Compilation of Phishing and Keylogger Attacks

Today it seems that barely a day goes by without another story breaking about a password-protected service being compromised in some way or other. Passwords can be compromised through various forms of attack, including key-logging/screen-logging, phishing and shoulder-surfing, among others. This note elaborates on the extent to which keylogger/screenlogger and phishing attacks are prevalent in today’s world.

KeyLoggers/ScreenLoggers:

Keyloggers/screenloggers are malware present on a user’s computer without the user’s knowledge. They track (or log) the keys struck on the keyboard and take screenshots of what is displayed on screen, typically in a covert manner, and send the results to a remote attacker. At present, all keyloggers are capable of capturing both keystrokes and screenshots, so the names keylogger and screenlogger can be used interchangeably. Below are some statistics related to keyloggers/screenloggers.

• A survey conducted in 2006 by WebSense found that almost one in five organizations in the USA had been the victim of a keylogger attack [1]
• The SANS Institute, a group that trains and certifies computer security professionals, estimated that at a single moment in 2006, as many as 9.9 million machines in the United States were infected with keyloggers [2]
• In June 2009, security company Prevx discovered that a variant of the keylogger trojan Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster, ABC, Oracle, Cisco, Amazon, and BusinessWeek [3]
• In October 2009, Trusteer Research reported a new attack using the Zeus trojan to harvest credentials used to access enterprise web accounts such as webmail, CRM, financial and other SaaS applications [4]
• On 1 October 2010, the FBI announced it had discovered a major international cyber crime network which had used Zeus to hack into US computers and steal around $70m, as well as attempting to steal a total of $220m [3]
• In April 2010, Visa issued an alert about a growing number of keylogger/screenlogger attacks involving online payment card transactions. The particular keylogger malware identified by Visa is equipped to send payment card data to a fixed e-mail or IP address accessible to the hacker [8]
• Card-not-present fraud costs the U.S. payments industry, including issuers, merchants and acquirers, an estimated $1 billion per year, according to a recent report from Aite Group LLC, a Boston-based consulting firm [9]. The majority of this is mainly due to keylogger/screenlogger malware.
• Credit and debit card fraud is the No. 1 fear of Americans in the midst of the global financial crisis. Concern about fraud supersedes that of terrorism, computer and health viruses and personal safety [10]

Phishing:

Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames and passwords, typically by directing users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Below are some statistics related to phishing attacks.
• Gartner reported that $3.2 billion was lost to phishing attacks in the United States in 2007 [5]
• Cybercriminals stole more than $120 million through online banking fraud in the third quarter of 2008, reports the Federal Deposit Insurance Corp. (FDIC). Much of the fraud occurred after users were tricked into visiting malicious Web sites or downloading Trojan horses that enabled cybercriminals to steal online banking passwords [9]
• In November 2009, Symantec warned that CEOs are being targeted by advanced spear-phishing attacks [6]
• One in 20 people in Britain have lost money to some sort of online scam such as "phishing", according to research commissioned by AOL UK in 2005 [7]
• A class of spear-phishing attacks is on the rise; a recent attack indicates the compromise of 100 email service providers, in which criminals have been conducting complex, targeted e-mail attacks. Recipients who clicked the links were redirected to sites that attempted to silently install software designed to steal passwords [11]

There were also many more recent cases in 2010 of Twitter, Facebook, Vodafone, and iTunes-linked PayPal account hacks, which were also attributed to password-based authentication systems. The Vodafone hack in particular is attributed to a type of social engineering attack. There was also a prominent case in 2009 of brute-force password cracking against Yahoo Mail, which raised a red flag for all cloud-based providers using password-based authentication. And, according to a report by Verizon in 2009, password guessing is the most frequent means of gaining control of compromised enterprise systems.
Another case in point is an escrow firm in Missouri suing its bank to recover $440,000 that organized cyber thieves stole in an online robbery earlier in 2010, claiming the bank’s reliance on passwords to secure high-dollar transactions failed to measure up to federal e-banking security guidelines [12].

As the current password-based system is no longer sufficient to combat the above attacks, there is an urgent need for a dynamic password system (strong authentication) that will effectively address them.

References:

1. http://www.scmagazineus.com/websense-keylogger-attacks-double-in-a-year/article/33436/
2. http://www.trusteer.com/sites/default/files/Anti_Keylogger_Myths.pdf
3. http://en.wikipedia.org/wiki/Zeus_%28trojan_horse%29
4. http://www.trusteer.com/sites/default/files/Zeus-OWA_Advisory_Oct_2009.pdf
5. http://www.gartner.com/it/page.jsp?id=565125
6. http://www.spamfighter.com/News-13452-Symantec-CEOs-Becoming-Victims-of-Spear-Phishing-Attacks.htm
7. http://www.theregister.co.uk/2005/05/03/aol_phishing/
8. http://usa.visa.com/download/merchants/key-logger-key-stroke-and-screen-capture.pdf
9. http://security.magtek.com/fraud-statistics/
10. http://www.creditcards.com/credit-card-news/credit-card-industry-facts-personal-debt-statistics-1276.php
11. http://krebsonsecurity.com/2010/11/spear-phishing-attacks-snag-e-mail-marketers/
12. http://krebsonsecurity.com/2010/11/escrow-co-sues-bank-over-440k-cyber-theft/