The "Bouncer" attack toolkit apparently generates a unique ID for each of its intended targets, with others receiving an error message. What's the point of attackers using what appears to be whitelisting security methods? Isn't the point of creating such malicious sites to get the most clicks possible?
Ask the expert
SearchSecurity expert Nick Lewis answers questions about enterprise security threats.
One of the top challenges facing cybercriminals is how to monetize the compromised credentials or the access they gain from their attacks. By assigning a unique ID for each of their intended targets, they can better track how many of their targets have been successfully compromised, and thus better focus their efforts on the most profitable credentials they can sell on digital black markets. While getting more clicks will increase the pool of victims for a toolkit to exploit, unique IDs will not necessarily inhibit the number of victims exploited. For example, this unique ID could allow an attacker to track a single user from one computer to another, improving analysis of the data collected by the malware. If the attacker knows two different systems are used by the same person, the second system could be blocked from installing and running the malware, minimizing the chances of it being detected.
As RSA mentions in its blog post detailing Bouncer, one of the benefits of denying access for systems without the unique ID is that it makes it more difficult for analysts to connect to the system and investigate the malware. While monitoring the communications to and from malware, actually interacting with the malicious service helps better correlate cause and effect when investigating the inner workings of a malware sample, a process which could now be more difficult if access to systems is denied without a password. This cat-and-mouse game between malware authors and the researchers who write signatures for antimalware vendors has been going on for ages, so it's no surprise when malware employs new capabilities such as whitelisting to make research more difficult.
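The gating logic the answer describes, as an added toy model written for this page (it is not code from the Bouncer kit, from RSA's write-up, or from the answer's author): each target gets an unguessable ID, requests without a known ID get an error, a target's ID is tied to the first host that uses it so a second machine is refused, and the operator can count which targets were reached and which yielded credentials. The class and function names, the HMAC-based ID scheme, the host fingerprint, and the sample addresses and IPs are all assumptions.

```python
"""Toy model of a per-target ID gate of the kind the answer describes.

Added illustration for this page, not the Bouncer kit's code. The names,
the HMAC-derived id, the fingerprint and the sample data are assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

ALLOW = "allow"
DENY_UNKNOWN_ID = "deny: id not on target list"
DENY_OTHER_HOST = "deny: target already served on a different host"


@dataclass
class Target:
    email: str
    hosts: set = field(default_factory=set)        # fingerprints that used the id
    credentials: list = field(default_factory=list)


def host_fingerprint(user_agent: str, client_ip: str) -> str:
    """Assumed fingerprint: a hash of client traits the gate can observe."""
    return hashlib.sha256(f"{user_agent}|{client_ip}".encode()).hexdigest()[:16]


class TargetGate:
    """Serves the malicious page only to ids it issued, one host per id."""

    def __init__(self, campaign_key: bytes):
        self.key = campaign_key
        self.targets = {}  # id -> Target

    def issue_id(self, email: str) -> str:
        # Per-target id derived with a campaign key, so a researcher cannot
        # enumerate valid ids from the URL format alone.
        tid = hmac.new(self.key, email.encode(), hashlib.sha256).hexdigest()[:16]
        self.targets[tid] = Target(email)
        return tid

    def check(self, tid: str, fingerprint: str) -> str:
        target = self.targets.get(tid)
        if target is None:
            return DENY_UNKNOWN_ID            # analysts, crawlers, guessed ids
        if target.hosts and fingerprint not in target.hosts:
            return DENY_OTHER_HOST            # same person, second machine
        target.hosts.add(fingerprint)
        return ALLOW

    def record_credential(self, tid: str, fingerprint: str, credential: str) -> bool:
        """Store a phished credential only if the gate would serve this client."""
        if self.check(tid, fingerprint) != ALLOW:
            return False
        self.targets[tid].credentials.append(credential)
        return True

    def stats(self) -> dict:
        """What the operator tracks: targets issued, reached, and compromised."""
        reached = sum(1 for t in self.targets.values() if t.hosts)
        compromised = sum(1 for t in self.targets.values() if t.credentials)
        return {"targets": len(self.targets), "reached": reached,
                "compromised": compromised}


if __name__ == "__main__":
    gate = TargetGate(b"campaign-key-constructed-for-demo")
    tid = gate.issue_id("victim@example.com")              # constructed address
    laptop = host_fingerprint("Mozilla/5.0 (Windows NT 6.1)", "198.51.100.7")
    analyst = host_fingerprint("curl/7.88", "203.0.113.9")
    print(gate.check(tid, laptop))                         # allow
    print(gate.record_credential(tid, laptop, "hunter2"))  # True
    print(gate.check(tid, analyst))                        # replayed from another host: denied
    print(gate.check("0" * 16, analyst))                   # unknown id: denied
    print(gate.stats())
```

The analyst's problem follows directly from the model: a request without a valid ID never reaches the page, and even a victim's URL captured from a proxy log is refused when replayed from the analyst's own machine, because the ID is already bound to the victim's host fingerprint.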