Posts tagged marketing

Dealing With The Illusion of Invulnerability in Information Security

People overestimate their immunity to threats in many situations. One such example is discussed in a research paper by Grant and Hofmann, which explores how to motivate hand hygiene among healthcare professionals. Their findings might apply to other areas where individuals experience the illusion of invulnerability, including information security.

According to the researchers, doctors and nurses wash their hands only half as often as recommended. This is, in part, due to the feeling that they are not vulnerable to disease. This might be because when people get sick, it’s not clear that poor hygiene is the culprit. It might be easier for individuals “to recall instances in which they failed to wash their hands without getting sick, but difficult for them to recall episodes in which failing to wash their hands made them ill.”

Two Versions of Hand Hygiene Signs

Grant and Hofmann’s paper describes a common way of motivating healthcare professionals to wash hands by posting signs that say:

Hand hygiene prevents you from catching diseases.

As you might expect, the illusion of invulnerability renders this approach relatively ineffective. However, researchers found that changing a single word in the sign significantly increased the rate of washing and sanitizing hands:

Hand hygiene prevents patients from catching diseases.

“You” was changed to “patients.” Researchers explain that healthcare professionals were more motivated by messages highlighting consequences to others, rather than to themselves because:

“Whereas people tend to overestimate their own invulnerability, for both motivational and cognitive reasons, they are less susceptible to this bias when estimating the vulnerability of other people.”

Explaining Vulnerability With Respect to Others

Following this logic, we might be more effective at influencing people’s information security practices by highlighting the risks to others, rather than to the individuals receiving the message.

If you are in a position to research the effectiveness of security awareness practices, consider explaining how weak security practices might expose customer data or how one’s infected system might be used to attack other victims. This might apply to selling or marketing information security products and services as well: Don’t pay attention to security for your own sake—do it to protect your clients, family members, friends, or even strangers.

The Illusion of Invulnerability Among Professionals

Shouldn’t healthcare professionals, who are knowledgeable about disease, wash their hands more often? It turns out that they might actually be more susceptible to the illusion of invulnerability than laypersons. According to the paper, overestimating one’s immunity may be necessary “to maintain a sense of security while working in hazardous environments.” Convincing themselves that they are protected allows doctors and nurses to perform their jobs.

Could a similar dynamic apply to information security professionals, who deal with data breaches and computer attacks on a regular basis? We become desensitized to such incidents and, perhaps, exercise less caution than would be prudent to protect our own information resources. How many infosec pros don’t follow their own advice about selecting passwords, restricting access or monitoring for suspicious activities? Truly, I don’t know, but I suspect more than would care to admit.

Lenny Zeltser

Malvertising: Dealing With Malicious Ads - Who and How?

My earlier posts presented malvertising examples and explored how malicious ads work and how they get deployed and protected. This note considers what might be done to handle the threats of malicious ads. Who can and should deal with this issue?

Spotting Malicious Ad Campaigns

Recommendations for ad networks for spotting potential malvertising campaigns include:

  • Validate the integrity and authenticity of the entity wishing to place the ad by reviewing their credentials and documentation and by conducting a background search with financial review companies. Unfortunately, the documents are easily faked and review companies provide very limited coverage.
  • Research advertisers with domain registry lookup tools looking for red flags, such as concealed contact details, recently-created or modified records or the use of webmail email addresses for domain contacts. This seems quite practical to me.
  • Examine Flash ads with analysis tools, such as automated analyzers or web proxies. Unfortunately, the authors of malicious Flash ads are very good at concealing malicious logic, making it very hard to examine these programs to identify malware characteristics. (Perhaps ad networks could refuse to accept Flash ads with scripts that seem obscure or obfuscated.)
  • Watch out for social engineering tricks, such as willingness to pay for the full campaign in cash, placing orders at the last moment or maintaining contact at odd hours. This is hard to do, considering how persuasive social engineers can be. Moreover, ad networks’ sales people might prefer to get paid and deal with the potential malvertisement later, rather than saying “no” to a new customer.
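The domain-registry check in the list above can be turned into a repeatable triage step. The following is an added example, not code from the original post or from any ad network: it applies the three red flags named there (concealed contact details, recently created or modified records, webmail contact addresses) to constructed WHOIS-style records. The field names, the 90-day window and the webmail provider list are assumptions chosen for illustration.

```python
"""Red-flag triage for advertiser domain registration records.

Added example (not from the original post). Applies the red flags listed
in the post to constructed WHOIS-style records. The record layout, the
RECENT_DAYS window and WEBMAIL_DOMAINS are assumptions for illustration.
"""
from datetime import date

# Assumption: consumer webmail providers an ad network would not expect
# a legitimate agency to use for its domain contacts.
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "live.com", "aol.com"}
# Assumption: registrations created or modified within this window are "recent".
RECENT_DAYS = 90

# Constructed sample records (not real advertisers).
TODAY = date(2011, 6, 1)
SAMPLE_RECORDS = [
    {"domain": "established-agency.example", "created": date(2004, 3, 10),
     "updated": date(2010, 11, 2), "registrant_email": "ops@established-agency.example",
     "privacy_protected": False},
    {"domain": "fresh-ads.example", "created": date(2011, 5, 20),
     "updated": date(2011, 5, 20), "registrant_email": "someone@gmail.com",
     "privacy_protected": False},
    {"domain": "hidden.example", "created": date(2008, 1, 15),
     "updated": date(2011, 4, 30), "registrant_email": None,
     "privacy_protected": True},
]


def registration_flags(record, today):
    """Return the list of red flags raised by one WHOIS-style record.

    A domain created within the window is flagged as new; an older domain
    whose record changed within the window is flagged as recently modified
    (a fresh domain is trivially "modified", so only one of the two fires).
    """
    flags = []
    if record.get("privacy_protected") or not record.get("registrant_email"):
        flags.append("concealed contact details")
    if (today - record["created"]).days <= RECENT_DAYS:
        flags.append("recently created domain")
    elif record.get("updated") and (today - record["updated"]).days <= RECENT_DAYS:
        flags.append("recently modified record")
    email = record.get("registrant_email") or ""
    if "@" in email and email.rsplit("@", 1)[1].lower() in WEBMAIL_DOMAINS:
        flags.append("webmail contact address")
    return flags


def triage(records, today):
    """Rank records by number of red flags (most suspicious first)."""
    scored = [(r["domain"], registration_flags(r, today)) for r in records]
    return sorted(scored, key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for domain, flags in triage(SAMPLE_RECORDS, TODAY):
        print(f"{domain}: {', '.join(flags) or 'no red flags'}")
```

The ranking is only a prioritization aid for a human reviewer; a flagged record is a reason to look closer at the advertiser, not by itself a reason to reject the campaign.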

These practices are either not being followed or are ineffective, given the apparent popularity and effectiveness of malicious ads.

Who Can Deal With Malvertisements?

In an article that explored who should kill off malvertisements, Trend Micro’s Rik Ferguson pointed out that “website owners and ad networks alike suffer embarrassing brand damage when their customers are infected.” However, I am not sure brand tarnishing provides sufficient incentives to motivate companies to address the problem:

  1. A website might suffer embarrassment when displaying a malicious advertisement;
  2. The site apologizes and points a finger at the ad network that served the ad;
  3. The network apologizes and disables the offending advertisement;
  4. The world moves on and forgets about the incident after a few days.

Moreover, ad networks probably keep the money they were paid for the campaign that turned out to be malicious. This creates an incentive to look the other way even when the ad network’s sales staff notices red flags when processing the campaign.

The Role that Enterprises and Individuals Can Play by Blocking Ads

When describing his experience supporting LAN operations for about 4 years, Michael Robinson observed that the majority of malware infections in that environment occurred through malvertisements. In response, the company’s firewall engineers:

“Created rules to block traffic from 20 specific advertisers. By blocking only these sites, the number of malware infections on the LAN dropped by over 80%.”

If blocking ads is as effective as what Michael experienced, then by adopting this practice on a larger scale—at the network level as well as on individual workstations—organizations might create powerful incentives for ad networks to work more rigorously at investigating, identifying and responding to malvertising campaigns.

For now, individuals and organizations can minimize their exposure to malvertisements by minimizing their exposure to banner ads. Also, the standard practices for combating social engineering scams, client-side exploits and malware apply when dealing with the threat of malicious ads.
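Before adding firewall rules like the ones Michael describes, an administrator would want to know which ad-serving hosts the LAN actually talks to and what share of requests a short blocklist would cover. The following is an added example, not code from the original post or from the company discussed in it: it replays a few constructed proxy log lines (Squid native access.log layout, URL in the seventh field) against a constructed blocklist of placeholder ad domains, matching hosts by label boundary so that every subdomain of a listed advertiser is caught while look-alike names are not.

```python
"""Estimate the coverage of a small ad-domain blocklist from proxy logs.

Added example (not from the original post). The log lines and the
blocklist are constructed; the domains are placeholders, not real advertisers.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed blocklist of ad-serving domains (placeholders).
BLOCKLIST = {"adnetwork-one.example", "bannerserve.example", "trackpixel.example"}

# Constructed Squid native access.log lines:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1306900000.123    45 10.0.0.5 TCP_MISS/200 5120 GET http://www.news-site.example/index.html - DIRECT/198.51.100.1 text/html
1306900001.456    30 10.0.0.5 TCP_MISS/200 9000 GET http://ads.adnetwork-one.example/serve?id=42 - DIRECT/198.51.100.2 application/x-shockwave-flash
1306900002.789    12 10.0.0.7 TCP_MISS/302 300 GET http://cdn.bannerserve.example/b/77 - DIRECT/198.51.100.3 text/html
1306900003.012    20 10.0.0.7 TCP_MISS/200 4000 GET http://notadnetwork-one.example/page - DIRECT/198.51.100.4 text/html
1306900004.345    18 10.0.0.9 TCP_MISS/200 100 GET http://trackpixel.example/p.gif - DIRECT/198.51.100.5 image/gif
"""


def blocked_by(host, blocklist=BLOCKLIST):
    """Return the blocklist entry covering host, or None.

    Matching respects label boundaries: 'ads.adnetwork-one.example' is
    covered by 'adnetwork-one.example', but 'notadnetwork-one.example' is not.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def host_of(log_line):
    """Extract the request host from a Squid native access.log line."""
    fields = log_line.split()
    if len(fields) < 7:
        return None
    return urlsplit(fields[6]).hostname


def blocklist_report(log_text, blocklist=BLOCKLIST):
    """Replay log lines against the blocklist.

    Returns (total_requests, blocked_requests, hits_per_blocked_domain).
    """
    total = 0
    hits = Counter()
    for line in log_text.splitlines():
        host = host_of(line)
        if host is None:
            continue
        total += 1
        entry = blocked_by(host, blocklist)
        if entry:
            hits[entry] += 1
    return total, sum(hits.values()), dict(hits)


if __name__ == "__main__":
    total, blocked, per_domain = blocklist_report(SAMPLE_LOG)
    print(f"{blocked}/{total} requests would have been blocked")
    for domain, n in sorted(per_domain.items(), key=lambda kv: -kv[1]):
        print(f"  {domain}: {n}")
```

Run over a real access log, the per-domain counts are what you would use to pick the handful of advertisers worth a firewall or proxy rule, and re-running the report after the rules go in shows whether the blocked share actually dropped to zero.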

This note is part of a series of malvertising-related posts.

Lenny Zeltser

Malvertising: How Malicious Ads Are Deployed

My earlier posts looked at examples of malvertising campaigns, explored how malicious ads function and how they are protected. This note examines how scammers deploy malvertisements into the world, making them appear on numerous desktops, laptops and mobile devices across the web.

Sometimes, attackers compromise the ad network’s IT infrastructure to distribute malvertisements. This allows the attacker to directly control what banner ads are displayed, offering the ability to serve malvertisements or to modify legitimate ads to include malicious code or destinations. This seems to have been the case in the Unanimis incident that affected websites such as the London Stock Exchange. According to SC Magazine, Unanimis confirmed that the malvertisements were the result of unauthorized access to their systems.

Another, perhaps more common approach to injecting malvertisements into the web ecosystem involves impersonating agencies that supposedly represent legitimate clients wishing to advertise. This approach involves attackers spending money to pay for the malicious ad campaign. (But it takes money to make money, right? In any case, they are probably paying with stolen funds.)

For example, a scammer contacted Gawker Media pretending to be a popular ad agency:

“I work with Automotive and Entertainment clients in Spark. First and foremost, we want to run a performance campaign for Suzuki across your network. Our budget to start is $25k+.”

In their phone and email interactions the scammer sounded professional and knowledgeable and was able to fool Gawker’s ad sales representatives into accepting and displaying the ads that turned out to be malicious.

Sometimes attackers pretend to be associated with legitimate and well-known ad agencies. In other cases, attackers represent fake ad agencies pretending to represent legitimate clients who wish to launch an advertising campaign. They might even present the ad network with a falsified Letter of Mandate, claiming that the company being advertised authorized the ad agency to act on its behalf. For instance, SkyAuction.com reported the following incident according to the Spyware Sucks blog:

“We were contacted by another company today that were duped into hosting one of the fraudulent ads for a couple of days (which have since been taken down). It seems that the source of the ads is a company called NetMediaGroup (http://www.netmediagroup.net). They are claiming to represent us and even provided a fake letter of mandate.”

Attackers can deploy malicious advertisements by compromising the ad network’s systems or by purchasing campaigns that distribute the malicious ads. These tactics allow attackers to run malicious code in browsers and applications of numerous users across the web, providing an effective initial attack vector.

This note is part of a series of malvertising-related posts.

Lenny Zeltser

Malvertising: How Malicious Ad Campaigns Are Protected

My earlier posts looked at examples of malvertising campaigns and explored how malicious ads function. In this note I look at the efforts that scammers put into protecting their ad-based attack campaigns.

Attackers do their best to make it harder for the advertisement networks to distinguish between benign and malicious ads. Obfuscating the logic implemented as part of the ad’s code—both HTML/JavaScript and Flash/ActionScript—is one way to do this. For instance, here’s an excerpt from a malicious web page using obfuscated JavaScript to evade detection and complicate analysis:

The script executes in the victim’s browser, recreating the original script on the fly and executing it to implement the client-side attack.

ActionScript included in malicious Flash ads can be obfuscated as well using a variety of techniques. One of these methods is implemented using a commercial (and non-malicious in itself) tool, SWF Encrypt, rendering the code within a Flash program virtually unreadable.

Another approach to protecting a malvertising campaign is to time it to take place over the weekend. The ad is often scheduled to begin displaying on Friday evening, but the malicious logic isn’t activated until early Saturday morning. This timing is designed to make it less likely that the advertisement network’s employees will be able to detect and quickly react to the malicious nature of the ad, since the staff probably isn’t at work during the weekend.

Unfortunately, it often takes a long time for the malicious ad to be disabled. Dasient’s Q4 2010 Malware Update reported the average lifetime of a malvertising campaign being about 10 days. Interestingly, according to Dasient’s data, Thursday appears to be the least popular day for malicious ads.

Attackers protect malvertising campaigns by carefully timing when the advertisements begin exhibiting malicious characteristics and also by obfuscating the code that implements the ad’s logic. These actions make it difficult for ad networks and end-users’ tools to distinguish between legitimate and malicious advertisements.

This note is part of a series of malvertising-related posts.

Lenny Zeltser

Malvertising: The Mechanics of Malicious Ads

My earlier post discussed examples of high-profile malvertising campaigns as a starting point for exploring the malicious practice of deploying ads to infect computers. This note digs into the mechanics of malicious ads to better understand how they function and what they do.

One approach to conducting a malvertising campaign involves an image ad that people click on to visit the advertised website. In this context, the advertised website turns out to be malicious in itself or redirects to a malicious site. For example, Kimberly from StopMalvertising described one malvertisement that took the person viewing or clicking on the ad to popadscdn.net, which redirected to pop.biyoetanol.net, which redirected to ad.amiadrugaddict.info, which eventually redirected to the Blackhole Exploit Kit hosted at 0d1.cz.cc.

If redirected to a site hosting an exploit kit, the victim’s system is subjected to one or more attacks on the browser or the software that the browser can invoke, such as Acrobat Reader or Java Runtime. The exploit kit’s code probes the victim’s browser environment to determine which vulnerability to attempt exploiting. Some of the malicious sites implement another approach, relying on social engineering to trick the visitor into installing malicious software.
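An analyst reviewing an ad like the one Kimberly described needs to see the whole redirect chain, not just the first destination, and a tool that walks it has to cope with chains that loop or never terminate. The following is an added example, not code from the original post or from StopMalvertising: the HTTP redirects are replaced by a constructed table of Location responses so the walk runs offline, and the hop limit, loop detection and placeholder domains are assumptions for illustration.

```python
"""Walk an ad's redirect chain offline and summarize it for review.

Added example (not from the original post). A real tool would issue the
requests from an isolated analysis host; here REDIRECTS is a constructed
table so the walk is reproducible. MAX_HOPS and loop detection are
assumptions any such walker needs.
"""
from urllib.parse import urlsplit

MAX_HOPS = 10  # assumption: give up after this many redirects

# Constructed redirect table: request URL -> Location header (None = final page).
REDIRECTS = {
    "http://click.adserver.example/go?cid=1": "http://pop.relay-one.example/r",
    "http://pop.relay-one.example/r": "http://ad.relay-two.example/x",
    "http://ad.relay-two.example/x": "http://landing.final-host.example/index.php",
    "http://landing.final-host.example/index.php": None,
    # A circular pair, to exercise loop detection.
    "http://a.loop.example/": "http://b.loop.example/",
    "http://b.loop.example/": "http://a.loop.example/",
}


def follow_chain(start, redirects=REDIRECTS, max_hops=MAX_HOPS):
    """Return (hops, status).

    hops is the ordered list of URLs visited; status is one of
    'final' (reached a non-redirecting page), 'loop' (a URL repeated),
    'hop-limit' (max_hops exhausted) or 'unknown' (URL not in the table,
    i.e. the request was never made in this offline replay).
    """
    hops = [start]
    seen = {start}
    current = start
    for _ in range(max_hops):
        if current not in redirects:
            return hops, "unknown"
        nxt = redirects[current]
        if nxt is None:
            return hops, "final"
        if nxt in seen:
            hops.append(nxt)
            return hops, "loop"
        hops.append(nxt)
        seen.add(nxt)
        current = nxt
    return hops, "hop-limit"


def distinct_domains(hops):
    """Ordered list of distinct hostnames in the chain. How many unrelated
    domains a click passes through is the first thing a reviewer looks at."""
    out = []
    for url in hops:
        host = urlsplit(url).hostname
        if host and host not in out:
            out.append(host)
    return out


if __name__ == "__main__":
    hops, status = follow_chain("http://click.adserver.example/go?cid=1")
    print(status, "->", " -> ".join(distinct_domains(hops)))
```

The same walk run on different days, or from clients claiming different locations, is how the time- and geography-dependent behaviour described later in this series shows up: the chain ends at the advertised site on one run and somewhere else on another.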

Malicious ads might also take the form of Flash programs. Flash provides the attacker with the ability to use ActionScript to embed “business logic” directly into the ad. This allows attackers to incorporate more elaborate instructions that would execute in the victim’s browser as soon as the advertisement is displayed.

For instance, the Flash-based ad can incorporate logic that decides when to attack the user and whom to attack. The ad might trigger a malicious action on a particular date; this is typically done to delay the attack until after the advertising network has examined and approved the ad. For instance, the ad can begin redirecting victims to a malicious site only during a weekend, and may decide to only go after people in a particular location.

The Flash advertisement’s logic may also evade detection by only attacking the user once—such ads typically use a cookie-like Local Shared Object (LSO) to avoid attacking the user if he has already been targeted. These and other techniques are described in the paper Analyzing and Detecting Malicious Flash Advertisements by Ford, Cova, Kruegel and Vigna.

Since Flash executes in the victim’s browser as soon as the ad is displayed, Flash/ActionScript-based malvertisements provide attackers with more flexibility than those based on HTML/JavaScript. Perhaps the future will bring malvertising campaigns where Flash-based ads usurp the victim’s CPU cycles to run computations, such as distributed password cracking. Another potential is to use the browser for Bitcoin mining; such operations are already possible using pure JavaScript, so an ActionScript version isn’t that far off.

Attackers take advantage of the ad’s nature to direct people to the advertised website by advertising websites that turn out to be malicious. They do this by modifying the ad’s destination after submitting it to the advertising network. Using Flash programs to implement the banner ad provides the attacker with additional control over the attack logic, because Flash can incorporate ActionScript that tends to be harder to examine than JavaScript.

This note is part of a series of malvertising-related posts.

Lenny Zeltser

Malvertising: Some Examples of Malicious Ad Campaigns

Internet advertisement networks provide attackers with an effective venue for targeting numerous computers through malicious banner ads. Such malvertisements may take the form of Flash programs that look like regular ads, but contain code that attacks the visitor’s system directly or redirects the browser to a malicious website. Malicious ads can also be implemented without Flash by simply redirecting the destination of the ad after the launch of the campaign.

How are such campaigns conducted? What, if anything, can we do about them? We can begin making sense of malicious ad practices by examining some examples of high-profile malvertising incidents.

Rik Ferguson from Trend Micro described an incident when the New York Times was hosting a banner ad that attempted to social-engineer people into installing a rogue antivirus tool. According to Rik, “the problem may have been ongoing for upwards of 24 hours” before the New York Times noticed the malicious nature of the ad and disabled it.

In another example, the London Stock Exchange website was also observed inadvertently serving malicious ads to its users, as described by Paul Mutton. This incident was traced to a possible breach at Unanimis—the company serving the ads for the London Stock Exchange and many other companies.

Elad Sharf from Websense analyzed the Unanimis malvertising incident that affected a number of high profile web properties. He noted that such malvertising campaigns are attractive to attackers because they “can be easily spread across a large number of legitimate Websites without directly compromising those Websites.”

Mary Landesman from ScanSafe/Cisco pointed out that the list of popular websites serving malicious ads in the recent years included Hoovers.com, USNews.com, Tucows.com, TheOnion.com, SpeedTest.net and many others. She also explained that malvertisements aren’t limited to a particular ad network; they’ve been “delivered via DoubleClick (Google), YieldManager (Yahoo!), and rad.msn.com (Microsoft),” and also through webmail services, such as Windows Live (Hotmail) and Yahoo! Mail.

Jiri Sejtko from Avast! also reported that large scale ad-networks are often responsible for delivering malvertisements. For one malvertising campaign tracked by Avast!, the most compromised services were YieldManager.com (Yahoo!) and Fimserve.com (FOX Audience Network), which delivered more than half of the malicious ads in that incident.

While most of the malvertising campaigns have affected users of web browsers, an incident involving Spotify showed that applications can be used as a similar attack vector. Patrik Runald at Websense described how Spotify, a music streaming service, was displaying a malicious ad to the users of its media-playing application. The app rendered the ad and its malicious code as if it were a browser without requiring user interaction. “If you had Spotify open but running in the background, listening to your favorite tunes, you could still get infected.”

The wide reach that attackers can have by delivering client-side attacks through advertisement networks—and the difficulty we’ve had curtailing malvertising practices—suggests that this attack vector isn’t likely to disappear soon. We need to find a better way of dealing with it.

This is the first post in a series of malvertising-related posts.

Lenny Zeltser

Shrinking vs. Slicing the Pie of Online and Computer Crime

Business managers use the term growing the pie to describe a scenario where the company’s actions increase the overall size of the market, for instance, by increasing the number of consumers willing to buy the product. In contrast, slicing the pie refers to the zero-sum game situation where the company pursues market share solely at the expense of its competitors.

Consider the opposite dynamic—shrinking the pie—and how it might apply to online and computer crime. Is there anything we can do to make it less attractive, or perhaps more costly and risky, to participate in the online and computer crime ecosystem?

Slicing the Pie in Information Security

Most of the security mechanisms erected by organizations aim at making it harder to compromise the environment in the hopes that the attacker will find it more attractive to pursue another target. This is a slicing the pie situation, because the company hopes to decrease its own slice of the crime pie at the expense of increasing someone else’s.

For instance, by putting up a web application firewall, the organization makes it harder for the attacker to compromise the potentially vulnerable web app. If sufficient defenses exist to address other likely attack vectors, the cost of pursuing this target will exceed the attacker’s motivation, which will encourage him to go after another, less protected target. The enterprise improved its own security and thus shrunk the size of its slice; however, the overall pie size didn’t change.

Shrinking the Pie in Information Security

In contrast, consider the activities in which we may engage that might dampen the growth of the online and computer crime ecosystem, thereby shrinking the whole pie. This is hard, but not impossible.

One way to shrink the pie is through more effective enforcement of computer crime laws. This might entail changing laws to make it easier to pursue suspects across jurisdictions and to encourage stronger international collaboration. For example, FBI’s Operation ACHing Mule made it more difficult to participate in online and computer crime by strengthening the deterrent and increasing criminals’ costs. That may have shrunk the pie a bit.

Another way to shrink the pie is by intervening in the flow of money in the crimeware ecosystem and increasing attackers’ costs. This approach was proposed in the paper Click Trajectories: End-to-End Analysis of the Spam Value Chain (PDF). The researchers’ goal was to:

“Identify any ‘bottlenecks’ in the spam value chain: opportunities for disrupting monetization at a stage where the fewest alternatives are available to spammers (and ideally for which switching cost is high as well).”

They showed that only “three banks provide the payment servicing for over 95% of the spam-advertised goods.” By refusing to settle certain transactions with a few high-risk banks, U.S. credit card issuing banks could dramatically increase the cost of sending spam. If it works, this would be an example of shrinking the pie of online and computer crime, and it would make all of us better off.

Information security architects use documented frameworks to codify key practices, technologies, objectives and other elements relevant to the organization’s security or risk management program. While there are clear benefits to creating and following such frameworks, we need to be mindful of the risks of adopting them without hesitation or customization.

Example: Marketing Strategy Frameworks

The notion of frameworks is present in many industries. For instance, among the marketing frameworks taught in business schools is one called Four P’s. Designed to assist in evaluating a marketing strategy for a product, it advises businesses to consider the following elements:

  • Product: What is the product?
  • Price: How is the product priced?
  • Place: Where or how will the product be purchased?
  • Promotion: How will the customer find out about the product?

Another framework speaks of four C’s—Commodity, Cost, Channel, Communication—as important elements of a marketing strategy. Yet another framework, called STP—Segment, Target and Position—advises how to focus the strategy on the appropriate parts of the market.

These, and many other frameworks, sound insightful. Yet, it is unclear that one person’s framework is more useful than another’s. Dan Ariely, a behavioral economist, discusses in the above video how he led a class of executive MBA students through a discussion that used two arbitrary frameworks that he made up, without the students even questioning the frameworks’ wisdom.

The moral of Dan’s story is that it’s easy to force the world into some framework without understanding the nuances of the situation and without evaluating the framework’s usefulness.

Information Security Frameworks

We love frameworks in the world of information security, too. We have standards, such as ISO 27001/27002 and PCI DSS, regulations such as HIPAA and FISMA, as well as lots of designs, templates and guidelines often grouped under the heading of best practices. Too often, companies attempt to adhere to these frameworks without understanding their applicability and limitations.

For instance, PCI DSS is pretty prescriptive about its security requirements. Yet, organizations often misinterpret them in a way that suits their budgets and business practices. Some companies even attempt to adopt PCI DSS as an approach to securing non-PCI environments without considering the extent to which the threats and security practices might differ.

As another example, consider the numerous controls listed as part of ISO 27002. Companies, possibly earnest in their desire to build an information security program, attempt to implement all of them. They do this despite ISO 27001 advising that the controls’ applicability depends on the organization’s “needs and objectives, security requirements, the processes employed and the size and structure.”

A related concern is our reliance on advice labeled best practices. These frameworks, according to The New School of Information Security, are “activities that are supposed to represent collective wisdom.” The book warns against relying on them blindly, in part because the groups that codify them have vested interests in security decisions. The book also points out that best practices “typically don’t take into account differences between companies or, more importantly, between industries.”

Usefulness and Dangers of Frameworks

Frameworks aren’t magic. They are put together by individuals like you and me, who usually do our best to codify our experiences and relay advice to other practitioners. This can help by providing a structure for making risk decisions, achieving compliance and thinking about hard security problems. However, we must be mindful of the dangers of blindly following frameworks without considering how they apply to a given situation or customizing them to the specific needs of the organization.

Lenny Zeltser

Explaining Your Progress to Clients or Colleagues

Your non-security colleagues or clients probably have a hard time telling whether you are doing your job well, unless you interact with them on a regular basis. After all, they probably don’t understand the intricacies of your work, which makes it hard for them to judge its quality. What can you do about it?

Out of Sight, Out of Mind

As I wrote in an earlier post, people who don’t understand a specialized skill set estimate the value they receive by assessing the effort (usually time) that goes into the project. Nowadays many employees and consultants work remotely; this makes it harder to know how much people have worked on a given task. This can lead colleagues or clients to assume that the person wasn’t working hard enough.

The solution to this challenge may involve meeting with the relevant people more often by phone or in person. In addition, we should put effort into providing regular status updates electronically regarding both the tasks in progress and recent milestones. (At the same time, we must be careful not to spam people or annoy them with numerous unnecessary calls.)

Posters in the Subway

Consider an example from the world outside of information security:

New Yorkers were grumpy about the apparent lack of improvements in the city’s transit infrastructure. The Metropolitan Transportation Authority (MTA) was asking for additional funding and planned to increase fares; yet, the riders and policy makers didn’t understand how the existing money was being spent.

MTA responded with a PR campaign to highlight the improvements it was making to subways, buses and bridges. The advertisement posters extolled the hard work of MTA employees and included the tag line “Improving, non-stop.” (It’s too early to say whether the campaign had the desired effect.)

What You Can Do

Perhaps your organization, your department or you yourself should launch a PR campaign to make sure that your colleagues or clients understand the work you do and how they benefit from it. Companies use similar tactics as part of a security awareness program or overall marketing campaigns, so this shouldn’t be a completely unfamiliar effort. Who knows, perhaps some day you’ll be receiving thank-you cards from appreciative admirers of your work.

Lenny Zeltser

Antivirus Products Are Like Cold Medicine - Not A Rant

The maturing antivirus industry exhibits several dynamics reminiscent of the cold medicine sector. This isn’t a criticism of antivirus products, but rather an observation that AV vendors can refine their business practices by learning from the more experienced pharmaceutical companies.

Consider the following similarities between cold medicines and antivirus products:

  • Cold medicine options are very similar in their ability to deal with colds (research 1, research 2). Established antivirus products have few meaningful characteristics that differentiate one tool from the other.
  • Cold medicines ease the symptoms of the infection, rather than attacking the underlying infection (research). Antivirus tools tackle individual malware cases, but underlying security problems remain to be resolved through other means.
  • The active ingredients used in cold medicines haven’t changed for many years (listing). Antivirus technologies still incorporate malware detection approaches developed a while back (though new technologies are evolving).
  • Consumers’ understanding of cold medicine effectiveness is based on limited personal experience and brand perception, rather than objective research. Antivirus product selection tends to follow similar subjective and brand-based criteria.

A paper by Zahra Ladh points out that during the 1980s and 1990s, “the pharma industry enjoyed success over an extended period achieving double-digit growth consistently. The success of the industry depended on strong R & D, the use of patents and a powerful sales force.” With the growth rate slowing down, the industry increased its investment into marketing and branding strategies.

Similarly, with the antivirus industry becoming crowded with vendors and with the standard AV products exhibiting commodity-like characteristics, the antivirus vendors are focusing on stronger branding for their products. Marketing for the mass-market is expensive, which is why large AV companies have an edge in this respect over the smaller vendors.

Understanding the similarities between the antivirus and cold medicine (and pharma) industries can help AV vendors learn from the business development and marketing approaches utilized by pharmaceutical companies. At the same time, users of antivirus products should look more closely at the effectiveness of the tools they are purchasing and should demand that the vendors provide more details about the products’ capabilities rather than using general terms like “cloud antivirus” or “most powerful solution.”

Lenny Zeltser