As we round the bend into the second half of 2011, enterprises face a triple threat on the IT security front. These threats won’t be easily addressed merely by updating anti-virus programs. Some attacks will be capable of reaching even security-minded users.
Here are three main threats that will dominate over the next six months.
PC Malware Migrates to Mobile Platform
While mobile devices have posed a security threat to enterprises for some time, what is new this year is the increase in mobile malware. It’s only a matter of time before traditional PC malware, such as Zeus, makes the leap to smartphones and tablets. While some may argue that malware is already targeting mobiles, which is true, a PC is still involved in the infection process. This is about to change.
Here’s why. Mobile devices are increasingly being used to verify a user’s identity, especially in financial services applications. For example, some banks send an SMS text message to a customer’s registered mobile phone that contains a code needed to complete online transactions. We have seen attacks that combine desktop malware, including Zeus and SpyEye, with mobile malware that is custom-made to intercept SMS messages — to dupe SMS-based transaction verification. In these scenarios, a fraudulent transaction is silently requested by the desktop malware using Man in the Browser (MitB) techniques. The bank then sends a verification SMS to the legitimate mobile device. This message is intercepted by the mobile malware and forwarded to the attacker’s phone number, where it is used to complete the fraudulent transaction.
In the second half of 2011, we can expect to see smartphone verification increase as mobile banking apps become more widely available and adopted. At the same time, we can also expect to see mobile operating systems begin to converge on a more open platform. These three alignments will get the attention of criminals, who will look for ways to enhance their PC malware so that it can directly infect smartphones in an effort to follow and intercept the money trail.
The Browser Becomes the Perimeter
Ten years ago only corporate-owned devices would be allowed to connect to enterprise networks. Of course, this is no longer the case and hasn’t been for some time. Employees seeking a more flexible working environment are using their personal devices to access corporate resources, often through a VPN. External partners are also granted access to corporate applications to complete tasks and collaborate on projects. In fact, some organizations are considering opening up virtual doors that allow customers to link directly into their systems.
Although this blurring of the perimeter has been happening for a number of years, attacks have usually been initiated by individuals hacking into protected systems. What’s different now is that malware residing inside the browser is sniffing and modifying the traffic into the enterprise. In fact, we have recently seen Zeus malware specifically designed to capture credentials from VPN gateways. Using these credentials, criminals can gain unrestricted access to CRM, financial, and other sensitive systems for monetary gain.
Enterprise Attacks Go Social
The concept of targeted attacks against users to punch through the security defenses of organizations will gain momentum. The recent attacks against RSA and the International Monetary Fund (IMF) are good examples. Based on our research, we believe these types of attacks will accelerate as a leading source of online fraud.
Here’s an example that illustrates why targeted attacks are so effective.
We call it “VIGNS” — Vanity Infection from Google News Searches. The purpose of the VIGNS attack is to place under-the-radar malware on a computer owned by an executive who has access to sensitive corporate information. Once the malware is on the executive’s computer, it can transmit information on an on-going basis to an IP address of the hacker’s choice.
The attack process begins with reconnaissance: The attacker searches a business social networking site like LinkedIn for executives at the targeted organization. It’s easy to find victims by searching on company name and role.
Next, the attacker builds a Web page that infects visitors. The page itself exploits a zero day or a recently discovered browser or browser add-on vulnerability. Now, the attackers have a webpage that can be used to infect visitors with malware, as well as the name of the victim whose computer they want to compromise.
With the help of Google — and human vanity — the victims are lured to the malicious site. Since many executives have a Google Alert set up on their name, attackers can place the victim’s name within the malicious webpage, which generates an alert when it is indexed by Google. When the executive receives and clicks on the link, he or she is directed to the malicious Web page and their computer gets infected.
This is a simple example, and we have seen far more complex and sophisticated attacks in the wild.
In Conclusion
The triple threat — mobile, browser, and targeted attacks — facing organizations is not easily addressed by simply keeping systems and anti-virus programs up to date and educating users on security hygiene best practices. Many attacks use zero-day, unpatched exploits, which makes the malware completely undetectable by anti-virus solutions. Meanwhile, targeted attacks like the VIGNS example above can victimize even the most security-savvy and conscious users.
One possible solution is to use tools that specialize in zero-day attack prevention. Unlike traditional signature-based security solutions, new technologies are available that use a data-centric approach. For example, by monitoring sensitive data and applications on an endpoint device, it is possible to identify unknown pieces of software that attempt to access this information or these applications. From there, corrective actions can be taken. The malware can be blocked, the access attempt reported to IT, and the violating software disinfected from the computer. This approach is most likely to detect and block malicious software that has not been seen before.
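The data-centric check described above can be sketched as follows. This is an added example, not code from the article or from any product: it decides on the resource being touched and the hash of the executable, so unknown software reaching sensitive data is blocked, reported to IT, and queued for cleanup. The paths, hashes, and event fields are constructed assumptions.

```python
from fnmatch import fnmatch
from typing import NamedTuple

# Constructed policy for illustration: what counts as sensitive on this
# endpoint, and the hashes of software known to the organization.
SENSITIVE_PATTERNS = ["/home/*/.vpn/credentials*", "/opt/crm/data/*"]
KNOWN_HASHES = {"a1" * 32: "browser", "b2" * 32: "vpn-client"}

class AccessEvent(NamedTuple):
    pid: int
    image: str     # path of the executable that made the access
    sha256: str    # hash of that executable
    resource: str  # file it tried to open

def is_sensitive(resource):
    return any(fnmatch(resource, pat) for pat in SENSITIVE_PATTERNS)

def evaluate(events):
    """Return (decisions, report, cleanup) for a batch of access events.

    The decision keys on the data being touched and on the executable's hash,
    never on a malware signature or on the executable's file name.
    """
    decisions, report, cleanup = [], [], []
    for ev in events:
        # Unknown software is only a concern once it touches sensitive data.
        if not is_sensitive(ev.resource) or ev.sha256 in KNOWN_HASHES:
            decisions.append((ev.pid, "allow"))
            continue
        decisions.append((ev.pid, "block"))
        report.append(f"pid={ev.pid} image={ev.image} resource={ev.resource}")
        if ev.image not in cleanup:  # one cleanup entry per offending binary
            cleanup.append(ev.image)
    return decisions, report, cleanup

# Constructed sample events: a known VPN client, an unknown binary that is
# merely named "browser", and an unknown tool touching non-sensitive data.
SAMPLE_EVENTS = [
    AccessEvent(101, "/usr/bin/vpn-client", "b2" * 32, "/home/alice/.vpn/credentials.json"),
    AccessEvent(202, "/tmp/.cache/browser", "ff" * 32, "/home/alice/.vpn/credentials.json"),
    AccessEvent(202, "/tmp/.cache/browser", "ff" * 32, "/opt/crm/data/accounts.db"),
    AccessEvent(303, "/usr/local/bin/newtool", "cc" * 32, "/tmp/scratch.txt"),
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS)[1]:
        print("REPORT", line)
```

The binary named `browser` is blocked because its hash is unknown, while the unknown tool that only touches a scratch file is left alone.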