Hacker attacks getting more personal

Hackers are personalizing intrusion techniques to net more victims

In the same way some e-commerce sites serve up customized content based on a user's profile, cybercriminals are increasingly using personalization techniques to more effectively attack those who visit their Web sites.

Over the past year or so, the number of malicious sites using personalization techniques has mushroomed and today represents a new and disturbing trend, according to IBM's Internet Security Systems X-Force threat analysis group.

Unlike older sites that simply served up the same exploit code over and over, the new ones are loaded with multiple exploits and payloads, said Gunter Ollmann, director of security strategies at IBM's ISS X-Force team. The sites are crafted to first probe a visitor's browser for specific information, which it then uses to craft a customized attack, he said.

"We're seeing a large number of malicious Web sites that make use of IP address and browser information before they start to create an attack," Ollmann said

For instance, a user who visited a malicious Web site using Internet Explorer would be targeted with exploits seeking to take advantage of specific IE flaws, while those running Firefox or Netscape would be targeted with attacks specific to their browser types. The typical payloads include spyware programs and keystroke logging software, he said.

Each Web site can host literally "dozens and dozens of exploits" targeted at old and new flaws in browsers such as IE, Firefox and Netscape, Ollmann said. "We have seen a lot of zero-day exploits being used on such sites."

Very often, the exploits are secured from organized "managed exploit providers" who, for a monthly subscription fee -- sometimes as low as US$20 per month -- provide a virtually unlimited number of exploits, he said.

According to the X-Force 2006 report on security trends, about 30 percent of malicious Web sites at the end of 2006 were using personalization techniques. That number is growing at the rate of about 1,000 new sites every week, Ollmann said. Many of the sites are live for about four or five days before disappearing, he said.

Cybercriminals typically lure users to such sites by using spam mail or by hijacking and using domains that appear to be legitimate sites, he said. Sometimes, users can also get directed to such sites when they click on shared objects within a Web page, such as a banner advertisement or a visitor counter, he said.

Often such sites use IP addresses to ensure that they deliver the malicious code just once in order to minimize the chance of being detected, Ollmann said. Some are even beginning to compile lists of IP addresses of Web sites belonging to security vendors to ensure that visitors from such sites are not targeted with malicious content at all, he said.

Many of these Web sites use sophisticated obfuscation techniques to evade detection, he said. Java scripts, for instance, are often used to "basically encrypt the contents within a page" to hide information from signature-based detection technologies, Ollmann said. A malicious program might also be sometimes truncated into two or more innocuous looking bits, which can then be later reassembled when needed.

Many sites also deliver the payload in two phases. First, a so-called dropper or a downloader program is installed on a system. This program is then later activated to download the malicious payload.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jaikumar Vijayan

Computerworld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?