Security Crackers Keep the Pressure On

With World Cup-oriented attacks and a brazen tech-support-by-phone scam, it's business as usual for the ever-creative information security crackers.

Give security crackers credit: they're an enterprising lot.

Some aren't afraid to spend money in order to extort money: they've taken to cold calling people to convince them that their computers are infected. Others have invested a good deal of time developing new and creative spam, malware, phishing, or other attacks designed to cash in on World Cup mania.

In other words, it's business as usual on the information security front.

The most startling new hacking tactic makes use of a tool -- social engineering -- that has long been a cracker's stock-in-trade.

A new Symantec Corp. report examines a technical support phone scam. "In recent weeks we started hearing chatter about what sounded like a new misleading application," writes Symantec security researcher Orla Cox, on her company blog. "The usual scare tactics were employed," Cox continues, noting that -- instead of pushing bogus applications (e.g., security "scanners" or malware "cleansing" tools) -- "this particular group was phoning users directly to tell them that they had a virus on their computer -- but thankfully help was at hand."

Help, of course, came in the form of a Windows Remote Assistance connection: for a mere 129 euros, the scammer -- Online PC Doctors -- promises to connect to and cleanse an infected computer. That same fee also entitles a user to a year's worth of security "maintenance."

Alas, the company is an unalloyed scammer, Cox confirms.

"[The agent] walked me through opening up the Event Viewer and asked if I saw any errors or warnings in there. Naturally, I did. [The agent] then told me that these were indications of a virus infection," she writes.

This particular scam is a consumer- or, at most, an SMB-oriented con. Even more worrisome, however, is the sheer amount of information the scammer was able to extract: Online PC Doctors wanted Cox to send her full name, address, phone number, e-mail address, and -- of course -- complete credit card information.

World Cup Chaos

Crafting credible (or targeted) spam, phishing, or malware attacks can be a time-consuming enterprise. Security pros concede as much.

In many cases -- especially for major holidays (Halloween, Thanksgiving, Christmas, New Year's, Valentine's Day) -- this means a write-once-and-reuse kind of investment.

The World Cup is slightly different. It occurs every four years. It rotates host countries. It always involves different qualifiers.

At the same time, the World Cup is the world's most popular sporting event. It's a no-brainer target for cyber-criminals. Although cooking up credible or targeted attacks can be time-consuming, crackers have never shied away from less-than-credible efforts. "Newsworthy events, including celebrity deaths and natural disasters as well as major sporting activities are also popular themes, and the FIFA World Cup is no exception," writes MessageLabs -- a subsidiary of Symantec Hosted Services -- in its June "Intelligence" report.

World Cup-related spam shot from being basically non-existent in February to pesky in March and early April. By late April, however, it had become a clear nuisance, accounting for almost 20 percent of spamming activity. (Caveat: Symantec's measurements include spam messages that merely reference the World Cup.) By the middle of May, one-quarter of all e-mail spam traffic contained one or more references to the World Cup.

What this means is that spammers are retrofitting tried-and-true message genres -- such as pharmaceutical spam, which accounts for four-fifths of all spam -- with World Cup (or "football") themes. In many cases, MessageLabs points out, they're simply -- and inelegantly -- inserting the word "football" into subject or message text. "Subject: Hallo, xrk. Get 70% off, when buying today. football use Mexico weight the" is typical of such efforts.

Crackers are likewise incorporating references to the World Cup (along with other benign events) into the message bodies of conventional spam; this approach -- which Symantec and other researchers dub a "poison text" tactic -- helps outwit spam detection systems.

Freshly Frustrating

More alarming is a rise in credible or targeted spam. Symantec calls such spam "freshly minted."

"In this case spammers go out of their way to create a new campaign from scratch, which is wholly related to the event, rather than just mentioning an event as above. This is often a popular approach with advance-fee fraud scams," the researcher notes, citing -- for example -- a spam message from "The Nelson Mandela Foundation" as one representative entry.

"This approach is much more difficult to produce, so spammers usually go for the simpler, highly automated … approaches of the previous two techniques," MessageLabs points out. "It is very easy for spammers to set up automated scripts to take news text and news headlines from various websites and include them in their latest spam campaigns. However, because newly minted spam is crafted manually, they can often be the most difficult to recognize."

World Cup Malware

Crackers have also engineered World Cup-oriented malware attacks. One such effort targeted Brazilian chemical, manufacturing, and financial services companies. It used both an infected PDF file and a malicious link embedded in the e-mail message. (The link was likewise embedded in a clickable image -- that of a FIFA soccer ball.) This is a potentially clever approach, write MessageLabs researchers. "The inclusion of two methods of attack means that even if the PDF is removed as suspicious by an anti-virus gateway, the malicious link remains in the body of the e-mail and may still be delivered to the recipient. This is because many e-mail filtering systems are configured to simply remove or clean viral attachments, and will often allow the 'cleaned' e-mail to be delivered to the recipient, in this case with the malicious link still intact."
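The filtering gap MessageLabs describes above, as an added example that is not code from the article or from Symantec/MessageLabs: the script below builds a constructed lure message carrying both a PDF attachment and a link hidden behind an image, shows that a gateway which only strips the attachment delivers the link untouched, and then triages the body URLs as well, so the cleaned message is still quarantined. The domain names, the `/OpenAction` byte pattern standing in for an anti-virus verdict, and the blocklist are all assumptions made for the example.

```python
"""Attachment-only cleaning versus body-aware triage of a dual-vector lure.

Constructed example: every domain, filename and the 'AV verdict' heuristic
are hypothetical stand-ins, not data from the article.
"""
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed blocklist standing in for a URL-reputation feed.
BLOCKED_DOMAINS = {"fifa-ball-promo.example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def build_sample_message() -> EmailMessage:
    """Constructed lure: HTML body whose soccer-ball image is a link, plus a PDF."""
    msg = EmailMessage()
    msg["From"] = "promo@fifa-ball-promo.example"
    msg["To"] = "finance@victim.example"
    msg["Subject"] = "World Cup 2010 official schedule"
    msg.set_content("See the attached schedule.")
    msg.add_alternative(
        "<p>Click the ball for the full schedule:</p>"
        '<a href="http://fifa-ball-promo.example/schedule.exe">'
        '<img src="cid:ball" alt="FIFA soccer ball"></a>',
        subtype="html",
    )
    # Placeholder bytes, not a real PDF; /OpenAction is the marker our heuristic flags.
    msg.add_attachment(
        b"%PDF-1.4\n1 0 obj << /OpenAction 2 0 R >> endobj\n(constructed placeholder)",
        maintype="application", subtype="pdf", filename="schedule.pdf",
    )
    return msg


def build_benign_message() -> EmailMessage:
    """Constructed control message: plain text, internal link, no attachment."""
    msg = EmailMessage()
    msg["From"] = "colleague@victim.example"
    msg["To"] = "finance@victim.example"
    msg["Subject"] = "Match schedule"
    msg.set_content("Fixtures: https://intranet.victim.example/fixtures (no attachment)")
    return msg


def attachment_looks_suspicious(part) -> bool:
    """Stand-in for an anti-virus verdict (assumption): flag PDFs with an auto-run action."""
    if part.get_content_type() != "application/pdf":
        return False
    return b"/OpenAction" in part.get_payload(decode=True)


def naive_gateway(msg: EmailMessage) -> EmailMessage:
    """The behaviour the article describes: drop attachments, deliver everything else."""
    cleaned = message_from_bytes(msg.as_bytes(), policy=default)  # re-parse wire bytes
    if cleaned.is_multipart():
        cleaned.set_payload([p for p in cleaned.get_payload() if not p.is_attachment()])
    return cleaned


class _LinkCollector(HTMLParser):
    """Collect href/src values from HTML so links behind images are not missed."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value)


def extract_body_urls(msg: EmailMessage) -> list:
    """Return every http(s) URL found in the text and HTML body parts."""
    urls = set()
    for part in msg.walk():
        if part.is_attachment() or part.get_content_maintype() != "text":
            continue
        text = part.get_content()
        if part.get_content_subtype() == "html":
            collector = _LinkCollector()
            collector.feed(text)
            urls.update(u for u in collector.urls if URL_RE.fullmatch(u))
        urls.update(URL_RE.findall(text))  # bare URLs in plain text or HTML source
    return sorted(urls)


def domain_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def triage(msg: EmailMessage) -> dict:
    """Quarantine on a suspicious attachment OR a blocklisted body link, not just the former."""
    bad_attachments = [p.get_filename() for p in msg.iter_attachments()
                       if attachment_looks_suspicious(p)]
    urls = extract_body_urls(msg)
    bad_urls = [u for u in urls if domain_of(u) in BLOCKED_DOMAINS]
    verdict = "quarantine" if (bad_attachments or bad_urls) else "deliver"
    return {"verdict": verdict, "bad_attachments": bad_attachments,
            "bad_urls": bad_urls, "body_urls": urls}


if __name__ == "__main__":
    lure = build_sample_message()
    print("original lure:", triage(lure)["verdict"])
    delivered = naive_gateway(lure)
    print("attachment-only cleaning leaves links:", extract_body_urls(delivered))
    print("body-aware triage of cleaned mail:", triage(delivered)["verdict"])
```

The point of `triage` is that it runs over the body parts of whatever the attachment filter outputs: a message can lose its PDF and still carry a link to a blocklisted domain, so the URL check must be applied to the cleaned message, not only to the original.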

Other World Cup-related attacks have surfaced that use JavaScript to conceal destination Web sites, according to MessageLabs.