The "Bouncer" attack toolkit apparently generates a unique ID for each of its intended targets, with others receiving an error message. What's the point of attackers using what appears to be whitelisting security methods? Isn't the point of creating such malicious sites to get the most clicks possible?
Ask the expert
SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)
One of the top challenges facing cybercriminals is how to monetize the compromised credentials or the access they gain from their attacks. By assigning a unique ID for each of their intended targets, they can better track how many of their targets have been successfully compromised, and thus better focus their efforts on the most profitable credentials they can sell on digital black markets. While getting more clicks will increase the pool of victims for a toolkit to exploit, unique IDs will not necessarily inhibit the number of victims exploited. For example, this unique ID could allow an attacker to track a single user from one computer to another, improving analysis of the data collected by the malware. If the attacker knows two different systems are used by the same person, the second system could be blocked from installing and running the malware, minimizing the chances of it being detected.
As RSA mentions in its blog post detailing Bouncer, one of the benefits of denying access for systems without the unique ID is that it makes it more difficult for analysts to connect to the system and investigate the malware. While monitoring the communications to and from malware, actually interacting with the malicious service helps better correlate cause and effect when investigating the inner workings of malware sample, a process which could now be more difficult if access to systems is denied without a password. This cat-and-mouse game between malware authors and the researchers that write signatures for antimalware vendors has been going on for ages, so it's no surprise when malware employs new capabilities such as whitelisting to make research more difficult.
Related Q&A from Nick Lewis, Enterprise Threats
Chameleon malware targets insecure wireless access points. Enterprise threats expert Nick Lewis explains how to defend against the malware.continue reading
The Zeus malware is threatening RTF security by embedding itself in the file, which is commonly seen as safer than other file formats such as PDFs. ...continue reading
Enterprise threats expert Nick Lewis explains how to detect and avoid one of the most advanced malware threats: The Mask.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.