Compilation of Phishing and Keylogger Attacks: Password Risks
Barely a day goes by without another story breaking about a password-protected service being compromised in one way or another. Passwords can be compromised through various forms of attack, including key-logging/screen-logging, phishing and shoulder-surfing, among others. This note elaborates on how prevalent keylogger/screenlogger and phishing attacks are today.
KeyLoggers/ScreenLoggers:
Keyloggers/screenloggers are malware installed on a user's computer without the user's knowledge. They record (log) the keys struck on the keyboard and take screenshots of what is displayed on screen, typically in a covert manner, and send the captured data to a remote attacker. Today practically all keyloggers capture both keystrokes and screenshots, so the terms keylogger and screenlogger are used interchangeably here. Below are some statistics related to keyloggers/screenloggers.
• In a survey conducted in 2006 by Websense, almost one in five organizations in the USA had been the victim of a keylogger attack [1]
• The SANS Institute, a group that trains and certifies computer security professionals, estimated that at a single moment in 2006 as many as 9.9 million machines in the United States were infected with keyloggers [2]
• In June 2009, security company Prevx discovered that a variant of the Zeus keylogger trojan had compromised over 74,000 FTP accounts on the websites of companies such as Bank of America, NASA, Monster, ABC, Oracle, Cisco, Amazon and BusinessWeek [3]
• In October 2009, Trusteer Research reported a new attack using the Zeus trojan to harvest credentials used to access enterprise web accounts such as webmail, CRM, financial and other SaaS applications [4]
• On 1 October 2010, the FBI announced it had discovered a major international cyber-crime network that had used Zeus to hack into US computers and steal around $70m, and had attempted to steal a total of $220m [3]
• In April 2010, Visa issued an alert about a growing number of keylogger/screenlogger attacks involving online payment card transactions. The particular keylogger malware identified by Visa is equipped to send payment card data to a fixed e-mail or IP address accessible to the hacker [8]
• Card-not-present fraud costs the U.S. payments industry, including issuers, merchants and acquirers, an estimated $1 billion per year according to a recent report from Aite Group LLC, a Boston-based consulting firm [9]. The majority of this fraud is mainly due to keylogger/screenlogger malware.
• Credit and debit card fraud is the No. 1 fear of Americans in the midst of the global financial crisis. Concern about fraud supersedes that of terrorism, computer and health viruses and personal safety [10]
Phishing:
Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames and passwords, typically by directing users to enter their details at a fake website whose look and feel are almost identical to the legitimate one. Below are some statistics related to phishing attacks.
• Gartner reported that $3.2 billion was lost to phishing attacks in the United States in 2007 [5]
• Cybercriminals stole more than $120 million through online banking fraud in the third quarter of 2008, reports the Federal Deposit Insurance Corp. (FDIC). Much of the fraud occurred after users were tricked into visiting malicious web sites or downloading Trojan horses that enabled cybercriminals to steal online banking passwords [9]
• In November 2009, Symantec alerted that CEOs are being targeted by advanced spear-phishing attacks [6]
• One in 20 people in Britain have lost money to some sort of online scam such as "phishing", according to research commissioned by AOL UK in 2005 [7]
• A class of spear-phishing attacks is on the rise: a recent campaign compromised around 100 e-mail service providers, with criminals conducting complex, targeted e-mail attacks. Recipients who clicked the links were redirected to sites that attempted to silently install software designed to steal passwords [11]
There were also many cases in 2010 of Twitter, Facebook, Vodafone and iTunes accounts linked to PayPal being hacked, which were likewise attributed to password-based authentication systems. The Vodafone hack in particular is attributed to a type of social-engineering attack. In 2009 a widely reported brute-force password-cracking attack on Yahoo Mail raised a red flag for all cloud-based providers using password-based authentication. And according to a 2009 Verizon report, password guessing is the most frequent means of gaining control of compromised enterprise systems.
Another case in point is an escrow firm in Missouri suing its bank to recover $440,000 that organized cyber thieves stole in an online robbery earlier in 2010, claiming that the bank's reliance on passwords to secure high-dollar transactions failed to measure up to federal e-banking security guidelines [12]
Since the current password-based system is no longer sufficient to combat the attacks described above, there is an urgent need for a dynamic password system (strong authentication) that effectively addresses them.
References:
1. http://www.scmagazineus.com/websense-keylogger-attacks-double-in-a-year/article/33436/
2. http://www.trusteer.com/sites/default/files/Anti_Keylogger_Myths.pdf
3. http://en.wikipedia.org/wiki/Zeus_%28trojan_horse%29
4. http://www.trusteer.com/sites/default/files/Zeus-OWA_Advisory_Oct_2009.pdf
5. http://www.gartner.com/it/page.jsp?id=565125
6. http://www.spamfighter.com/News-13452-Symantec-CEOs-Becoming-Victims-of-Spear-Phishing-Attacks.htm
7. http://www.theregister.co.uk/2005/05/03/aol_phishing/
8. http://usa.visa.com/download/merchants/key-logger-key-stroke-and-screen-capture.pdf
9. http://security.magtek.com/fraud-statistics/
10. http://www.creditcards.com/credit-card-news/credit-card-industry-facts-personal-debt-statistics-1276.php
11. http://krebsonsecurity.com/2010/11/spear-phishing-attacks-snag-e-mail-marketers/
12. http://krebsonsecurity.com/2010/11/escrow-co-sues-bank-over-440k-cyber-theft/