Malvertisers Use Digital Fingerprints to Avoid Detection
Mar 4, 2016 10:14 AM PT
In the world of computer security, fingerprints are found in more places than where the tips of hands touch.
That's because the term is applied to any data set that can be used to make a unique identification.
For example, antifraud programs used by online retailers can identify customers by the structure of the files on their computers.
In fact, that technique works so well, malicious actors have started using it to poison computers with malware.
When studying malvertising on the Net, Malwarebytes discovered malefactors using fingerprinting techniques. Malvertising is website advertising that delivers malware to a visitor to a site, often without the knowledge of the visitor or the operator of the website.
"We found a vulnerability being exploited in Internet Explorer that allows you to look at the local file system," noted Jerome Segura, a senior security researcher at Malwarebytes.
"There are certain folder names and file names that threat actors are looking for that indicate the presence of antivirus software, a virtual machine and other things," he told TechNewsWorld.
Based on the file and folder fingerprint of a machine, the malware will decide to ignore the machine or download additional malware to further exploit it.
Online outlaws have used fingerprinting before, but what's new is that malvertisers are deploying it. "That's a completely novel thing," Segura said.
"Malvertising is pretty simple in how it operates," he noted. "Its single purpose is to redirect a person to a malicious website."
The new breed of fingerprinting malvertising departs from that simplicity.
"Rather than redirecting you to a malware site, the ad fingerprints your machine to verify if you're a legitimate user or a security researcher or honeypot that should be avoided," Segura said.
"That's the main reason behind it," he added. "It's not to infect more people. It's to avoid being discovered and to have malicious campaigns last longer."
The most common malware pushed by malvertising is ransomware. Ransomware scrambles data and system files on a machine and won't descramble them unless a ransom is paid.
Although security experts and law enforcement authorities don't recommend paying ransoms, Segura said most of the time the extortionists make good on their promises to unscramble machines.
"It's not a scam. Once you pay, you get a key and that key does decrypt your files, and you do get your files back," he maintained.
"It's in their interest to provide you with a legitimate key because they want to make their illegal activity a viable and long-term business," Segura said.
"As a security professional," he continued, "I would not recommend you pay the ransom because you're just fueling this underground economy to push more ransomware out there."
However, some businesses and self-employed people may have no choice but to accede to the demands of the extortionists. "If you have to choose between losing your business and paying the ransom," Segura said, "the decision is not too hard to make."
Tangled in the Dark Web
Have you ever wondered what happens when fresh meat in the form of someone's stolen credentials appears on the dark Web? Bitglass has, and it decided to satisfy its curiosity.
The company created credentials for a sockpuppet, leaked them in the dark Web, then sat back and enjoyed the show.
It made the credentials hard to resist by attaching them to a phony bank employee with access to a bank portal, also bogus, and a Google Drive account. Among Bitglass's discoveries are the following:
- More than 1,400 visits were made to the credentials and the bank portal.
- Nearly all the Net marauders (94 percent) who accessed the Google Drive uncovered the sockpuppet's other online accounts.
- More than one in 10 (12 percent) of the data thieves who accessed the Google Drive attempted to download files with sensitive content; some of them cracked the encryption on the files after downloading them.
- More than two-thirds (68 percent) of all the logins with the fake credentials came from Tor-anonymized IP addresses.
The company performed the experiment to get some hard data on what happens to compromised credentials, said Rich Campagna, vice president for products and marketing at Bitglass.
"With the huge amount of identities and credentials that have been stolen in the last year, it's really interesting to get some data versus pure speculation about who gets their hands on those credentials and what do they do with them," he told TechNewsWorld.
Campagna didn't expect the velocity at which denizens of the digital underworld exploited the phony credentials.
"A lot of these sites where we posted these credentials are fly-by-night operations that depend on word of mouth, so the sheer volume of people who were able to get their hands on these credentials quickly and start using them was really surprising," he said.
Identity thieves appear to be getting craftier in covering their tracks on the Net by using Tor, an open source technology designed to anonymize a person's identity on the Internet.
