Top 5 2010 Threat Predictions: Year in Review
In January 2010, Fortinet’s FortiGuard threat researchers issued a report outlining their predictions for The Top 10 Security Trends for 2010. In a mid-year report published in June, “From prediction to prophecy: The 2010 threat landscape,” the research team looked back on the first half of the year to see how those predictions had evolved over six months. In this end-of-year review, FortiGuard threat researcher Derek Manky highlights the top five threats we predicted at the beginning of 2010 and the impact they have had over the course of the year.
1) Money Mules Multiply
**January 2010:** FortiGuard said, “Unwitting consumers may find themselves accessories to a crime as cybercriminals find new ‘mules’ to launder their ill-gotten gains.”
**June 2010:** FortiGuard said, “We observed numerous instances of this trend and highlighted several examples in our threat reports. These socially-engineered attacks dupe users into fraudulent jobs that may sound innocent by description. Typically, the recurring job descriptions we observed in 2010 were accounts receivable ones, which involved the candidate receiving and forwarding funds while taking a commission.”
**EOY 2010:** At the end of September 2010, the U.S. attorney and Manhattan district attorney offices brought charges against 70 money mules used in a large-scale Zeus operation that was engineered to launder funds. Allegedly, they were the vehicles that helped transfer more than $3 million USD in funds. In another case that targeted elderly citizens, one mule was charged with racketeering, having transferred over $800k USD over a year to accounts overseas. These are intriguing examples of the rising demand for money mules as cyber criminal operations continue to grow. While we don't have hard data on the number of active mules out there, it goes to show how important a role they play in modern cyber criminal schemes.
2) Botnets Hide through Legit Means
**January 2010:** FortiGuard said, “Botnets will no longer just obfuscate their binary codes to escape detection. Instead, they will piggyback on legitimate communications vehicles to propagate and cloak activities.”
**June 2010:** FortiGuard said, “This year several new botnets have come into scope, each using common protocols such as HTTP to do their dirty work. Botnets which existed before 2010 continue to remain strong and develop their protocols to obfuscate activity. This year we discovered Webwail, a Web-based scripting engine that can create accounts through the Web (such as Yahoo, Hotmail, Gmail, etc.) and then spam through them. To do this, CAPTCHAs are cracked dynamically by a third party, so that the Web bot may proceed as if it were human. While we have only observed Webwail creating and sending spam, our analysis indicates it is much more capable.”
**EOY 2010:** In March 2010, authorities dismantled Mariposa, arguably one of the largest botnet operations to date. Mariposa successfully grew a large infection base of zombies thanks to discreet communication. The botnet operated purely on UDP through port 53 (DNS), sending heartbeats and regular pings to command and control to keep communication channels open for malicious instructions. In November, FortiGuard Labs discovered a Hiloti bot variant which was using RFC-compliant DNS queries to report information to attackers. The information was embedded in the “A record” query sent directly to a custom DNS server controlled by the attackers. While the former used a custom protocol, both examples show innovative ways to cloak botnet communication.
3) CaaS vs. SaaS
**January 2010:** FortiGuard said, “Cybercriminals will take a page from the new security-as-a-service (SaaS) business model to implement their own crime-as-a-service approach, a criminal ‘environment for hire,’ so to speak.”
**June 2010:** FortiGuard said, “Crime services have been openly available in 2010, most notably through the use of simplified botnets: loader software that downloads and executes malware. These botnets then report statistics back for quality control, so that the operators selling services (‘loads’) can inform their customers when and where their malicious software was installed. We also continue to observe the Cutwail spam bot being distributed with different identification numbers. These are customer IDs, with each hired bot sending spam for the customers who bought them.”
**EOY 2010:** CAPTCHA solving, money transaction and Blackhat SEO services were notable crime services used this year. As more crime services like these continue to pop up, traditional ones such as pay-per-install (PPI) are becoming ubiquitous. In October 2010, a large Bredolab botnet operation that had infected millions of machines was taken offline thanks to the work of Dutch authorities. Bredolab is a simplified botnet; it solely downloads and executes files, and it was one of the most prevalent threats we saw in 2010. Bredolab controllers can send malware downloads to specific machines thanks to parameters passed in by the clients on check-in; its primary use has been loading malicious software via Crime as a Service. FortiGuard observed Bredolab primarily downloading ransomware and fake antivirus malware during its runs in 2010, since these affiliate-based loads are where the most money can be made. The Bredolab operator we monitored allegedly made up to $139,000 USD monthly using this method. This example offers a glimpse of the significant resources criminals are willing to invest to build out crime-service oriented networks.
4) Scareware and Affiliates Find New Ground
**January 2010:** FortiGuard said, “With consumers becoming wise to scareware, cybercriminals are expected to up the stakes in 2010 by holding consumers’ digital assets hostage for ransom.”
**June 2010:** FortiGuard said, “The rise of ransomware is no longer a myth, it’s a reality. We have witnessed several variations of ransomware emerge in 2010, from SMS-based locks to ones that kill applications until the user has paid the recovery fee. Detection levels have grown stronger in 2010, with variations of ransomware making their way into our top ten threat listings. While volume increases, attack strategy and technology continue to grow increasingly sophisticated. Combine this with solid encryption algorithms, and there is no doubt that ransomware will continue to plague cyberspace as we move through the remainder of 2010 and beyond.”
**EOY 2010:** FortiGuard said, “Ransomware, with different affiliate programs, continues to appear. The latest sample we observed is simply known as ‘AntiVirus’ and performs typical force-close tactics on applications. The most prevalent ransomware variants in 2010 were Total Security and SecurityTool. These malicious applications were actually the same product with new skins and upgrades (including the name) that were made during the year as the ransomware product matured. With the ‘AntiVirus’ ransomware, developers actually went a step further by throwing a secure browser skin over their payment portal. When visiting the payment portal, it appears to be SSL/VeriSign secured, when in fact it is not.”
5) Multiple Platforms in the Crosshairs
**January 2010:** FortiGuard said, “With a growing number of users on new platforms, cybercriminals will target their attacks beyond Microsoft Windows.”
**June 2010:** FortiGuard said, “As predicted, we have seen an increase in mobile threat activity. Symbian OS still remains a favored attack platform; viruses like Yxes are becoming increasingly sophisticated while others, such as Enoriv, are just starting to emerge. As other operating systems such as Android continue to gain momentum, they, too, could shortly pose similar threats.”
**EOY 2010:** While smartphone threats regularly appeared on the radar through the end of 2010, customized attacks for specific platforms, such as the notorious Stuxnet, also reared their heads. Conspiracy theories aside, there is no doubt that Stuxnet was a threat developed to attack multiple platforms: infections and rootkits through MS Windows, followed by injected attack target code for PLCs (MC7 byte code) through Siemens Simatic S7. The Koobface botnet, which is designed to spread on compromised social media pages via malicious links, turned multi-platform in November this year when it started targeting multiple operating systems through its use of Java.