Attackers are not going to be satisfied with a simple PII breach any more. The market is becoming saturated with PII. Look at the stats. In 2007, credit card records sold for an average of $10 per cardholder record; in 2009 the same records sell for an average of 50 cents per record. Attackers want higher value than this. They want to control the endpoint. They want access to your online financial accounts. They are succeeding.
Controlling the endpoint within a business can net an attacker $100,000+. In "Real-Time Hackers Foil Two-Factor Security", Rob Lemos reports that an attacker was able to hitchhike on the computer of an employee of a construction company and issue transactions worth $447,000 in a matter of minutes. This sounds a lot better than 50 cents per record for cardholder data. Getting malicious remote-access software installed on the computers of employees who conduct online banking is therefore a good plan of attack. That is exactly what just happened at PayChoice, an online payroll company.
The Washington Post reports that last week attackers stole email, usernames, and partial password information from PayChoice. They then used that information to target PayChoice's customers. PayChoice's customers received a phishing attack that was personalized with their PayChoice information. The phishing email contained browser and other client-side exploits and also directed them to install a malicious plugin. The hybrid attack was designed to maximize the chances of owning the phished endpoint with the TrojanDownloader:Win32/Bredolab.X trojan. To add insult to injury, customers who thought they were protected by endpoint security most likely weren't. Only 5 of 41 AV scanners on VirusTotal.com detected the malware.
PayChoice's customers are the ideal target for this type of multistage attack. The user that logs into an online payroll service is likely to be the user that logs into a business online banking account since payroll and banking go together in many companies. We can expect to see more attacks like this in the future.
Companies should put restrictions on the endpoints used to conduct online business.
- A known set of software required for business should be running.
- The machine should not be used for email.
- An up-to-date browser should be used with no plugins.
- The machine should only be able to connect to a known set of web sites.
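As an added example (not code from the original post), here is the kind of deny-by-default URL allowlist check that a proxy in front of such a restricted endpoint could enforce, beside the naive substring check that a personalized phishing link easily defeats. The hostnames bank.example.com and payroll.example.net are constructed stand-ins for the company's bank and payroll provider.

```python
"""Allowlist check for a dedicated online-banking/payroll endpoint.

Policy: the machine may only reach a known set of web sites, over HTTPS.
Everything else, including links in a personalized phishing email, is
denied by default. All hostnames below are constructed examples.
"""
from urllib.parse import urlsplit
import ipaddress

# Constructed allowlist: the company's bank and payroll provider (not real hosts).
ALLOWED_HOSTS = {"bank.example.com", "payroll.example.net"}


def naive_allowed(url: str) -> bool:
    """Substring check: the shortcut that phishing URLs are built to defeat."""
    return any(host in url for host in ALLOWED_HOSTS)


def url_allowed(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Deny-by-default check on the parsed hostname, not on the raw string."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":            # only TLS to the approved sites
        return False
    if parts.username or parts.password:   # 'https://bank.example.com@evil.example/'
        return False
    host = parts.hostname                  # lower-cased, no port, brackets stripped
    if not host:
        return False
    try:
        ipaddress.ip_address(host)         # raw IP literals are never on the allowlist
        return False
    except ValueError:
        pass
    host = host.rstrip(".")
    # Exact match or a subdomain of an approved host ('www.bank.example.com').
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


# Constructed sample: one legitimate link and the shapes a phishing lure might take.
SAMPLE_URLS = [
    "https://bank.example.com/login",
    "https://www.payroll.example.net/",
    "http://bank.example.com/login",                # plaintext downgrade
    "https://bank.example.com.evil.example/login",  # lookalike subdomain
    "https://evil.example/bank.example.com/",       # approved name only in the path
    "https://bank.example.com@evil.example/",       # userinfo trick
    "https://203.0.113.7/plugin.exe",               # raw IP drop site
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"naive={naive_allowed(u)!s:5} strict={url_allowed(u)!s:5} {u}")
```

The naive check passes every lure except the raw IP; the parsed-hostname check allows only the first two links.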
Two-factor authentication and up-to-date anti-virus software are not enough. Limiting the functionality of the endpoint is the only way to be secure. Be on the lookout for anti-malware companies offering a quick fix for this problem. Remember that only 5 out of 41 AV scanners found the PayChoice phishing malware, and the percentage of malware detected by AV is decreasing over time.