Security Feature: Misplaced trust in trustworthy names?

Just the other day a journalist commented to me, as so many have before, that “surely people can be relatively safe online, if they just avoid dodgy sites” (and by dodgy sites, they usually mean porn or piracy sites). After all the years of telling people about malicious code injections, about drive-by downloads, and about Trojans just about everywhere you look (or don’t look), some still believe all they have to do to stay safe is to refrain from visiting dodgy sites. Well, just recently we have again been reminded that not only are troubles not limited to dodgy sites, but that even some sites we’d expect to be completely trustworthy can be compromised.

At the beginning of February, ESET researchers Aryeh Goretsky and Randy Abrams wrote about an infection that seems to have originated from Microsoft. In late January a customer reported that ESET NOD32 Antivirus had prevented a Trojan from infecting a mobile user’s computer, but that the source of the infection was Microsoft’s own Update Catalog. Though this was no direct fault of Microsoft, their driver updates page provides users with many third-party driver updates, and it was into one of these that a Trojan sneaked (more in Aryeh’s full story). Randy Abrams then followed up with a detailed breakdown of how the third-party updates function, why such occurrences are not unusual and why Microsoft didn’t catch it.

Very soon after that came reports of BBC6 Radio’s homepage being afflicted by a malicious link which was reported to carry various types of malware. In addition, Lush cosmetics websites have been compromised and customer data stolen (more in ESET researcher David Harley’s blog). David also reported that public-access PCs in libraries have been found with hardware keyloggers attached, stealing people’s login data. (See also Keyloggers in the Library and Dan Raywood’s article for SC Magazine on keyloggers found plugged into library computers.)

ESET’s Marek Polesensky added his contribution to the growing list of reports on Facebook threats, with a report on a slew of worms, including Win32/Yimfoca.AA and Win32/Fbphotofake; for a few weeks Win32/Yimfoca.AA has even ranked in the ThreatSense.Net Top Ten Threats in many European countries.

Financial institutions weren’t spared either. In Ireland we’re still seeing plenty of phishing emails using templates of well-known Irish banks, as well as a recent phish purporting to be from the Revenue Commissioners and indicating that the recipient is entitled to a tax rebate. Elsewhere, Trusteer has reported on a Trojan that keeps online banking sessions open for crooks to exploit, even after the user has logged out.

Combine, then, the confidence that everything will be all right if one avoids dodgy websites with the reality that the above threats are lurking everywhere, even in supposedly well-known and safe institutions. We sort of expect such organisations to take care of security concerns for us; since this clearly isn’t always the case, it comes as no surprise that one fifth of Irish businesses have experienced a data breach and that UK business is losing over £20 billion to cyber crime, as reported in ESET Ireland’s blog. Tying in with this data, the EU statistical office reports that a third of EU computer users have caught a computer virus.

Antivirus vendors, such as ESET, have often been accused by the media of fear-mongering in order to stimulate sales of our products, but all one really has to do is glance over the news headlines to see that every day brings a different report about another breach, fraud, scam, item of malware, etc. Very few of these are harmless or easy to ignore, and most of these stories don’t even come directly from antivirus vendors. Perhaps now, with names we have come to accept as trustworthy coming under attack, it is time for a less complacent attitude in dealing with cyber threats on the part of both the media and the general public. Just as regular crime is no longer seen exclusively in the dodgier parts of towns, so cybercrime has long since stopped being the domain of dodgy websites. On the contrary: the more successful security types are at spotting and taking down malicious sites, the more the bad guys will try to compromise sites that you’d expect to be thoroughly respectable and clad in virtual armour.

Urban Schrott,
IT Security & Cybercrime Analyst,
ESET Ireland
