ecrime Trends Report: First Quarter 2012

Transcription

1 ecrime Trends Report: First Quarter 2012 IID, Internet Identity and the IID logo are trademarks of Internet Identity. All other registered trademarks are property of their respective owners. Copyright 2011, Internet Identity. All rights reserved

2 HIGHLIGHTS DNSChanger infections down, but persistent in Q1 o 74 Fortune 500 companies and five government agencies remain infected o Extension granted to FBI s temporary servers for those infected Cyber attacks continue to abuse DNS o Coach and UFC suffer DNS hijackings o Employee mobile devices in the workplace threaten network security Phishing abusing providers increased 333% over Q o Overall phishing attacks down 2% year over year o. tk enjoys third straight quarter of decreased abuse activity Page 2

3 The first quarter of 2012 shaped up to be keenly focused on DNS vulnerabilities, thanks largely to the ongoing conversation about the massive DNSChanger infection worldwide. Experts from various security standpoints weighed in on questions about the evolving DNS threat landscape, how we might expect it to grow and change, and what the security industry and those we serve can do to improve our chances of thwarting cyber attacks before they inflict major damage. Increased cooperation amongst private and public sector entities may prove to be a step in that direction and experts, including FBI Director Robert Mueller, got behind the idea that cooperation and information sharing between the groups is necessary to stay ahead of cyber criminals 1. DNSChanger update As of the end of Q1 2012, IID found that 74 Fortune 500 companies and five major U.S. federal agencies had at least one machine on their network infected with DNSChanger. Created in 2006, the DNSChanger malware changed infected systems domain name system (DNS) resolution settings to use rogue servers that redirected legitimate searches and URLs to malicious websites. In November 2011, the FBI working in concert with NASA, the Estonian police, and several private sector firms and security researchers put a major dent in the DNSChanger operation with the arrest of six Estonian nationals who are accused of manipulating millions of infected computers via DNSChanger. Along with the arrests, a number of computer systems the FBI says were being used as rogue DNS servers were seized. But instead of just being shut down, they were temporarily replaced with legitimate servers for 120 days. Just days before the March 8th deadline, a federal judge issued an extension of the FBI s temporary servers that enabled millions of computers and routers infected with DNSChanger to reach their intended Internet destinations 2. Without this extension, the FBI s servers would have been taken down, stranding those infected machines without Internet connection. As the deadline loomed, scores of individual users, businesses and government agencies failed to get their computers cleaned up. At the peak of the infections, IID reported that fully half of Fortune 500 companies and major government agencies were infected 3. By late February, those numbers were down significantly, but enough infections still persisted to necessitate the extension of those temporary FBI servers through July 9, Granting the extension of the FBI surrogate servers was the right thing to do to allow victims to get their machines cleaned up, and diagnosing and treating remaining infected machines continues to be of the utmost importance. That s because DNSChanger disables Anti-Virus (A/V) and regular software updates, exposing victims to attacks from other virus families. Even if the deadline were to be extended a second time, leaving infected machines untreated in the meantime exposes individuals, companies and government agencies to a slew of possibly bigger problems than just having the Internet go dark Page 3

4 IID continues to offer its assistance to any organization that wishes to determine the impact DNSChanger has had on its network. IID is also assisting with notification and clean-up efforts as part of the DNS Changer Working Group. Further information on the malware, the collaborative clean-up effort, and tools for testing for infections can be found at the DNS Changer Working Group website 5. Importance of DNS security continues to grow for enterprises Implementation of a DNS firewall a DNS resolver that blocks connections to known malicious Internet locations remains urgently important for organizations in all sectors. Consensus among industry experts suggests that well over 80% of malware attacks already involve some degree of DNS abuse, and 5% relies exclusively on DNS for communications 6. Making this threat channel especially dangerous is the fact that few people are watching their DNS for signs of intrusion, making it easier for a hacker to get in and out undetected. Without a DNS firewall in place, employees may be unwittingly jeopardizing their companies with unwise clicks and connections to known malicious Internet locations. In fact, a recent study out of the UK reported that 40% of surveyed businesses there have been breached as the result of employees clicking on links in spam messages % of respondents to the survey reported that they received too much spam, a situation that might leave employees feeling overwhelmed and even incapable of determining which messages are legitimate. With so much floating around, no wonder employees are unsure about what s safe to click and what s not. Clicking a link in any one of those spam messages could potentially result in an infection by something like DNSChanger or any number of other pieces of malicious software. In addition to on-going employee education about the always changing cyber threats companies face, the implementation of a DNS firewall with up-to-date data about known malicious Internet locations could potentially save these organizations from disastrous mistakes. Spam, malicious links and malware aren t going away, but a DNS firewall that stands between the machine requesting the connection and the malicious location that would be all too happy to connect with that company computer can save users from themselves and organizations from their employees. With such a safeguard in place, many of the breaches noted in the UK study, as well as the ongoing breaches and infections around the world, may have been avoided altogether. Employee mobile devices put workplace network security at risk The security industry has tracked a rapid rise in malicious software targeting mobile devices in the last year, both with illegitimate apps, and with legitimate apps that have been compromised and repurposed as malicious ones. When malware is downloaded onto a phone, criminals can essentially take over that phone and gain access to any information that is shared on it from s and text messages to bank login information without the phone s owner even knowing it s happened. The presence of such malware is growing at a rate that is fast, but not surprising given the pervasiveness of personal mobile Page 4

