By Gregg Keizer, TechWeb Technology News
A massive run-up in the number of Trojan horses and Trojan horse downloaders, as well as a corresponding jump in the number of malicious sites, over the last three weeks means that a new, large-scale, coordinated phishing campaign is being waged by criminals, a security vendor said Friday.
Websense, a San Diego-based security company, has detected a "four- to five-fold increase in the number of Trojans during the last week of June and especially the first two weeks of July," said Dan Hubbard, Websense's senior director of security.
"In July alone, we've seen more than a thousand different sites that are hosting this malicious code, and more than 100 unique Trojans," Hubbard added.
The Trojan horses are either planting keyloggers on compromised systems, or retrieving downloaders that in turn install a keylogger, said Hubbard. All have the same goal: snatch usernames and passwords to specific online banking sites so that the criminals can empty accounts.
"The keyloggers are going after a specific list of banks, and don't invoke themselves until or unless the user accesses the bank's Web site," said Hubbard. That list of banks, he noted, is hard-coded into the keylogger.
Once in possession of the account access username and password, the keylogger then transmits the information back to the attacker(s), sometimes in an encrypted form using SSL (Secure Sockets Layer). "Because it's using HTTPS, the traffic is undetectable," said Hubbard, describing another way that phishers are camouflaging their criminal acts. While the technique isn't new, it is seeing wider use by phishers.
The Trojan horses (and thus the keyloggers) are installed after a user naively surfs to a malicious site linked in an e-mail or instant message, said Hubbard -- a now-standard tactic by hackers and phishers of all kinds. Those sites, which number in the hundreds, are hosted on free-of-charge U.S.- and U.K.-based Web hosting services, typically disguised as personal home pages, blogs, and home-made Web directories.
The e-mails and IMs that entice users to these sites run the range from those claiming to be a message from an ISP or a company's IT department to others allegedly from friends sending electronic greeting cards, said Hubbard.
"They're using good old-fashioned social engineering," he said.
And it seems to be the work of a tight group of criminals. "Based on the similarities, there are a small number of people behind this," Hubbard said.
"This further quantifies the fact that Trojan horses are gaining on worms. For now, worms are still the most frequent item on the hacker food chain," he concluded.
But with numbers jumping like this, maybe not for long.