One Tel Aviv-based anti-online fraud company has saved clients more than $1.9 billion this year. But hackers – including, some say, governments – are always developing new tricks
ISRAEL HAS built up a reputation as a high-tech hub in the Middle East. The birthplace of start-ups, it has churned out start-up after start-up, with the culture of technology entrepreneurship attributed to ambitious budding entrepreneurs who cut their teeth in military service.
One of these small companies was Cyota, which specialised in online security and anti-fraud solutions for financial institutions. It was snapped up by RSA in 2005; it in turn was bought by EMC in 2006, in a $2.1 billion (€1.7 billion) deal.
As a result, RSA has kept its anti-fraud command centre in Israel, at EMC’S building in Herzlyia, Tel Aviv. The command centre is RSA’s main weapon against fraudsters, and it’s proving a vital tool for the company.
A monitor in reception keeps a tally of the value of all the attacks that the company has prevented for its clients since January 1st each year – it’s currently at $1.9 billion (€1.5billion) and the number keeps rising. In 2011, it was more than $3 billion (€2.4 billion). Each January, the clock is reset, explains RSA’s head of cyber threats and management services, Daniel Cohen.
The centre itself is not really what you’d expect. Although a hive of activity, it’s a modest room. It’s manned 24 hours a day, seven days a week, with analysts checking reports of phishing attacks and having offending websites removed.
A series of monitors on the wall displays the attacks being directed at clients (whose names remain confidential) and where the threats are coming from. A running total of how many attacks are currently in progress sits at the bottom: the ultimate aim is to reduce that to zero by the end of the shift.
Since the beginning of this year alone, the centre has blocked 200,000 attacks, a higher rate than ever before.
It wasn’t expected that phishing would still be such a big problem. Experts thought it would die out as consumers wised up to the scam over time, allowing the phenomenon to die a natural death. But the scams still work, and fraudsters are getting smarter.
“People are a little more aware. They’re getting a little smarter about it, but it’s still out there and its still generating losses,” says Limor Kessem, cybercrime specialist with RSA.
It’s not difficult to see why there has been such a surge in recent months. There are more than seven billion networked devices worldwide. That’s enough for everyone on the planet to be connected to the internet, according to Cohen. By 2015, that number is expected to double.
More than half a billion mobile phones shipped last year. Some 27 exabytes of data are being transferred every day over the internet, and, within the smartphone market alone, 67 million apps are being downloaded on a daily basis. More targets mean potentially more money for fraudsters.
The security landscape has shifted dramatically over the past few years. Long gone are the images of teenagers playing about in their bedrooms creating viruses to unleash for a bit of fun; these days, it’s all business.
In recent years, an entire underground market has sprung up around malware, with people touting everything from credit card numbers (genuine, never been used before) to the expertise to infect networks of computers (for would-be spammers).
If you want to unleash a Trojan to infect computers and grab people’s credentials, someone will build it for you for a price; if you don’t know how to infect a site with that malware, someone else will set it all up for you. And if you need mule accounts to channel some of the money you make through such attacks, you can get them there too – for a cut.
“It’s important to understand that, as a fraudster or hacker, you don’t need to control the entire chain of fraud,” says Cohen. Instead, he explains, you can be a link in the fraud chain, making money.
Chat rooms and, subsequently, forums used to be the best places to showcase what you had for sale – busy noisy places that showed traders negotiating for a cut of whatever the customer was looking to shift. Forums sprang up as a way to cut out rippers – those who promise goods but never deliver – and also to keep things away from the prying eyes of security experts and law enforcement. The latest move is towards dedicated websites for such services.
It’s through these chat rooms, forums and websites that RSA gathers intelligence about each of the threats currently in the wild and aimed at its clients. It’s not quite as easy as that sounds. The forums are frequently closed to new members unless they’ve been vouched for by several members of the community. If you are a security company looking to gather information, that’s understandably difficult.
And some forums are practically invisible to outsiders and tough to crack – you have to know of their existence to get the link.
There is also etiquette in the the underground. Russian hackers generally don’t attack other Russian targets, for example. Partly out of respect, but also partly out of fear that hacking a mafia-linked operation may result in more than a retaliatory cyber attack. Reputation and trust are key too.
“It’s like Fight Club,” says Idan Aharoni, RSA’s head of cyber intelligence. “The first rule is you don’t talk about it.”
It’s what some describe as “the perpetual arms race”. The security companies are smart, but the hackers are just as smart, and always on the lookout for the next big thing.
In RSA’s FraudAction research lab, Etay Maor demonstrates how frighteningly easy it is to create a Trojan if you have the right software. You don’t even have to be a software expert to write one. You can buy software to create Trojans, such as Citadel or SpyEye, and get customer support thrown in. Like regular business software, there are knowledge bases.
Maor says the group is even mirroring some of the business models used by companies such as RSA – asking customers what features they would most like to see in such software via a poll. One of the recent additions was video capture, which neatly circumvents the protection afforded by using virtual keyboards.
RSA’s intelligence gathering has also picked up on some disturbing new trends that could hit closer to home for consumers.
As mobile phones become more advanced, they are grabbing the wrong kind of attention. In particular, Android smartphones are becoming a target for malware, due to the system’s popularity – the platform currently has a 50 per cent share of the market – and its open source nature.
With some banks using mobile phones as a third authentication point – sending codes to mobiles, for example – getting access to mobile systems and intercepting messages is a useful tool.
As with other malware, social engineering plays a huge part in pulling this off successfully. Infected software users are fooled into downloading does the rest.
“I hate the fact that people still call them phones, because they much closer to a laptop than a phone – they’re actually a small computer,” says Maor.
It’s a hot topic in the underground, RSA says. And when you realise how easily your information can be put at risk, it’s chilling. It may not be quite as widespread a problem as Trojans in PCs, but it is yet another front on which consumers are being attacked.
Meanwhile, back in the world of PCs, security experts are facing increasingly sophisticated malware writers, who know how to cover their tracks. The lengths some go to are extraordinary.
“There are a lot of things that impress us along the way,” says Limor Kessem, cybercrime specialist with RSA. “The sophistication of certain codes – there was a case where they took commercial malware written in a certain programming language, and rewrote the whole code in a different language, keeping all the same functions. So it works the same way but it will not be detected by the tools that are picking up other malware.”
And some hackers, RSA says, have even more weight behind them. “State sponsored” attacks are a hotly debated topic. Only last week, news broke of yet another threat that researchers claim is “nation-state sponsored”. Gauss combines an online banking Trojan with what Kaspersky described as “a warhead of unknown designation”.
The latest threat is closely related to Flame and Stux, which has led to claims that the newest threat is down to the US and Israeli governments. It’s a topic RSA isn’t really getting into. What its experts will say, however, is that “state sponsored” attacks are almost certainly a reality, due to the complex nature of some of the emerging threats.
“It’s credible because the amount of resources it takes is very high. For example, when Duqu came out, Kaspersky Labs found it,” says Kessem. “They did not know what programming language it was written in. Nobody knew. It was something that was custom written. Someone invented a new programming language to write this malware and used other ways of building the malware. This is not something that is out of the box – it’s a huge investment.”
The only defence at the moment is what RSA advocates as a multilayered security approach: strong authentication, perimeter security, network-based measures and intelligence all help keep the hackers at bay.
“At the end of the day you’re not winning a war, you’re winning a battle,” says Cohen.
The security landscape has shifted dramatically over the past few years. Long gone are the images of teenagers playing about in their bedrooms creating viruses to unleash for a bit of fun; these days, it’s all business