Real World Impact of IE Flaw
It is easy to write about the latest security flaw in Microsoft's Windows operating system as if it were some abstract threat that hackers may or may not get around to exploiting at some point. But when you have evidence that a single phishing group is using the vulnerability to steal online banking and e-commerce credentials from thousands of victims each day, the threat suddenly becomes a great deal more personal and real.
Take, for instance, the data being collected by San Diego-based Secure Science Corp., a company that offers stolen-data retrieval services for financial institutions. Most of the criminal groups the company monitors filch data by spamming out e-mails with links to Web sites that use a variety of known Internet Explorer and Windows weaknesses to install malicious code.
Once installed, that malware steals stored user names and passwords and records what the victim types when he or she visits targeted financial sites. Secure Science can intercept that data by finding the location of "dead drops" -- e-mail inboxes or Web site databases set up by the attackers to receive information stolen from infected machines.
In the first half of March -- prior to the release of code showing attackers exactly how to exploit a previously unknown (and currently unpatched) flaw in IE -- Secure Science tracked a single hacker group stealing between 1.5 and 2 megabytes of text data from victims each day (a small novel might take up about 1 megabyte of text data). The company found that a data cache of that size usually contains a mix of roughly 1,000 credit card numbers or login credentials for Web mail and online banking sites.
Ever since the third week in March, when the latest IE exploit surfaced, Secure Science has watched that same phishing group's daily catch increase exponentially. Lance James, the company's chief scientist, said the group's dead drops are now choking on 80 to 115 megabytes of stolen data each day.
James looked through the company's database for the particulars of this group's haul from March 31, when the drop box received 108 megabytes' worth of data stolen from infected machines. On that day alone, the phishers gleaned personal and financial information on 13,677 accounts, including 3,536 credit card account numbers; 255 PayPal accounts; 1,038 eBay accounts; 93 user names and passwords for Bank of America online accounts; and login credentials for some 2,609 Hotmail e-mail accounts.
(It may be tempting to discount the sensitivity of compromised e-mail accounts, but many computer users sign up with dozens of online merchants and financial institutions using the same e-mail account, and if that account is compromised the attackers can use it to reset the victim's credentials on all of the merchant sites tied to that e-mail address.)
I interviewed James because I just finished reading his book "Phishing Exposed," in which he profiles the stealthy attacks used by phishing groups and highlights some pervasive security problems with many banking sites. James said it's important to understand that "phishing groups" aren't limited to criminals who use e-mails to dupe people. Rather, he said, most of the individuals profiting from phishing sites also are creating and distributing malicious code that steals the same information.
According to James, many of these groups are based in Russia and in countries that lack either extradition agreements with the United States or explicit laws against phishing activity. For many phishing gangs, the chance of being brought to justice is slim, while the potential payoff is high. "There is a lot of play in this game," James said. "The average phishing group can pull in around $300,000 a month, or between $2.5 million and $3.5 million a year."
Secure Science's data from just one phishing group appears to offer yet another contradiction to Microsoft's claim that this latest IE flaw isn't being widely exploited. In a blog post I wrote last week, I found hundreds of people whose computers had been seeded with password-stealing programs after visiting hacked Web sites designed to take advantage of the new IE flaw (that post also was picked up by "news-for-nerds" site Slashdot). I had the opportunity to peek into one of these dead drop databases, and was alarmed to discover that the scammers hit about one new victim every minute.