Speaking of Security – The RSA Blog and Podcast

To me, online dating these days is not much different than online fraud. I speak from personal experience on both – as someone who has experienced the thrills of online dating sites (NOTE sarcasm here) and has the privilege of witnessing the latest online scams that fraudsters pull on a daily basis. I live in both worlds – and trust me, they are not much different.

As of April 30th, 2012 the Citadel Trojan was at its fourth upgrade with Version 1.3.4.0 already in the hands of its customers. Citadel’s features, bug fixes and added modules (each priced separately), have long gone beyond what Zeus ever offered as Slavik’s zeal for developing the malware died down when law enforcement got too close for the Trojan creator’s comfort.

The fallout from the news of the Global Payments breach may be just subsiding, but one thing can already be said – this probably isn’t the last processor that will be breached.

When the House Republican Cybersecurity Task Force released its recommendations last October, U.S. Representative Mac Thornberry (R-TX), the Chairman of the Task Force said that the time had come for the U.S. Congress to act on cyber security legislation. In a blog post on October 11th, 2011, he stated: “We simply cannot allow legislative gridlock to continue on this issue. And we cannot let the quest for the perfect cyber bill prevent a good one from passing.”

Discussion and buzz about the burgeoning Fraud-as-a-Service (FaaS) trend in the cybercrime economy is as constant and as progressive as it gets. New FaaS offerings are only limited to the imagination of the dubious actors who offer them, and as such, are often creative and interesting in the ways by which they can make perpetrating fraud easier and more accessible to a growing number of criminals.

In a previous blog I introduced the idea that SOC analysts need to be the IT security “eyes and ears” for their entire enterprise, no matter how large or global the enterprise. Implied in this is the assumption that the analysts can actually use their digital “eyes and ears” to the maximum extent technically possible to protect their organization’s IT assets and users, wherever those assets or users may be. This should be no problem because we are all part of one global Internet-enabled global village, aren’t we?

Phishers, botmasters and underground vendors are increasingly adapting business models and tools for their nefarious ventures. Botmasters are creating and selling blacklists to ward off research and shutdown attempts by infosec experts and law enforcement. Underground vendors transact with buyers using in-house or publicly available escrow services, and crimeware coders offer user manuals and responsive, multi-lingual customer support. Offering Trojans as FaaS, Citadel’s coders are likely the first to sell monthly subscription plans to guarantee their customer base periodic builder updates and bug fixes, and supposedly ensure ongoing, seamless development and improvement of their Trojan kit.

One of the features included in the initial report and communicated by Citadel’s developers in late February related to a Trojan feature the developers have apparently implemented: DNS Redirection. Per the feature list, the developer claims that unlike other Trojans, Citadel does not modify the “Hosts” file on the infected PC (all too often used for local Pharming), but rather allows the botmaster to block or redirect any URL they wish to prevent the bot from reaching.

They say history repeats itself, or perhaps this is the story of a community recovering from a catastrophe. Either way, the underground is returning to its former glory, and not just in how much business is being conducted – but how it is conducted.

The FraudAction Research Lab has recently analyzed a Zeus 2.1.0.1 variant downloading an additional Trojan into infected PCs by fetching a Citadel Trojan. RSA is witness to many Zeus botmasters who upgraded and moved up to Ice IX neighborhoods, and now, to yet another summer home – Citadel infrastructures.