"Roughly two-thirds of attackers used Tor to hide their location," Campagna said. "When we did a similar experiment a year ago to bait some of these folks on the dark Web, very few used Tor to cover their tracks."
Data breaches are a curse that keeps on costing.
Studies of data breaches typically look at the front-end costs of an attack, but SANS and Identity Finder wanted to look at costs after a breach had been remediated.
They found that 31 percent of the companies they surveyed racked up costs between US$1,000 and $100,000, and 23 percent suffered costs from $100,000 to $500,000.
More than a quarter (27 percent) cited costs between $500,000 and $50 million, while 8 percent claimed costs greater than $100 million.
Publicity Stokes Costs
How hefty post-breach costs can become depends on how much sensitive data is lost, noted Johannes Hoech, CMO of Identity Finder.
"There is a correlation between the larger amount of sensitive data lost and larger damages," he told TechNewsWorld.
"When the amount of sensitive data goes up and the press gets a hold on a breach event, an external vigilance starts that starts adding costs," Hoech said.
"Then, heaven forbid, if an organization is out of compliance and a media storm erupts, you start seeing loss of revenue, people stop frequenting your site, and [you experience] a temporary loss in stock value," he continued.
"That's when the numbers can get pretty large," Hoech added.
Those numbers can be managed if an organization takes extra care to identify and protect its sensitive data.
"It's helpful to know where your sensitive data is so that the thing that the hackers [want] can be protected with extra measures," Hoech said.
"It's virtually impossible to prevent a breach," he added, "but it is possible to prevent the damages from the breach."
- Feb. 22. Security researcher Chris Vickery reports that a configuration error in an online database at uKnowKids exposed, for months, sensitive information about 1,700 children, 6.8 million private text messages and 1.8 million images, including many of children.
- Feb. 22. Donna Seymour, CIO for the U.S. Office of Personnel Management, resigns. She was scheduled to testify before Congress that week about theft of personal information of some 21.5 million current, former and prospective federal employees in October.
- Feb. 22. Danny Harris, CIO for the U.S. Department of Education, announces he will be leaving his post at the end of the month. The Office of the Inspector General and the House Oversight and Government Reform Committee recently began scrutinizing his job performance.
- Feb. 22. Lex Group announces it has received permission to pursue a class-action lawsuit against DaimlerChrysler Financial Services Canada for a data breach resulting from lost data tape in 2008. The tape contained personal information of some 239,277 customers.
- Feb. 22. St. Joseph's Healthcare System in New Jersey begins notifying more than 5,000 employees that their personal information is at risk after an employee emailed their data to an unauthorized third party in response to a phishing message.
- Feb. 23. Anonymous Anon Verdict, a hacktivist group, posts to the Internet the personal information of 52 Cincinnati Police Department employees in response to the officer-involved shooting of Paul Gaston on Feb. 17.
- Feb. 23. EWTN Global Catholic Network announces a data breach has exposed tax information of some 425 employees. It says an employee was social engineered into emailing the information to an unauthorized third party.
- Feb. 24. York Hospital in Maine reports cybercriminals have stolen personal information of 1,400 employees at its four campuses. The data breach has been turned over to the FBI for investigation, it says.
- Feb. 25. St. Paul's Lutheran Church in Sioux City, Iowa, reports it's been locked out of its computer system by ransomware. Church officials say they have not paid the ransom and are taking measures to rebuild their system.
- Feb. 26. IRS revises the number of people affected by a data breach last year from 100,000 to 700,000.
- Feb. 26. University of California, Berkeley, announces an unauthorized third party accessed personal information of 80,000 students, former students, and current and former employees. Although there were no signs of data theft, the university says it wants those affected to keep an eye out for any misuse of their personal information.
- Feb. 26. Level 3 Threat Labs reports the Linux Mint website was compromised for three days, Feb. 19-21. During that period, links to installation disk images redirected users to a malicious website with a version of the OS containing a backdoor for a distributed denial-of-service bot.
