“The Snowden leak and recent events have highlighted that cyber espionage and nation sponsored attacks are not fictitious threats. No corporation dares to claim it is exempt from exposure to targeted attacks and surveillance,” says Mikko Hypponen, F-Secure’s Chief Research Officer.
Mr Hypponen gave a talk in Hong Kong on these issues on 12 December 2013, and Pressenza Hong Kong was there.
“The online criminal gangs are very quick to react,” Hypponen continued. “Now we are seeing attacks against Bitcoin, and Bitcoin is a very new phenomenon. Criminals are very quick to find opportunities; they jump on the bandwagon and capitalise on them. Money making in this manner was at first very simple and started with botnets and spam about ten years ago. Then we started to see keyloggers, stealing credit card numbers and stealing passwords, as people started using home computers and then started using online banking on their executive computers. Then we started seeing ransom trojans. They have used different vectors: originally floppy disks, then email attachments, USB sticks. But today by far the most used way people get infected is the Web.
“So, if getting infected by surfing the web is the problem, what kind of website do you have to visit in order to get infected? Well, for example, that of the Los Angeles Times! One of the largest newspapers in the United States. So the answer is: very common websites and very trusted websites.
“People living in Los Angeles would open this every morning looking for today’s news. Well, one day in June this year, when they opened up this website, they got infected. Why did they get infected? Well, they got infected because there was an exploit on the site. Why was there an exploit on the site? Did the LA Times put an exploit on their website? Of course they didn’t. Or did they get hacked? No, they didn’t. What happened was that the ad provider, providing those banner ads that you see on websites, got hacked. And that ad was injected with one line of JavaScript which redirected every visitor to the LA Times into an exploit kit. That exploit kit then launched an attack.
“What was the exploit kit targeting? Well, exploit kits target all the vulnerabilities you have on your system. They go through a list. Are you a new visitor? Which operating system are you using, a Mac, Windows or a phone? Let’s say it’s a Windows user; then what version of Windows is running? XP, Six, or Seven or Eight? Let’s say Windows 7. Which service pack is he running? One or two or three? Well, is it fully up to date? If it is not fully up to date it will launch an attack against the vulnerability in the operating system. But if it is fully up to date then it will continue. Which browser is the user running? IE, Firefox, Safari? Let’s say he is using Firefox; which version of Firefox is he running? Is it fully up to date? Let’s say it was; if not, it would launch an attack against the browser. It continues. Which plug-ins does the user have? Does it have Flash, Java, QuickTime, the eReader plug-in? Are all these up to date? As you might guess, for the majority of users it will find some component in there which is not up to date. One hole is enough.
“How do these kits do that? Because they are professionally done, developed and sold by online criminals for other online criminals. One of the most well known is Black Hole. I can show the screen here but the victims never see this screen. Visitors just go to websites like the LA Times and they only see that; they never see anything. Only if you buy Black Hole do you get to see this screen. As you install it on a hacked website this is what you see: the full analytics of your victims, like who is visiting the hacked website, where in the world they are coming from, which browser they are using. On the screen – which is real world – you can see that out of the 87,000 visitors coming in through IE, 13,500 got infected; around 15% of Opera users also got infected, around 13% of Firefox users got infected, but less than 2% of Chrome users got infected. Interesting: Chrome, at least with this type of attack, seems to be much more secure. Why? Because most of the exploits are either Java exploits or PDF Reader exploits, and Chrome’s particular Java prevents this kind of attack and Chrome has its own built-in Reader.
“However, Chrome could have other problems, for example privacy. After all, we have to remember that Chrome is done by Google [laughter]. Google is a great company, we all like Google, and we use Google all the time. We use YouTube, Google Maps, we search with Google, we host our sites on Blogspot, but we have to remember that Google is in the business of making money; it seems none of us pays money for all these services. All the services are free… that’s funny, all those services. Obviously the services they run are very expensive. You can imagine the costs of the data centres Google are running around the world; even the electricity bill for Google stands at more than one hundred million dollars a year. Just for the electricity. So if all these services are for free, surely this company must be making huge losses. But it is not; it is making around 60 billion dollars a year revenue, out of which they make 12 billion dollars profit a year – for free services. Interesting, isn’t it? They have around one billion users. 12 billion profit out of one billion users, which means you made 12 dollars profit for Google last year. Even though we did not actually pay anything; we paid with our data. Paid with our privacy, our profile.
“So this Black Hole is very professionally done, very professionally sold. Sold by a guy named Porch, a guy in Moscow, a Russian. He has been doing this for almost three years now. Its price is around 2,000 dollars, depending on the support package; you might need hosting. So how come we seem unable to catch the guys who write tools like these? Well, for Porch in particular his logic seems to be clear… he is not attacking anyone himself, he is just building tools for other criminals. The other criminals are the ones breaking the law. He’s just providing the tools. It’s something like selling guns: you are not killing anyone, just selling guns. He believes this makes him untouchable. He believes he will not be caught. And I am truly happy to share with you the good news. Porch was wrong; the way he was working did not put him above the law. Because Porch was found. He was leaving leaks about his real-world identity; he had to be visible online in order to sell. So we knew his email address, we knew his website. Eventually different researchers were able to pinpoint Porch’s real-world identity as against his online identity. He also used the nickname Toast. And the good news is, three weeks ago Porch was arrested, charged with online crime in Russia.
“Hopefully he will go to jail. He made several millions. He was also driving a Porsche! As soon as Porch was taken offline three weeks ago we saw his Black Hole sales plummet. It used to be number one and now is not listed in the top ten in our lists. He was very quickly replaced by other exploit kits, like Angler and Nuclear, because there is a whole underground market for goods of the kind offered by Porch: developing and selling exploit kits. But these are just the way of getting in. It is entirely up to the criminal using it to decide what malware to drop.
“For example, in the LA Times case they dropped a key logger, the kind you can take credit card numbers with. What is typical today, though, is the ransom trojan. A very simple idea: it takes over your computer and either blocks your computer or encrypts your files, and asks for a payment to release them back to you. Here is an example, here is Cryptolocker, which is a problem we have now. It is a trojan which encrypts your document files, your Excel files, your PowerPoint files, your PDF files, your text files and your images. It encrypts all your hard drive, or all the network drives you can write to, and even your Dropbox shares. It will greet you with a message: ‘Hello, I am a trojan and I have just encrypted your files, so please pay me the equivalent of US$300 and you will get your files back.’ It gives you 72 hours to do this. If you actually do this, if you actually send them the money, they will send you back the program which will decrypt the files, so at least they are honest criminals [laughter].
“We do not recommend paying them, paying money to any of these clowns, but we know that a lot of people have done so in order to get their files back. Because people do not have backups – which is the obvious solution. If you back up every day and this happened yesterday, no need to pay, just perform a restore. But we know many people do not do that.
“There was an incident only recently in the US where a police station in California got infected with Cryptolocker – they had to pay. Yes, the police paid the criminals. Another ploy is to appear to be someone official who makes a demand because you have done something illegal with your computer, so they have locked it. Let’s face it, we all have something which might infringe copyright, so it’s likely any such threat would fall on fertile ground. A copyright trojan will lock your computer and then claim this has been done by the copyright agency for copyright violation. They claim to have found pirated movies and music on your hard drive. Using the appropriate acronym they claim to have officially locked your system. So now you have to pay a copyright fee to unlock your system. It looks very real. There’s even an evidence list which lists all the music files found on your hard drive. It has your IP history, all these logos – but it is not the copyright alliance. These are criminals.
“But it is easy to see why people fall for these ruses, because we all know copyright agencies do really play hardball. I bet most here have some illegal music on their hard drive, so getting one of these notices you will say, ‘oh shit, how did they find out!’ This is the trend we see nowadays: criminals use trojans to infect computers and then demand payment for release from the predicament.
“Now we have something different again to beware of, and it’s due to a young Japanese mathematician, Satoshi Nakamoto, who in 2008 wrote a technical paper for a cryptographic conference where he described a very complicated block-chain which he said could be used to create a peer-to-peer network which could be used to create a virtual hub – and the result is Bitcoin – cyber currency.”
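The probe sequence Hypponen describes for an exploit kit (operating system, then browser, then each plug-in, stopping at the first component that is not up to date) is the same walk a defender can run over a host's own software inventory to find the hole before a kit does. What follows is an added example written for this article, not code from the talk or from F-Secure; the component names, installed versions and "minimum patched" baseline in it are constructed placeholders, not real advisories.

```python
"""Walk a host's software inventory in the order the talk describes an
exploit kit probing it (operating system, then browser, then each
plug-in) and report the components that are below their minimum
patched version.  Added example for this article, not code from the
talk or from F-Secure.  Component names, installed versions and the
"minimum patched" baseline are constructed placeholders."""

import re
from typing import Dict, Iterator, List, Optional, Tuple

# category -> {component name: installed version}
Inventory = Dict[str, Dict[str, str]]

# Probe order as described in the talk.  One hole is enough, so the
# first outdated component found in this order is the one that matters.
PROBE_ORDER = ("os", "browser", "plugins")

# Constructed baseline: lowest version treated as fully patched.  A real
# deployment would load this from vendor advisories; these are placeholders.
BASELINE: Dict[str, str] = {
    "windows": "6.1.7601",
    "firefox": "26.0",
    "flash": "11.9.900",
    "java": "1.7.0.45",
    "reader": "11.0.5",
}

# Constructed host: OS and Flash current; browser, Java and Reader stale.
SAMPLE_HOST: Inventory = {
    "os": {"windows": "6.1.7601"},
    "browser": {"firefox": "25.0.1"},
    "plugins": {"flash": "11.9.900", "java": "1.7.0.25", "reader": "10.1.4"},
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '11.5.502.110' into (11, 5, 502, 110).  Non-numeric parts such
    as '-beta' are ignored, so '24.0-beta' compares as 24.0."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def is_outdated(installed: str, minimum: str) -> bool:
    """True when installed < minimum.  Fields are compared as integers and
    padded with zeros, so '10.2' beats '9.9' and '26' equals '26.0'
    (a plain string comparison gets both of those wrong)."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def _walk(inventory: Inventory) -> Iterator[Tuple[str, str]]:
    """Yield (component, version) pairs in exploit-kit probe order."""
    for category in PROBE_ORDER:
        for name, version in inventory.get(category, {}).items():
            yield name, version


def first_hole(inventory: Inventory, baseline: Dict[str, str]) -> Optional[str]:
    """The first component a kit walking PROBE_ORDER would find out of
    date, or None if everything tracked in the baseline is current.
    Components absent from the baseline are skipped (unknown, not safe)."""
    for name, installed in _walk(inventory):
        minimum = baseline.get(name)
        if minimum is not None and is_outdated(installed, minimum):
            return name
    return None


def all_holes(inventory: Inventory, baseline: Dict[str, str]) -> List[str]:
    """Every outdated component, in probe order: the full patch backlog."""
    return [name for name, installed in _walk(inventory)
            if name in baseline and is_outdated(installed, baseline[name])]


if __name__ == "__main__":
    hole = first_hole(SAMPLE_HOST, BASELINE)
    print("first hole a kit would hit:", hole or "none, host fully patched")
    print("full patch backlog:", all_holes(SAMPLE_HOST, BASELINE))
```

Two details carry the weight here: versions are compared field by field as integers rather than as strings, and a component missing from the baseline is reported as neither safe nor vulnerable, which in practice means the baseline itself is the thing to keep current.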
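Cryptolocker's footprint, as Hypponen describes it, is a drive or share full of document files whose contents have been replaced by ciphertext. One way to spot that after the fact, and to tell it apart from the already high entropy of compressed formats such as Office documents, PDFs and JPEGs, is to check each file's type signature before its entropy. This is an added example for this article, not code from the talk or from F-Secure; the file set it scans is a constructed fixture written to a temporary directory by build_sample_tree().

```python
"""Spot document files whose contents have been replaced by ciphertext,
the footprint a Cryptolocker-style trojan leaves on a drive or share.
Added example for this article, not code from the talk or from F-Secure.
The files it scans are a constructed fixture written to a temporary
directory by build_sample_tree()."""

import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Leading bytes a genuine file of each type starts with.  Office formats
# are zip containers and JPEG/PDF bodies are compressed, so their entropy
# is already high; what an encrypted victim file lacks is this header.
MAGIC: Dict[str, Optional[bytes]] = {
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".pptx": b"PK\x03\x04",
    ".pdf": b"%PDF-",
    ".jpg": b"\xff\xd8\xff",
    ".txt": None,  # plain text has no signature; entropy alone decides
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits close to 8.0
SAMPLE_BYTES = 4096      # only the head of each file is examined


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the input: roughly 4 to 5 for prose, 8 for random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """One file is suspicious when it is a tracked type, its expected header
    is missing (or it is plain text), and its leading bytes are near-random."""
    suffix = path.suffix.lower()
    if suffix not in MAGIC:
        return False
    head = path.read_bytes()[:SAMPLE_BYTES]
    magic = MAGIC[suffix]
    if magic is not None and head.startswith(magic):
        return False  # header intact: compressed content, not ciphertext
    return shannon_entropy(head) > ENTROPY_THRESHOLD


def scan_tree(root: Path) -> List[str]:
    """Paths (relative to root) of every file that looks encrypted."""
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_file() and looks_encrypted(p))


def suspicious_ratio(root: Path) -> float:
    """Share of tracked document files that look encrypted.  A handful of
    odd files is noise; a large share across a tree is the ransomware case."""
    tracked = [p for p in root.rglob("*")
               if p.is_file() and p.suffix.lower() in MAGIC]
    if not tracked:
        return 0.0
    return sum(looks_encrypted(p) for p in tracked) / len(tracked)


def build_sample_tree(root: Path) -> None:
    """Constructed fixture: three intact documents and three whose contents
    were overwritten with random bytes, standing in for encrypted victims."""
    (root / "notes.txt").write_bytes(b"Quarterly notes, nothing secret. " * 100)
    (root / "report.pdf").write_bytes(b"%PDF-1.4\n" + os.urandom(2000))
    (root / "budget.xlsx").write_bytes(b"PK\x03\x04" + os.urandom(2000))
    for name in ("invoice.docx", "photo.jpg", "memo.txt"):
        (root / name).write_bytes(os.urandom(SAMPLE_BYTES))


def run_demo() -> Tuple[List[str], float]:
    """Build the fixture in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root), suspicious_ratio(root)


if __name__ == "__main__":
    flagged, ratio = run_demo()
    print("files that look encrypted:", flagged)
    print(f"share of documents affected: {ratio:.0%}")
```

The signature check is what keeps the false-positive rate tolerable: a .docx or .jpg is high-entropy by construction, so entropy alone would flag every intact document. The ratio across a tree, not any single file, is the signal worth alerting on, and the detection only tells you what has already been lost; the backup and restore Hypponen recommends is what gets it back.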
Mikko Hypponen passed his own Bitcoin around for all to see and a further talk ensued around this fairly new phenomenon.
It would seem that the basic idea is sound enough, provided a currency without any backing – such as the former gold standard – is acceptable; and the highly indebted US dollar seems acceptable to enough players in the finance industry to affirm that it is… to a majority, anyway, because there are very articulate naysayers who are totally against such currencies. The fact remains that Bitcoin and others are in use today, but on top of that ‘doubt’ people are misusing Bitcoin: they are hoarding it, hoping to gain from its ever-increasing value, but that was not the intention; it was intended as a medium of exchange only. It could have worked, but the fast-buck attitude came into play.
Mikko Hypponen paid 40 euros for the coin that circulated among us that day, and at that moment it was worth 900 euros. Its value had skyrocketed.
“A lot of the users are hoarding it,” he continued, “waiting for the value to go up. They are not using it for buying things, they are just hoarding it, speculating on it, but that was not what it was intended for. It also means that this guy who had this 50 euro computer in 2009 to bid for Bitcoin, if he had kept his Bitcoin, would be a millionaire today!
“Today you can go and buy a purpose-built, ASIC-based mining rig for US$25,000 which can be used for nothing else other than buying-selling Bitcoin. And the deal is, you get your money back in two weeks. Where can I get one, we all may ask? Well, there’s a two-year queue!
“Why are we speaking about Bitcoin? Because online criminals are very interested in virtual currencies. Various crimes in regard to Bitcoin have been seen. They get stolen. If you have Bitcoin in a wallet on your computer, if you steal the file you steal the coins. It’s just like cash: you are free to use it whenever you want; you will never be caught; there is no way for the victim to get the file back. Just as if someone steals your cash, you never get it back.
“The botnets started using the computers on their botnets for Bitcoin mining, so instead of service attacks they would be used in this other way. This is a very interesting shift in the attack scenario. Now the attacker is not trying to steal money from the owner of the computer… now the owner of the computer is irrelevant – you don’t have to have a human at the keyboard of the computer for the attackers to make money; the valuable thing is the CPU or the GPU [GPU-accelerated computing is the use of a graphics processing unit (GPU) together with a CPU].”