Mikko Hypponen, Chief Research Officer, F-Secure

Post on 28-Oct-2020

F-Secure Corp

We used to be fighting these...

Chen-Ing Hau: Author of the CIH virus

Joseph McElroy: Hacked the Fermi lab network

Jeffrey Parson: Author of Blaster.C

Today we are fighting these!

Jeremy Jaynes: Millionaire, and a spammer

Jay Echouafni: CEO, and a DDoS attacker

Andrew Schwarmkoff: Member of Russian mob, and a phisher

Does anybody buy from spam?

Direct spam

[Diagram labels: Spammer; Ed, Bob, Lisa, Jack, Mary; speech bubbles reading "?#%$!?"]

Spam through Proxy

[Diagram labels: Spammer; Peter (Zombie / Proxy); Ed, Bob, Lisa, Jack, Mary; speech bubbles reading "?#%$!?"]

Send-safe

http://www.f-secure.com/weblog

So, what does phishing have to do with viruses?

Not much

Until we started monitoring some later variants of the Bagle worm

Turns out the machines eventually download an email proxy

And the mails sent through the infected machines turned out to be...

BankAsh.E

Found on March 28th

Shows a fake bank web page whenever the user accesses one of a list of online banking login URLs.

BJs.com: Hacker stole an undisclosed amount of the database with 8 million credit card numbers.

US Navy: Unknown attacker stole 13,000 credit card numbers over the net. Total number of cards in the system: 22,000.

Dpicorp.com: Over 8 million Visa, AMEX, Mastercard and Discovery numbers stolen from a credit card brokerage.

CDUniverse.com: Russian hacker "Maxus" stole 350,000 credit card numbers and posted them to a public web page.

Westernunion.com: Hacker stole over 15,000 credit card numbers and apparently sold them.

Creditcards.com: Hacker stole 55,000 credit card numbers. He asked for a ransom and when it wasn't met, he posted the numbers to a public web page.

Egghead.com: Over 3,700,000 customers had to change their credit cards after a break-in.

Ecount.com: Hacker stole a database containing 350,000 customers and asked for a $45,000 ransom.

Playboy.com: The whole customer database stolen. Hacker sent e-mail about this to all customers.

Case Slacke

Cabir is spreading in the wild.

Cabir was found in June 2004

First in-the-wild report from Philippines in August 2004

Singapore, UAE, China, India, Finland, Vietnam, Turkey, Russia, UK, Italy, USA, Japan, Hong Kong, France, South Africa, Australia, The Netherlands, Egypt, Luxembourg, New Zealand, Switzerland

Skulls.D

F-Secure Awards

United Kingdom 10/04
United States 11/04
Sweden 11/04
United States 12/04
Finland 04/05
United Kingdom 02/05
Italy 12/04
United Kingdom 03/05
Italy 12/04
Excellent
UK 04/05
Norway 04/05
Serbia 04/05
Spain 04/05
Austria 04/05