Craftier Web threats hit finance firms

The last six months of 2003 saw a fivefold increase in worms and other types of malicious code that attempt to steal personal data from Internet users, according to Symantec Corp.'s semiannual Internet Security Threat Report.

Companies that process online financial transactions, including banks, brokerages and eBay Inc. with its PayPal payment service, are targets of these attacks more than any other type of industry, the report said.

The top troublemaker, a worm-Trojan-back-door threat named Bugbear.B, "would steal anything from anybody," says Alfred Huger, senior director of engineering at Symantec Security Response. Bugbear.B specifically looks to see if a host computer has information about financial data or if there's a bank domain name.

"Bugbear.B can also deliver logged keystrokes to a third party, compromising important information such as passwords and decryption keys," the report says. "The creator of this threat appears to have targeted financial institutions in an attempt to export financial data or gain future access to accounts."

The Symantec report compiles a range of data about computer viruses and software vulnerabilities, and the number of attacks recorded by 20,000 multi-vendor sensors that are maintained by companies all over the world.

In the first half of last year, only one-sixth of these companies reported a serious security breach, but from July through December, half of them reported a breach from worm attacks such as Blaster, the report said.

Financial institutions feel under siege

Financial institutions agree that they are under siege on the Internet.

Westpac Banking of Australia this week was hit by a so-called phishing scam that used fake e-mail that seemed to come from Westpac to trick customers into giving the attacker passwords to bank accounts. In most phishing scams, the attacker sets up a fake Web site with a home page that mimics the victim's home page.

In the scam against Westpac, the attacker carried out the plan through a re-direction scheme that involved opening a fake version of the Westpac Web site and opening the real Westpac Web site in a second browser window.

"They linked to a genuine Web site, ours, except for the crucial part where you put in a password," says Paul Gregory, a Westpac spokesman. About a half-dozen Westpac customers fell victim to the scam before Westpac discovered it, he says, adding this wasn't the first phishing scam to hit Westpac or other Australian banks.

"It's pretty common," he said.

There has been a steady rise in bank-targeted phishing scams, with Citibank Inc., eBay's PayPal service, Wachovia Corp., Bank of America Corp., Wells Fargo & Co. and several others warnng of problems in public announcements. Citibank's Web site has warned its customers of 18 phishing scams since December, with details about the fake e-mail and Web site links of each one. Some security consultants say the latest scam against Westpac stands out as particularly devious.

"These people were forcing you to a valid Web site," says Mike Hrabik, CTO at Solutionary Inc., a managed security services firm in Omaha, Neb. One way this can be done is through various techniques that fall under an attack called cross-site scripting. Most of them involve the attacker crafting a link with cookie-stealing code to interact with the victim's browsing session.

In spite of the growing problem, few security vendors have anti-phishing products, though some application firewalls, such as those from Teros and Sanctum, purportedly block cross-site scripting. Use of authentication methods stronger than simple passwords, such as public-key infrastructure (PKI) certificates or handheld tokens that generate one-time passwords, would make phishing much harder.

Few financial firms or e-commerce companies (Bank of Nova Scotia is one exception) make this kind of technology available to their mass-market customers. But some require PKI certificates and dynamic passwords in high-dollar investment and trading arrangements. Westpac says it is aware of these alternatives but is evaluating the economic cost of them.

Hrabik says companies should continually "sweep the Internet" to look for fake Web sites. He said it's often just a matter of doing extensive Web searches.

This story, "Craftier Web threats hit finance firms" was originally published by Network World.

Copyright © 2004 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon