Mikko Hypponen, Chief Research Officer, F-Secure
Transcription
F-Secure Corp

We used to be fighting these...
  Chen-Ing Hau, author of the CIH virus
  Joseph McElroy, hacked the Fermi lab network
  Jeffrey Parson, author of Blaster.C

Today we are fighting these!
  Jeremy Jaynes, millionaire and spammer
  Jay Echouafni, CEO and DDoS attacker
  Andrew Schwarmkoff, member of the Russian mob and phisher

Does anybody buy from spam?

Direct spam
  (Diagram: the spammer sends the messages straight to the recipients Ed, Bob, Lisa, Jack and Mary.)

Spam through proxy
  (Diagram: the spammer sends the messages to Peter's infected machine, a zombie acting as a proxy, which relays them on to Ed, Bob, Lisa, Jack and Mary.)

Send-safe

http://www.f-secure.com/weblog

So, what does phishing have to do with viruses?
  Not much.
  Until we started monitoring some later variants of the Bagle worm.
  Turns out the machines eventually download an email proxy.
  And the mails sent through the infected machines turned out to be...

BankAsh.E
  Found on March 28th.
  Shows a fake bank web page whenever the user accesses one of:
    web.da-us.citibank.com/cgi-bin/citifi/scripts/login2/login.jsp
    www.bankofscotlandhalifax-online.co.uk/_mem_bin/UMLogonVerify.asp
    www.halifax-online.co.uk/demos/public/umdemoengine.asp
    www.ebank.hsbc.com.hk/servlet/onlinehsbc
    www.iblogin.com/servlet/XCServlet;jsessionid
    www.national.com.au/cgi-bin/7614_1.pl
    www.bpinet.pt/verificaMCF.asp
    sec.westpactrust.co.nz/IOLB/csReq
    olb.westpac.com.au/ib/asp/login/bsd_lgvalidate.asp
    www.halifax-online.co.uk/_mem_bin/UMLogonVerify.asp
    www.rbsdigital.com/secure/default.asp
    www.nwolb.com/secure/default.asp
    olb2.nationet.com/MyAccounts/frame_MyAccounts_WP2.asp
    online.lloydstsb.co.uk/logon.ibc
    ibank.cahoot.com/Aquarius/web/en/core_banking/log_in/frameset_top_log_in.html
    ibank.barclays.co.uk/fp/1_2h/online/1,31705,,00.html
    myonlineaccounts2.abbeynational.co.uk/CentralLogonWeb/Logon?action=logon
    www.ebank.hsbc.co.uk/logonindex.jsp

  BJs.com: A hacker stole an undisclosed part of a database holding 8 million credit card numbers.
  US Navy: An unknown attacker stole 13,000 credit card numbers over the net. Total number of cards in the system: 22,000.
  Dpicorp.com: Over 8 million Visa, AMEX, Mastercard and Discover numbers stolen from a credit card brokerage.
  Playboy.com: The whole customer database stolen. The hacker sent an e-mail about it to all customers.
  Ecount.com: A hacker stole a database containing 350,000 customers and asked for a $45,000 ransom.
  Egghead.com: Over 3,700,000 customers had to change their credit cards after a break-in.
  Creditcards.com: A hacker stole 55,000 credit card numbers. He asked for a ransom and, when it wasn't paid, posted the numbers to a public web page.
  Westernunion.com: A hacker stole over 15,000 credit card numbers and apparently sold them.
  CDUniverse.com: Russian hacker "Maxus" stole 350,000 credit card numbers and posted them to a public web page.

Case Slacke

Cabir is spreading in the wild
  Cabir was found in June 2004.
  First in-the-wild report from the Philippines in August 2004.
  Countries with reports: Singapore, UAE, China, India, Finland, Vietnam, Turkey, Russia, UK, Italy, USA, Japan, Hong Kong, France, South Africa, Australia, The Netherlands, Egypt, Luxembourg, New Zealand, Switzerland.

Skulls.D

F-Secure Awards
  (Slide residue: a list of awards by country and date, October 2004 to April 2005.)