Friday, January 16, 2009

Gaza Cease Fire Trojan Shows No Sites Are Safe From Attack


On Monday, in a post entitled "Gaza Strip(s) PC of Financial Data," I talked about a new(s) attack: "Using mainstream news headlines regarding recent events in Gaza, it lures people to a site that appears to be CNN. The bad news is, it isn't CNN...it's a clone, and there is nothing which clearly indicates that you've been duped." The site then downloads a trojan which sweeps your hard drive looking for data relating to financial institutions.

In a post earlier this month (E-Commerce and Browsers Don't Mix) I talked about browser weaknesses. With the emergence of these two "new attacks" (the other one being "in-session phishing"; see "Phishing 2.0 - PAN Fried"), not even 15 days into the New Year, it's becoming clearer that financial transactions need to be done outside the browser space.

Last night, I noticed that Gartner's Avivah Litan did an analysis on the Gaza Cease-Fire Trojan. Based on the title of her post (and her bullet point, both of which I outlined in yellow), it's safe to assume she shares our view of the weaknesses inherent in web browsers.

Here's her analysis...

Avivah Litan
VP Distinguished Analyst
Potomac, MD USA
 
Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, identity theft, fraud detection and prevention applications and other areas of information security and risk. She also covers payment systems and financial flows in the business-to-consumer and business-to-business markets.

A new trojan attack shows that seemingly "safe" Web sites can be used in financially targeted attacks. Enterprises need to take a layered approach to these attack vectors, which mostly lie outside their control.

Event
On 7 January 2009, the RSA FraudAction Research Lab discovered a trojan attack, identified as the Cease-Fire Trojan Attack, that used phishing e-mail supposedly offering Al Jazeera video on CNN of the war in Gaza to divert recipients to an imposter news Web site. Recipients who clicked on a "video" link were told they needed to update their media players to run the video. When they tried to do so, a "Secure Sockets Layer (SSL) stealer" trojan was downloaded to their desktops.

"The trojan resides in the end user's Web browser, waking up when SSL encryption is invoked via the HTTPS protocol typically used for online financial transactions such as payments and banking. The trojan then tracks the user's keystrokes to steal transaction information."


RSA reports that it shut down the attack, which was staged at a registrar in China, and that it discovered and took down a second wave of attacks — staged on five other domains on 9 January — within four hours. 

Analysis

Trojans delivered via phishing attacks are certainly not a new phenomenon, and security providers report that the frequency of these attacks is increasing rapidly. This particular attack is significant because it offers a clear demonstration of:
  • A comparatively new type of combined phishing/trojan attack that uses social engineering to prey on sympathies and interests (in this case, promising graphic images of war)
  • An attack using brands (for example, those of news organizations) that attackers rightly believe are less likely to be the targets of phishing attacks than financial service providers and therefore less likely to take proactive action against them
  • Criminals' ability to place programs inside browsers, making it possible to bypass the security protections offered by SSL encryption and by strong authentication techniques going through a user's browser
It is important to note that RSA shut down this attack as a public service, and that there is no guarantee that security providers will perform such services in the future. Enterprises must take action to protect themselves and their customers, clients, partners and other stakeholders against attacks of this type.

Recommendations

Enterprises that store customer information, financial accounts, transaction information or other sensitive data:
  • Recognize that customer account credentials can be compromised and that many criminal attack vectors are outside your domain and your control.
  • Deploy a layered security strategy that includes fraud detection, stronger user authentication and out-of-band transaction verification for high-risk transactions.
  • Deploy browser-based "on demand" desktop security services to your customers, because these can, when used in conjunction with better local browser rules and recognition of high-assurance certificates, help to protect customers accessing your Web sites.

Internet infrastructure and security providers:
  • Consider pooling your resources and launching a joint phishing/malware detection and site-takedown service that can be offered on a pro bono or as-needed basis. This approach would make it possible to quickly block attacks against real or fictitious brands that are detected in the course of normal "cybersurveillance" services, even if no specific financial incentive to do so exists.
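
A worked illustration of the out-of-band transaction verification recommended above, added here as example code that is not from Gartner, RSA, or the original post. The point of the analysis is that a trojan sitting inside the browser sees everything the user types, so a password or one-time login code captured there does not protect the transaction itself. What does help is binding the confirmation code to the exact transfer the bank is about to execute, sending that code together with the payee and amount over a channel the browser cannot see (a text message, say), and recomputing the code server-side when the transfer is finally submitted. If the trojan swaps the payee after the code was issued, the recomputed code no longer matches; if it swaps the payee before, the customer sees the wrong payee in the message. The account names, the per-customer secret, and the sample transfers are all constructed for this example; the HOTP-style truncation is a standard technique, not anything the page attributes to RSA.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical per-customer secret shared between the bank's transaction
# server and its out-of-band (OOB) channel. Constructed for this example;
# a real deployment stores one per account and never exposes it to the browser.
CUSTOMER_SECRET = b"example-per-customer-secret-do-not-reuse"


@dataclass(frozen=True)
class Transfer:
    from_account: str
    payee_account: str
    amount_cents: int
    currency: str


def canonical(t: Transfer, nonce: str) -> bytes:
    # Fixed field order and separator so issuer and verifier MAC identical bytes.
    fields = [t.from_account, t.payee_account, str(t.amount_cents), t.currency, nonce]
    return "|".join(fields).encode("utf-8")


def confirmation_code(secret: bytes, t: Transfer, nonce: str, digits: int = 6) -> str:
    """Short numeric code that depends on every transaction detail and a nonce."""
    mac = hmac.new(secret, canonical(t, nonce), hashlib.sha256).digest()
    # Dynamic truncation in the style of HOTP: 4 bytes at an offset taken
    # from the last nibble, top bit cleared, reduced to the requested digits.
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def start_transfer(secret: bytes, t: Transfer) -> tuple[str, str]:
    """Server side, step 1: freeze the details, pick a nonce, and build the
    OOB message. The message repeats payee and amount so the customer can
    spot a substitution made before this point."""
    nonce = secrets.token_hex(8)  # one-time; ties the code to this session
    code = confirmation_code(secret, t, nonce)
    message = (f"Confirm transfer of {t.amount_cents / 100:.2f} {t.currency} "
               f"to {t.payee_account}: code {code}")
    return nonce, message


def execute_transfer(secret: bytes, submitted: Transfer, nonce: str, code_from_user: str) -> bool:
    """Server side, step 2: recompute the code over the details actually
    submitted for execution. A code issued for a different payee or amount
    fails here, so a trojan cannot reuse a captured code on altered details."""
    expected = confirmation_code(secret, submitted, nonce)
    return hmac.compare_digest(expected, code_from_user)


def demo() -> dict:
    """Legitimate flow, then the same captured code replayed on a transfer
    whose payee a man-in-the-browser trojan has swapped."""
    legit = Transfer("ACC-000111", "PAYEE-ELECTRIC-CO", 12500, "EUR")
    nonce, message = start_transfer(CUSTOMER_SECRET, legit)
    code = message.rsplit(" ", 1)[1]  # what the customer reads off the phone

    swapped = Transfer("ACC-000111", "PAYEE-MULE-ACCT", 12500, "EUR")
    return {
        "oob_message": message,
        "legit_executes": execute_transfer(CUSTOMER_SECRET, legit, nonce, code),
        "swapped_executes": execute_transfer(CUSTOMER_SECRET, swapped, nonce, code),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two caveats a practitioner would add: the nonce should also expire after a short window and be consumed on first use, so a code cannot be replayed later even against identical details; and none of this helps if the out-of-band channel itself is compromised (a trojan on the same phone, or the code typed back into an infected browser together with attacker-chosen details the customer did not read carefully), which is why the message must show the payee and amount and not just the code.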