What you don’t see can hurt you: Cybercriminals covering their tracks
Over the past few weeks, there have been several reports about the ways in which cybercriminals are making it harder to detect fraud by concealing what they’re doing. One is a new kind of man-in-the-middle attack on Facebook users reported by Trusteer. Using the Carberp trojan, fraudsters replace the Facebook page that a user navigates to with a fake page telling the user their account is locked. In addition to asking for the user’s login credentials, the page also asks for a 20 euro Ukash voucher number to verify the user’s identity. No such verification is performed. The user is simply defrauded of this money, in a way that makes it harder to find the thief because of the relative anonymity of Ukash.
Even more extensive page replacement is done by certain banking Trojans. In late 2009 a fraudster operating in an underground cybercrime forum launched a new offering: a Trojan script that will empty your bank account in 10 seconds and then manipulate the online statement to remove all traces of the money transfer. In other words, your money is gone, but the online statement shows everything is fine. The balance is intact, the list of transactions doesn’t show the one that emptied your account, and even the name of the new beneficiary is scratched off in real time when you view the list online. The fraudster provided several promotional videos demonstrating the capability and asked for a mere $300 for this trace-cleaning function, which one could use in conjunction with the popular Zeus Trojan. The video was presented by a couple of RSA researchers at various conferences, and recently the same capability was also identified in the SpyEye kit. Additional page manipulation techniques are reported in a blog post by RSA FraudAction Research Labs titled Man-in-the-middle Standing Between You and Your Cash.

But again, the really interesting part is the possibility of covering one’s tracks. In the past, fraudsters have also used other techniques, such as flooding the user’s phone with bogus SMS messages to prevent them from noticing an alert sent by their bank about a money transfer. They have also deleted email notifications that were sent to the user, which is why Trojans also harvest email accounts and why many phishing scams now ask for the user name and password of your email account.
Reading about these attacks reminded me of how frequently attacks involving Advanced Persistent Threats include extensive actions by the attackers to cover their tracks. Evidence in log files is deleted or altered in order to reduce the likelihood of the attacker’s presence being discovered, and to make it much harder to assess the damage caused by the attack once it is discovered. The highly targeted nature of advanced attacks makes it worth the cybercriminals’ while to invest the effort to cover their tracks in order to remain invisible inside the target environment for as long as possible. This is definitely a case where what you don’t see can hurt you!
The attention that attackers are paying to covering their tracks makes the need for a comprehensive security intelligence system clearer than ever. As The 451 Group describes in their report Can I get a Netwitness? I once was blind but now I see (everything), defenses against cybercrime need “to evolve to grow more eyes and ears to notice the whispers and echoes of these profit- and politically driven attackers.” Forensics is difficult enough when attackers aren’t trying to cover their tracks. When they are, an extensive and intensive security intelligence system is indispensable in ensuring that there are tracks the attackers cannot erase, tracks we can use to detect their presence and understand what they are doing. As Uri Rivner put it in his great blog post on IT Security in the Age of APTs, just as with physical surveillance systems, we should be able to “immediately investigate any incident, see how many intruders are involved, their exact path, and their current whereabouts.” That’s the kind of security intelligence we need when cybercriminals are covering their tracks.
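One way to give attackers tracks they cannot quietly erase, as an added example that is not part of the original post: a hash-chained audit log whose head hash is periodically copied off-host, so that editing, deleting or reordering an entry (or dropping the newest ones) is detected on verification. The event records, user names and amounts are constructed sample data.

```python
"""Hash-chained audit log: each entry seals the previous entry's hash, so an
edited, deleted or reordered record no longer verifies (constructed data)."""
import copy
import hashlib
import json

GENESIS = "0" * 64  # chain head before the first entry

def _seal(seq: int, record: dict, prev: str) -> str:
    # Canonical JSON so identical records always hash identically.
    body = json.dumps({"seq": seq, "record": record, "prev": prev},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()

def append(log: list, record: dict) -> str:
    """Append a record and return its hash (the new chain head)."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log), "record": record, "prev": prev,
             "hash": _seal(len(log), record, prev)}
    log.append(entry)
    return entry["hash"]

def verify(log: list, anchor: str = None) -> int:
    """-1 if the chain is intact, else the index of the first bad entry. `anchor`
    is the head hash copied off-host at the last checkpoint; without it, quietly
    dropping the newest entries would go unnoticed."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev or e["hash"] != _seal(i, e["record"], prev):
            return i
        prev = e["hash"]
    if anchor is not None and prev != anchor:
        return len(log)  # tail truncated: head no longer matches the anchor
    return -1

def demo() -> dict:
    """Constructed events; each tampering attempt yields the detected index."""
    log = []
    for rec in ({"ev": "login", "user": "alice"},
                {"ev": "transfer", "amount": 4200, "to": "ACCT-X"},
                {"ev": "logout", "user": "alice"}):
        head = append(log, rec)
    edited = copy.deepcopy(log)
    edited[1]["record"]["amount"] = 0  # alter the transfer amount in place
    deleted = log[:1] + log[2:]        # scrub the transfer entry entirely
    truncated = log[:2]                # drop the newest entry
    return {"intact": verify(log, head), "edited": verify(edited),
            "deleted": verify(deleted), "truncated": verify(truncated),
            "truncated_vs_anchor": verify(truncated, head)}
```

The chain alone cannot tell a truncated log from a short one, which is why the head hash must live somewhere the attacker cannot reach, such as a write-once collector or a remote system.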