Identity Theft Smash & Grab, CEO Style
Tens of thousands of corporate executives were the target of a series of identity-theft scams this week, e-mail-borne schemes that appear to have netted close to 2,000 victims so far.
Early Monday morning, according to two security experts with firsthand knowledge of the attacks, nearly 20,000 executives received an e-mail purporting to be a subpoena ordering each recipient to appear in court for legal violations leveled against their company. The messages addressed each executive by name, and included their phone number and the name of their company.
Recipients who clicked the link were brought to a Web page that claimed they needed to install a Web browser add-on in order to view the subpoena. Those who agreed were shown an Adobe PDF document that referenced a lawsuit filed in a California district court.
The "add-on" in question was a component designed to steal usernames and passwords when the victim subsequently visited an online bank site or another page that requires those credentials (the malicious add-on installed only for users who visited the site with Microsoft's Internet Explorer Web browser). Approximately half of the recipients of the e-mail messages were executives at major financial institutions.
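A check an incident responder can run on a suspect Windows host, added here as an example and not part of the original article or the investigators' work: it enumerates the Internet Explorer add-ons registered as Browser Helper Objects, resolves each CLSID to the DLL it loads, and flags any DLL that is missing or lacks a valid Authenticode signature. It assumes the credential-stealing add-on was registered as a BHO (the article says only "add-on") and uses the standard registry locations IE reads; nothing in it comes from the malware sample itself.

```powershell
# Added example: inventory IE Browser Helper Objects and flag unsigned or missing DLLs.
# Assumption: the malicious add-on was registered as a BHO; other IE extension types
# (toolbars, ActiveX controls) live under different keys and are not covered here.

# BHOs are read from the native key and, on 64-bit Windows, from the WoW64 key
# used by 32-bit IE.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

# COM resolves a CLSID through HKEY_CLASSES_ROOT (merged HKLM + HKCU classes);
# check both the native and WoW64 class hives.
$clsidRoots = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID',
    'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
)

function Resolve-ClsidDll {
    param([string]$Clsid)
    foreach ($root in $clsidRoots) {
        $srv = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $srv) {
            # The default value of InprocServer32 is the DLL path, possibly quoted
            # or containing environment variables.
            $raw = (Get-ItemProperty -Path $srv).'(default)'
            if ($raw) {
                return [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
            }
        }
    }
    return $null
}

function Get-BhoInventory {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid = $sub.PSChildName
            $dll   = Resolve-ClsidDll -Clsid $clsid

            if (-not $dll) {
                $status = 'NoInprocServer32'
            } elseif (-not (Test-Path -LiteralPath $dll)) {
                $status = 'FileMissing'
            } else {
                # Valid / NotSigned / HashMismatch / UnknownError
                $status = (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
            }

            [pscustomobject]@{
                RegistryKey = $key
                CLSID       = $clsid
                Dll         = $dll
                Signature   = $status
            }
        }
    }
}

# Anything other than a valid signature deserves a closer look; compare against a
# known-good baseline from a clean build of the same image before acting on it.
Get-BhoInventory | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

An unsigned BHO is a lead, not a verdict: plenty of legitimate add-ons from the era shipped unsigned, and a signed binary can still be malicious, so the useful signal is a BHO that is not in the organisation's baseline for that image. Once a suspect DLL is identified, hash it and submit it to the anti-virus vendors, since the article notes that most products missed this sample.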
These types of targeted attacks are hardly uncommon, as cyber crime has grown more sophisticated and criminals more successful in stealing money from average home Internet users and businesses. But what distinguishes this week's attacks is that they have been hugely successful even though the methods employed by the cyber criminals directing them rank near the bottom of the scale in terms of sophistication and stealth.
According to Matt Richard, director of rapid response for iDefense (a unit of Verisign Inc. that works closely with financial institutions to limit losses from cyber fraud), the thieves behind this scam clearly hoped that victims would log into their bank accounts after infecting their systems with the malicious add-on. If they did, Richard said, the thieves would be able to snatch those banking credentials and quickly try to access the victim's bank account and siphon off as much money as possible.
Richard said the group responsible for this attack is based in Romania and is thought to have masterminded nearly two dozen similar attacks over the past year that netted the group millions of dollars. The same group is thought to be responsible for stealing $188,000 from a single victim in a similar attack featured as a case study in a confidential report from the Federal Deposit Insurance Corporation that Security Fix reported on in February.
These particular Romania-based scammers favor surprise over stealth, Richard said. The e-mail Trojan horse embedded in the fake federal case record consists of cut-and-paste exploits that should be routinely detected by most anti-virus products, but for whatever reason in this case were not. Only eight of some 35 anti-virus products on the market today detected the code sent in the e-mails as malicious, and noticeably absent from the list of those that did were the major anti-virus vendors, including McAfee, Symantec and Trend Micro (Richard said Microsoft's anti-virus solution is almost alone in consistently detecting this group's malware).
"These guys figure their attack -- from infection to stealing the money -- has to happen quickly, all in one day," Richard said. "The code they're using is as simple as Windows Programming for Internet Explorer 101. They don't send the stolen money all to one place, but distribute it around and use different methods, different accounts, so [the transactions] can't be easily canceled out."
"All around, they do a good job of risk management and keeping costs low," he said. "So, you could say these guys are more like business-degree malware guys than they are computer science malware guys, sort of your MBAs of the criminal hacking scene."
John Bambenek, an incident handler with the SANS Internet Storm Center, said in this case those who didn't click on the e-mailed link to the malicious Web site may have been saved by the attackers' poor English and their lack of understanding of how most legal documents are served in the United States.
"In this case, we were saved by the fact that the attackers have a poor knowledge of the U.S. legal system and an even worse grasp of the English language. However, the targeting of CEOs specifically and the information they are trying to take should give us pause. The bad guys are continuing to attack the weakest link in the security chain -- the end-user. While we're busy talking about malware, signatures and intrusion detection, users keep doing stupid things to get themselves owned."
Beyond the ability to siphon funds from corporate executives, the crooks in these scams can recycle the data they've stolen, selling it to identity thieves who want to establish lines of credit in the victim executive's name, or to governments seeking to conduct economic espionage, Richard said.
"That's the real long term danger here, because in each attack they get between 200 and a thousand victims, and all of [the victims] have some level of access to corporate data," Richard said. "How the crooks are going to use it and what they're going to do with it is the big danger."
April 15, 2008; 10:44 PM ET
Categories: Fraud , From the Bunker , Latest Warnings , Safety Tips , U.S. Government