence. This report is from the congressional testimony on February 2, 2010, by US Director of National Intelligence, Dennis Blair. Below are samplings of his comments: 

"The cyber criminal sector in particular has displayed remarkable technical innovation with an agility presently exceeding the response capability of network defenders. Criminals are developing new, difficult-to-counter tools."

"Criminals are collaborating globally and exchanging tools and expertise to circumvent defensive efforts, which makes it increasingly difficult for network defenders and law enforcement to detect and disrupt malicious activities."

The full testimony (PDF) is available here (http://www.dni.gov/testimonies/20100202_testimony.pdf).

This brings to mind the old adage, "fight fire with fire" – which is applicable when combating cybercrime and cyber attackers. Continually increasing global cooperation (for instance: laws, extradition agreements, criminal sentences) coupled with fast-paced innovation can have the direct impact of not only closing the gap, but also plain and simply putting them in a "hurt locker" (aka "world of hurt") since, in many cases, cybercriminals/attackers don't feel pain commensurate with the scale and scope of their crimes. 

I brought up cybercrime because a number of the tools and techniques are similar or identical between cybercriminals and those that would wage cyber warfare. In fact, if you were to follow the money trail of all cybercrime activity there is a very high probability that you will ultimately encounter an adversary that is planning, or conducting, cyber attacks against the United States.  

By now you can read about operation Cyber ShockWave from just about anywhere on the 'net. You can also go to the Bipartisan Policy Center's web site directly: http://www.bipartisanpolicy.org/events/cyber2010. This weekend CNN will be providing special coverage of Cyber ShockWave (Saturday February 20). 

Hopefully this exercise provided realistic attacks and the video coverage will show the decision-makers "making the call" in different scenarios. For obvious reasons, the "big gaping holes" shouldn't be exposed to the world, but at the very least, it does bring awareness to a problem that governments across the world face on a daily basis – how to handle the dynamic nature of threats as they continually evolve. 

Jeff Debrosse

Sr. Research Director

BBC Click: Net scams and jobseekers


Sunday, January 10th, 2010

You may have gathered from some of the blogs published here last year that I'm not the biggest fan of the BBC's "Click" programme. I regard the Beeb's forays into buying botnets and stolen credit card details and making active use of them as at best naive. I agree that people need to be aware of such issues, but I don't happen to think it's necessary for a public body that prides itself on its high standards to engage in near-criminal activity itself in order to raise awareness, still less to foster unequivocally criminal behaviour by making payments to real criminals. I don't happen to think that the end always justifies the means, especially if the "end" is self-serving self-publicity, which is certainly not an end that justifies any means.

Still, I found myself this morning looking at a "Click" item on Internet scams. There's information on both the item and the availability of the programme in an article called "Net scams profit from desperate jobseekers" by Marc Cieslak: you can find it at http://news.bbc.co.uk/1/hi/programmes/click_online/8448966.stm.

Some of the detail is a bit misleading: there's nothing new about using "mules" for money laundering, a practice often called mule-driving, that's been around about as long as bank phishing, and there are plenty of job-related scams that have been around much longer (there's a sub-class of 419 that includes some of them). So it's not altogether correct to suggest that this has arisen in response to the recent/current (depending on where you live…) economic downturn and consequent increases in unemployment. Nonetheless, it wouldn't surprise me if such scams have, in fact, increased in volume (and successful deployment) as more people have become unemployed or at least concerned about the possibility of unemployment. If there's one thing I've learned from 20 years in security, it's that there is no romantic notion of honour and Robin Hood hustling among cybercriminals: anyone is considered fair game for a scammer, however badly off the victim may be already.

As I've said quite recently (see http://www.eset.com/threat-center/blog/2009/11/17/no-mules-fool), it's sometimes too easy for those of us who specialize in monitoring and fighting cybercrime to forget that criminal manipulation and social engineering that is old hat to us is nonetheless quite successfully duping innocent (if naive) individuals into engaging in criminal activity. So I'm happy, for once, to be able to recommend a "Click" item that hasn't, to the best of my knowledge, put a single penny into the pocket of a cybercriminal.

You may also find http://www.cyberfraud.org.uk/ worth a look. Its founder, Caroline Coats, apparently set it up after becoming a cybercrime victim herself. [Thanks to Lee for pointing out that that link doesn't work without the www!]

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or @ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macviruscom.wordpress.com/

No Mule’s Fool


Tuesday, November 17th, 2009

After a few years in the security business, it's easy to get a bit too used to the background noise, and forget that not everyone is familiar with concepts like phishing (see Randy's recent blog at http://www.eset.com/threat-center/blog/2009/11/16/once-upon-a-cybercrime%e2%80%a6), or botnets ("whatever they are", as my brother said to me quite recently), or money mules. I've written about muledriving quite a few times in the past ten years, so it comes as a bit of a shock to realize that according to a survey by GetSafeOnline.org, nine out of ten people don't know what a money mule is. Well, less of a shock now that I've seen the CERC survey that Randy's blog cites.

According to the song by Johnny Burke and Jimmy Van Heusen, a mule is an animal with long funny ears, a brawny back, and a weak brain. In the twilight world of drugs, phishing and money-laundering, the term has more sinister connotations. 

A money mule may be a courier, like the mules we hear of in drug-trafficking, but in the phishing world, is likelier to be someone whose bank account is used to launder money. When a phisher steals money from an account in another country, it can be difficult for them to transfer it across international borders. It’s much easier for them to recruit “mules” in the same country (and even using the same bank) as the victim. The money is transferred to the mule’s account, and he in turn forwards the money overseas using a wire transfer service, having deducted his commission. Not only does this make the transfer easier, it can make it harder for police forces to trace the gangs. A mule may also receive goods ordered with a misappropriated credit card and sell them or forward them.

Muledrivers (the guys who recruit and direct money-mules) sometimes go to considerable trouble to make their recruitment emails and sites look genuine, and indeed sometimes go through genuine job-sites, so it's quite likely that some mules aren't aware that they're engaged in criminal activity. Unfortunately for them, when the police come knocking, it's more likely to be on a mule's door than the muledriver's.

None of this is particularly new – it's at least as old as phishing as we now understand it. But that doesn't mean it's not a major problem. According to Get Safe Online (The Blog), "At any given time, there are approximately 100 known mule recruitment sites targeting the UK, each of which may have lured in around 50 active mules. The risk is that by allowing their bank accounts to be used to receive and transfer illegal funds, mules are breaking the law – even if they don’t realise it."

I'm currently revisiting muledriving for a white paper. In the meantime, any recruiter who mails you apparently at random (the way that phishers do) is just using a spammer mailing list. Unpersonalized recruitment mails are bad karma. And anyone who's interested in recruiting you for your bank account is almost certainly a badhat. Impressive job titles like "finance manager" or "shipping manager" notwithstanding.
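Turning the rules of thumb above into a triage check, as an added example that is not part of the original post: a Python scorer that weights the indicators the post lists (an unpersonalized mass mailing, interest in your bank account, forwarding money for a commission, receiving and reshipping goods, grand job titles) and runs them over three constructed sample emails. The patterns, weights, thresholds and sample emails are my assumptions, chosen for illustration rather than taken from any real campaign.

```python
"""Heuristic triage of job-offer emails for money-mule recruitment indicators.

Added example, not from the ESET post or any ESET product. The indicators are
the ones the post describes; weights, thresholds and sample emails are
constructed assumptions for illustration.
"""
import re

# Each indicator: (label, regex, weight). Weights are an assumption.
INDICATORS = [
    ("bank_account",   # recruiter is interested in your account, not your skills
     re.compile(r"\b(?:your|a|an|own)\s+(?:bank|checking|personal)\s+account\b", re.I), 3),
    ("forward_funds",  # you are asked to move money onward for someone else
     re.compile(r"\b(?:forward|transfer|wire|send)\b[^.]{0,40}?\b(?:funds|money|payments?)\b", re.I), 3),
    ("commission",     # you keep a percentage of what passes through
     re.compile(r"\b(?:commission|keep|retain)\b[^.]{0,25}?\b\d{1,2}\s?%", re.I), 2),
    ("reship_goods",   # receiving parcels or goods to forward (the reshipping variant)
     re.compile(r"\b(?:receive|accept)\b[^.]{0,30}?\b(?:parcels?|packages?|goods)\b", re.I), 2),
    ("grand_title",    # "finance manager" / "shipping manager" style titles
     re.compile(r"\b(?:finance|financial|shipping|payment|transaction)\s+(?:manager|agent|representative)\b", re.I), 1),
    ("no_experience",
     re.compile(r"\bno (?:prior |previous )?experience\b", re.I), 1),
]

UNPERSONALIZED_WEIGHT = 2  # assumption: a mass mailing that does not know your name


def is_unpersonalized(email):
    """True when no part of the recipient's name appears in the opening of the body.

    A recruiter mailing "apparently at random" is working from a spammer's list
    and will not know who you are. If no recipient name is known at all, the
    mail is treated as unpersonalized (conservative default).
    """
    name_parts = [p.lower() for p in email.get("to_name", "").split() if len(p) >= 3]
    head = email["body"][:120].lower()
    return not any(p in head for p in name_parts)


def score_email(email):
    """Return (score, matched_labels) for one email dict with to_name, subject, body."""
    text = email["subject"] + "\n" + email["body"]
    labels, score = [], 0
    for label, pattern, weight in INDICATORS:
        if pattern.search(text):
            labels.append(label)
            score += weight
    if is_unpersonalized(email):
        labels.append("unpersonalized")
        score += UNPERSONALIZED_WEIGHT
    return score, labels


def classify(email, strong=5, weak=2):
    """Map the score onto a verdict; thresholds are assumptions."""
    score, _ = score_email(email)
    if score >= strong:
        return "likely mule recruitment"
    if score >= weak:
        return "some indicators"
    return "no indicators"


# Constructed sample emails (not real messages).
MULE_EMAIL = {
    "to_name": "Alice Example",
    "subject": "Financial Manager position - no experience required",
    "body": ("Dear Applicant,\n\nOur company is seeking a Financial Manager in your region. "
             "You will receive payments from our clients into your bank account and forward "
             "the funds to our head office by wire transfer. You keep 10% commission on every "
             "transaction. No experience needed.\n"),
}
RESHIP_EMAIL = {
    "to_name": "Alice Example",
    "subject": "Shipping Agent wanted",
    "body": ("Dear Alice,\n\nWe need a Shipping Agent to receive parcels at your home address "
             "and send them on to our customers abroad. Packaging is supplied.\n"),
}
LEGIT_EMAIL = {
    "to_name": "Alice Example",
    "subject": "Interview invitation: Junior Systems Administrator",
    "body": ("Hi Alice,\n\nThank you for applying for the Junior Systems Administrator role. "
             "We would like to invite you to a technical interview at our office next Tuesday. "
             "Please bring photo identification.\n"),
}

if __name__ == "__main__":
    for mail in (MULE_EMAIL, RESHIP_EMAIL, LEGIT_EMAIL):
        score, labels = score_email(mail)
        print(f"{mail['subject']!r}: {classify(mail)} (score {score}, {labels})")
```

The point of the scorer is not any single pattern but the combination: a single "no experience" line is unremarkable, whereas an unpersonalized mail that wants your bank account and pays a percentage for forwarding money hits the post's indicators all at once. Anything a user-facing mail filter flagged this way should be reviewed by a person, since the patterns are deliberately crude and a legitimate finance role could trip one or two of them.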

[1] "Stalkers on your desktop", in AVIEN Malware Defense Guide (ed. Harley, Syngress 2007): http://www.amazon.com/AVIEN-Malware-Defense-Guide-Enterprise/dp/1597491640

[2] "The Spam-ish Inquisition" (Harley & Lee, 2007): http://www.eset.com/download/whitepapers/Spamish_Inquisition.pdf

[3] "A Pretty Kettle of Phish" (Harley & Lee, 2007): http://www.eset.com/download/whitepapers/Pretty_Kettle_of_Phish.pdf

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Cybersecurity Awareness Month – Awareness for the Next Generation


Thursday, October 1st, 2009

"Now may I suggest some of the things we must do if we are to make the American dream a reality. First, I think all of us must develop a world perspective if we are to survive. The American dream will not become a reality devoid of the larger dream of brotherhood and peace and goodwill. The world in which we live is a world of geographical oneness…" - Dr. Martin Luther King, from a speech delivered at Lincoln University, Pennsylvania, June 6, 1961

If Dr. King had still been alive today to see the wonders of the global connectivity of the Internet, he would probably consider the quoted portion of his speech as a "statement before its time."

Today the global Internet penetration rate stands at approximately 24%. With a global population of 6.7 billion, that equates to roughly 1.6 billion users on the Internet across the globe. At the current penetration rate, cybercrime has become pervasive, pandemic and increasingly connected with other parts of the criminal ecosystem. It ranges from the theft of an individual’s identity to the complete disruption of a country’s Internet connectivity due to a massive distributed attack against its networking and computing resources.

With the remaining 5 billion users to connect to the Internet, there are significant challenges – one of which is cybercrime (via its many methods). There are technological preventative measures that help mitigate cybercrime attacks, but technology alone is not the answer.

The next one billion users on the Internet will not come from developed countries, but rather mostly from developing countries. Awareness, even simple levels of awareness, of various types of risks and cybercrime attacks can yield positive results. This is primarily due to the fact that the weakest link in the “security chain” is, correctly, always quoted as being the end user. The additional one billion users on the Internet will be considered “fresh targets” by the cybercriminals.

The target of cybercrime centers on information – the data that is electronically stored for retrieval and subsequent use. For instance, even with varying levels of per-capita income, the amount of money that stands to be lost to a cybercrime called “phishing” (one of the most common online attacks where a person is socially engineered to provide personally identifiable information by someone posing to be a trusted source) has the potential to be quite significant due to the sheer number of users at risk (unaware).

A real-world example of the scope of the threat: cybercrimes, like phishing and data breaches, are a scalable threat to the United States. These threats are so severe they are detailed as national security threats in the 2009 Annual Threat Assessment Intelligence Briefing to the Senate Intelligence Committee. This represents the scope of one cybercrime problem in a single country, whose users have had several years of exposure to the Internet. New Internet users will face the same difficulties – but from cybercriminals that have also had years of experience and that have optimized their attack and evasion techniques.

Infrastructure build-out, deployment and subsequent end-user connectivity should be coupled with effective cybersecurity awareness training – in addition to application usage training. It is the ignorance of on-line risks that poses the greatest threat to the new generation of global Internet citizens. Coordinated global efforts in effective awareness training will transform these new Internet citizens from potential victims to increasingly aware, and less vulnerable, people as a whole.

Jeff Debrosse
Senior Research Director

Securing Our eCity community initiative: http://www.securingourecity.org/

Bumper Phish Phry or a Drop in the Bucket?


Saturday, November 29th, 2008

We’re very interested in the whole Phishing problem, not just the malware/banking Trojans side of the issue. So while free publicity for job sites is not exactly the business we’re in, I thought you might find this item interesting. The PhishBucket site describes itself as a nonprofit organization dedicated to protecting job seekers from fraudulent job offers. (Sounds good to me.) I’ve been aware of the site for some time, mostly through the Anti-Phishing Working Group, where the organization is represented: PhishBucket tracks and investigates fraudulent job offers such as money mule recruitment spam, job-related 419s, and pyramid schemes.

Today I came across a press release dealing with a new service PhishBucket is launching, called JobTank. Tabatha Marshall, the CEO, says of her joblisting service that it will apply a similar investigation/verification process to employers and recruiters who want to use it to advertise posts. Hopefully, all reputable job sites aspire to filter out scammers to the best of their ability, though PhishBucket’s experience with scammers should give them quite an edge. The twist, though, is that scammers who try to misuse the JobTank service are liable to find themselves added to the lists at PhishBucket, and the revenue earned from the JobTank listings will be used to underwrite PhishBucket’s operational costs. At a time when jobs are getting scarcer and scammers are taking advantage of that fact to promote job-related scams, this sounds to me like a resource worth investigating. If anyone out there tries it out, let us know how you get on. Even if you aren’t offering or looking for jobs, you might find the site worth looking at for the other scam-related resources it offers.

There’s a link to the whole press release here.

David Harley CISSP FBCS CITP
Director of Malware Intelligence