Cyberthieves mine online for corporate data nuggets
By Byron Acohido, USA TODAY
An innocuous posting appeared on a Houston-based technology company's internal website on a recent Friday afternoon.
A couple of workers saw it, and obeyed instructions to click on a Web link. The posting seemed trustworthy. It was on an employees-only message board. And the link referenced news about a favorite company charity.
By clicking on the link, the workers infected their PCs with a virus that shut down the company's antivirus defenses, says Don Jackson, director of Threat Intelligence at Atlanta-based SecureWorks, who investigated the break-in. The company is not named; as a rule, tech security firms help clients under non-disclosure agreements.
The virus swiftly located — and infected — some 300 other workstation PCs, silently copying the contents of each computer's My Documents folder. It transmitted the data across the Internet to a gang of thieves operating out of Turkey.
"It was kind of like high-tech dumpster diving," Jackson says. "You get in, grab all the stuff you think might be important and sort through it later."
That Sept. 19 caper underscores an alarming shift in the teeming world of Internet crime. In the past year, cybercriminals have begun to infiltrate corporate tech systems as never before. Knowing that some governments and companies will pay handsomely for industrial secrets, data thieves are harvesting as much corporate data as they can, in anticipation of rising demand.
Criminal groups are beginning to refine business models for turning data raided from corporate networks into cold, hard cash. "As they get better at finding ways to sell the information they steal, we can expect this type of attack to become more common — and harder to detect," says Marcus Sachs, director of the SANS Internet Storm Center.
Industrial espionage is nothing new, of course. But what's taking shape in the Internet underground is as distinctive as it is worrisome, security experts say.
Elite cybergangs can no longer make great money stealing and selling personal identity data. Thousands of small-time, copycat data thieves have oversaturated the market, driving prices to commodity levels. Credit card account numbers that once fetched $100 or more, for instance, can be had for $10 or less, says Gunter Ollmann, chief security strategist at IBM ISS, IBM's tech security division.
Cybercriminals on the cutting edge are forging ahead. They're culling the ocean of stolen personal data for user names and passwords to access corporate systems. They've begun to target corporate employees who use free Web tools, such as instant messaging, Web-based e-mail and group chats on social-networking sites.
Often employees use such free tools to expand their business contacts and to back up clunky, company-supplied systems. But corporations have been slow to come to grips with security holes intrinsic to such free tools, or to restrict their use. "Corporations need to accept the fact that these tools are here to stay and secure them," says Jose Nazario, senior security researcher at Arbor Networks.
The most fertile turf: AOL, Yahoo and MSN instant messaging; Yahoo Mail, Hotmail and Gmail; and MySpace and Facebook, the free tools that on any given day you'll find open on millions of workplace PCs. The most coveted loot: e-mail address books, instant-messaging buddy lists, PowerPoint slide presentations, engineering drawings, partnership agreements, price lists, bid proposals, supply contracts, executive e-mail exchanges and the like.
One set of stolen data — say, a senior manager's user name and password — is often used to get deeper access to key databases, says IBM's Ollmann. Each infected PC becomes a beachhead to breach other PCs and harvest more data. "This is maturing fast," says Ollmann. "New forums for hooking up buyers and sellers of this data are appearing on a daily basis."
Grab and run
Who buys stolen business data? Brett Kingstone, founder of Super Vision International (now Nexxus Lighting), an Orlando-based industrial lighting manufacturer, knows the answer all too well. In 2000, an intruder breached Super Vision's public-facing website and probed deep enough to snatch secrets behind the company's patented fiber-optic technology.
That intelligence made its way into the hands of a Chinese entrepreneur, Samson Wu. In his book, The Real War Against America, Kingstone recounts how Wu obtained Super Vision's detailed business plans, built a new Chinese factory from scratch and began mass marketing low-priced counterfeit lighting fixtures, complete with warranties referring complaints to Super Vision.
