James Lyne moves on with his analysis of malware distribution patterns, speaking on the techniques fraudsters are applying to diversify away from the expected conventional paradigm of cybercrime and scam, e.g. exploiting social media. Finally, Mr. Lyne draws conclusions on modernizing the approach to protection.
Now, I’ve talked a lot about threats and malicious code but it wouldn’t be right to talk about the bad guys without getting a little bit into social engineering. The bad guys love social media, brilliant tool for them to do social engineering. And it is not due to vulnerabilities in the platform, it’s just that social media is a really good way to reach lots of people and interest groups. Here we have an astonishing example, a Facebook page that was created saying: “Join for free 25 dollar giftcard to Starbucks”. So fantastic, 25 dollars for morning coffee, you can get your caffeine high and get to work. Now, in the real world we’ve all developed this sense of whether we trust people or not. For example, as a security person, if a sales guy walks into your office with slicked back hair and a nice suit and one of those skinny purple ties with little spots on it, and says: “I’ll be honest with you” – we all know that means: “I am about to lie to your face”, kind of got used to it.
However, in the digital world we don’t have the same equivalent. The very first sentence on this page says: “This is not a scam”. What does that mean? It’s a scam. Of course it’s a scam. And any economist is immediately gonna be going: “25 dollars of free coffee which you can share with all of your friends: okay, the world has free coffee for about four days. Probably cannot afford to do that”. But let’s take a closer look at what they actually ask you to do. First, click ‘Join’, then click ‘Share’, and the idea is you’re gonna share this with all of your friends so that they can get their 25 dollars of brown water too. Next – “Erase everything in the address bar”. That’s where the facebook.com is typed. Okay. Next – “Copy and paste this code into address bar and hit ‘Enter’, note this won’t work on Internet Explorer, only Mozilla Firefox and Safari”.
These bad guys were too lazy to write a virus. They put the code on the page, they asked people to run it, and people did! What? It’s that simple – social engineering. Thousands and thousands of people joined this page and followed these instructions before the page was torn down, all in an attempt to get their 25 dollars of morning caffeine.
To add insult to injury, at the end of it you get to go to this wonderful official page which has got a padlock on it that says: “Zero fraud tolerance”. Good to know this criminal gang wouldn’t be sharing my details with other criminal gangs. And the page says: “We are now just minutes away from being complete”, which is fascinating because I started off this journey hoping for 25 dollars of free coffee. Who knew social media was so powerful that all of my life had been leading up to this very moment? Brilliant social engineering, incredibly effective.
So the challenge we have is that the bad guys are not only using more effective technology, they are not only producing a much, much larger volume of malicious code, they are not only taking advantage of our stereotypes, of the fact that we need to protect a Microsoft PC and not other platforms – but they are diversifying away from these expectations users have on how they are going to get infected. They are moving beyond email and simple web. They are using social media. They launch incredible campaigns, and users aren’t updating their knowledge to know they need to not click those nasty links.
And there are some astonishing examples of these diverse scam techniques, like letters resembling the ‘traditional’ Nigerian scam. But they print those and put official logos on them, and post them to people. Now, most users, if you send them a link saying: “I am going to sell you a Rolex for five dollars” these days will probably delete it. There’s always one, but the success rate is much lower. How confident are you that your users will apply the same sense to social media on the mobile platform, or if they received a targeted letter?
So we need to be thinking about broadening the tenets of our acceptable use policy. Incidentally, if you are wondering what we did with the letter – we shredded it and posted it back to them for fun.
So, what have we got to do? The bad guys have fundamentally changed the game. The volume of malicious code, the quality, the quantity is making traditional protection unsustainable. It’s not working. Signature AV, traditional AV is dead, nails in the coffin, incinerated – game over. We all have to modernize our approach to protection. We all need to be looking at tenets like content, reputation and behavior.
We need to be thinking about remediation and hardening. We need to be making sure that we are patching things like Firefox, these other applications, raising the profile of our systems, not just the Windows PC.
To the security industry, the most critical message is this: most security technology for many years has been based on the concept of content, matching files, matching packets. It is too easy for the bad guys with these tools to generate massive quantities of malware that makes content-based detection fail.
All these things like advanced persistent threats, samples that will never be seen on a large scale – make content security fundamentally challenged. We need security technologies to be building in the concept of reputation and behavior. It doesn’t matter what PDF caused Adobe PDF to go off and start trying to create Admin accounts. What matters is it’s doing something bad. So we need these tenets to be built-in across the industry.
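The content-versus-behaviour distinction above, as an added example that is not part of the talk. It contrasts a signature check (hash of the exact file bytes) with a behaviour rule that fires when a document reader spawns an account-creation command; the sample payload, the process telemetry, and the reader and tool names are constructed for the example.

```python
"""Added example: content matching versus behaviour matching (not from the talk)."""
import hashlib
from dataclasses import dataclass

# Constructed sample payloads: a "known" malicious document and a variant that
# differs by two bytes, standing in for the trivially re-packed copies the talk
# says criminals generate in volume.
KNOWN_SAMPLE = b"%PDF-1.4 ... constructed malicious payload v1 ..."
MUTATED_SAMPLE = KNOWN_SAMPLE.replace(b"v1", b"v2")

# Content-based detection: a signature list of SHA-256 hashes of samples seen before.
SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}


def content_detect(blob: bytes) -> bool:
    """Signature AV in miniature: matches only if these exact bytes are already known."""
    return hashlib.sha256(blob).hexdigest() in SIGNATURES


@dataclass
class ProcessEvent:
    """One process-creation record as a host sensor might report it (constructed)."""
    parent_image: str
    child_image: str
    command_line: str


# Assumed image names; a real rule would use the product's own process inventory.
DOCUMENT_READERS = {"acrord32.exe", "acrobat.exe"}
ACCOUNT_TOOLS = {"net.exe", "net1.exe"}


def behavior_detect(event: ProcessEvent) -> bool:
    """Flag a document reader spawning an account-creation command.

    Which PDF triggered the reader is irrelevant: the rule keys on what the
    process is doing, so KNOWN_SAMPLE and MUTATED_SAMPLE produce the same alert.
    """
    parent = event.parent_image.lower()
    child = event.child_image.lower()
    cmd = event.command_line.lower()
    return parent in DOCUMENT_READERS and child in ACCOUNT_TOOLS and " user " in cmd and "/add" in cmd


# Constructed telemetry: one malicious chain and two benign look-alikes.
EVENTS = [
    ProcessEvent("AcroRd32.exe", "net.exe", "net user svc_helper P@ssw0rd /add"),
    ProcessEvent("explorer.exe", "net.exe", "net user"),  # an admin listing accounts
    ProcessEvent("AcroRd32.exe", "AcroRd32.exe", "AcroRd32.exe /n report.pdf"),  # reader opening another file
]


def flagged_events(events):
    """Return only the events the behaviour rule considers malicious."""
    return [e for e in events if behavior_detect(e)]


if __name__ == "__main__":
    print("content match, known sample:  ", content_detect(KNOWN_SAMPLE))    # True
    print("content match, mutated sample:", content_detect(MUTATED_SAMPLE))  # False
    for e in flagged_events(EVENTS):
        print("behaviour alert:", e)
```

The hash list catches the sample it has already seen and nothing else; the behaviour rule catches the same event whether it came from the known sample, the mutated copy, or a document nobody has ever submitted, which is the point the talk makes about reputation and behaviour. The two benign events show the rule still needs the full chain (reader parent, account tool child, `/add` on the command line) rather than any one of those facts alone.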
So, what should you do as a user to keep yourself safe, to drive cyber victory – it is our Internet, the bad guys cannot have it? You need to go back to the office, you need to make sure you are patching PDF, Flash, Firefox; take advantage of the good work that Adobe and others are doing.
You need to make sure that you are adopting and using behavior and reputation based capabilities, modernizing your protection portfolio. And you need to make sure that you are thinking about more than just the PC. Think about where all that valuable data flows across your environment, and have appropriate controls at each point.
And to the industry – simplify. The reason people don’t use technologies like HIPS¹ is because they get these screens that say: “Right, there is a mob here, now turn it to the left, and of course now the A vector of anthological analyses engine with kernel32.dll on Internet Explorer, when accessed by user B, and IP address is C at 13:37 on Tuesday when the North wind is going this way and my hair is particularly ginger…” What on Earth does that mean? Where is the checkbox that says ‘Stop bad stuff’? We have got to make this stuff simple and adoptable. People don’t have the resources to be chasing all this flexibility and dealing with 95000 threats a day.
We’ve got to, as an industry, drive policy centrally, take advantage of community intelligence and make this stuff work for the customer. And please stop using the term ‘SaaSification’.
¹ – HIPS (Host-based intrusion prevention system) is an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host.