Tracking the Password Thieves

wiredog writes "From The Washington Post, yet another story about phishers, keyloggers, and viruses. The story is nothing new, but the author has a blog where he describes how he gathered the information that went into the story. Information including the locations of the victims, and the ISPs likeliest to be hit. Some of the victims included "an engineer for the Architect of the Capitol" and a man who "works in computer security for IBM." One victim "was fresh out of college, where he'd just earned a degree in information security. (He was actively looking for a job in the field; I suggested he may want to go back to the classroom.)" A compromised machine was also found in "the new accounts department at Bank of America" (Score!)"

Re:A list could be good

[Sunburnt]

A list of vulnerable ISPs may help encourage those ISPs to help change.

Not so much as a series of lawsuits.

ISPs most likely to be hit

[DarkLegacy]

That chart simply looks like a demographic on the amount of users currently using those ISPs. As with spyware, it makes sense of course that the biggest population will be hit the hardest. That's effectively why alternative operating systems are impenetrable to virii and other nasty things. They aren't looked at by the majority of the 'bad people' out there. :P

Re:ISPs most likely to be hit

[pilgrim23]

So the gaping holes in Microsoft products, that any 16 year old with a few hours reading of a VB manual could exploit has nothing to do with it?
Submarine one: "We are sinking because we are the most popular submarine.
Submarine two: "uh, guy.. Try shutting your hatch"

Re:A list could be good

[geoffspear]

I doubt it's the ISPs' fault; looking at the list it seems plausible that the "most likely" to be hit are simply the largest ISPs, so you'd expect the largest numbers of affected users to be using those ISPs.

Besides, if 2 supposed "network security" people got hit, do the ISPs really have any hope whatsoever in trying to educate their users to avoid phishing?

Re:A list could be good

[Balsamic+Moon]

"Likeliest to be hit" is a mislable. It should read "ISP's inept users" who allow themselves to become vunerable due to ignorance or carelessness.

This isn't some war between ISPs. The graph shows clearly what ISP had the most victims due to this virii. But even that isnt conclusive of anything because of the quantity of overall customers isnt revealed. Yeh sure we can say Comcast has the most, but they surely have more customers overall than say, oh Qwest.

Looking at the Distribution Map

[Gryle]

It would appear that nobody in South Dakota has an identity worth stealing. That's gotta hurt your pride.

AOL is at the bottom of the list

[Frosty+Piss]

Interesting how AOL is at the bottom of the list of ISPs likeliest to be hit. Who would have thought.

Re:AOL is at the bottom of the list

AOL users being mostly dialup users likely has something to do with it. It's much easier for the phishing spyware to work when it has an active internet connection with which to report back. Even your most clueless AOL user would likely realize something is up if their computer "randomly" connected to the net all by itself.

Even if their thing only works when the user is already online, you need to get it to the person to begin with. Sending the payload over dialup may not be feasible.

"Likeliest"

[mwvdlee]

"Likeliest" is a perfectly cromulent word.

Re:It's the Russian mafia! Ahhh!

[geoffspear]

The problem is that you apparently need to make the requirements to get a "computer license" more stringent than those required to get a job in network security at IBM or a degree in information security. Good luck legislating that when you're going to have to take away the computers of everyone in Congress and all of their staff.

Re:It's the Russian mafia! Ahhh!

[LighterShadeOfBlack]

Charts are nice and all, but I would life to see more work done to prevent this. Agreed.

Or perhaps, don't let idiots use the computer (computer license). It's the only way! The biggest security hole in computers isn't the computer, but the user. :( And mugging and theft are up in my neighbourhood. It's all these old people. There should be a licence for walking the street! The biggest reason for crime is people who can't put up a fight. Euthanasia at 60 is the only way! :(

Seriously though, users should definitely be educated on computer security wherever and whenever possible (ie. as a fundamental part of job training and IT education in schools). But any talk of computer licences is ridiculous.

Did you major in arrogance?

[Digital+Vomit]

One victim "was fresh out of college, where he'd just earned a degree in information security. (He was actively looking for a job in the field; I suggested he may want to go back to the classroom.)"

