After phishing crackdown, cyberattackers switch weapons
- By William Jackson
- Nov 02, 2011
Aggressive action by large IT infrastructure and platform providers helped drive down the volume of phishing attacks over the past summer, but new threats continue to emerge and grow, according to recent threat trend reports.
“It does feel like squeezing a balloon,” said Lars Harvey, CEO of Internet Identity. “The problem is really big and we don’t have that many resources fighting against it.”
But the trend by large stakeholders such as Microsoft and Google of going after bad actors is encouraging, Harvey said. “We’re trying to get control of our infrastructure.”
CyberEye: FBI shares lessons of Zeus botnet ring takedown
The top cyber threats of 2011, so far
Internet Identity’s report on cyber crime trends for the third quarter of 2011 showed phishing volume down by 8 percent from the second quarter and down 11 percent from the third quarter last year. The reductions are credited in part to Microsoft’s latest botnet takedown, which took about 41,000 infected computers in the Kelihos botnet out of action with restraining orders against Czech operators of the cz.cc second-level domain.
Google in July de-indexed the second-level domain co.cc in search results. Overall, the .cc top-level domain accounted for 2 percent of phishing in the third quarter, and co.cc second-level domain accounted for 43 percent of that. Phishing traffic appears to have since shifted to the cx.cc domain.
“Between killing spamming opportunities and hosting locations and eliminating search engine results for phishing sites, criminals may find that they have less incentive to create phish in the first place,” the report states. “Perhaps this fact is what has driven criminals to seek other means of defrauding Internet users in recent months.”
In the same period, there was an 89 percent spike in sites hosting malware during the quarter, with a large spike in malware targeting the IRS, National Automated Clearing House Association, Federal Deposit Insurance Corp. and Federal Reserve. The sites are hosted on multiple domains, resolve to dozens of fast-flux IP addresses and download Zeus malware.
"Internet users can’t rely on Google alone to eliminate such risk for them,” the report cautioned.
Attacks on or through the Domain Name System, which associates domain names with IP addresses to direct traffic, are becoming particularly worrisome. A recent survey by F5 Networks of executives in 1,000 large organizations put DNS attacks at the top of its list of threats when ranked according to frequency, difficulty in defending against and impact.
The DNS takeover of several high-profile companies in September resulted in the redirection of website traffic and e-mail and the potential interception of transactions. Several domains registered with Ascio.com and managed via NetNames, including ups.com, vodafone.com and theregister.co.uk, were hijacked at the registrar and pointed to a defacement page. The Turkish hacker group Turkguvenligi claimed responsibility
“There is a real risk there,” Harvey said of DNS and the Border Gateway Protocol, which underlies Internet routing decisions. “DNS and BGP are not locked down.”
The DNS Security Extensions that provide cryptographic assurance of the response to a DNS request are being deployed in domains but are not yet in universal use. Harvey called this a necessary but not sufficient step in securing DNS. Deploying DNSSEC will decrease the attack surface and allow more attention to be paid to protecting authoritative name servers and domain registries.
Attacks using advanced persistent threats also are becoming more common. In August the Shady RAT Remote Access Tool succeeded in breaching more than 70 companies and government organizations in an apparent campaign to steal intellectual property.
McAfee researchers characterized the breadth of the campaign by saying, “the only organizations that are exempt from this threat are those that don’t have anything valuable or interesting worth stealing.”