Security Watch

Spotting SpyEye

Trusteer Ltd., the vendor behind the Rapport antimalware system, has described how it fends off increasingly hostile attacks from SpyEye and its predecessor, the infamous Zeus bug.

Processing Content

In a company blog post Monday, Trusteer's chief executive, Mickey Boodaei, said that to be effective at stealing bank credentials and other sensitive information, hackers' programs must also shut down any security software installed on an infected machine — and once that behavior kicks in, the malware makes itself a lot easier to target and shut down.

"When the program becomes hostile against another program and tries to terminate its threads, remove its files, etc., there are two options — either it is security software with a false positive or malware applying a targeted attack," Boodaei wrote. "Security software can be whitelisted [because] they are all signed, public and can be tested and approved" by Trusteer's software.

"Therefore, anything else which uses this hostile logic must be malware and can be easily identified, blocked and completely removed," he said.
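The heuristic Boodaei describes can be expressed as a small detection rule: a process that takes hostile action against another program is either an approved, validly signed security product or it is malware. The Python below is an added illustration of that logic over constructed telemetry events; it is not Trusteer's or Rapport's code, and the event fields, action names and trusted-signer list are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Actions that count as "hostile" toward another program (assumed set,
# mirroring the examples in the quote: terminating threads, removing files).
HOSTILE_ACTIONS = {"terminate_thread", "delete_file", "suspend_process"}

# Assumed whitelist: publishers of security software whose signed binaries
# have been tested and approved. Real deployments would key on certificate
# identity, not a display name.
TRUSTED_SIGNERS = {"ExampleAV Publisher"}


@dataclass(frozen=True)
class Event:
    actor: str                 # process performing the action
    action: str                # what it did
    target: str                # program or file acted upon
    signer: Optional[str]      # code-signing publisher, None if unsigned
    signature_valid: bool      # whether the signature actually verified


def classify(event: Event) -> str:
    """Return 'benign', 'whitelisted' (approved security software, possibly
    a false positive) or 'malware' for a single observed action."""
    if event.action not in HOSTILE_ACTIONS:
        return "benign"
    # Only a *valid* signature from an approved publisher earns the whitelist;
    # a forged or broken signature is treated like no signature at all.
    if event.signature_valid and event.signer in TRUSTED_SIGNERS:
        return "whitelisted"
    return "malware"


def triage(events: List[Event]) -> Dict[str, dict]:
    """Aggregate per acting process; a single 'malware' verdict dominates,
    so the whole process (not just one action) can be blocked and removed."""
    summary: Dict[str, dict] = {}
    for ev in events:
        verdict = classify(ev)
        if verdict == "benign":
            continue
        entry = summary.setdefault(ev.actor, {"verdict": verdict, "targets": set()})
        entry["targets"].add(ev.target)
        if verdict == "malware":
            entry["verdict"] = "malware"
    return summary


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS: List[Event] = [
    Event("update.exe", "write_file", "C:\\temp\\patch.bin", None, False),
    Event("avscan.exe", "terminate_thread", "rapport.exe", "ExampleAV Publisher", True),
    Event("svchost32.exe", "terminate_thread", "rapport.exe", None, False),
    Event("svchost32.exe", "delete_file", "rapport.dll", None, False),
    Event("fakeav.exe", "delete_file", "rapport.dll", "ExampleAV Publisher", False),
]
```

Running `triage(SAMPLE_EVENTS)` flags `svchost32.exe` and `fakeav.exe` as malware (the latter because its claimed signature does not verify) while `avscan.exe` is whitelisted and `update.exe` is ignored.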

Boodaei made this post after examinations of SpyEye revealed that it had code meant to specifically target Rapport. He added that SpyEye's real strength is perhaps its proven ability to market itself as the next great threat.

SpyEye's "massive media coverage and nonstop chatter among security professionals is everything that a chief marketing officer can dream of before launching a new version," Boodaei wrote. "We're still debating whether we should thank SpyEye's chief marketing officer for including Trusteer as one of its main features for the upcoming version."

Skimmers Like Florida

More Florida ATMs are being compromised by card-skimming devices, according to the Orlando Sentinel.

The devices, which copy data from a card's magnetic stripe as it is used at an automated teller machine, are being spotted more frequently in the central and southern parts of the state. Nationally, skimming has increased at a 10% clip annually for the past three years, the Feb. 5 article said.

The Sentinel described an incident at a SunTrust Banks Inc. branch in Orlando, where a skimming device went unnoticed for six weeks. The stolen card data was used to steal roughly $10,000 from 17 accounts.

Separately, according to the article, "in a case still being investigated, two dozen skimmers with 50,000 card numbers on them were stolen by an organized crime group, the Secret Service said. The thieves … used cloned cards to buy gasoline and sell it to commercial construction sites in central Florida."

Blast from the Past

An old technology for remote access to servers is gaining new popularity among hackers.

According to a report published last month by Akamai Technologies Inc., 10% of attacks that came from mobile networks during the third quarter of 2010 were through a port used for Telnet access, which a Feb. 7 story posted by Computerworld describes as an "aging protocol."

According to the article, "Telnet has been gradually replaced by Secure Shell, or SSH, as a means of accessing servers remotely. Administrators are generally advised to disable Telnet if the protocol isn't being used, in order to prevent attacks targeting it, but some forget to do so."

Akamai found that Telnet's port has been used for many computer attacks taking place in Egypt, Peru and Turkey.

Stealers vs. Hackers

Super Bowl Sunday saw an explosion of fake websites related to the game that were loaded with malicious ads and phishing scams, according to Eweek.com.

The ads had football imagery — including, of course, cheerleaders — and they encouraged users to click on links for work-from-home offers, free iPads and gambling sites, among other things. By clicking on the links, NFL fans infected their computers with malware that can compromise information like bank passwords.

Many game watchers also went in search of sneak peeks of the ads running during the game. Some encountered fake sites that encouraged them to install the "latest versions" of video players. Many downloaded malware this way as well, according to the report.

Bad Apple

Apple Inc. products are in high demand not only among gadget gurus; one alleged card forger bought $1 million in Apple products to cash out forged cards.

Shaheed Bilal, who was already behind bars at New York's Rikers Island for an unrelated conviction, is accused of orchestrating the activities of a ring of fraudsters and buying data from overseas criminals, which enabled him to create fake credit cards, according to a Feb. 3 story from the Business Insider.

Bilal allegedly called the shots from a cellphone.

The credit cards were used to purchase real Apple equipment, which in turn was allegedly sold at a discount on the black market by Bilal's girlfriend, his three brothers and others.

According to the Daily Mail of London, Bilal's ring was the subject of a yearlong investigation by the cybercrimes unit of the Secret Service.

The theft transpired between June 2008 and December 2010, and was harder to detect, the Daily Mail reported, because the fraudsters' names were on the cards — not the names of their victims. Hundreds of card accounts were stolen in 13 U.S. states and Washington.

The article reports Bilal and his girlfriend were charged with conspiracy and grand larceny. Nine others were charged with grand larceny and possession of forged instruments.

Exposure

Nasdaq OMX Group Inc. disclosed over the weekend that one of its services had been struck by hackers, though it said no sensitive data was taken.

The New York company said its Directors Desk system, which it offers companies for sharing sensitive information among board members, was hacked, according to an article on Tuesday in The Wall Street Journal. The Nasdaq trading platform was not affected by the breach, it said.

Nasdaq said it reported the incident to federal authorities last year.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.
