What do former vice-presidential candidate Sarah Palin and French president Nicolas Sarkozy have in common?
Both are individuals in the public eye who fell victim to Internet crime in the space of a month; Sarkozy’s online banking username and password were stolen and used to funnel funds from his bank account, while Palin’s Yahoo! email account was compromised after a hacker reset her password and accessed her inbox by answering ‘secret questions’ – information such as her birth date, zip code and high school, all publicly available on Wikipedia. Her private emails were published online and her account was accessible to all and sundry before a good Samaritan changed the password and contacted her office.
These kinds of targeted attacks are increasingly prevalent in the corporate world too, says Mike Davies, VeriSign’s marketing director for EMEA, with large amounts of information about many corporate executives available online (and indeed offered freely as in the case of social networking sites such as LinkedIn).
The attraction for cybercrooks, says Davies, is that corporate cards and accounts, or those belonging to frequent-flying executives, tend to have higher limits but can ironically be less protected than consumer cards. Corporate cards that frequently transact high amounts in many different countries are much less likely to be picked up by fraud detection systems looking for uncharacteristic transaction patterns. They are also highly prized by criminals, selling for significantly more on card data trading sites.
A bonus for the thieves, says Davies, is that such cards are often poorly monitored by their users. “Most people in business don’t look at their bills on a weekly basis, and they’re not quite as worried if they see a $3,000 charge on a work card than they are if they see one on their own,” he says.
The tactic, known as ‘spearphishing or ‘whaling’ when the victim is a big enough corporate fish, is relatively new. According to a study by VeriSign’s iDefense division, since February 2007, 66 distinct attack profiles have been logged, targeting an estimated 15,000 corporate victims. And individual losses have been as high as $100,000. One attack that VeriSign has details on, launched in April this year, was typical: emails masquerading as subpoenas contained the correct names, addresses, phone number and company details of the executives, and directed them to a website purporting to contain a full version of the document. Those who clicked on it were informed that they needed to download a browser add-on, which would install a Trojan and keylogger program.
The success rate was high: as many as 20,000 executives were targeted, iDefense reported, and 10% took the bait. Of these, emails claiming to be from the IRS or the US Treasury Tax Court were the most successful, claiming over three-quarters of the victims between them.
Davies believes that targeted attacks will increase as personal information becomes more accessible.
“Not everyone has a Wikipedia page,” he says, “but 13 to 14 year olds are now putting information on social networking sites that in five to ten years will [make them] vulnerable.”
Line of defence?
Besides education, one-time authentication could mitigate the effects of many such attacks even if a username and password is uncovered by a keylogger. VeriSign and smartcard manufacturer Giesecke & Devrient are developing a card with an integrated screen that generates a random authentication number for every transaction or account access simply by pressing on the card. The only way to access the account or make a transaction would be to conduct a relatively sophisticated man-in-the-middle attack – or to have the card, the size of which overcomes the portability issue inherent in many ‘one-time pad’ devices.
In common with other devices however, the unit cost has yet to reach a point where it justifies adoption across the general populace, but for those most at risk of targeted cybercrime it could ensure that spearphishers go home empty handed.