- Feb. 26. Jeremiah Hughley files second lawsuit against University of Central Florida over a data breach announced by the school on Feb. 4 in which 63,000 Social Security numbers were stolen. The former manager of UCF's men's basketball team says his bank account was drained following the incident.
- Feb. 26. RoboSavvy reveals 4,000 customers from its rival Cool Components were mass subscribed to its newsletter. Cool Components says it can find no evidence of a data breach.
Upcoming Security Events
- March 8. FFIEC & Anomaly Detection Done Right. Noon ET. Webinar sponsored by Praesidio. Free with registration.
- March 10. FFIEC & Anomaly Detection Done Right. 2 p.m. ET. Webinar sponsored by Praesidio. Free with registration.
- March 10-11. B-Sides SLC. Salt Palace Convention Center, 90 South West Temple, Salt Lake City. Registration: $65.
- March 12-13. B-Sides Orlando. University of Central Florida, Main Campus, Orlando, Florida. Registration: $20; students, free.
- March 14-15. Gartner Identity and Access Management Summit. London. Registration: 2,550 euros plus VAT; public sector, $1,950 plus VAT.
- March 17-18. PHI Protection Network Conference. Sonesta Philadelphia, 1800 Market St., Philadelphia. Registration: $199.
- March 22. Reconceptualizing the Right to Be Forgotten to Enable Transatlantic Data. Noon ET. Harvard Law School campus, Wasserstein Hall, Milstein East C, Room 2036 (second floor). RSVP required.
- March 24. Massachusetts Attorney General's Office Forum on Data Privacy. Ray and Maria Stata Center, Kirsch Auditorium, Room 32-123, 32 Vassar St., Cambridge, Massachusetts. RSVP required.
- March 29-30. SecureWorld Boston. Hynes Convention Center, Exhibit Hall D. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
- March 31-April 1. B-Sides Austin. Wingate Round Rock, 1209 N. IH 35 North (Exit 253 at Highway 79), Round Rock, Texas. Free.
- April 8-10. inNOVAtion! Hackathon. Northern Virginia Community College, 2645 College Drive, Woodbridge, Virginia. Free with registration.
- April 9. B-Sides Oklahoma. Hard Rock Cafe Casino, 777 West Cherokee St., Catoosa, Oklahoma. Free.
- April 12. 3 Key Considerations for Securing Your Data in the Cloud. 1 p.m. ET. BrightTalk webinar. Free with registration.
- April 13. A Better Way to Securely Share Enterprise Apps Without Losing Performance. 11 a.m. ET. BrightTalk webinar. Free with registration.
- April 15-16. B-Sides Canberra. ANU Union Conference Centre, Canberra, Australia. Fee: AU$50.
- April 16. B-Sides Nashville. Lipscomb University, Nashville, Tennessee. Fee: $10.
- April 20-21. SecureWorld Philadelphia. Sheraton Valley Forge Hotel, 480 N. Guelph Road, King of Prussia, Pennsylvania. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
- April 26. 3 Key Considerations for Securing your Data in the Cloud. 1 p.m. ET. Webinar sponsored by BrightTalk. Free with registration.
- May 4. SecureWorld Kansas City. Overland Park Convention Center, 6000 College Blvd., Overland Park, Kansas. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits and open sessions, $30.
- May 11. SecureWorld Houston. Norris Conference Centre, 816 Town and Country Blvd., Houston, Texas. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits & open sessions, $30.
- May 18-19. DCOI|INSS USA-Israel Cyber Security Summit. The Marvin Center, 800 21st St. NW, Washington, D.C. Hosted by George Washington University. Free.
- June 13-16. Gartner Security & Risk Management Summit. Gaylord National Resort & Convention Center, 201 Waterfront St., National Harbor, Maryland. Registration: until April 15, $2,950; after April 15, $3,150; public sector, $2,595.
- June 29. UK Cyber View Summit 2016 -- SS7 & Rogue Tower Communications Attack: The Impact on National Security. The Shard, 32 London Bridge St., London. Registration: private sector, Pounds 320; public sector, Pounds 280; voluntary sector, Pounds 160.