Stealing virtual items from videogame characters in massively-multiplayer games, then reselling the items in a quasilegal grey market to other gamers, makes a lot of criminals a lot of ‘IRL’ money.
By Dancho Danchev
It’s that time of the year! The moment when we look back, and reflect on Webroot’s Threat Blog most popular content for 2012.
Which are this year’s most popular posts? What distinguished them from the rest of the analyses published on a daily basis, throughout the entire year?
Let’s find out.
By Ian Moyse, EMEA Channel Director
We seem to take phishing attacks for granted these days, in much the same way that we’ve accepted spam as a natural, and inevitable, by-product of email. Some experts believe that one of the best solutions to thwart phishing attacks is end-user training, but I doubt training alone can be a viable solution. Can we really train every computer user to be sufficiently security literate, such that anyone can distinguish a phishing message from a genuine bank email? I doubt that it is possible, especially given how specific the details in spear phishing (phishing targeted at specific people and/or companies) attacks have become.
It used to be that thieves could satiate their hunger for evil (and money) merely through the emulation of a consumer bank or a PayPal login screen. While those low-hanging-fruit scams show no signs of abating, even following some major busts of phishing rings, we’ve seen new types of phishing attacks that wear the mask of a Web security product, persuading users to follow through on fake spam quarantine messages, or security update alerts, sometimes using the name of real vendors. It’s all very plausible.
Unfortunately, the average user is not a trained security expert—and why should he or she be? Criminals lure us into phishing and email scams in much the same way that street cons lure some people into losing their wallet at Three-card Monte. We let our curiosity get the best of us, and at times can be gullible. Like street hustlers, cybercriminals aren’t afraid to experiment with hacking our inclinations (or, as many security experts call it, social engineering). The volume of phishing attacks has increased, as have their variety and sophistication. Even security experts struggle to identify some of the fakes.
The phishers cast their rods farther and with more efficiency than ever before. They can easily download phishing site creation tools (yes they exist) and produce convincing messages and pages. Expecting an average PC user to beat these guys without any help is tantamount to pitting an average golfer against Tiger Woods (albeit a few years ago; no offense, Tiger). The criminal’s job is to create online scams that work, and the returns on their investments are huge. Why would we expect non-criminally-minded users to be more adept at spotting scams, than scammers are at reeling in the users?
Technology has to step up its game. We need to continue to make it harder and less lucrative for online scammers to do their “jobs.” That’s really the most effective way to stop phishers from attacking our end users.
By Andrew Brandt
With 2010 finally behind us, and an unknown number of cyberattacks likely to come in the new year, I thought I’d run down a brief list of the malicious campaigns criminals pulled off last year that I’d really dread to see anyone repeat. Now that they’re in the past, they should stay there.
Operation Aurora: Google’s accusation (with Adobe, Juniper Networks, Rackspace, Yahoo! and Symantec) that China hacked its servers, allegedly stealing private emails stored on the company’s servers. The big surprise wasn’t that it was happening, but that companies were publicly talking about it.
Abused ccTLDs: 2010 saw lots more malicious content originating from previously un-abused country code top-level domains, which are assigned to national authorities, such as the .in (India) and .cc (Cocos (Keeling) Islands) top-level domains. The Cocos Islands’ .cc domain deserves particular note because the more than 2200 malicious domains (discovered during 2010) hosted under this ccTLD outnumber the approximately 600 human inhabitants of the tiny archipelago by nearly 4-to-1.
Koobface: “the little social network worm that could” employed new URL obfuscation techniques, introduced its own keylogger, and focused efforts on a smaller number of social media sites, while Facebook got more proactive at shutting down the worm’s operations quickly. Maybe this year they’ll disappear altogether.
By Andrew Brandt and Curtis Fechner
It’s appropriate that this year’s Blizzcon, the two-day celebration of all things World of Warcraft, takes place during National Cyber Security Awareness Month. No other game is as heavily targeted by thieves as WoW, so we thought this would be as good a time as any to run down some of the malware threats that face gamers. 2010 has been a big year for Trojans that steal game passwords or license keys.
The people who create malware targeting online games show no signs of relenting, nor are they laying down on the job. Innovation is the name of the game, and password-stealers this year innovated their infection techniques to make them more effective and even harder to detect.