5 devices today. The now-common practice of employees bringing their own devices to work (BYOD) should certainly concern employers, as those mobile phones, tablets and other devices connect to the company network, and act as an insecure portal into the network. Any of those BYOD devices could easily have been compromised with a piece of mobile malware, giving that malware access to company data via the network. There may be no keeping personal devices outside the company walls anymore. Personal computing and communication devices have permeated personal and professional life, and simply telling employees to leave them home just won t fly. While there may be little hope of keeping those devices out of the office, companies can install a line of defense against the malware that might sneak in on employees devices. Organizations must treat their networks as vulnerable to intrusion with or without the presence of employees own mobile devices in order to fully protect them. Bad guys might get in through any number of means; discovering their presence quickly can help to stop spreading infection and data leakage before it gets out of control. Having up-to-date, actionable information about potentially dangerous Internet locations and about networked computers attempting to connect with those locations could be invaluable to an enterprise. Such information might save a company from an employees unwitting visit to a known malicious Internet location, and by extension, save the company from a malware infection or resulting data leakage. NASA hits a snag with DNSSEC implementation In an example of the progress still left to be made in the Domain Name System Security Extension (DNSSEC) implementation process, NASA s website went dark in January when the DNSSEC configuration for nasa.gov was improperly signed by NASA. Many visitors to nasa.gov found the site inaccessible when the US s largest ISP, Comcast, automatically blocked the misconfigured domain name to all its users 8. Comcast has recently rolled out DNSSEC validation system-wide, and this glitch provided an important lesson in managing DNSSEC-signed domains. The DNSSEC configuration process is a sometimes complex procedure that leaves room for human error, which is what occurred when NASA failed to verify that the same signing key was used at two points in the signing process. The error brings to light areas in which the DNSSEC implementation process needs some additional scrutiny for companies starting or considering starting their own implementation of the security protocol. Statistical breakdown Overall phishing was down slightly, at a 2% decrease year over year, but not in all segments. Specifically, service providers felt the heat in Q1 as the rates by which they were abused rose by 333% quarter over quarter. This was likely due to the industry s recent disruption of spamming botnets, as well as improved authentication technology. These developments have forced those spammers to reinvent themselves by hijacking legitimate accounts. 8 Page 5

6 Overall spam volume was reportedly down 37% in Q compared to Q1 2011, with the decrease largely attributed to the takedown of the Rustock and other botnets 9. As a result, cyber criminals have moved to online services and need compromised credentials in order to send spam to potential victims. The growing use of authentication technologies has enabled mailbox hosting providers to more easily separate legitimate messages from fake ones. As these technologies improve, service providers are able to flag more suspicious messages before they make it to users inboxes. The significant increase in phishing for account credentials reflects criminals need for fresh crops of compromised accounts with unsullied reputations, as messages sent from those accounts are most likely to succeed in making it past spam filters, and the IP addresses used to send that cannot be blocked 10. IID is very happy to report that for the third straight quarter, phishing has declined on the.tk TLD, following their move to reduce the number of fraudulent registrations on their service. After partnering with IID, Facebook, the Anti-Phishing Alliance of China (APAC) and others to develop a trusted reporter relationship, fraud on the TLD dipped again in Q1, down 64% over the previous quarter. The sustained success the.tk registry has seen after implementing their anti-abuse program is encouraging, and IID is proud to be a continued part of this innovative effort Page 6

