I was just reviewing the latest FBI report from the Internet Crime Complaint Center (IC3) here (PDF), and although I’m sure that a lot of security vendors out there are going to jump on the “33% increase in internet fraud last year” statements, looking into the actual numbers, it’s important to realize how “off” they are. As “Non-delivery” and “Auction fraud” top the charts (with 32.9% and 25.5% respectively), this means that the report only sees the tip of the iceberg. These are just the money mule schemes that are intended for laundering all of the profits actually made by eCrime. And it makes sense – most of the focus for law enforcement is on the lowest hanging fruit, and in the eCrime business model this means money laundering.

Another insight on how eCrime actually works can be learned from the amounts reported (average) per complaint type – the “non-delivery” types (of merchandise or money) ranges around $800 per complaint, while check and confidence fraud are at the $2000-$3000 loss per complaint. This makes sense as when an eCrime “transaction” starts, it is usually based on banking/financial institution account directly, harvesting large sums of money that are later split to smaller amounts (to lower visibility) and laundered through the “field operatives” (i.e. money mules). Bottom line – we still don’t have the full picture and (unfortunately) still cannot amass the true impact of eCrime in economic terms.

The bright side is that there is more awareness in the public (hence the rising numbers – remember that these are based on REPORTED cases…). Although the main focus as I mentioned is still on the perimeter of the business model, hopefully the continued cooperation between law enforcement and the industry (kudos again to the e-Crime congress which I had the pleasure to be part of last month) will get us all to the phase of handling the actual core of the business model and deal with it properly. We’ll keep doing our job in investigating both the technical aspects of the attacks associated with eCrime, as well as the back-office operations, and hope to get everyone lined up to deal with this growing threat. 

It’s that time of the year again… March madness is engulfing us with news and pre-season activities, and everyone is out and about to see what we would be seeing in the coming months. Just as we have portrayed before, eCrime is a social animal just as well, and is not going to let the action go by without having a chance to have a go at the crowd.

As usual – it’s the same technique all over again – using SEO (Search Engine Optimization) to grab high ranking in search results and leading users clicking on the related links to a variety of malicious content. We have see similar techniques used during the US presidential election season covered quite elaborately in the past, and don’t be surprised to see more of the same hitting the next seasonal event as long as it can attract enough “eyeballs” on search engines.

eSafe AID – the Attack Intelligence Datacenter has recently discovered a new massive Web attack, operated by RBN, in which an exploit code is being injected on compromised legitimate websites. The injected obfuscated malicious script points to a remote obfuscated hidden IFrame that leads to another obfuscated exploit. The last chain of this multistage Web attack includes Adobe PDF and Windows media encoder exploit variants.

The attack stages:

The first obfuscated exploit code has a low detection rate by Anti-virus vendors. eSafe detects the exploit as JS.Agent.au

The obfuscated exploit code:
 

Virus Total results:
 
 

The attack stages in brief:

1. A user visits a legitimate hacked website where an obfuscated script leads to other hacked websites.
2. The second stage hacked websites, located in Ukraine, contain obfuscated hidden IFrames that lead to the hacker’s server.
3. The obfuscated exploit code on the hacker sever contains Adobe PDF and Windows media encoder exploit variants.
4. Affected systems are automatically joined to a bot controller located in Luxemburg.

Tracking the footprints of these domains leads to the infamous RBN (hosting illegal sites, DDos attacks, Hacking, and pornography).

A recent report from McAffee reaffirms our 2009 predictions, and talks about how eCrime is starting to benefit from ex-employees, noting that this trend is not limited to the IT guys... As we recall - the possibility to participate in the emerging eCrime business is closer than ever, with a quick buck to be made, and most importantly - quickly...

As the recession is hitting every sector and every business, many ex-employees find themselves with a very "unique" opportunity to leverage their dayjob skills to turn a profit in this financial dire. Having a proper security policy in the organization, and probably just as important - a humane and considering layoff operations that put the most valuable asset (regardless if it is to leave the company) - the employee as a first priority, can help mitigate the risks of data loss, and disgruntled employee damages.

As we have been predicting (and following during 2008), the criminal’s mind is very much attuned to public mind. The current issues that everyone (well, at least a lot of us) has been dealing with are the current economical situation, and what president Obama is going to do about it. Without fail, eCriminals have been worried about the same issues, and in their latest “marketing” efforts have made sure that relevant internet sites will cater for themselves as well. Reports by Websense and Sophos show how both the official Barack Obama website, and a couple of popular job sites have been compromised in an attempt to capitalize on the volume of traffic that has been hitting these sites.

As usual, no much surprise here (read more details about the “almanac” of web security here), still, be careful out there – even on sites which you supposedly trust. Common sense usually trumps the irresistible urge to click and approve everything shown to you when trying to get to some content.