Crimeware has advanced significantly in the last few years. In the 2015 Verizon Data Breach Investigations Report (DBIR), crimeware -- which constituted 25% of malware incidents -- is described as "representing malware infections within organizations that are not associated with more specialized classification patterns." In this tip, I'll discuss the current state of crimeware and why it is important to track incidents to find out what actions malicious programs are attempting in your environment.
Crimeware attacks motivated by money
Sensitive financial information is a key target for crimeware attackers because it allows direct access to bank accounts, enabling transfers of funds to attacker-controlled accounts. While attackers have realized that targeting point-of-sale terminals is highly effective, targeting individual end users is also very lucrative. Crimeware is primarily financially motivated and aims to directly access bank accounts or steal money using a number of techniques. These include tracking requests to banking sites and surreptitiously redirecting the user to a malicious site in order to steal credentials via command-and-control servers, installing ransomware (such as TeslaCrypt) to force users to pay to access their data, and stealing passwords stored on computers in order to access financial systems. Command-and-control crimeware is the most popular variant, but a change this year has shown attackers are moving more toward denial of service as an attack vector. This allows the attacker to demand ransom from the victim in order to restore service.
A recent example of crimeware is the Dyre variant, which uses the redirection technique to steal credentials for banking sites. The software will wait until the user tries to access a banking website before redirecting their browser to a clone of the site, which is hosted on an attacker-controlled domain. When the victim enters their credentials into the cloned website, they are sent to command-and-control servers for processing. The delivery method of the crimeware is usually via a malicious attachment in a phishing email. Dyre is an example of increasing sophistication in how crimeware operates, as it uses a randomly generated address to contact the command-and-control server so as to evade detection methods that use blacklisted URLs to block access.
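As an added example (not code from the original tip), the following Python sketch contrasts a static blacklist check with a simple entropy heuristic over constructed proxy log lines, showing why a randomly generated command-and-control hostname of the kind the text attributes to Dyre slips past the blacklist but can still be flagged for investigation. The log format, hostnames and thresholds are assumptions made for the example.

```python
import math
import re
from collections import Counter

# Constructed blacklist: the only C2 host this defender has seen before.
BLACKLIST = {"c2-known-example.test"}

# Constructed proxy log lines: timestamp, client IP, destination host, path.
PROXY_LOG = """\
2015-06-01T09:00:01 10.0.0.12 www.examplebank.test /login
2015-06-01T09:00:02 10.0.0.12 c2-known-example.test /gate.php
2015-06-01T09:00:03 10.0.0.12 q7x2hk9vzt4plm3w.test /gate.php
2015-06-01T09:00:04 10.0.0.15 mail.example.test /inbox
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def suspicious_label(host: str, min_len: int = 12, min_entropy: float = 3.5,
                     max_vowel_ratio: float = 0.35) -> bool:
    """Heuristic (assumed thresholds): a long, high-entropy, vowel-poor
    leftmost label looks machine-generated rather than human-chosen."""
    label = host.split(".")[0]
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def triage(log_text: str) -> list:
    """Return (host, reason) pairs that an analyst should investigate.
    A blacklist catches only the known host; the heuristic surfaces the
    freshly generated one that a URL blacklist would never contain."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        _, _, host, _ = m.groups()
        if host in BLACKLIST:
            findings.append((host, "blacklisted"))
        elif suspicious_label(host):
            findings.append((host, "dga-like hostname"))
    return findings
```

A hit from the heuristic is a lead for the formal investigation the tip argues for, not a verdict; tune the thresholds against your own proxy traffic to keep false positives manageable.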
Don't forgo formal investigation
The Verizon DBIR shows that crimeware incidents are less likely to be formally investigated than other types of incidents. However, these incidents should undergo the same formal investigation procedures as other incidents, although in some cases this isn't feasible (opportunistic attacks on home users, for example). When crimeware is introduced onto an organization's systems, a thorough investigation needs to be conducted, as it can still be used as a method of extracting sensitive corporate data, even if this was not its original goal.
Crimeware is also often distributed as part of an exploit kit (such as Angler or Nuclear), and therefore the discovery of certain crimeware strains may be an indicator of further infections. As an organization, you need to understand how these infections occur in order to identify the weak point in your defenses. The most likely infection point is through email phishing, which means staff awareness training may be required and email filters may need tweaking. Without investigating the individual cases, you won't learn anything and your system will remain vulnerable.
Most mature security programs are capable of detecting crimeware intrusions but do not have the manpower or willingness to spend the required money to investigate each incident. Most crimeware still involves intrusions that aim to contact command-and-control servers; however, a recent trend in distributed denial-of-service-style attacks via crimeware is emerging -- which could be termed "crimeware as a service" -- where specific malware can be designed and delivered. To mitigate the threat, a defense-in-depth strategy is needed. Strong technical controls, combined with an ongoing staff-awareness program, can help prevent most crimeware attacks. Investment in monitoring systems and a willingness to investigate incidents can help an organization find how an infection occurred, with the goal of preventing it next time.
About the author:
Rob Shapland is a senior penetration tester at First Base Technologies where he specializes in Web application security. He has used his skills to test the websites of companies ranging from large corporations to small businesses, using a wide variety of Web technologies.