Attackers are not going to be satisfied with a simple PII breach any more. The market is becoming saturated with PII. Look at the stats. In 2007, credit card records sold for an average of $10 per cardholder record; in 2009 the same records sell for an average of 50 cents per record. Attackers want higher value than this. They want to control the endpoint. They want access to your online financial accounts. They are succeeding.

Controlling the endpoint within a business can net an attacker $100,000+. In "Real-Time Hackers Foil Two-Factor Security", Rob Lemos reports that an attacker was able to hitchhike on the computer of an employee of a construction company and issue transactions worth $447,000 in a matter of minutes. This sounds a lot better than 50 cents per record for cardholder data. Getting malicious remote access software installed on the computers of employees who conduct online banking is therefore a good plan of attack. That is exactly what just happened at PayChoice, an online payroll company.

The Washington Post reports that last week attackers stole email addresses, usernames, and partial password information from PayChoice. They then used that information to target PayChoice's customers. PayChoice's customers received a phishing attack that was personalized with their PayChoice information. The phishing email contained browser and other client-side exploits and also directed them to install a malicious plugin. The hybrid attack was designed to maximize the chances of owning the phished endpoint with the TrojanDownloader:Win32/Bredolab.X trojan. To add insult to injury, customers who thought they were protected by endpoint security most likely weren't. Only 5 of 41 AV scanners detected the malware.

PayChoice's customers are the ideal target for this type of multistage attack. The user that logs into an online payroll service is likely to be the user that logs into a business online banking account since payroll and banking go together in many companies. We can expect to see more attacks like this in the future.

Companies should put restrictions on the endpoints used to conduct online business.

  • A known set of software required for business should be running.
  • The machine should not be used for email.
  • An up-to-date browser should be used with no plugins.
  • JavaScript should be limited to a white list of trusted sites that require it.
  • The machine should only be able to connect to a known set of web sites.
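The three browser-related restrictions above (no plugins, JavaScript only on a whitelist, connections only to known sites) can be expressed as a Chrome/Chromium managed-policy file. The script below is an added example, not code from the original post or from PayChoice: it writes such a policy and checks that the required keys are present. The hostnames payroll.example.com and bank.example.com are constructed placeholders, and the policy directory is whatever the caller passes in (on Linux the managed-policy directory is /etc/opt/chrome/policies/managed, which requires root to write). The "known set of software" and "no email" rules are outside the browser's scope and still need host-level controls.

```shell
# Added example, not from the original post: build a Chrome/Chromium managed-policy
# file for a dedicated online-banking endpoint.
#   URLBlocklist "*" + URLAllowlist   -> browser can only reach the listed sites
#   DefaultJavaScriptSetting 2        -> JavaScript blocked everywhere ...
#   JavaScriptAllowedForUrls          -> ... except on the whitelisted sites
#   ExtensionInstallBlocklist "*"     -> no extensions/plugins can be installed
# Hostnames are constructed placeholders; replace them with the real sites.
write_banking_policy() {
    dir="$1"   # e.g. /etc/opt/chrome/policies/managed on Linux (needs root)
    mkdir -p "$dir"
    cat > "$dir/banking-endpoint.json" <<'EOF'
{
  "URLBlocklist": ["*"],
  "URLAllowlist": ["payroll.example.com", "bank.example.com"],
  "DefaultJavaScriptSetting": 2,
  "JavaScriptAllowedForUrls": ["https://payroll.example.com", "https://bank.example.com"],
  "ExtensionInstallBlocklist": ["*"]
}
EOF
    printf '%s\n' "$dir/banking-endpoint.json"
}

# Sanity check for a policy file: every key the lockdown depends on must be present.
# Prints the first missing key to stderr and returns 1; returns 0 when all are present.
check_banking_policy() {
    file="$1"
    for key in URLBlocklist URLAllowlist DefaultJavaScriptSetting \
               JavaScriptAllowedForUrls ExtensionInstallBlocklist; do
        if ! grep -q "\"$key\"" "$file"; then
            printf 'missing policy key: %s\n' "$key" >&2
            return 1
        fi
    done
    return 0
}

# Usage (writes to a scratch directory so it runs without root):
# policy=$(write_banking_policy "$(mktemp -d)") && check_banking_policy "$policy"
```

The browser policy only constrains the browser; pairing it with an outbound firewall allowlist on the same hosts is what makes the last bullet hold for every process on the machine, not just Chrome.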

Two-factor authentication and up-to-date anti-virus software are not enough. Limiting the functionality of the endpoint is the only way to be secure. Be on the lookout for anti-malware companies offering a quick fix for this problem. Remember that only 5 out of 41 AV scanners found the PayChoice phishing malware, and the percentage of malware detected by AV is decreasing over time.

About Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.
