Canadian online threat protection company BD-BrandProtect is fighting against the growing amount of dangerous e-card malware, tackling evil e-cards with a combination of automated helpmates like spiders and honeypots, and good old-fashioned human analysis.
The Mississauga, Ont.-based company has been going since 2001, keeping pace with what company president Roberto Drassinower calls “the increasing sophistication of attacks and the continuing evolution” of security threats. “Five years ago, the volume was much lower by comparison, and very specifically focused on the financial services industry, and were often just simple phishing attacks,” said Drassinower. “Now they’re targeting beyond the financial services industry, often with a two-phase attack that first distributes malware and then uses it on a secondary target.”
One of the ways that dangerous malware is being disseminated is through phony e-cards that unsuspecting recipients open, unleashing bots onto their machine. This then turns their PC into a command point for sending out legions of harmful bots that do a lot of damage. If opened in an enterprise setting, they could prove disastrous, installing keyloggers, scanning directories for personal or valuable information, and modifying Web pages so that sensitive information given to a “mirror” site gets into the wrong hands.
According to Drassinower, these e-cards are especially effective because they are often sent to users not used to the social engineering tactics employed in these e-cards (they often go under popular e-card brand-names, or address the recipient as an old school-friend, or by name).
The company has a 24-hour threat-tracking centre with a database that hosts BD-BrandProtect’s SQL Server Database, which, according to Drassinower, is the second-busiest database in the world, second only to the NASDAQ, in terms of the amount of information processed daily. He said that the company keeps track of 85 per cent of all Internet traffic.
For this purpose, BD-BrandProtect uses Web spiders that scour the Internet for mentions of a client, forging broad link maps to company mentions or data. Hugh Hyndman, CTO with the company, said, “Looking for data, the Web spider scans billions of Web pages a month for mentions of the product or brand. You can do things like looking for images (that belong to the company), and then giving them a watermark so that if they are used again, it acts as a flag.” This practice can be especially helpful if a Web site is pulling a bait-and-switch by offering to sell one product and substituting it with another (or with nothing).
By knowing which pages are linked to one another, said Hyndman, “If we find something suspicious, we know what is linked to it.”
Hyndman also employs honeypots, which gather suspicious-seeming e-mail addresses and re-routes the spam e-mails back to itself. This method is growing in popularity.
Google senior staff engineer Neils Provos recently co-wrote a book entitled "Virtual Honeypots: From Botnet Tracking to Intrusion Detection". "It’s essentially a resource that lets you find out things that you might not know of or be aware of. The basic idea is that you run some kind of computer system that really doesn’t have any use in your production network. It doesn’t serve any Web pages, it doesn’t provide any services to regular visitors. Then you monitor what happens. The basic idea is, adversaries might try scanning the network or might try to attack resources that you provide to your network, and any connection that happens to your honeypot is suspicious by itself because you wouldn’t expect any regular visitor to connect to the system," said Provos.
"By carefully instrumenting it you essentially get to see anything that’s a potential attack … that might end up compromising it with security vulnerabilities that nobody might have been aware of. As a result of getting your honeypot compromised, you might actually know about flaws that you didn’t know about before," he said. "And then the other benefit is you might see how they further compromise the system, what kind of back doors they install, or what kind of root kits or other technologies they use. So the basic benefit of a honeypot is you can observe what potential adversaries might do."
And the results of BD-BrandProtect's honeypot-ing? Said Hyndman: “We’ve been collecting thousands of e-mail e-card messages.”
Once a security profile has been assembled, the client’s assigned Internet threat expert provides them with a prioritized list of problems and issues. “The main things that they want to know is how they’re doing in relation to everybody else, and to highlight the major security threats,” said Drassinower. The company will also attempt to identify each computer in which a bot has been installed.
The client and the expert then work together to determine what to leave be (for instance, company-friendly comments on a forum) and what to target (fraudsters using malware). This is where BD-BrandProtect’s extensive network of ISP partners comes in; they number over 2000, all over the world, and are instrumental in helping the company to bring down the spammers and criminals perpetrating the malware. Forensic analysis is practiced by security experts on the data to determine where the command and control centres are.
Despite BD-BrandProtect’s hands-on approach, the IT professional also comes into play in preventing such intrusions from happening again—or not at all. Drassinower said, “They are in charge of reacting to the incident, but also for being pro-active in organizing policy-setting and reporting, so that these decisions can factor into the budget.” And, said Drassinower, the IT professional can also take the lead by providing information to workers about the perils of opening even the friendliest-seeming e-card.
—With files from Dave Webb.