Malicious Malware: Six Ways Cybercriminals Beat Security
The Craftiest Security-Beating Malware
The tactics of cybercriminals have evolved from a shotgun approach, spraying malware-carrying spam in the hope of finding a doorway into corporate networks, to studying prey like a methodical marksman: learning the security controls and figuring out ways to bypass them. Over the years, many tools, processes and techniques have emerged to try to stay ahead of the crooks. Most have failed because criminals are adept at bypassing the latest innovation. Trusteer, a security vendor focused on desktop security, has compiled a list of the most innovative malware used to beat the latest defenses. Here are six of the more ingenious malicious apps.
Exploiting The Browser
Rather than continuously trying to trick people into clicking on malware attached to spam, crooks are focusing on exploiting browser vulnerabilities to infect computers. The systems are compromised when users are routed to malicious Web sites through links embedded in search engine results or legitimate Web sites. Exploit code is loaded once the user lands on the criminal's site.
Stealing Banking Credentials
Crooks used to try to steer PC users to bank-lookalike Web sites to steal user names and passwords. Today, many criminals instead steal the credentials as users access genuine banking sites. To do that, hackers use key-logging malware on infected PCs. Such software records the keystrokes on a login page and sends the sequence to the fraudster's server. To defend against such malware, companies have introduced two-factor authentication using one-time passwords generated by a token device. Creative crooks have bypassed the added security with malware that collects the login credentials, sends them in real time to a command-and-control server, and blocks the user for several minutes to give the fraudster time to access the site with the still-valid one-time password.
Man In The Browser
Most people are careful about e-mails requesting a large amount of personal data. People are less guarded when the request appears to originate from a genuine bank Web site. Man-in-the-browser malware waits for the PC user to log in to an employee VPN site or online banking site and then injects an HTML page that asks for additional credential information for "security reasons." Once the fraudsters have this information, they're free to impersonate the victim.
Malware Becomes More Human
Server-side security applications are designed to look for robotic activity, a clear signal that a human is not making the request. These applications maintain a list of acceptable human-generated request sequences. Cybercriminals have figured out how to create malware that meticulously imitates user actions, making it difficult to tell malware from humans.
Mimicking Validation E-Mails
Businesses and banks commonly send e-mails and text messages after a transaction to confirm that the recipient actually made the purchase or money transfer. Customers receiving notification of a fraudulent transaction will quickly contact the business to stop the process. Advanced malware can inject code into popular Web mail services, such as AOL, Yahoo, and Microsoft Hotmail, to hide these authorization messages. As a result, fraudulent transactions are completed unbeknownst to the victim.
Beating Transaction-Signing Protection
Some banks are fighting criminals by having customers use card-reader transaction-signing systems to authorize each and every transaction. Users receive a reader and a chip-and-PIN card and are required to authenticate each transaction by entering its details, such as amount and payee number, into the reader. The reader generates a code that the banking application validates against the submitted details. To bypass this security, criminals have developed malware that waits for customers to log on to a bank's Web site and then replaces the post-login page content with a message telling customers about an upgraded security system. The "training" process for the new system includes making a money transfer to a fictitious bank account. If customers fall for the ruse, they end up signing, and sending, a real transfer to the fraudster.
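As an added illustration, not from the article or from Trusteer, the Python sketch below models the transaction-signing check described above: a code computed over the amount, the payee and a per-transaction challenge (the HMAC construction, the 8-digit code length and the challenge value are assumptions, and the sample key and account numbers are constructed). It shows why a silent rewrite of the posted payee fails validation, while a transfer whose details the customer was tricked into typing into the reader passes, which is exactly why the ruse works.

```python
import hashlib
import hmac

# Constructed sample secret: in a real deployment the key lives only in the chip
# card and the bank's back end; it never appears in the browser or the malware.
CARD_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")

def canonical(amount_cents: int, payee: str, challenge: str) -> bytes:
    # Delimited encoding so "12|345" cannot collide with "123|45".
    return f"{amount_cents}|{payee}|{challenge}".encode()

def reader_sign(secret: bytes, amount_cents: int, payee: str, challenge: str) -> str:
    """Code the card reader displays after the customer types amount and payee.
    The challenge is assumed to be a per-transaction value issued by the bank."""
    mac = hmac.new(secret, canonical(amount_cents, payee, challenge), hashlib.sha256).digest()
    # Readers show a short numeric code; 8 decimal digits is an assumption here.
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

def bank_verify(secret: bytes, amount_cents: int, payee: str, challenge: str, code: str) -> bool:
    """The bank recomputes the code from the details it actually received."""
    expected = reader_sign(secret, amount_cents, payee, challenge)
    return hmac.compare_digest(expected, code)

def submit_transfer(signed: dict, submitted: dict, challenge: str = "chal-0001") -> bool:
    """`signed` is what the customer typed into the reader; `submitted` is what
    the browser actually posts to the bank. Returns True if the bank accepts."""
    code = reader_sign(CARD_SECRET, signed["amount"], signed["payee"], challenge)
    return bank_verify(CARD_SECRET, submitted["amount"], submitted["payee"], challenge, code)

# Case 1: honest transfer, the signed and submitted details match.
honest = {"amount": 12_500, "payee": "GB00-LEGIT-0001"}
# Case 2: malware rewrites the payee in the POST after the customer has signed;
# the code no longer matches the submitted details, so the bank rejects it.
tampered = {"amount": 12_500, "payee": "GB00-MULE-9999"}
# Case 3: the "security upgrade training" ruse: the customer is talked into
# typing the fraudster's details into the reader, so the code is genuinely
# valid for the fraudulent transfer and the signing check cannot catch it.
ruse = {"amount": 12_500, "payee": "GB00-MULE-9999"}

if __name__ == "__main__":
    print("honest   :", submit_transfer(honest, honest))    # True
    print("tampered :", submit_transfer(honest, tampered))  # False
    print("ruse     :", submit_transfer(ruse, ruse))        # True
```

The third case is the residual risk the article describes: once the customer has consented to the fraudulent details, only out-of-band controls (reader display of what is being signed, payee whitelists, anomaly detection on new payees) remain.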