7 Phishing by TLD - Q1 2012! Other (161) 29%.com 42%.ru 2%.tk 2%.uk 2%!IP Based 3%.br 4%.pl 4%.org 4%.net 8% Major brands suffer intrusions by criminals and hacktivists Sony was back in the news in Q1 following reports of yet another breach of their servers. This time it wasn t user data that was stolen, but Sony s own property the 50,000-track catalog of Michael Jackson s music, which Sony purchased for $250 million in Two men have been arrested in the UK following the theft, which was perpetrated shortly after the widely publicized breaches of Sony s systems in the spring of Those breaches lead to the compromise of user data for over 77 million of Sony s customers and resulted in a complete shutdown of parts of their services for nearly a month 12. As yet, there have been no reports of the music, which includes unreleased tracks, hitting the Internet. Regardless of whether the music eventually makes it to the public and it seems likely that it would the breach of a $250 million property makes this one more in a string of very pricy intrusions for Sony. Intrusions into the domain management accounts for brands UFC and Coach resulted DNS hijackings and redirection of their websites 13. In January, the domain name UFC.com was hijacked by a hacktivist group that apparently didn t like the mixed-martial arts fighting organization s support of the SOPA/PIPA bills. Later, that same group, called UGNazi, hijacked two domain names, coach.com and coachfactory.com, belonging to luxury goods maker Coach Inc. for the same reason. Thankfully, both DNS hijack attacks were defeated within a few hours and none of the websites were hacked or compromised as many online reports suggested at the time. Both Coach and UFC got lucky that the hacktivist criminals were apparently inexperienced in the matter of DNS hijackings, which made it relatively easy to mitigate the attacks Page 7

8 Many companies pay little if any attention to securing their domain registrations, and most do not continuously monitor their DNS to make sure it is resolving properly around the world, so they are both vulnerable to attacks and blind to them when they happen. Both Coach and UFC had their domains registered at Network Solutions and the criminals hijacked the domains by accessing the companies domain management accounts at the registrar. It s currently unclear how they did so, but in such cases the cause is usually weak or compromised user passwords or a website vulnerability at the registrar. Since very few registrars use multi-factor authentication, this makes taking over domain names almost trivially easy for any hacker. Given how easy it may be for hackers to take over a domain, companies must always monitor their DNS for proper resolution. It s smart to try to keep the criminals out, but it s even smarter to have a strategy for knowing as soon as they get in. Frontline Report: South Sound Technology Conference & cybersecurity by Chris Richardson, Manager of Federal Programs On March 9, 2012, IID was pleased to once again take part in the annual technology gathering that brings together leading voices from academia, government, a variety of business sectors, and the community at-large from around the Puget Sound area. The University of Washington Tacoma Institute of Technology hosts the event every year, and there was standing room only with over 300 attendees. A chief reason for the capacity crowd was the keynote speech delivered by White House Cybersecurity Coordinator Howard Schmidt following the morning session s focus on the worldwide explosion in mobile applications. Information sharing for collective defense was a hot topic both in Mr. Schmidt s speech and in the keynote panel, moderated by IID s President and CTO Rod Rasmussen. Mr. Schmidt emphasized the need for public-private sector cyber threat information sharing, and the need for cyber incident prevention, especially in cases where various members of the community can easily come together and prevent them. One question from the floor prompted further discussion around this topic: Why don t we share more as an industry? Mr. Schmidt pointed out the perceived competitive counterpressures private sector companies have in sharing, as well as the lack of a common lexicon, which leads to a Tower of Babel state of affairs, despite best intentions. Other panel questions highlighted the real challenge presented by a dearth of sufficiently qualified cybersecurity operators, especially in the public sector. The Cavalry is Coming UW Professor Barbara Endicott-Popovsky, spoke to this particular concern by pointing out all the relatively new cyber programs in higher education and that more students are now enrolled in this field than ever before. A common theme across the conference was that cybercrime in general was a fast and ever-moving target, thus the demands placed on the community of defenders continue to change. This theme was also reiterated in some of the breakout sessions. Active participation is the necessary-but-not-sufficient ingredient for true collective intelligence across the cybersecurity spectrum. IID was proud to help plan, sponsor, and send a large contingency of staff to support collaboration and cooperation across the region. We invite our local clients and partners to actively engage the broader community and share knowledge. Page 8