Hackers who infect corporate systems with the intent of stealing money do not need a lot of technical expertise or startup money, according to a product manager from Cisco Systems Inc.
“You don’t need to be tech savvy” in order to steal data, said Samantha Madrid, Cisco’s product manager for Web security. “It’s very, very easy.”
Madrid made her remarks during a presentation at the recent Cisco Networkers Solution Forum in Toronto.
She said Cisco workers deliberately infected the company’s own systems in order to see what a hacker could get away with. Madrid’s presentation concluded with an information session on Cisco’s own IronPort security hardware.
IronPort, she said, scans all traffic, ports and protocols and is designed to prevent “phone home traffic.”
But protecting yourself from hackers requires user education, given the prevalence of so-called “social engineering,” such as phishing e-mails containing uniform resource locators (URLs) for malicious Web sites.
“Not even Cisco can guarantee 100 per cent protection from malware,” she said. “If any vendor stands in front of you and says, ‘We will stop all malware,’ I would actually run for the hills.”
Cisco found its own hacking team needed US$2,500 in “seed money” in order to start a data theft operation. This included $300 for the use of a server under a cloud computing arrangement and the Fragus tool kit for $800. Other expenditures included service fees to malware developers.
Fragus, first discovered in the summer of 2009, is described by Symantec Corp. as a tool kit that lets hackers exploit the browsers of victims, and includes a graphical user interface, a control panel
Madrid said the Cisco hackers used the Linux, MySQL and Apache software, all of which are free. They also selected a server using the specifications recommended by the developers of the Zeus bot, which included 2 GB of RAM and 700 GB of hard drive space.
Zeus and Fragus are two of the top three hacking tools, Madrid said. The third is Cutwail.
One reason Cisco chose Fragus is that it can use eight different exploitation methods. Madrid said hackers who use only one method have fewer chances of success because users normally have some — but not all — of their software patched.
Madrid said Cisco’s hackers were able to modify Web pages of banks accessed by their victims in order to steal passwords and credentials.
“The browser just renders whatever is in the HTML page,” she said. “It doesn’t care what’s good or bad or should not be there.”
Bots often enter networks through adware, Madrid said, adding that when administrators do security checks and find adware, they think nothing of it.
Consumers are not the only potential victims of attacks designed to steal banking credentials, she said. For example, last year, a bank in Kentucky lost more than US$400,000 because hackers stole money in increments of less than $10,000, through fraudulent wire transfers, by stealing the controller’s credentials.
Hackers normally employ human assistants, also known as “mules,” to actually wire them the money, Madrid said.
She cited the example of an unemployed American woman who answered an online advertisement for a copy editor. It turned out she was copy editing drafts of spam email messages for hackers. When she asked how she was going to get paid, the employer told her to accept a wire transfer of US$9,500, transfer $9,000 to a third party and keep $500. That was the copy editor’s clue that something was wrong, Madrid said.
That copy editor was one of 25 mules involved in the heist from the Kentucky bank who spoke with police, Madrid said. Another mule who co-operated with investigators ended up losing thousands because when the bank detected fraud, it reversed the original wire transfer from the victim to the mule, but not the wire transfer from the mule to the hacker.
To protect your organization against such attacks, traditional anti-virus software and URL filtering are not enough, Madrid said.
URL filtering is designed to enforce corporate acceptable use policies, and was never meant to examine all requests made to Web sites.
You need to be able to break down all electronic transactions, look at every object being loaded and figure out if it’s malicious, she said.
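To make the contrast between URL filtering and per-object inspection concrete, here is an added example (not code from the article, from Cisco, or from IronPort) that parses a page the way a browser would and lists every object it would cause the browser to fetch. A URL filter only sees the top-level request to the bank’s site and lets it through; walking the page’s objects reveals the script and hidden iframe that point at a host the bank never uses. The HTML sample, the host names `bank.example`, `static.bank.example` and `collector.invalid`, and the allow-list are all constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag/attribute pairs that make the browser fetch a subresource or post data.
# Not exhaustive; extend for the tags your environment cares about.
LOADING_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "img": ("src",),
    "link": ("href",),
    "object": ("data",),
    "embed": ("src",),
    "form": ("action",),  # where entered credentials would be sent
}

# Constructed sample: a bank login page in which two extra objects have been
# inserted that load from a host the bank does not own (collector.invalid).
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://static.bank.example/js/app.js"></script>
<script src="https://collector.invalid/inject.js"></script>
</head><body>
<form action="/login" method="post">
<input name="user"><input name="pass" type="password">
</form>
<img src="/img/logo.png">
<iframe src="https://collector.invalid/frame" width="0" height="0"></iframe>
</body></html>
"""

# Hosts the bank legitimately serves content from (assumed for the example).
ALLOWED_HOSTS = {"bank.example", "static.bank.example"}


class ObjectCollector(HTMLParser):
    """Collect every object a page would cause the browser to load."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.objects = []  # list of (tag, attribute, absolute URL)

    def handle_starttag(self, tag, attrs):
        wanted = LOADING_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value:
                # Resolve relative references against the page URL, as a browser does.
                self.objects.append((tag, name, urljoin(self.base_url, value)))


def url_filter_verdict(url, blocked_hosts):
    """What a URL filter sees: only the host of the top-level request."""
    return "blocked" if urlparse(url).hostname in blocked_hosts else "allowed"


def collect_objects(html, base_url):
    """Return all (tag, attribute, absolute URL) objects the page references."""
    parser = ObjectCollector(base_url)
    parser.feed(html)
    parser.close()
    return parser.objects


def inspect_page(html, base_url, allowed_hosts):
    """Return the objects whose host is not on the site's allow-list."""
    findings = []
    for tag, attr, url in collect_objects(html, base_url):
        host = urlparse(url).hostname or ""
        if host not in allowed_hosts:
            findings.append({"tag": tag, "attr": attr, "url": url, "host": host})
    return findings


if __name__ == "__main__":
    page = "https://bank.example/login"
    print("URL filter verdict:", url_filter_verdict(page, {"collector.invalid"}))
    for f in inspect_page(SAMPLE_HTML, page, ALLOWED_HOSTS):
        print(f"suspicious {f['tag']}[{f['attr']}] -> {f['url']}")
```

The URL filter answers “allowed” because the user really is visiting the bank; the object-level walk is what surfaces the two references to `collector.invalid`. In practice the allow-list would come from the site’s known content hosts or Content Security Policy, and the same walk can be applied to the response bodies a proxy sees rather than to a static string.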