Bruce Schneier

 

Blog

Crypto-Gram Newsletter

Books

Essays and Op Eds

News and Interviews

Audio and Video

Speaking Schedule

Password Safe

Cryptography

About Bruce Schneier

Contact Information

 

Schneier on Security

A blog covering security and security technology.

« Gait Analysis from Satellite | Main | Secret Military Technology »

September 10, 2008

News from the Rock Phish Gang

Definitely interesting:

Based in Europe, the Rock Phish group is a criminal collective that has been targeting banks and other financial institutions since 2004. According to RSA, they are responsible for half of the worldwide phishing attacks and have siphoned tens of millions of dollars from individuals' bank accounts. The group got its name from a now discontinued quirk in which the phishers used directory paths that contained the word "rock."

The first sign the group was expanding operations came in April, when it introduced a trojan known alternately as Zeus or WSNPOEM, which steals sensitive financial information in transit from a victim's machine to a bank. Shortly afterward, the gang added more crimeware, including a custom-made botnet client that was spread, among other means, using the Neosploit infection kit.

[...]

Soon, additional signs appeared pointing to a partnership between Rock Phishers and Asprox. Most notably, the command and control server for the custom Rock Phish crimeware had exactly the same directory structure of many of the Asprox servers, leading RSA researchers to believe Rock Phish and Asprox attacks were using at least one common server. (Researchers from Damballa were able to confirm this finding after observing malware samples from each of the respective botnets establish HTTP proxy server connections to a common set of destination IPs.)

Posted on September 10, 2008 at 7:47 AM14 Comments

To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.

Comments

>> which steals sensitive financial information in transit from a victim's machine to a bank<<

Whatever happened to the security promised by ssl and (theoretical) defenses against man(or woman now) in the middle attack ?

Posted by: sooth sayer at September 10, 2008 8:40 AM

@Sooth Sayer

If you "own" the machine, then you own the end "after" the decryption takes place. Internet explorer bundled into the OS makes it VERY easy.

Got to see it with a 2006 malware that stole "everything" you saw and typed, including intranets, SSL, etc..

Posted by: David at September 10, 2008 8:54 AM

@sooth sayer: I guess (barring subvering either user's machine, or bank server) that they used Man In the Middle attack; how close do you check SSL/TLS certificates?

Posted by: Jakub Narebski at September 10, 2008 9:04 AM

@ Sooth Sayer

This isn't a man in the middle attack, since they are on one end of the encryption. Man in the middle is when you can sniff or relay (and therefore change) data going between computers.

As soon as you have execution on one of those machines the paradigm has changed.

Your question is like asking "How did John hear if she whispered it to both Bob and John?"

Posted by: Ross Snider at September 10, 2008 9:15 AM

@Sooth Sayer

In addition to the other comments: Many phishing attacks rely on he fact that people not only fail to check the security certificates, they fail to recognize at all that a session to their bank SHOULD be encrypted but is not. So an attacker can set up an SSL session to that bank with the data provided by the user over the unencrypted line.

Posted by: Jeroen at September 10, 2008 9:35 AM

When I read the post's title, Bruce, I thought you were talking about the music band called Phish!

http://en.wikipedia.org/wiki/Phish

But then the first sentence set me straight.

Posted by: Nick Hoffman at September 10, 2008 10:53 AM

@sooth sayer

Not sure where you got the impression that this was MITM. But if it was the portion of the article wherein it refers to the exploit occuring "in transit" - that is simply journalistic misunderstanding. Basically, based on my understanding of the inital exploit: users get phished, users get WNSPOEM trojan, trojan gets sensitive data from client, user is pwned.

There are, of course, ways to pwn users using MITM but that isn't what this article is about.

This is about a link between Asprox and Rock Phish as they both are employing the same directory structure (which tends to imply some connection) in the command/control servers in their respective "fast-flux" bot-nets. Or at least that was my reading.

Posted by: rich at September 10, 2008 11:01 AM

@all the commentator

read the description of the problem more closely .. or any closely.

>> in transit from a victim's machine to a bank<<

I have no idea what you guys are reading; but this says nothing of infected machines or bogus certificates -- it clearly says someone was intercepting the sessions

Posted by: sooth sayer at September 10, 2008 12:53 PM

The point's been made before, but SSL is really not much of a security measure... MITM attacks are the exception, endpoint attacks are the rule. SSL is more about securing what was easy to secure than what needed to be secured.

Posted by: K. Signal Eingang at September 10, 2008 12:53 PM

@rich
If this is the only angel -- then this article/report is bogus sensationalism.


Posted by: sooth sayer at September 10, 2008 1:00 PM

@soothsayer

"I have no idea what you guys are reading; but this says nothing of infected machines"

Read the whole sentence again, especially the part before the comma that says "...introduced a trojan known alternately as Zeus or WSNPOEM, which steals sensitive financial information in transit from a victim's machine"

Trojans are a reference to infected machines.

Limbo, Snatch, WSNPOEM/TCPWP/Zeus, etc. are host-based and not network MIIM.

Posted by: Davi Ottenheimer at September 10, 2008 2:05 PM

@sooth sayer

well, yes and no. the point isn't the trojan, or previous exploits but rather the link between the bot-nets. i would guess that those items were just thrown in to beef up the register article and maybe give some history.

ultimately, though, one should be able to understand that this isn't about MITM since that isn't what trojans or bot-nets do.

also, probably should throw in here that SSL isn't a complete security - it has a role but a limited one. for instance, if you are surfing unsecured wireless, like bruce here does (ssl or not), you may be pwned

Posted by: rich at September 10, 2008 4:03 PM

@ all

hmm, trojan ... keylogger?

Posted by: riots at September 10, 2008 9:30 PM

@riots

um...ok.

I wonder if anyone commenting on this post will ever have an opinion about the forensic link between rock phish and asprox instead of an off-topic remark about SSL or MITM or helpfully pointing out that a trojan could be a key-logger?!?!?

I, for one, am done with the charity work of trying to convince people that this post is not about MITM and does not implicate SSL (in its limited role).

Posted by: rich at September 11, 2008 9:20 AM

Post a comment




E-mail is optional and will not be displayed on the site.


Remember Me?


Powered by Movable Type. Photo at top by Steve Woit.

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.

 
Bruce Schneier
Blog Menu

Search


blog only
essays and op eds only
whole site

Blog Home Page
100 Latest Comments

Archives by Date

2010 J F M
2009 J F M A M J J A S O N D
2008 J F M A M J J A S O N D
2007 J F M A M J J A S O N D
2006 J F M A M J J A S O N D
2005 J F M A M J J A S O N D
2004 J F M A M J J A S O N D

Support Bloggers' Rights!
Latest Book
Cryptography Engineering book cover
more books by Bruce Schneier
Syndication
Full Text Feed
Excerpts Feed

Download Feed For E-Book Readers
Follow on Twitter

Translations
German
Italian (selected entries)
Crypto-Gram Newsletter
If you prefer to receive Bruce Schneier's comments on security as a monthly e-mail digest, subscribe to Schneier on Security's sister publication, Crypto-Gram.
read more