Two-factor authentication tokens, such as the Blizzard Authenticator, do a great job of preventing fraud. If you play WoW, the seven or so bucks the Authenticator costs can prevent a lot of headaches if your account becomes compromised by either a Trojan or a phishing Web site. The Authenticator displays a series of numbers that change about once a minute, and a gamer needs to enter these numbers along with a username and password to play the game.
However, while gamers who play Blizzard’s games might find themselves at reduced risk of phishing thanks to the Authenticator, other companies that operate the kinds of massively-multiplayer games most targeted by phishing pages and malware are also targets for theft, and don’t yet offer an equivalent method of securing login credentials.
By Andrew Brandt
Last week, Activision/Blizzard released a long-anticipated patch for its immensely popular game, World of Warcraft. While I don’t play this game, a number of our Threat Researchers do, and they’ve been on the lookout for shenanigans. Curtis Fechner found a doozy.
The update comprises a major overhaul of many core systems within the game, affecting the graphics engine, game rules, player abilities, and also the interface. Many players use downloadable, player-created add-ons to further customize the appearance of the user interface; Patches as comprehensive as this one mean that many of the old add-ons simply won’t work until the add-on’s creator releases a new version.
So this week’s rush to patch the game and update some add-ons led to some interesting news. One of the add-ons Curtis uses is something called RatingBuster, written by a player who goes by the name WhiteTooth. The add-on, available from a number of locations, typically comes in the form of a .zip archive and contains several plain text files (called LUA files). But earlier this year, someone registered the domain name ratingbuster.org and began serving Trojans from this legitimate looking Website instead of the RatingBuster add-on.
This fake RatingBuster comes in the form of an executable file named rbv1.4.9.exe — running unknown executables is a big no-no most WoW players know to avoid. This particular executable is a self-extracting RAR archive, which utilities like WinRAR can easily unpack. Inside the archive is another file, a single executable named bot.exe (22794 bytes, MD5: 6831c35e6d19ea0a1e1e9e346368b3e3). This is our malware installer, stored inside the other installer.
By Andrew Brandt
Today’s the official kickoff for National Cyber Security Awareness Month, and the organizations supporting the event, including the National Cyber Security Alliance, the Anti-Phishing Working Group, and dozens of corporate citizens including Webroot, want you to protect your computer and your personal information. So they’ve come up with a three word campaign slogan they hope will become conventional wisdom for every Internet user: Stop. Think. Connect. Think of it as the 21st century equivalent of looking both ways before crossing the street.
In my case, they’re preaching to the choir. For years, I’ve advocated that people treat everything they see online critically, and to scrutinize information before acting on it. That’s because the army of criminals who commit fraud and theft over the Internet on a daily basis rely on you to not stop, not think, and to click links or open files immediately, without regard to the consequences of your actions. That’s how most people infect themselves. If you stop and think before you connect, you can prevent most of these infections yourself, simply by exercising a little restraint.
It’s hard to think of a major cybercrime outbreak over the past year that hasn’t relied, to some extent, on the naivete of its targets. Security professionals call these tricks “social engineering,” but that’s just a geeky term for criminal skullduggery that’s as common offline as online. The ruse almost always tries to invoke an adrenaline-fueled need for an immediate response — usually out of fear, greed, or panic — on the part of a victim. The victim ends up in a mental state where they are likely to make rash, impulsive decisions. And they do.
Putting the brakes on social engineering tricks usually takes all the steam out of them. To that end, I’d like to show you examples of five of the most common cyberscams that lead to the loss of personal information or sensitive data. Hopefully, if you know what to expect, you’ll simply walk away from the encounters unscathed.
By Andrew Brandt
While some members of our Threat Research group are attending talks at the Black Hat Briefings, the rest of the team is back at our offices, hard at work watching for novel threats. That’s good news for gamers, and bad news for malware distributors who might try to take advantage of a confluence of events where many elite members of the security community are temporarily turned away from monitors while they attend the conference. I received a warning about one potential threat facing gamers who might turn to piracy to get a copy of Blizzard’s new real-time-strategy game, Starcraft II.
Apparently, there are a flood of torrents where gamers can download purportedly pirated versions of SC2. While your less ethical gamer might cheer this news, you might be less pleased to find out that some of the SC2 torrents appear to bring along a side order of malware. One of the torrents, for example, touted as a custom game launcher, drops the Zbot keylogger Trojan—albeit a variant we can easily detect and remove.