Because college creates people who are perfectly skilled at a certain field...

Poison their lists

[Martin+Spamer]

The corps that are targeted for login credentials should poison the phishers lists while they are waiting for the phishers ISP to take them down.

When the poison credentials are used by the phisher the targeted corp should use their source ip and browser fingerprints help identify other compromised accounts logged in from the same source. Places like banks and pay-pal could also this information to freeze compromised accounts more quickly.

Re:Trojan != Virus

[tyler.willard]

Yeah I RTFA...and the email virus was just a vector for keylogging trojan it dropped.

hacking/phishing/logging != stealing, called fraud

[plasmacutter]

let's use proper diction here..

i'm getting really tired of everything under the sun being called "theft". It just allows certain other interest groups to keep implying greater moral bankruptcy than actually exists.

a more proper term would be "fraud".

Re:What exactly were they doing or not doing?

[borkus]

It sounds like people opened one bad attachment and that was it. It's easy to blame them for that, but people get personal e-mail with legitimate attachments all the time. All it takes is one mistake to infect your PC. Also, the malware these days often does some devious things -

*Often, the software uses your copy of outlook to hit other people in your address book. Consequently, the infected messages often come from a trusted source - bypassing spam filters as well as the recipients normal level of suspicion.

*The messages often mirror a terse business communication ie, "Please review and respond" along with a safe looking file name. These are no longer the "click here for nude pictures" e-mails, but good impersonations of day-to-day business correspondance.

I think of a friend of mine who kept birds. Her boyfriend got her a cat (she was a big animal fan) and she figured she could keep both in her apartment as long as the birds were in a room with a door to it. Her plan was to close the door every day before she went to work so the cat couldn't get in there when she was out. Of course, she had several things she had to do every morning before going to work and the cat had only one thing to pay attention to - did she leave the door open today? Eventually, she was in a rush one morning and came home to find the door open to the bird's room but no bird.

And yep, having Windows and MS Office was the canary to the hacker's cat.

Re:A list could be good

[russ1337]

You might still start to get spam, if someone on your list has a compromised address list or computer.

I've often thought of generating some kind of unique e-mail address for each of my friends, to detect if my e-mail address has been compromised by them (or their PC). e.g:

asdf2344ks@gmail.com for my emails to Tom
oieo116i2k@gmail.com for my emails to Liz

The idea is they reply to that address, and mail to these addresses would aggregate to my inbox. If one of those email addresses starts to get spammed, I'll have an idea of who's responsible, change the address for them and see if it continues. After it happening a couple of times I could inform them that they may have a compromised computer and help them out etc.

I just dont have the time to implement such a scheme and rely on Gmails spam filtering which i think is pretty good.

Re:What exactly were they doing or not doing?

[cyberbob2351]

The botnet problem is a little worse than you may think....And it is these botnets that are allowing such rampant system compromise.

First of all, recognize that botnet malware evolves at a pace in which it is rather difficult for the antivirus vendors to keep up with. All it takes is a download of phatbot, a little code hacking to ensure it is just perfect for your uses, and then you run it through a packer. You won't preserve the same md5sum of course once your binary is customized, so the only other way that the sample can be detected is some more advanced techniques. (API hooking, entropy scanners, or looking for certain assembly sequence patterns). I'm not sure what the default scanning behavior of most AV scanners is, but they might not utilize such hardcore tests on every file in your system.

Secondly, most botnets run over port 6667, so even if you were running a firewall, you would need to have one that blocked the default IRC port by default. If this is unlikely for the majority of firewalls out there, also recognize that many newer IRC bots are relying more heavily on http command and control mechanisms. That is, they no longer communicate over IRC, and instead resort to making web posts to communicate with the hacker. Being port 80 based, suddenly its not so detectable amongst the stream of internet web traffic.

As for infection trajectories, also recognize that many infections today are indeed user error, whether it be an email attachment or downloading some videogame crack off of some site. The zero day exploits contribute to the problem as well.

There are no threats

[ehaggis]

Outside of the United States (at least according to the maps.)