"They had an entire clone of our manufacturing facility," says Kingstone, who won a civil judgment against Wu. "What took us $10 million and 10 years to develop, they were able to do for $1.4 million in six months."
Wu disagreed with the civil judgment, says his attorney, Philip Snyderburn. Federal agents investigated Wu, but criminal charges were never pressed against him, noted Snyderburn, adding that he is not aware of Wu's current whereabouts.
Last year, the PCs of executives at several large Japanese conglomerates got infected with a virus spread through Ichitaro, a popular Japanese word-processing program. The intruders grabbed copies of supply contracts for an electronics maker, a plastics research firm and a train manufacturer, says SecureWorks' Jackson. That information reached rivals, who then undercut the established suppliers. "These were very targeted attacks that went on for several weeks without being detected," says Jackson.
In the past nine months, data thieves have stepped up attacks against any corporation with weak Internet defenses. The goal: harvest wide swaths of data, with no specific buyer yet in mind, according to security firm Finjan. Last May, Finjan documented how a large health care company and a major airline came under this type of attack, losing large caches of data. In each case, the thieves took pains to encrypt the stolen data, preserving it for future sale or use. Yuval Ben-Itzhak, Finjan's chief technical officer, calls it the "grab-and-run" technique.
"Cybercriminals are focusing on data that can be easily obtained, managed and controlled in order to get the maximum profit in a minimum amount of time," says Ben-Itzhak.
Researchers at RSA, the security division of tech systems supplier EMC, have been monitoring deals on criminal message boards. One recent solicitation came from a buyer offering $50 each for e-mail addresses for top executives at U.S. corporations. "He wants to send something specifically targeted to a senior-level employee to gain access to that resource," says Uri Rivner, RSA's head of new technologies. "These fraudsters know what they want."
Meanwhile, corporations make it all too easy, say tech security experts and law enforcement officials.
The military and many financial services firms block access to YouTube and other popular websites on work computers. But most organizations pay little heed to how employees use free Web programs; only a small minority actually pay for secure alternatives, such as company-supplied instant messaging, says Chris King, marketing director at security firm Palo Alto Networks.
Similarly, most customized business applications used in commerce and government continue to be created with functionality, not security, as the top specification, says Joe Jarzombek, director of software assurance at the Department of Homeland Security's National Cyber Security Division.
Data thieves understand this, says Shawn Henry, the FBI's assistant director in charge of the cyberdivision. At an Oct. 15 press conference, Henry noted the vast criminal opportunities created by the rapid digitalization of data.
"Twenty years ago, it was all maintained in file cabinets," Henry said. "All of the most sensitive data relating to a corporation, because of ease of transmittal and the need to communicate, has been migrated to the network. You can only imagine what certain actors would do, given access to that particular type of information."
Last month, enterprising thieves discovered a big security hole in millions of work computers that forced Microsoft to issue a rare emergency patch.
The flaw, in Windows XP and Windows Server PCs, makes it possible to take control of any vulnerable Internet-connected PC without having to trick the user into clicking on a tainted attachment or Web page. Criminals implanted a program in corporate PCs that automatically turned on every 10 minutes, says Sunbelt Software researcher Eric Sites.
The program copied and extracted all personal data stored by a PC's Web browser and registry, which gives the Web location of the machine, then turned off.
"This looks like something very customized, targeting very specific people," says Sites. "They could be after business intelligence or military secrets. These are not your average attackers."
Microsoft did not know about the flaw until reports of ongoing intrusions reached the software giant. Security experts say it will take months for the patch it issued to be installed pervasively in corporate settings. That's because large organizations test and install patches methodically, so as not to disrupt internal networks.
Meanwhile, criminal groups continue to probe the Internet for unpatched PCs, snare employees who use free Web tools at work and research novel ways to access corporate networks.
Randy Abrams, director of technical education at antivirus firm ESET, describes corporate data as "existing in a state of anarchy," moving haphazardly about company networks with too few protections. "The bad guys are aware of this," says Abrams. "Right now, there is little stopping them from moving data to places it should not be going."