While reading through my bloglists this week I ran across this article from SANS: Malware Infection That Began with Windshield Fliers. I have to admit the cleverness of the approach, and the covering of tracks by blurring the license plates with Paint Shop Pro (If we knew whose car it was, perhaps there is footage from a parking lot camera of the criminal?). The message that no surfing is without risk unfortunately seems to be playing out in more and more areas of our daily life. As a security professional I sure would not have suspected the URL of being malicious, and would likely have surfed to the address to see what the story was… Of course I wouldn’t click to load a plugin, nor likely use Windows or Internet Explorer, but that alone does not ensure my safety. What if the exploit were in a PDF photograph of your supposed illegal action? Would you be safe and cozy on your Mac?
This disturbing trend is related to the Fake-AV malware attacks, and if this method of criminal wealth distribution continues unhindered, we will see these types of attacks seeping into every aspect of our daily lives. Secureworks.com did an incredible write-up of how these scams work including the fact that some of these scammers can pull in over $150,000 USD per week. What’s new about this parking scam is that it shows how the affiliate method of criminal wealth distribution gives new techniques to small time con artists to bring home the bacon. The botnets and infected webpages are nothing new, and certainly not unexpected. The use of these systems to do highly localized and targeted attacks that literally “take it to the streets” is quite scary. What’s next? Fake classified ads in your local paper? Advertisements on cable for the Shazam-Wow with an infected URL? Postcards?
I always try to wrap up these articles with some sort of idea of what we can do, both those of us who are potential victims (all of us) and those of us in the security industry. This particular nut is a tough one to crack. Most of these affiliate networks are part of the Russian Business Network, and many appear to be based in Saint Petersburg, Russia. Can our governments apply pressure to the Russian authorities to take any meaningful action? Unlikely… With an estimated hundreds of millions of dollars in scam/fraud/botnet service revenue per year, the Russian economy probably welcomes the additional cash infusion from the west to the struggling Ruble.
One of the only methods I see that can genuinely make a difference is to start organizing to put pressure on the Payment Card Industry. I do not have a specific bone to pick with these folks, but it does seem that they are putting a lot of us at risk recently. Somehow these affiliates are laundering millions of dollars (duly paying the card industry their illegal share, of course) through the payment card system, and yet someone is always standing by to provide payment processing to known cyber-criminals. I can’t say for sure, but according to the SecureWorks analysis of the Rogue Anti-Virus referenced earlier, ChronoPay doesn’t seem shy about providing card services to criminals… for a small fee, of course. They are based in the Netherlands, and I am sure MasterCard/Visa and others must see an awful lot of unusual activity from some of their customers… yet the money continues on unobstructed from the pockets of duped consumers. ChronoPay has an illustrious history, as they also provided payment services for AllofMP3.com.
As if the collapse of the global economy isn’t enough to draw our attention to the reckless behavior of the financial services industry, I guess this is just another example of greed over responsibility. Maybe I should retire to Saint Petersburg and enjoy the residual benefits.