Slashdot Mirror


Tracking the Password Thieves

wiredog writes "From The Washington Post, yet another story about phishers, keyloggers, and viruses. The story is nothing new, but the author has a blog where he describes how he gathered the information that went into the story. Information including the locations of the victims, and the ISPs likeliest to be hit. Some of the victims included "an engineer for the Architect of the Capitol" and a man who "works in computer security for IBM." One victim "was fresh out of college, where he'd just earned a degree in information security. (He was actively looking for a job in the field; I suggested he may want to go back to the classroom.)" A compromised machine was also found in "the new accounts department at Bank of America" (Score!)"

112 comments

  1. Glad we picked the winner! by phorest · · Score: 1

    Comcast!

    --
    God: When you do things right, people won't be sure you've done anything at all.
  2. A list could be good by Anonymous Coward · · Score: 0

    A list of vulnerable ISPs may help encourage those ISPs to help change.

    1. Re:A list could be good by Sunburnt · · Score: 3, Insightful

      A list of vulnerable ISPs may help encourage those ISPs to help change.
      Not so much as a series of lawsuits.
      --
      Tags != Comments, and -1 (Troll) != -1 (I Would Respond Angrily To This Poster So They Must Be Trolling)
    2. Re:A list could be good by geoffspear · · Score: 5, Insightful

      I doubt it's the ISPs' fault; looking at the list it seems plausible that the "most likely" to be hit are simply the largest ISPs, so you'd expect the largest numbers of affected users to be using those ISPs.

      Besides, if 2 supposed "network security" people got hit, do the ISPs really have any hope whatsoever in trying to educate their users to avoid phishing?

      --
      Don't blame me; I'm never given mod points.
    3. Re:A list could be good by Balsamic+Moon · · Score: 4, Insightful

      "Likeliest to be hit" is a mislable. It should read "ISP's inept users" who allow themselves to become vunerable due to ignorance or carelessness.

      This isn't some war between ISPs. The graph shows clearly what ISP had the most victims due to this virii. But even that isnt conclusive of anything because of the quantity of overall customers isnt revealed. Yeh sure we can say Comcast has the most, but they surely have more customers overall than say, oh Qwest.

    4. Re:A list could be good by Sunburnt · · Score: 1

      if 2 supposed "network security" people got hit, do the ISPs really have any hope whatsoever in trying to educate their users to avoid phishing?
      I bet we'll get to find out if they get successfully sued over it. I'm not saying it's a good idea, BTW. Just saying that it would be a more likely motivator of action than the parent's suggestion of public naming. Hasn't the lesson of the 21st century thus far been: "public opinion's attention span regarding corporate negligence and malfeasance is too trivial for most companies to consider it a liability?" Hell, if the government we pay for every two weeks can get away with it, I'll bet Verizon, BofA and others feel pretty safe.

      Besides, there is a way that ISPs can fight phishing: aggressive takedowns of the fake sites used by phishers to extract information from those folks who don't see the problem with giving their SSN to "paypall.com" and the like. I'm not informed about their current vigor in this regard, though, and would appreciate feedback from those in the know.

      *Please note: I certainly believe that primary responsibility for avoiding phishing scams belongs to the consumer. I think, however, that a clever team of lawyers could convince a jury otherwise.
      --
      Tags != Comments, and -1 (Troll) != -1 (I Would Respond Angrily To This Poster So They Must Be Trolling)
    5. Re:A list could be good by Anonymous Coward · · Score: 0

      Well you could blame the ISPs to an extent; if they know viruses and such are going on and wave the packets containing the viruses through, that's just like letting an armed gunman walk into a nightclub.

    6. Re:A list could be good by danpsmith · · Score: 1

      "Likeliest to be hit" is a mislable. It should read "ISP's inept users" who allow themselves to become vunerable due to ignorance or carelessness. This isn't some war between ISPs. The graph shows clearly what ISP had the most victims due to this virii. But even that isnt conclusive of anything because of the quantity of overall customers isnt revealed. Yeh sure we can say Comcast has the most, but they surely have more customers overall than say, oh Qwest.

      I'm not so sure that what you are saying is true. I'll give you a little story. I run comcast cable at home and I set up a web server without any advertisement whatsoever. It was on port 80 so it was publicly accessible via a standard port 80 search or whatever; however, like I said, it was not advertised. I'd get either hackers or bots or whatever they were going through a list of common exploit commands on my server every single day when I'd look at the logs. Now, my web server was customized and for specific purposes, so none of these commands worked and eventually I customized it to deny access to these individuals and give them a "connection reset" return message; however, it shows what a target you are just for being on comcast's service.

      People know the IP ranges. If it's zombie botnets, then there are a lot of computers on comcast that are already zombies looking to exploit you. So this puts you more at risk than being on any other ISP IMO, even if you do know what you are doing. I'd get a huge list on a daily basis of these people, they were most likely unique because some of them actually browsed the webpages when it was publicly accessible. 20-30 unique attempts a day to try to exploit a webserver that's completely advertised to the known public, I'd consider that pretty significant.

      Also, email. I believe that spam networks and phishing networks target comcast users exclusively and continue to target them after getting a response back from the server that the mailbox is valid or whatever. A lot of email spam that I get isn't the result of signing up for anything, but instead a CC that also extends to a lot of other comcast subscribers. The list is usually hundreds of people long on each mailing. So somehow they are able to wholesale get the email addresses of comcast subscribers, whether it's through brute force or comcast hands them out I don't know and couldn't prove either way. But again, you are more of a target on comcast in this manner. An unsuspecting customer could easily be foiled by one of these phishing attempts and some of them look very official to the unknowing eye. Don't underestimate the guile and cunning of these snakes that lurk on the Internet to prey on their victims and don't cast the victims off as some unknowing bunch of nitwits who simply don't take basic security measures, the problem is bigger than it seems.

      --
      Judges and senates have been bought for gold; Esteem and love were never to be sold.
    7. Re:A list could be good by Anonymous Coward · · Score: 0

      Are you suggesting that their routers should be reading every packet and checking for virus signatures? Ever heard of https?

    8. Re:A list could be good by Anonymous Coward · · Score: 0

      I think brute force dictionary is the method they use on spam to Comcast users.

      I had an email address like "johns AT comcast DOT net", and was deluged with spam. I killed that address and used "non-word DOT non-word AT comcast DOT net", and haven't gotten any spam on it yet in a couple of years time.

    9. Re:A list could be good by Synchis · · Score: 1

      Besides, if 2 supposed "network security" people got hit, do the ISPs really have any hope whatsoever in trying to educate their users to avoid phishing?
      I went to school with people who proved that you can do a college course and PASS without ever learning a single darn thing. Having a diploma or a degree is not always the best measure of knowledge in a particular field.
      --
      Thomas A. Knight
      Author of The Time Weaver
    10. Re:A list could be good by dgatwood · · Score: 1

      A large percentage of those phishing sites are hijacked computers, themselves. Aggressive takedowns means educating sysadmins about securing their (mostly Windows) servers against attack.

      Want to know how to really stop phishing? Make it unprofitable. Since it would take a decent amount of time to set up a server to provide phishers with data, it's an investment. Thus, unlike spam zombies, they can't move from machine to machine as quickly, and generally, the site is discovered and shut down long before they abandon it. Exploiting this weakness is the key to stopping phishing and the people who perpetrate it.

      When you spot a phishing site, there should be a team of phishing investigators that go to the hacked server, examine it carefully (without disabling it) and add a traffic mangler that makes most of the information bogus, but leaves the credit card numbers intact, recording them as it does so. Contact the owners of the cards immediately and tell them that they must stop using the cards because their numbers have been stolen. Then, flag the cards as stolen. That way, when the phisher swipes a fake card with the stolen number, the register displays the words "Stolen card. Call Police."

      If this were consistently the response to phishing compromise of servers, the people who do this would quickly find themselves behind bars, and phishing would drop significantly. In particular, it would decimate the U.S. phishing servers, which make up the bulk of the phishing servers at last survey. Some phishing would remain on overseas servers, but at least this would diminish the problem significantly.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    11. Re:A list could be good by russ1337 · · Score: 3, Interesting

      You might still start to get spam, if someone on your list has a compromised address list or computer.

      I've often thought of generating some kind of unique e-mail address for each of my friends, to detect if my e-mail address has been compromised by them (or their PC). e.g:

      asdf2344ks@gmail.com for my emails to Tom
      oieo116i2k@gmail.com for my emails to Liz

      The idea is they reply to that address, and mail to these addresses would aggregate to my inbox. If one of those email addresses starts to get spammed, I'll have an idea of who's responsible, change the address for them and see if it continues. After it happening a couple of times I could inform them that they may have a compromised computer and help them out etc.

      I just don't have the time to implement such a scheme and rely on Gmail's spam filtering, which I think is pretty good.

    12. Re:A list could be good by stephanruby · · Score: 1

      "I've often thought of generating some kind of unique e-mail address for each of my friends, to detect if my e-mail address has been compromised by them (or their PC). e.g:
      asdf2344ks@gmail.com for my emails to Tom oieo116i2k@gmail.com for my emails to Liz"


      This service already exists. It's been around for a while. It's free. You only need to remember a chunk of your username, and make up the rest (instead of making up the rest of the name, I use the name of the actual site I leave my information with). I use it for every web site I'm forced to register with. It has a number of other domain names in case you don't like the spamgourmet name. Plus, it has a number of other cool features -- if you desire to delve more into it. And it's also open source, so you can easily install it on your own server and modify its functionality to your heart's content.

      http://www.spamgourmet.com/
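Both the per-contact alias scheme russ1337 sketches above and the per-site disposable addresses stephanruby gets from spamgourmet rest on one idea: hand each party an address that only they know, then treat mail to that address from anyone else as evidence that the address leaked through that party. The code below is an added example of that logic, not code from the thread or from spamgourmet. It assumes a domain you control that delivers every local part to one inbox (example.com here), a hypothetical per-user secret used to derive the aliases, and constructed sample messages.

```python
"""Per-contact e-mail alias canaries (added example, not from the thread)."""
import hashlib
import hmac
import re
from collections import defaultdict

# Assumptions for this example: you control a catch-all domain that delivers
# every local part to your inbox, and you hold a secret used to derive aliases.
SECRET = b"example-only-secret-change-me"
DOMAIN = "example.com"


def alias_for(contact: str) -> str:
    """Derive a stable, unguessable alias for one contact.

    HMAC rather than a plain hash, so an outsider who knows the scheme cannot
    precompute the alias of a known contact and spam it to frame them.
    """
    key = contact.strip().lower().encode()
    tag = hmac.new(SECRET, key, hashlib.sha256).hexdigest()[:12]
    return f"{tag}@{DOMAIN}"


def build_directory(contacts):
    """alias -> contact, for every contact you have handed an alias to."""
    return {alias_for(c): c for c in contacts}


_HDR = re.compile(r"^(From|To):\s*(\S+)\s*$", re.MULTILINE)


def envelope(raw_message: str):
    """Return (sender, recipient) from the From:/To: headers, lower-cased."""
    fields = {k: v.lower() for k, v in _HDR.findall(raw_message)}
    return fields.get("From"), fields.get("To")


def attribute_leaks(directory, raw_messages):
    """Map each alias that receives mail from anyone but its own contact back
    to that contact. Only the contact was ever given the alias, so mail from a
    third party means the contact's address book (or machine) leaked it."""
    leaks = defaultdict(set)
    for raw in raw_messages:
        sender, rcpt = envelope(raw)
        contact = directory.get(rcpt)
        if contact is None or sender is None:
            continue  # not one of our canary addresses
        if sender != contact.lower():
            leaks[contact].add(sender)
    return {c: sorted(s) for c, s in leaks.items()}


# Constructed sample data: two contacts, and four messages. Tom and Liz reply
# normally; then a spammer hits Tom's alias; then unrelated mail arrives.
CONTACTS = ["tom@example.org", "liz@example.net"]
DIRECTORY = build_directory(CONTACTS)
SAMPLE_MAIL = [
    f"From: tom@example.org\nTo: {alias_for('tom@example.org')}\nSubject: re: lunch\n\nok",
    f"From: liz@example.net\nTo: {alias_for('liz@example.net')}\nSubject: photos\n\n...",
    f"From: deals@spammer.invalid\nTo: {alias_for('tom@example.org')}\nSubject: cheap pills\n\n...",
    f"From: someone@elsewhere.invalid\nTo: unknown@{DOMAIN}\nSubject: hi\n\n...",
]


def demo():
    """Run the attribution over the constructed sample; returns {contact: [senders]}."""
    return attribute_leaks(DIRECTORY, SAMPLE_MAIL)


if __name__ == "__main__":
    for contact, senders in demo().items():
        print(f"{contact} leaked their alias to: {', '.join(senders)}")
```

When an alias starts drawing spam, rotate it for that contact (change the secret or append a version number to the key) and watch whether the new one leaks too; two leaks in a row from the same contact is the signal russ1337 describes.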

  3. ISPs most likely to be hit by DarkLegacy · · Score: 4, Insightful

    That chart simply looks like a demographic on the amount of users currently using those ISPs. As with spyware, it makes sense of course that the biggest population will be hit the hardest. That's effectively why alternative operating systems are impenetrable to virii and other nasty things. They aren't looked at by the majority of the 'bad people' out there. :P

    --
    127.0.0.1
    1. Re:ISPs most likely to be hit by danpsmith · · Score: 1

      That chart simply looks like a demographic on the amount of users currently using those ISPs. As with spyware, it makes sense of course that the biggest population will be hit the hardest. That's effectively why alternative operating systems are impenetrable to virii and other nasty things. They aren't looked at by the majority of the 'bad people' out there. :P

      That's true, and I understand this argument as it is a familiar one. However, some systems make inherently insecure choices and are slow or late to deliver patches (or in some cases, no patches are released at all). Look, everyone understands that all software security probably has holes in one way or another, but the fact of the matter is that the faster you patch those holes, the less chance you have of the ship as a whole sinking to the bottom of the ocean. And it also helps if you design the code based on security from the beginning instead of attempting to bolt-on security like it's another feature when it definitely isn't.

      --
      Judges and senates have been bought for gold; Esteem and love were never to be sold.
    2. Re:ISPs most likely to be hit by Stanistani · · Score: 1

      >That's effectively why alternative operating systems are impenetrable to virii and other nasty things. They aren't looked at by the majority of the 'bad people' out there. :P

      Ya know, I'm glad that was modded insightful, 'cause I don't think anyone's ever made that point on /. ever before...

      Naah, just kidding! You're all right.

    3. Re:ISPs most likely to be hit by Dancindan84 · · Score: 0

      Is there somewhere that numbers of users for those ISPs is available? I agree that it would be more interesting to see it as a percentage of their user base rather than raw numbers.

      --
      "Always forgive your enemies; nothing annoys them so much." - Oscar Wilde
    4. Re:ISPs most likely to be hit by Sunburnt · · Score: 1

      it also helps if you design the code based on security from the beginning instead of attempting to bolt-on security like it's another feature when it definitely isn't.
      Or "letting the market handle it" by allowing your company's incompetence to effectively subsidize a third-party industry possessing only marginally more competence.
      --
      Tags != Comments, and -1 (Troll) != -1 (I Would Respond Angrily To This Poster So They Must Be Trolling)
    5. Re:ISPs most likely to be hit by eMbry00s · · Score: 1

      Like linux servers, then? No, wait - that just ruined your insinuation that the reason linux is secure is obscurity.

      Anyways, with ISPs I would say the demographics are pretty equal (though I have no facts to back that up) - which means the amount of trojans per ISP would rise as the number of users increases.

    6. Re:ISPs most likely to be hit by samotano · · Score: 1

      A simple incidence rate like (# attacks)/(total users) for each IP would have been much more informative.

    7. Re:ISPs most likely to be hit by Anonymous Coward · · Score: 0

      Of that list, which of those ISPs force us to have the same machine IP address and internet IP address? Which charge you extra for a router and won't install through one you provide?

      Correct me if I'm wrong, but isn't having the same machine IP as the internet IP a HUGE security risk? The firewall log fills with hits; add a router and the machine IP is different. These hits go away when we add a router configured with a local, non-routable IP address.

      What reason would an ISP have to force their subscribers to have the same machine and Internet IP address?

      Isn't an ISP who does the above putting us at huge risk?

    8. Re:ISPs most likely to be hit by pilgrim23 · · Score: 2, Informative

      So the gaping holes in Microsoft products, that any 16 year old with a few hours reading of a VB manual could exploit has nothing to do with it?
      Submarine one: "We are sinking because we are the most popular submarine."
      Submarine two: "uh, guy.. Try shutting your hatch"

      --
      - Minutus cantorum, minutus balorum, minutus carborata descendum pantorum.
    9. Re:ISPs most likely to be hit by maxume · · Score: 1

      Has any other os been deployed so widely in a user-managed, hostile network environment? Windows may very well be shitty shitty shitty, but there isn't any reason to conclude that there is actually something out there that isn't shitty shitty shitty.

      --
      Nerd rage is the funniest rage.
    10. Re:ISPs most likely to be hit by UbuntuDupe · · Score: 1

      If you're referring to Linux, that's just not true. Certainly fewer home users have Linux, and those users are generally better-informed about security. However, the bulk of the security comes from a better design[1]. For one, regular users do not have the equivalent of Windows "admin" privileges. Also, the components are more de-coupled. Knowing how to crack the web browser does not automatically imply knowing how to exploit the word processor, or how to hijack all CPU cycles. Critical directory paths are not hard-coded. Even if 90% Linux penetration would divert hacker resources to Linux, it will still take longer for them to find flaws, and those flaws would be less severe.

      [1] Yeah, yeah, yeah, yeah, I know, I've criticized Linux's design before and I know all the links you've compiled to my previous posts. No, I'm not contradicting myself. When I said the design was poor in the past, I was referring to a different aspect of it, that is, handling potential issues in installation. I stand by those claims. Linux's security aspect still has good design.

    11. Re:ISPs most likely to be hit by A_Non_Moose · · Score: 1

      As with spyware, it makes sense of course that the biggest population will be hit the hardest.

      Target rich environment, eh?

      So goes the old adage "One million chinese people can't be wr^H^Hinfected, can they?"

      Or, "give a man a phish, and his accounts will be emptied, teach a man to phish and we'll hunt your dumb ass
      down too!".

      --
      Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
    12. Re:ISPs most likely to be hit by ericlondaits · · Score: 1

      No, you're wrong.

      Mapping from an external IP to an internal LAN IP is called NAT. NAT shouldn't be used as a substitute to a real firewall, though you'll find many people who think of NAT as a security measure.

      --
      As a Slashdot discussion grows longer, the probability of an analogy involving cars approaches one.
    13. Re:ISPs most likely to be hit by Anonymous Coward · · Score: 0

      Yes it does indeed offer a level of security! The cable company is indeed harming security. 'NAT transitional 101': it's not a firewall, but it's far better than not having one.
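The disagreement above (NAT "offers a level of security" versus "shouldn't be used as a substitute for a real firewall") comes down to what a NAT table checks and what it does not. The model below is an added example, not code from the thread: it implements port-overloading NAT the way a home router does, then runs the scenario the anonymous poster describes (unsolicited inbound hits vanish) next to the one NAT cannot help with (a keylogger already on the PC phoning home). All addresses are RFC 5737 documentation ranges, the trojan's destination port is made up, and `EgressPolicy` is a stand-in for a real firewall rule, not any product's behaviour.

```python
"""NAT versus firewall (added example, not from the thread)."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    """Port-overloading NAT (NAPT) as a home router does it.

    An outbound packet gets a fresh public port and a table entry. An inbound
    packet is delivered only if it matches an entry; otherwise there is nowhere
    to send it and it is dropped. No policy is consulted in either direction.
    This model also checks that the inbound source matches the entry's remote
    endpoint (an assumption; a full-cone NAT would not).
    """

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port
        self.table = {}  # public_port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.log = []

    def outbound(self, pkt: Packet) -> Packet:
        port = self._next_port
        self._next_port += 1
        self.table[port] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        self.log.append(("out", pkt.dst, pkt.dport, "translated"))
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        entry = self.table.get(pkt.dport) if pkt.dst == self.public_ip else None
        if entry is None or entry[2:] != (pkt.src, pkt.sport):
            self.log.append(("in", pkt.src, pkt.dport, "dropped: no mapping"))
            return None
        lan_ip, lan_port, _, _ = entry
        self.log.append(("in", pkt.src, pkt.dport, "delivered"))
        return replace(pkt, dst=lan_ip, dport=lan_port)


class EgressPolicy:
    """The part NAT does not have: a decision on whether a LAN host may talk
    out at all. Assumed rule for the example: only web ports leave the LAN."""

    def __init__(self, allowed_dports):
        self.allowed = set(allowed_dports)

    def permits(self, pkt: Packet) -> bool:
        return pkt.dport in self.allowed


def simulate():
    """Run the scenario from the thread; returns a dict of named outcomes."""
    nat = Nat("203.0.113.10")
    policy = EgressPolicy({80, 443})
    lan_pc = "192.168.1.10"
    out = {}

    # 1. The PC opens a banking session; NAT maps it and rewrites the source.
    syn = Packet(lan_pc, 51515, "198.51.100.20", 443)
    translated = nat.outbound(syn)
    out["bank_session_mapped"] = translated.src == nat.public_ip

    # 2. The bank's reply matches the table entry and reaches the PC.
    reply = Packet("198.51.100.20", 443, nat.public_ip, translated.sport)
    delivered = nat.inbound(reply)
    out["bank_reply_delivered"] = delivered is not None and delivered.dst == lan_pc

    # 3. An Internet scanner probes port 80 on the public IP: no entry, dropped.
    # This is exactly why the "firewall log hits" vanish behind a NAT router.
    scan = Packet("192.0.2.66", 12345, nat.public_ip, 80)
    out["unsolicited_scan_dropped"] = nat.inbound(scan) is None

    # 4. A keylogger already on the PC phones home: NAT maps it like any other flow.
    c2 = Packet(lan_pc, 51516, "192.0.2.99", 8080)
    out["nat_lets_trojan_out"] = nat.outbound(c2).src == nat.public_ip

    # 5. Only an egress policy (something NAT does not provide) can stop that.
    out["policy_blocks_trojan"] = not policy.permits(c2)
    out["policy_lets_bank_out"] = policy.permits(syn)
    return out


if __name__ == "__main__":
    for name, ok in simulate().items():
        print(f"{name}: {ok}")
```

Note the limit of the example policy: it allows 443 out, so a trojan that reports over 443 passes it too. Egress rules narrow the problem; NAT by itself only hides the LAN from unsolicited inbound traffic, which is the whole of the "level of security" the anonymous poster is seeing.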

    14. Re:ISPs most likely to be hit by thrawn_aj · · Score: 1

      Also, if hackers are geeks and geeks have an inherent tendency to go Linux, they would be idiots to mess up their own world by writing Linux virii :P. So, I would say (even though I'm a windows user), that the Mac seems to be the most secure =D as whatever Mac users are, "geeks" they ain't :P.

    15. Re:ISPs most likely to be hit by Kadin2048 · · Score: 1

      I'd say that Linux-based webservers have withstood at least the same (or worse) adversaries and attacks that are plaguing Windows systems, and fared a whole lot better.

      Although there are probably more home PCs than servers, the servers are much bigger targets. Until very recently, it wasn't that common to find a home PC that was sitting on a really fat pipe 24/7. Servers, practically by definition, have loads of bandwidth available. If you think that somebody's crappy Windows box getting turned into a spam zombie on their home DSL line is bad, imagine what it would be like to turn a significant fraction of a colo farm into zombies: you wouldn't just have a botnet, you'd practically have a supercomputer.

      As anyone who's ever set up a machine running sshd on the default port, facing the internet, knows, malicious persons are constantly looking for machines other than Windows ones to compromise. I get hundreds of attempts per day on my home server (which do nothing, except to get the originating IP added to hosts.deny) and I'm sure a commercial server that wasn't properly secured would get owned pretty quickly.

      But the fact that the same malicious users who assumedly send out Windows trojans have to resort to brute-forcing the passwords on my SSH gateway says something about the security models of each. To draw a physical-world analogy, they're actually picking the locks of the Windows machines; with my Linux box, they're merely rattling the knob and seeing if I've been dumb enough to leave it basically unlocked.

      Now, it's true that a desktop/server comparison isn't totally fair: it's hard to trojan a server, because you don't have people sitting at its console, downloading and executing email attachments and other garbage. However, even on a Linux desktop, you'd have a harder time dropping a trojan, because it's harder to disguise an executable as a document and get a user to run it. (On most Linux systems, files are saved with the execute bit unset, so that someone would really have to try in order to "execute" that PPT file instead of opening it.)

      Is it possible that there could be buffer overflows and arbitrary code-execution bugs in Linux software? Sure --- it's not immune, by any means. But particularly on externally-facing services, like sshd/apache/imapd/etc., the code is in use by and vetted by so many people, that I suspect the number of serious, exploitable bugs is fairly low, and they get fixed pretty quickly. With Microsoft, you just don't know. First, you have to wait for somebody to find a vulnerability, usually through some form of trial-and-error, because they don't have the code to review, and then you have to hope that they notify Microsoft instead of selling it to the Russian mafia, and then you have to wait for Microsoft to find a convenient time in their schedule to fix it (using whatever method they find expedient, which may or may not create other holes elsewhere; remember, you don't know what they're actually doing) and then release an update.

      There are definitely Linux apps that have not had to withstand much in the way of scrutiny or life in a hostile environment, and that I wouldn't bet on the security of. But much of the underlying OS, and many of the most heavily-used applications, have a decades-long track record as some of the biggest targets on the Internet.

      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    16. Re:ISPs most likely to be hit by maxume · · Score: 1

      Servers generally have 'competent' admins. Or a firewall policy. Everything you say about the resources available is true, but the weak link on home systems is generally weaker.

      --
      Nerd rage is the funniest rage.
    17. Re:ISPs most likely to be hit by Anonymous Coward · · Score: 0
      Right- no one uses Linux or Macs, which is why they aren't viable targets for a 'bad person' to use as honeypots.

      I know most of the people reading this site like to think that Linux is bulletproof, but if things were reversed, and 90% of computer users were running a certain flavor of Linux, there would still be 'bad people' exploiting whatever they could to do bad things.

      Not to mention that there would be a lot more useful applications for Linux if that was the case....

      Oh, and why the hell do I have to use two (p) tags for the first paragraph every time I post something? Using only one paragraph tag gets treated like a Line Break (br).

    18. Re:ISPs most likely to be hit by PrinceOfStorms · · Score: 1

      Except that Submarine One got to be the most popular submarine by giving people what they wanted, namely a convertible submarine that allows all the sunshine in and saves all that hatch opening/closing time. If Submarine Two wants to be the most popular submarine, they're going to have to offer the same "feature".

    19. Re:ISPs most likely to be hit by HomelessInLaJolla · · Score: 1

      Submarine One got to be the most popular submarine by giving people what they wanted
      Editorial suggestion: "Submarine One became the most popular submarine by advertising that everyone should want a submarine at a time when most people didn't know what a submarine was. The advertising was paid for using taxpayer money which was allocated in the form of research grants, business subsidies, and government backed low interest technology sector loans."

      In short... a scam.
      --
      the NPG electrode was replaced with carbon blac
    20. Re:ISPs most likely to be hit by Random832 · · Score: 1
      Try using actual well-formed HTML - a (p) tag at the START of your first paragraph, followed by a (/p) at the end and a (p) at the start of the second one, etc.

      Or you could just do it the easy way and type two line breaks with the enter key, if you're using "plain old text".

      --
      We've secretly replaced Slashdot with new Folgers Crystals - let's see if it notices.
  4. Looking at the Distribution Map by Gryle · · Score: 3, Funny

    It would appear that nobody in South Dakota has an identity worth stealing. That's gotta hurt your pride.

    --
    Only two things are infinite, the universe and human stupidity, and I'm not entirely sure about the universe - Einstein
    1. Re:Looking at the Distribution Map by LilGuy · · Score: 1

      That's because I moved to Iowa.

      --

      You're nothing; like me.
  5. AOL is at the bottom of the list by Frosty+Piss · · Score: 2, Interesting

    Interesting how AOL is at the bottom of the list of ISPs likeliest to be hit. Who would have thought.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:AOL is at the bottom of the list by gEvil+(beta) · · Score: 1

      Either their customers are still busy trying to get onto the internet in the first place, or those spyware/adware tools that they've been shoveling are actually doing some good...

      --
      This guy's the limit!
    2. Re:AOL is at the bottom of the list by vertinox · · Score: 1

      What's so surprising about not targeting a group that can't even figure out how to connect to the internet, much less figure out they even have online banking?

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
    3. Re:AOL is at the bottom of the list by Anonymous Coward · · Score: 2, Insightful

      AOL users being mostly dialup users likely has something to do with it. It's much easier for the phishing spyware to work when it has an active internet connection with which to report back. Even your most clueless AOL user would likely realize something is up if their computer "randomly" connected to the net all by itself.

      Even if their thing only works when the user is already online, you need to get it to the person to begin with. Sending the payload over dialup may not be feasible.

    4. Re:AOL is at the bottom of the list by networkBoy · · Score: 1

      Besides they're all pwned as open relays and proxies.
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    5. Re:AOL is at the bottom of the list by clickclickdrone · · Score: 1

      Probably because AOL have almost no customers anymore and those they do have can't find the on/off switch so the scammers know they're not going to get anything useful.

      --
      I want a list of atrocities done in your name - Recoil
    6. Re:AOL is at the bottom of the list by Anonymous Coward · · Score: 0

      Probably because AOL have almost no customers anymore...

      Well now, say what you want about AOL quality, but that's just bullshit.

    7. Re:AOL is at the bottom of the list by clickclickdrone · · Score: 1

      Well now, say what you want about AOL quality, but that's just bullshit.
      Ya don't say?
      --
      I want a list of atrocities done in your name - Recoil
  6. It's the Russian mafia! Ahhh! by PsEvo · · Score: 1

    Charts are nice and all, but I would like to see more work done to prevent this. Or perhaps, don't let idiots use the computer (computer license). It's the only way! The biggest security hole in computers isn't the computer, but the user. :(

    --
    "ATI cards are like buses...They're huge, red and have bad drivers."
    1. Re:It's the Russian mafia! Ahhh! by geoffspear · · Score: 4, Insightful

      The problem is that you apparently need to make the requirements to get a "computer license" more stringent than those required to get a job in network security at IBM or a degree in information security. Good luck legislating that when you're going to have to take away the computers of everyone in Congress and all of their staff.

      --
      Don't blame me; I'm never given mod points.
    2. Re:It's the Russian mafia! Ahhh! by LighterShadeOfBlack · · Score: 2, Insightful

      Charts are nice and all, but I would like to see more work done to prevent this.
      Agreed.

      Or perhaps, don't let idiots use the computer (computer license). It's the only way! The biggest security hole in computers isn't the computer, but the user. :(
      And mugging and theft are up in my neighbourhood. It's all these old people. There should be a licence for walking the street! The biggest reason for crime is people who can't put up a fight. Euthanasia at 60 is the only way! :(

      Seriously though, users should definitely be educated on computer security wherever and whenever possible (ie. as a fundamental part of job training and IT education in schools). But any talk of computer licences is ridiculous.
      --
      Spelling mistakes, grammatical errors, and stupid comments are intentional.
    3. Re:It's the Russian mafia! Ahhh! by Anonymous Coward · · Score: 0

      Not quite.

      I've been tracking a similar group since October of 2006. Here are some facts from that case:

      1) To get infected you simply need to surf to the right web site.
      2) How you get infected is to not have the latest patches on your machine.
      3) Almost no anti-virus protects you 100% from this, according to Virus Total, 90% don't even detect it now after 5 months of submission to Virus Total.
      4) They are averaging 40,000 PCs a month. Do the math, that's 480,000 PCs a year, small change?
      5) Given $10 per ID stolen, and there's one per PC, let's do some more math: $4,800,000.00.
      6) Read the FBI's response: It's not our job.

      I've got a much bigger data set than Brian has, around 30,000 PCs. It's insane the amount of data collected, including logins to .MIL sites. Think of pretty much everything you surf to, including SSL, or with Digital Certificates, etc. being logged in real time.

      Oh, and to the guy who left me the note: i snova obranto. I'm still following you.

    4. Re:It's the Russian mafia! Ahhh! by protected_static · · Score: 1

      But any talk of computer licences is ridiculous.
      I would have thought so as well, had I not seen how Britain's TV tax unfolded a few years ago. I know the two situations aren't entirely comparable, but still... Many countries charge license fees for television access - how much of a leap would that be to internet access?
    5. Re:It's the Russian mafia! Ahhh! by geoffspear · · Score: 1

      I'm fairly certain that the British don't need to prove they're not too stupid to watch TV to get a TV license, though, so what you're talking about has nothing whatsoever to do with what OP is suggesting.

      --
      Don't blame me; I'm never given mod points.
    6. Re:It's the Russian mafia! Ahhh! by Pollardito · · Score: 1

      The problem is that you apparently need to make the requirements to get a "computer license" more stringent than those required to get a job in network security at IBM or a degree in information security. Good luck legislating that when you're going to have to take away the computers of everyone in Congress and all of their staff. Take away their computers, are you mad? But how will they get the internets that their assistants send them through the tubes?
    7. Re:It's the Russian mafia! Ahhh! by protected_static · · Score: 1

      Nothing whatsoever? No, there's no user test for TV, hence my saying that they "aren't entirely comparable." But where I think you're missing the point is that it would be relatively trivial for a government to impose a licensing scheme upon users, therefore making the idea not quite so 'ridiculous.'

      I mean really, what would the test consist of? How about a series of check boxes attached to your tax/license form stating that the user understands that they need to install anti-virus software/not click on random attachments/not respond to spam/not share files illegally along with another checkbox stating that the user understands that they may be held criminally liable should they fail to follow these or other 'safe computing' practices, oh, and by the way, if we find that you're engaging in any of these things, your ISP will be required to shut you off.

      Boom. Done. Pay your fee please, you've just been licensed.

    8. Re:It's the Russian mafia! Ahhh! by Moofie · · Score: 1

      "it would be relatively trivial for a government to impose"

      That phrase gives me the screaming wiggins. ANY government imposition is, by definition, not trivial.

      --
      Why yes, I AM a rocket scientist!
    9. Re:It's the Russian mafia! Ahhh! by protected_static · · Score: 1

      I didn't say that I was in favor of such a scheme; just that it would be fairly easy for a government entity to implement...

    10. Re:It's the Russian mafia! Ahhh! by Anonymous Coward · · Score: 0

      Or make it a requirement for anyone working as a professional in the computer industry to get a "license".

    11. Re:It's the Russian mafia! Ahhh! by pipingguy · · Score: 1

      Why are there not computer/internet security PSAs on television?

  7. What exactly were they doing or not doing? by ect5150 · · Score: 1

    While the above information in the article and above links is interesting, and you can sure feel for the victims, I'd be more interested in knowing what the individuals were or were not doing that allowed the viruses/hackers/keyloggers on the systems. Do these individuals/corporations not run behind a firewall? port blocker? run anti-virus software? run anti-spyware?

    I'm not the end-all-be-all security expert, but when I help individuals set up a 'net connection, I make sure all firewalls are on (or the router they are using only allows the necessary ports needed for operations to be forwarded into the network). I set up free anti-virus and free anti-spyware as well. Are these places doing the same? Or do most of you guys [read: slashdot-readers] find that in general they don't?

    --
    I have never let my schooling interfere with my education.
    1. Re:What exactly were they doing or not doing? by Anonymous Coward · · Score: 0

      I'd think that the two most likely attack vectors are actual manual execution of untrusted binaries (arranged by social engineering - even at a primitive "click here for nude pictures" level) and browser/mail reader bugs, neither of which can be stopped by simple port-based firewalls or naïve scan-based anti-virus. A more comprehensive anti-virus solution (one that scans code as it's downloaded) would help, but of course, no signature-based scan can detect new viruses and no heuristic-based scan is perfect (keeping in mind that new viruses could be written with not being detected by common heuristics as an explicit goal), so in the end, the only robust solutions are user education, or very limited user accounts (basically, not allowing users to run their own binaries at all).

      Simply limiting users to read and write their own files is not good enough, because those files are valuable and secret in themselves. Keeping backups is a good practice and can help greatly against file destruction (as well as file destruction by more mundane causes such as disk failure), but it's obviously worthless against the threat of disclosure. Encryption of local disk data can also help, but in the end, nothing in your account is secure if you allow untrusted binaries to run.

    2. Re:What exactly were they doing or not doing? by Anonymous Coward · · Score: 1, Informative

      Do these individuals/corporations not run behind a firewall? port blocker? run anti-virus software? run anti-spyware?

      The summary says that a machine was compromised at the Bank of America, though from my reading it seemed to just say at a bank. I happen to have some insight into Bank of America specifically. They run firewalls and configure IP access limitations on machines and run an expensive intrusion protection system that searches for this type of thing on their network. None of those, however, will stop a user from bringing an infected MP3 player into work, or in some cases installing software on their workstation. The real question is, did all of these people lose data and how quickly was it detected and shut down? Did the compromise spread?

      Aside from that, implementing measures to make sure hosts aren't compromised in the first place is a good idea, but realistically these people are running Windows and the OS simply does not have the security needed to prevent malware from hitting the box and taking over in the first place.

    3. Re:What exactly were they doing or not doing? by Anonymous Coward · · Score: 0

      The trojan that I've been tracking does the following:

      1) Outbound HTTP calls (port 80)
      2) Outbound FTP calls (port 21)
      3) 90% of all Anti Virus does not detect it
      4) Logs data in near real time to a remote site

      You do the math. You think the average person can even know about something like this on their PC, much less a more advanced user?

      The big thing is that the average /. person will have the latest patches on their machine and that stops many of these trojans from infecting you.

    4. Re:What exactly were they doing or not doing? by LilGuy · · Score: 1

      I do this as well, not for their benefit but for mine. I don't want calls at 2 in the morning complaining that the computer is a slow piece of crap and I need to come fix it. I set them up with the tools, let them know what they're for, and tell them that any additional support will cost them money.

      Seems to work out well.

      --

      You're nothing; like me.
    5. Re:What exactly were they doing or not doing? by borkus · · Score: 2, Informative

      It sounds like people opened one bad attachment and that was it. It's easy to blame them for that, but people get personal e-mail with legitimate attachments all the time. All it takes is one mistake to infect your PC. Also, the malware these days often does some devious things -

      *Often, the software uses your copy of Outlook to hit other people in your address book. Consequently, the infected messages often come from a trusted source - bypassing spam filters as well as the recipient's normal level of suspicion.

      *The messages often mirror a terse business communication, i.e., "Please review and respond" along with a safe-looking file name. These are no longer the "click here for nude pictures" e-mails, but good impersonations of day-to-day business correspondence.

      I think of a friend of mine who kept birds. Her boyfriend got her a cat (she was a big animal fan) and she figured she could keep both in her apartment as long as the birds were in a room with a door to it. Her plan was to close the door every day before she went to work so the cat couldn't get in there when she was out. Of course, she had several things she had to do every morning before going to work and the cat had only one thing to pay attention to - did she leave the door open today? Eventually, she was in a rush one morning and came home to find the door open to the bird's room but no bird.

      And yep, having Windows and MS Office was the canary to the hacker's cat.

    6. Re:What exactly were they doing or not doing? by Anonymous Coward · · Score: 0

      Wow! Someone here actually knows how to correctly spell the word "lose".

    7. Re:What exactly were they doing or not doing? by jerkychew · · Score: 1

      Read the article; The virus that he back-tracked was sent via email. You can have all the firewalls in the world and your mail servers can be locked down tighter than my mom, but all it takes is one user with IE and a Hotmail account.

    8. Re:What exactly were they doing or not doing? by Anonymous Coward · · Score: 0

      The real question is, did all of these people lose data and how quickly was it detected and shut down?

      Wow! Someone here actually knows how to correctly spell the word "lose".

      Funny thing is: In that sentence and context loose would work as well.
    9. Re:What exactly were they doing or not doing? by cyberbob2351 · · Score: 2, Informative
      The botnet problem is a little worse than you may think... And it is these botnets that are allowing such rampant system compromise.

      First of all, recognize that botnet malware evolves at a pace with which it is rather difficult for the antivirus vendors to keep up. All it takes is a download of phatbot, a little code hacking to ensure it is just perfect for your uses, and then you run it through a packer. You won't preserve the same md5sum of course once your binary is customized, so the only other way that the sample can be detected is some more advanced techniques (API hooking, entropy scanners, or looking for certain assembly sequence patterns). I'm not sure what the default scanning behavior of most AV scanners is, but they might not utilize such hardcore tests on every file in your system.

      Secondly, most botnets run over port 6667, so even if you were running a firewall, you would need to have one that blocked the default IRC port by default. If this is unlikely for the majority of firewalls out there, also recognize that many newer IRC bots are relying more heavily on HTTP command and control mechanisms. That is, they no longer communicate over IRC, and instead resort to making web posts to communicate with the hacker. Being port 80 based, suddenly it's not so detectable amongst the stream of internet web traffic.

      As for infection trajectories, also recognize that many infections today are indeed user error, whether it be an email attachment or downloading some videogame crack off of some site. The zero day exploits contribute to the problem as well.

      --
      for sale
      I'm a self-modifying sig virus
    10. Re:What exactly were they doing or not doing? by Anonymous Coward · · Score: 0

      The last 3 keyloggers that I removed were right in the face of fully updated major anti-virus solutions, on three different computers and with 2 major players fully updated.

      What does that tell me about the effectiveness of these solutions?

      Here's how I found the keyloggers:

      Turned on the external router's outgoing log, left the computer idle for a few hours and, aha! 15 connections that were reverse-DNS'd to China. Then used the netstat command to discover the names of the infected programs.

      In all three cases, however, users executed unwanted ActiveX controls and explicitly selected allow and install. But the fully updated anti-virus stuff was useless.

      Final fix? Reinstall the OS and reformat.

      I don't doubt these solutions will find major outbreaks, but I doubt from experience that these anti-virus solutions can find stuff that has low distribution. I'm no hacker, but if I was, I would cook my malware and malevolent stuff on a machine with major anti-virus programs running and fully updated. Hackers probably do just that! So what good is this stuff?

      Findings? Stupid computer users cannot always be helped by automatically updated anti-virus programs. Again, if there is a major outbreak, I don't doubt that they will be nearly 100% effective, but in the case above they were 100% useless.

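The procedure in the comment above (log outbound connections from an idle box, see which destinations keep coming back, then use netstat on the host to find the process) written out as an added example; this is not the commenter's code. The router log format, the reverse-DNS table and the netstat output are constructed sample data using TEST-NET addresses; a real router's log format will differ and reverse DNS would use `socket.gethostbyaddr`.

```python
"""Idle-host outbound beacon triage, after the procedure in the comment above.

Added example, not code from the commenter. The router log, the reverse-DNS
table and the netstat output are constructed sample data (TEST-NET addresses);
a real router's log format differs and rDNS would use socket.gethostbyaddr.
"""
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed router outbound log: "<date> <time> OUT <src> -> <dst> <proto>".
ROUTER_LOG = """\
2007-03-01 01:58:10 OUT 192.168.1.12:1041 -> 198.51.100.5:80 TCP
2007-03-01 02:13:44 OUT 192.168.1.12:1044 -> 203.0.113.40:80 TCP
2007-03-01 02:43:51 OUT 192.168.1.12:1051 -> 203.0.113.40:80 TCP
2007-03-01 03:13:47 OUT 192.168.1.12:1059 -> 203.0.113.40:80 TCP
2007-03-01 03:14:02 OUT 192.168.1.12:1060 -> 203.0.113.41:21 TCP
2007-03-01 03:43:55 OUT 192.168.1.12:1066 -> 203.0.113.40:80 TCP
2007-03-01 09:05:00 OUT 192.168.1.12:1102 -> 198.51.100.5:80 TCP
"""

# Constructed stand-in for reverse-DNS answers (no network access needed).
RDNS = {"203.0.113.40": "host40.example.cn", "203.0.113.41": "ftp41.example.cn",
        "198.51.100.5": "cdn.example.net"}

# Constructed `netstat -ano` style output (Windows column layout, made-up values).
NETSTAT = """\
Proto  Local Address          Foreign Address        State           PID
TCP    192.168.1.12:1066      203.0.113.40:80        ESTABLISHED     1688
TCP    192.168.1.12:1102      198.51.100.5:80        ESTABLISHED     2212
"""

LINE_RE = re.compile(r"(?P<date>\S+) (?P<time>\S+) OUT (?P<src>[\d.]+):\d+ -> "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)")

def idle_connections(log_text, host, idle_start, idle_end):
    """(timestamp, dst_ip, dst_port) for outbound flows from `host` inside the idle window."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["src"] != host:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        if idle_start <= ts.time() <= idle_end:
            out.append((ts, m["dst"], int(m["dport"])))
    return out

def beacon_candidates(conns, max_jitter_s=60, rdns=RDNS):
    """Destinations contacted at a regular interval while nobody was at the keyboard.

    Returns {dst_ip: (period_seconds, hit_count, rdns_name, sorted ports)}. A destination
    needs at least three contacts (two intervals) before its timing says anything.
    """
    by_dst = defaultdict(list)
    for ts, ip, port in conns:
        by_dst[ip].append((ts, port))
    result = {}
    for ip, items in by_dst.items():
        items.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(items, items[1:])]
        if len(gaps) >= 2 and max(gaps) - min(gaps) <= max_jitter_s:
            period = round(sum(gaps) / len(gaps))
            result[ip] = (period, len(items), rdns.get(ip, "?"), sorted({p for _, p in items}))
    return result

def pids_for(netstat_text, ips):
    """Map each suspect remote IP to the local PID holding a connection to it
    (the commenter's step of running netstat on the infected box)."""
    pids = {}
    for line in netstat_text.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 5:
            remote_ip = cols[2].rsplit(":", 1)[0]
            if remote_ip in ips:
                pids[remote_ip] = int(cols[4])
    return pids

def triage(log_text=ROUTER_LOG, netstat_text=NETSTAT, host="192.168.1.12",
           idle_start=time(2, 0), idle_end=time(5, 0)):
    """Run the whole procedure: idle-window flows -> periodic destinations -> local PIDs."""
    conns = idle_connections(log_text, host, idle_start, idle_end)
    beacons = beacon_candidates(conns)
    return beacons, pids_for(netstat_text, set(beacons))

if __name__ == "__main__":
    beacons, pids = triage()
    for ip, (period, n, name, ports) in beacons.items():
        print(f"{ip} ({name}) every ~{period}s x{n} on ports {ports}; local PID {pids.get(ip)}")
```

The single FTP contact to 203.0.113.41 is deliberately not reported: one connection carries no timing evidence, which is why the commenter's "leave it idle for a few hours" step matters.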
    11. Re:What exactly were they doing or not doing? by evought · · Score: 1

      According to the 2005 FBI Internet Crime Report, almost all surveyed companies used antivirus, antispyware, firewalls and antispam software. The article also says that many victims in this case were as well. I have also had a Win2K box compromised that was very well protected; malware detectors and updates do not work against new exploits. I generally run Linux and Mac systems, and, although there are many fewer threats, I have them protected to the nines. In this case, as others mention, it is the human element: innocent-looking attachments are sent from trusted individuals. This is a very good case for PGP and other systems, not to mention rampant paranoia when receiving any attachment.


    12. Re:What exactly were they doing or not doing? by Anonymous Coward · · Score: 0

      They were surfing. Outbound HTTP and browser vulnerabilities is what's doing most of it.

  8. "Likeliest" by mwvdlee · · Score: 2, Funny

    "Likeliest" is a perfectly cromulent word.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    1. Re:"Likeliest" by Anonymous Coward · · Score: 0

      I don't understand the point of this post, or why it was tagged "Funny." "Likeliest" is not some strange made-up word like "embiggen"--it's a perfectly ordinary word, in common use for several centuries.

    2. Re:"Likeliest" by soliptic · · Score: 1

      I don't get it. If you're trying to imply "likeliest" is not a perfectly cromulent word, I'm afraid you're wrong, it definitely is a real word. If there's no sarcasm / tongue in cheek and you do literally wish to point out the word does exist, I don't understand why you'd pick on "likeliest" instead of any of the other words they used which do exist :)

  9. "Impenetrable?" by Rob+T+Firefly · · Score: 1

    That's effectively why alternative operating systems are impenetrable
    I don't think that word means what you think it means.
  10. Good school for "Information Security" ?? by moeinvt · · Score: 1

    I suggested that one of my relatives look into computer security as a career.

    Any recommendations from /.ers on a good school for studying this?

    1. Re:Good school for "Information Security" ?? by gEvil+(beta) · · Score: 1, Funny

      Any recommendations from /.ers on a good school for studying this?

      DeVry

      --
      This guy's the limit!
    2. Re:Good school for "Information Security" ?? by east+coast · · Score: 1

      Hey don't put down DeVry. When I went there it was a great school... oh, wait....

      --
      Dedicated Cthulhu Cultist since 4523 BC.
  11. Did you major in arrogance? by Digital+Vomit · · Score: 3, Insightful

    One victim "was fresh out of college, where he'd just earned a degree in information security. (He was actively looking for a job in the field; I suggested he may want to go back to the classroom.)"

    Because college creates people who are perfectly skilled at a certain field...

    --
    Modern copyright is theft of culture from everyone and it retards the progress of the useful arts and sciences.
    1. Re:Did you major in arrogance? by Sunburnt · · Score: 1

      Because college creates people who are perfectly skilled at a certain field...
      It damn well better, for $120,000+ in some cases. After all, isn't that the assumption made by a thousand idiot HR folks every day? /sarcasm

      --
      Tags != Comments, and -1 (Troll) != -1 (I Would Respond Angrily To This Poster So They Must Be Trolling)
    2. Re:Did you major in arrogance? by Anonymous Coward · · Score: 0

      No, it doesn't. That's the problem. People can go to college all day long, not learn a damn thing, and still graduate with a degree if they pull the right strings.

      Inability to protect your own computer from simple phishing scams, either due to your inaction in properly protecting your PC, or your own action in doing something stupid - puts you at high risk and questions your ability to protect someone else's network, when you're unable to protect your own.

      He should go back to school, because he still doesn't know shit.

    3. Re:Did you major in arrogance? by Jimbitz · · Score: 1

      Too bad that person ain't that skilled in Information Security..
      I wonder if Microsoft would hire him. [/sarcasm]

      --
      IT074931
    4. Re:Did you major in arrogance? by Anonymous Coward · · Score: 0

      You forgot to open your sarcasm tag, asswipe.

    5. Re:Did you major in arrogance? by Jimbitz · · Score: 1

      Go and report it to your nearest police station Anonymous Coward.

      --
      IT074931
  12. Poison their lists by Martin+Spamer · · Score: 2, Interesting

    The corps that are targeted for login credentials should poison the phishers' lists while they are waiting for the phisher's ISP to take them down.

    When the poison credentials are used by the phisher, the targeted corp should use their source IP and browser fingerprints to help identify other compromised accounts logged in from the same source. Places like banks and PayPal could also use this information to freeze compromised accounts more quickly.

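The correlation step the post describes, as an added example that is not part of the original post or any bank's code: canary credentials are planted, and any login from the source IP (optionally the browser fingerprint) that later uses a canary marks the other accounts seen from that source. Account names, IPs and fingerprint values are constructed.

```python
"""Canary-credential correlation, after the idea in the post above.

Added example, not code from the poster or from any institution.
Account names, IPs and the fingerprint values are constructed.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class LoginEvent:
    username: str
    source_ip: str
    ua_fingerprint: str   # hypothetical hash of browser headers, constructed here
    success: bool

# Poison credentials fed to the phishing page; never issued to a real customer,
# so any use of them is by definition someone working from the harvested list.
CANARY_ACCOUNTS = {"cust-4471-x", "cust-9020-x"}

# Constructed login log: the phisher replays harvested credentials from one host.
LOGIN_LOG = [
    LoginEvent("alice", "203.0.113.7", "fp-a1", True),
    LoginEvent("cust-4471-x", "198.51.100.23", "fp-77", True),   # canary used here
    LoginEvent("bob", "198.51.100.23", "fp-77", True),            # same source IP
    LoginEvent("carol", "198.51.100.23", "fp-77", False),         # on the list, wrong pw
    LoginEvent("dave", "192.0.2.44", "fp-77", True),              # same browser, other IP
    LoginEvent("erin", "203.0.113.9", "fp-b2", True),
]

def canary_hits(log):
    """(source_ip, fingerprint) pairs that presented a canary credential."""
    return {(e.source_ip, e.ua_fingerprint) for e in log if e.username in CANARY_ACCOUNTS}

def correlate(log, match_fingerprint=False):
    """Real accounts seen from a source that also used a canary credential.

    Pivots on source IP by default. match_fingerprint additionally flags logins
    sharing the browser fingerprint from any IP, which catches a phisher who
    rotates proxies but is noisier (fingerprints collide between honest users).
    Returns {account: reason}; failed attempts are included, since the credential
    was still on the list and the owner should be told to change it.
    """
    hits = canary_hits(log)
    bad_ips = {ip for ip, _ in hits}
    bad_fps = {fp for _, fp in hits}
    flagged = {}
    for e in log:
        if e.username in CANARY_ACCOUNTS:
            continue
        if e.source_ip in bad_ips:
            flagged[e.username] = f"source IP {e.source_ip} used a canary credential"
        elif match_fingerprint and e.ua_fingerprint in bad_fps:
            flagged[e.username] = f"browser fingerprint {e.ua_fingerprint} matched a canary login"
    return flagged

def accounts_to_freeze(log):
    """Accounts the phisher actually got into from a canary source: successful logins
    only, which is the set the post suggests freezing immediately."""
    bad_ips = {ip for ip, _ in canary_hits(log)}
    return sorted({e.username for e in log
                   if e.success and e.username not in CANARY_ACCOUNTS
                   and e.source_ip in bad_ips})

if __name__ == "__main__":
    for account, why in correlate(LOGIN_LOG, match_fingerprint=True).items():
        print(f"{account}: {why}")
    print("freeze:", accounts_to_freeze(LOGIN_LOG))
```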
  13. I'm wondering... by wiredog · · Score: 1

    Who the one guy in Southwest Utah is. My Dad lives there...

  14. Ouch... by wiredog · · Score: 1

    But "which are most likely" seems a bit stilted. For a /. write-up, that approaches the "and then there's Albania" style of writing.

  15. Trojan != Virus by tyler.willard · · Score: 1

    "...a hidden software virus that recorded his every keystroke."

    Yeah I know, everybody files all malware under 'virus'; but since the article comes off as somewhat technical it would be nice if this detail was correct. Keyloggers are almost always* trojans, not viruses.


    *The only reason I say "almost always" is because it would technically be possible to put keylogging functionality in a virus.

    1. Re:Trojan != Virus by Anonymous Coward · · Score: 0

      Well, since the malware that the article reports on is an email virus, I would say the word "virus" is appropriate. Did you RTFA?

    2. Re:Trojan != Virus by tyler.willard · · Score: 2, Informative

      Yeah I RTFA... and the email virus was just a vector for the keylogging trojan it dropped.

    3. Re:Trojan != Virus by tyler.willard · · Score: 1

      Actually, the FA doesn't mention an email.

    4. Re:Trojan != Virus by Anonymous Coward · · Score: 0

      From the Blog post:

      "Also, it appears that most victims of this virus infected their machines after opening a poisoned e-mail attachment (although the bad guys may well have distributed this malware via other means.) I cannot overstate the importance of Windows users being extremely cautious about opening unexpected attachments in e-mails, even if they appear to come from someone you know. When in doubt, fire a quick e-mail back to the sender to ask whether they really meant to send you the attachment."

  16. hacking/phishing/logging != stealing, called fraud by plasmacutter · · Score: 3, Insightful

    Let's use proper diction here..

    I'm getting really tired of everything under the sun being called "theft". It just allows certain other interest groups to keep implying greater moral bankruptcy than actually exists.

    A more proper term would be "fraud".

    --
    VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
  17. So you say that "security" does not exist? by khasim · · Score: 1

    Windows may very well be shitty shitty shitty, but there isn't any reason to conclude that there is actually something out there that isn't shitty shitty shitty.

    Windows has a specific security model designed and implemented by Microsoft.

    Microsoft's choices have been disparaged by security professionals for YEARS because they violate the BASIC rules of security.

    Ubuntu follows the basic rules far better than Windows. Ubuntu is far more secure than Windows.

    There are different categories of threats and each category requires different security procedures. It's not that complicated. Just because Microsoft chose "user friendly" over security does not mean that security does not exist outside of Microsoft products.
    1. Re:So you say that "security" does not exist? by maxume · · Score: 1

      If a tree falls in the for.. No wait, if a system has not been as widely deployed as Windows, is it worth comparing the security trade offs that have been made? "Better security" is only a feature if you are actually interested in using it, something which hasn't really been shown to be true. (OS X seems to be doing o.k., but it only has to be a little more secure than Windows to not be an interesting target).

      --
      Nerd rage is the funniest rage.
  18. Word ordering people!!!!!! by woolio · · Score: 1

    That's effectively why alternative operating systems are impenetrable to virii and other nasty things.

    No, no no no. Did you not intend:

    That's why alternative operating systems are effectively impenetrable to virii and other nasty things.

    The words of ordering make a difference!

    1. Re:Word ordering people!!!!!! by Anonymous Coward · · Score: 0

      No

      Advanced hackers can get into anything

      Foreign governments can hack into almost anyone

      Alternate OSes just guarantee that whoever gets into a machine is far more advanced than a script kiddie

  19. What about.... by Anonymous Coward · · Score: 0

    Operating systems / applications likeliest to be hit?

  20. University of Tulsa by Anonymous Coward · · Score: 0

    http://www.cis.utulsa.edu/About/
    http://www.cis.utulsa.edu/CyberCorps/

    Center for Information Security at the University of Tulsa. Probably the top InfoSec university in the country (no, I'm NOT kidding, they've had an InfoSec program since waaaay before it was popular, top researchers, lots of grad placement to NSA and other DoD for threat analysis/crypto, FBI/IRS forensics labs, etc).

    I participated in the "Cyber-Corp" program when I went there (MS in CS - Infosec): both my tuition and room and board were 100% paid for, with the stipulation that I work for the Federal gov for a year or two afterwards. I'm already done with my gov commitment and back in private industry.

  21. those likely on computers are vulnerable ;) by swschrad · · Score: 1

    something like a java real time hack respects no particular OS, assuming it has the ability to speak back to the internet.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
  22. Re:hacking/phishing/logging != stealing, called fr by Anonymous Coward · · Score: 0

    Moreover, calling it "identity theft" frames the crime as stealing from *you*, putting you on the hook for trying to recover whatever it is that was 'stolen', and making you responsible for its prevention.

    Calling it "fraud" frames the crime as stealing from the banks/credit cards/whoever, putting *them* on the hook for trying to recover the damages, and making *them* responsible for its prevention.

    That's the real crime.

  23. Compromised machine in Bank of America by Numbah+One · · Score: 1

    That machine is probably secure unless the phisher speaks Spanish.

  24. Like, DUH! by khasim · · Score: 1

    No wait, if a system has not been as widely deployed as Windows, is it worth comparing the security trade offs that have been made?

    Well DUH! Of course it is.

    We have this thing called "The Internet" now which means that machines can be scanned and cracked 24/7.

    "Better security" is only a feature if you are actually interested in using it, something which hasn't really been shown to be true.

    Hmmm, I guess that the sales of McAfee and Norton anti-virus are not real then.
    1. Re:Like, DUH! by maxume · · Score: 1

      The point I am failing to make is that the sales of antivirus, while they are probably due to design flaws in Windows, might be due to trade-offs that are necessary in order to get normal people to use computers. Until there is another system with hundreds of millions of users that just want the computer to work and be easy, the 'necessary trade-off' side really can't be disproved.

      --
      Nerd rage is the funniest rage.
  25. There are no threats by ehaggis · · Score: 2, Funny

    Outside of the United States (at least according to the maps.)

    --
    One ring to bind them - should probably have more fiber and less rings in their diet.
  26. Re:hacking/phishing/logging != stealing, called fr by /dev/trash · · Score: 1

    Taking my money without permission is theft. T-H-E-F-T

  27. School? That's half the problem right there by Anonymous Coward · · Score: 0

    One victim "was fresh out of college, where he'd just earned a degree in information security. (He was actively looking for a job in the field; I suggested he may want to go back to the classroom.)


    And let me guess: he was probably a frequent poster to Slashdot, and gleefully spreading the mantra of free software and evil Microsoft.

    These zealots coming out of college have no idea of how to protect a system, because all their experience has been with the obscure platforms they love. You don't sharpen a knife with silk, and you don't learn proper security practices working on an OS nobody gives a damn about.

    The Linux guys I've worked with were habitually the biggest pains in the asses, with the worst machines. All day long they would bitch and moan about Windows not being able to do something, and three seconds later I would tell them it was easy to do in Windows. RTFM, dickwads.

    And of course they are running their machines without any protection from spyware or viruses, because supposedly Linux is so secure. Then when their uber-boxen get r00ted and are spewing viruses all over and corrupting network documents (at least), they just somehow find a way to blame their failures on Microsoft. MS doesn't provide security on your pathetic Ubunghole box, shithead. And obviously, nobody does.
  28. I don't want preinstalled LINUX by ps3udonym · · Score: 1

    I want preinstalled NOTHING. That is it, just nothing. No Windows, no shovelware, no headaches and no annoyances of paying for crap I don't want, and won't use. Just give me the option to have an empty hard drive ON ALL MODELS.

    Seems simple enough to me. Then you can install what you like on it. I am sick of buying a new copy of an OS I already own again and again just to feed the MS machine.

  29. trivial solution: use gmail's +address tags by Anonymous Coward · · Score: 0

    With gmail, you can just add "+comment" to your username before the @ sign. So email sent to example+anycomment@gmail.com will be delivered to example@gmail.com, but it'll have that special +anycomment tag.

    http://en.wikipedia.org/wiki/Gmail