The "Bouncer" attack toolkit apparently generates a unique ID for each of its intended targets, with others receiving...
an error message. What's the point of attackers using what appears to be whitelisting security methods? Isn't the point of creating such malicious sites to get the most clicks possible?
Ask the expert
SearchSecurity expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)
One of the top challenges facing cybercriminals is how to monetize the compromised credentials or the access they gain from their attacks. By assigning a unique ID for each of their intended targets, they can better track how many of their targets have been successfully compromised, and thus better focus their efforts on the most profitable credentials they can sell on digital black markets. While getting more clicks will increase the pool of victims for a toolkit to exploit, unique IDs will not necessarily inhibit the number of victims exploited. For example, this unique ID could allow an attacker to track a single user from one computer to another, improving analysis of the data collected by the malware. If the attacker knows two different systems are used by the same person, the second system could be blocked from installing and running the malware, minimizing the chances of it being detected.
As RSA mentions in its blog post detailing Bouncer, one of the benefits of denying access for systems without the unique ID is that it makes it more difficult for analysts to connect to the system and investigate the malware. While monitoring the communications to and from malware, actually interacting with the malicious service helps better correlate cause and effect when investigating the inner workings of malware sample, a process which could now be more difficult if access to systems is denied without a password. This cat-and-mouse game between malware authors and the researchers that write signatures for antimalware vendors has been going on for ages, so it's no surprise when malware employs new capabilities such as whitelisting to make research more difficult.
Related Q&A from Nick Lewis
As the Angler exploit kit evolves and adopts new functionality, it's becoming harder to detect and defend against. Enterprise threats expert Nick ...continue reading
A proof-of-concept attack on Apple's Siri allowed researchers to steal data from iOS. Learn more about the iStegSiri attack and how to defend against...continue reading
A new global email scam has cost enterprises millions. Expert Nick Lewis explains how to defend against man-in-the-email attacks with proper training...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.