While this isn’t exactly new, we’re finding that the incredible demand for this game is driving malware distributors to supply something that looks like what the gamers want. We’ll keep an eye on this trend, and update the post if necessary with more details as they become available.
And if you want a copy of the game, just go out and buy it. It may not be the most thrifty use of your money, but it’s the ethical thing to do, and the safest way to get a copy of the game.
(Starcraft 2 logo courtesy of Blizzard Entertainment)
By Andrew Brandt
Blizzard’s announcement today that they will begin a closed beta-test for the latest expansion pack is likely to generate a lot of excitement among that particularly low breed of online criminals who steal the fruits of other people’s entertainment when they commandeer passwords for other players.
While it’s hard to believe that most players of online games aren’t aware of the profusion of phishing sites attempting to steal logins, the problem clearly isn’t going away, so the warnings remain the same: Keep a close eye on your browser’s Address Bar, and make sure you’re really logging into Blizzard’s Web site, and not some phishing creep’s trap.
If history serves, they’ll try to lure you with false promises of getting access to the beta. Don’t fall for the trap.
(Tip ‘o the hat to Threat Research Analyst Curtis Fechner for the breaking news tip.)
By Andrew Brandt
Malware distributors in China have started pushing the same kinds of fake codec scams on unsuspecting Chinese Web surfers that criminals elsewhere in the world have mastered.
I’m not sure how I feel about this. On the one hand, I feel sorry for the Chinese victims, most of whom are probably blissfully unaware of the dangers they now face on the Web. On the other, perhaps this will finally serve as a wake up call to Chinese authorities that they need to do something about homegrown Sino-cybercrime.
In the course of investigating some odd-looking URLs (including one which uses the name of every popular Chinese portal), I stumbled into a maze of Web sites that forcefully urge visitors to download and install software.
The scams start at Chinese porn sites — though, it must be noted, the photos on most of these sites are significantly less racy than what you’d find on your typical college coed’s MySpace page, even before Spring Break. The sites promote streamed video, but warn users that they must download and install a special “video on demand” player in order to watch the videos. Sound familiar?
In the course of a few hours, I pulled down and researched five distinct Trojaned software packages, all of which originated from a “click here to download the player” link on a Web page. At best, the programs attempt to convince users to pay 100 Yuan (about $15) for access to what the program promises is a vast library of TV shows and movies from China and the rest of the world.
At worst, the programs pull down dozens of keylogging Trojans, downloaders, and backdoors at the same time as they install benign Chinese video software, such as the popular (and completely free) QVOD player.
Continue reading
By Andrew Brandt
PC gamers have a new threat to contend with, one that has your personal information in its crosshairs and you can’t dispatch with a sniper rifle or BFG9000: A Trojan designed to steal game passwords that uses Microsoft’s own graphics engine, DirectX, against you.
The Trojan, which appears to have originated in China, modifies one or more of the DirectX driver files — such as DirectSound, Direct3D, or DirectDraw — so it only loads when Windows fires up the modified DirectX driver. Because DirectX is typically used by games, it means this sleeper cell Trojan activates when you fire up a PC game, then terminates when you stop playing. As a result of using this unusual load point to start itself up, instead of a more typical Run key or Services entry in the Windows Registry, the Trojan is unusually low key.
In our tests, the installer drops one or more randomly named DLLs (the keylogger component) in the c:\windows\system directory, then modifies one or more DirectX files. Each modified DirectX file is used to load one keylogger payload, so if the installer happens to drop four keyloggers, it will also modify four DirectX files. It also adds instructions that call functions from another, unmodified, legitimate system file named mscat32.dll. MSCAT32 is completely benign: Windows uses mscat32.dll to create Microsoft Cabinet .cab files, which are similar to .zip archive files. We’ve named this aide-du-vol Trojan-PWS-Cashcab (though some of our competitors call it Kykymber).
As a result of the modifications, the keylogger component loads whenever any program initializes the modified DirectX driver file. Fortunately, it also loads when you run the DirectX Diagnostics program included with DirectX, DxDiag (click Start, Run, then type dxdiag and click OK to start it up). That’s also the easiest way to determine if your PC is infected.
