
Threat Summaries


Q3 2008 Threat Summary


Challenge of bringing cyber criminals to justice

  • As courts and law enforcement struggle to stem the mounting Internet crime wave, F-Secure's Chief Research Officer Mikko Hypponen calls for the establishment of "Internetpol" to bring online criminals to justice
  • Phishers exploiting international banking crisis
  • US presidential election spam
  • Return of the malicious attachment

During the last quarter there have been several interesting legal cases involving Internet crime, which highlight the challenges of bringing cyber criminals to justice.

In the United States, a prolific spammer who had received a long prison sentence saw his conviction overturned by the Virginia Supreme Court in September. Jeremy Jaynes was the first person to be tried and sentenced under an anti-spam law enacted in 2003. Following an appeal, the Virginia Supreme Court decided that the state Anti-Spam Law violated the First Amendment to the United States Constitution concerning the right to free and anonymous speech.

The Court documents show that there was no question about Jaynes' guilt. He used several computers, routers and servers to send over 10,000 e-mails within a 24-hour period to subscribers of America Online, Inc. (AOL) on three separate occasions. He intentionally falsified the header information and sender domain names before transmitting the e-mails.

While searching Jaynes' home, police discovered CDs containing over 176 million full e-mail addresses and 1.3 billion e-mail user names. They also confiscated storage discs which contained private account information for millions of AOL subscribers. The AOL user information had been stolen from AOL by a former employee and was in Jaynes' possession.

Just six months ago, the same court upheld the Anti-Spam Law and determined that there is no First Amendment right to spam. The latest reversal has provoked many questions from Internet security commentators.


Teenage Kiwi botmaster has bright future

In New Zealand, Owen Thor Walker, 18, known online as "AKILL" and dubbed the "Kiwi botmaster king" in the international media, escaped a jail sentence in July despite pleading guilty to developing banking trojans that earned an estimated USD 15.4 million for a criminal gang.

The court ordered the teenager to pay damages and costs of about USD 10,800, with the judge describing him as a young man with a "potentially outstanding future" after he cooperated with the police. The judge stated that Walker, who suffers from Asperger's Syndrome, a mild form of autism, was hacking from curiosity rather than criminal intent.

Walker was arrested after an 18-month investigation by New Zealand, Dutch and American authorities. According to TVNZ, Walker collaborated with an American student to infect 1.3 million computers, costing the victims around USD 20 million. Walker is now reportedly being wooed by major computer companies overseas. Local police also said that Walker's "talents" could come in handy.


Lawsuits against scareware merchants

The Attorney General's Office in Washington, United States, and Microsoft recently announced that they are filing new lawsuits targeting scareware purveyors. One of the cases is against James Reed McCreary IV, who is accused of sending incessant pop-ups resembling system warnings to consumers' personal computers. The messages read "CRITICAL ERROR MESSAGE! - REGISTRY DAMAGED AND CORRUPTED," and instructed users to visit a Web site to download Registry Cleaner XP.

"Consumers who visited the Web site were offered a free scan to check their computer - but the program found 'critical' errors every time," said Senior Counsel Paula Selis, who leads the Attorney General's Consumer Protection High-Tech Unit. "Users were then told to pay USD 39.95 to repair these dubious problems." Microsoft has said that 50 percent of its customer support calls related to computer crashes can be blamed on spyware.

F-Secure notes that Registry Cleaner XP is just one of the increasing number of rogue security applications which also include Antivirus 2009, Malwarecore, WinDefender, WinSpywareProtect and XPDefender.


Call for establishment of "Internetpol"

While applauding efforts by the courts and police forces of different countries in challenging cyber crime, Mikko Hypponen, F-Secure's Chief Research Officer, believes that there should be an international agency with the enforcement power to get a grip on organized online crime.

"The Internet has no borders and online crime is almost always international, yet local police authorities often have limited resources for investigations. Even if the locations of online criminals are discovered, the investigations rarely uncover the full scope of the crime. The victims, police, prosecutors and judges cannot see the full picture and therefore don't know the true costs of the crime," says Hypponen.

"Antivirus and security companies are not law enforcement, nor should they be. They are protecting their customers' computers but little can be done directly by non-governmental organizations to fight the criminals at the heart of the matter. We should consider the creation of an online version of Interpol - 'Internetpol' - that is specifically tasked with targeting and investigating the top of the crimeware food chain," says Hypponen.

Hypponen recognizes that such an organization would clearly face a number of legal and other challenges. For example, malicious code is often created in countries where it is not illegal or not prosecuted. "But if we do not act now to fight the source of crimeware, it will continue to grow stronger and threatens to destroy the current model of Internet business, banking and commerce," he says.


US Federal Trade Commission warns about "Phisher-man's special"

As the international banking crisis shakes up the world economy, leaving consumers confused as to which bank might be holding their savings account or mortgage this week, phishers are taking advantage of the situation to obtain personal information such as bank account details or credit card numbers.

The US Federal Trade Commission issued an alert last week urging Internet users to be on guard against e-mails that look as if they come from a financial institution that has recently acquired a consumer's bank, mortgage lender or savings and loan association.

"Currently there only seem to be e-mails related to Wachovia Corporation's sale to Citibank being used as bait. The phish is attempting to get the recipient to download a new 'certificate' from a Wachovia phishing site. However, instead of collecting information, this attack will also install a banking Trojan," explains F-Secure Security Advisor Sean Sullivan.


Presidential election spam

As the presidential election in the United States nears its climax, criminals are busy devising sensational headlines related to the candidates in order to persuade people to click on spam e-mails. A recent spam run has already set the tone by claiming to reveal a sex scandal involving Senator Barack Obama, the Democratic candidate. The e-mail with the fake news contains an attachment that links to a pornographic video.

In order to conceal the primary intent of the e-mail - which is to infect computers with a trojan that collects information about bank transactions - the video starts playing when the malicious file is downloaded and executed. Consequently, every time Internet Explorer is launched and the user connects to certain banking sites, especially well-known banks in Germany, the trojan collects the information and posts it to the website of a fictional "Medved Hotel" in Finland. The layout of the website looks convincing to unsuspecting users because it has been stolen from a real Finnish hotel.

We expect much more spam with a presidential election theme in the run-up to polling day.


Return of the malicious attachment

During the third quarter of 2008 we saw a sharp increase in malware being delivered as e-mail attachments. This was surprising as malicious attachments in e-mails are usually not successful in reaching the recipient because they are automatically removed by the Internet Service Provider or by the e-mail client. As a result, malware authors stopped using this approach and moved on to using links in e-mails or automatic downloads via exploits from websites.

The recent attachments were inside an archive, typically a ZIP file, which unfortunately isn't filtered by most security solutions. Some of the archives even required a password, making it more difficult for anti-virus solutions to scan them.

The themes used to trick the user into running the file included greeting cards and bills or receipts from a variety of companies such as JetBlue and UPS. This approach is not unlike phishing scams, where the risk of losing money is used to trick the user into running the file and getting infected.
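
A gateway-side check for the archive delivery described above, as an added example that is not part of the original summary: it lists ZIP attachments without extracting them and flags executable entries and password-protected entries, relying on the fact that classic ZIP password protection leaves entry names readable. The extension blocklist, the function names and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist: extensions that run on Windows when double-clicked.
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk")


def inspect_zip(data: bytes) -> list[str]:
    """Return findings for one ZIP blob without extracting or decrypting it."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            entries = zf.infolist()
    except zipfile.BadZipFile:
        return ["unreadable-archive"]
    findings = []
    for info in entries:
        # Bit 0 of the general-purpose flags marks a password-protected entry.
        if info.flag_bits & 0x1:
            findings.append(f"encrypted:{info.filename}")
        if info.filename.lower().endswith(RISKY_EXT):
            findings.append(f"executable:{info.filename}")
    return findings


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map each ZIP attachment name in a raw e-mail message to its findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if fname.lower().endswith(".zip") or payload[:4] == b"PK\x03\x04":
            report[fname] = inspect_zip(payload)
    return report


def build_sample() -> bytes:
    """Constructed sample: a harmless text file named like a receipt lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_invoice.doc.exe", b"not a real program")
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

A mail filter would quarantine any message whose report is non-empty; an `encrypted:` finding next to an `executable:` one is the password-protected variant mentioned above, caught by name even though the content cannot be scanned.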