Author (#12)July 2006 Archives

Ben Edelman has some new spyware research about Vonage and some of the unsavory things going on. It is a long and technical read, but I recommend it. (see link to video at end) and Late Entry on Vonage behind the scenes action.

He covered several examples, but the one that caught my eye and I wanted to talk about was the use of ad injection.

Examples he covered in the article. Ad Injection in bold.

Spyware-Delivered Pop-Up Ads
Direct Revenue
Targetsaver - covering AOL
Targetsaver - covering a sexually-explicit site

Banner Injection Into Others' Properties
Fullcontext - ad injected into
Searchingbooth - ad injected into
Searchingbooth - ad injected into eBay
DollarRevenue - replacing an ad within

Spyware Delivered Banner Farms
Hula's Global-Store

Spyware Lead Acquisition
Direct Revenue - Vendare's Myphonebillsavings
Direct Revenue - NextClick's Phonebillsolution

It is worthy to note that in the first three examples: Google, eBay, and ads are injected above a site.
However, DollarRevenue injects its ads into a site - covering a banner placed by the site. For a site this means the person who bought the media might not be getting their fair share and the site owner is not getting paid.

But what does this mean for people- netizens?

I was intrigued by this question and what seems to be a relatively dead tactic coming to life the field. So I queried Ben for a discussion. In short he wondered aloud whether banner injection might be "the next big thing." He told me that until this past month, he had only seen one spyware program injecting banner ads into others' sites: DeskWizz's SearchingBooth. but then this past month he found two more -- FullContext and DollarRevenue. That's a startling and rapid growth -- suggesting there may be more to come.

Ben also pointed out that these ad injectors benefit from the lack of transparency in banner ad syndication. At least affiliate merchants generally get to approve their partners one by one. (Most sophisticated merchants have long since disabled auto-approve.) But when advertisers buy banner ads, especially run-of-network / remnant / untargeted ads, they get very little visibility into where those ads appear. This is practically an invitation for placements in spyware injections and other unseemly locations.

In the past many users suspected they had spyware from all the annoying pop-ups, but like the Borg the dark forces adapt and change tactics- smaller front prints, random file names and MD5's, using rootkits- so I am not surpised if this new tactic enters into the fray. I can invision it popping up on social networks like MySpace or non-hierarchical news sites like Digg.

The Ad Injection is very subtle and thus people may not know it is going on and that a program is doing it.

Take for this instance an "anti-fraud screen" I found while tracing the money trails of a mass spam attack (still looking into that one) that was delivering malware and porn through deceptive SEO and encoded JavaScript injection. In this case, as I understand it so far, a company from Russia runs a private pay-click-engine and I believe offers XML feeds and search results powered through syndication results from various pay-per-click search engines. They dole out up to 75% or more for webmasters and pocket the rest.

Click To Enlarge In New Window

While it is good 7Search is periodically checking for problem syndication- I have to ask- why do you need the end user to police it? I would prefer them to keep the problems out at the gate.

What topic did you click? Straight forward. If you can remember. Why not log the topic?

Are you infected with spyware? How would they really know? That is how it got the moniker "spyware" in the first place. People didn't know how it got there or someone else installed it or any number of situations occur.

Are you a part of pay-to-surf program- name them? Ouch. Not as if people getting paid are going to out anyone- or would they? Doesn't add up to me. Not to mention incetivized search historically gives low yields for advertisers.

In closing pay close attention to this video from Ben's research on the DollarRevenue ad injection. The easy to catch warning signs of spyware infection may indeed fade meaning people will have to be all the more careful.

Watch in full video of what an ad injection looks like: Edelman's Video on Ad Injection. (Opens to New Window)

LATE ENTRY: Using the ever-so-handy insider status in the ad world I have learned from more than one anonymous source that Vonage is putting on hold a number of their advertising deals. I am not sure if it is just with the companies Edelman cited in his research or how far this reaches yet. At any rate Vonage is reacting and getting serious in their response. This could be a pivotal movement in the spyware wars. You kill the spies by cutting out the well-funded brands sponsoring their existence.

Doing research is often a mind-wracking excursion, but it is great to learn the hard work pays off.

Our RTGuardian is designed for Enterprise protection and Network Testing Labs Calls the RTGuardian 'A World Class Internet Gateway'. The RTG specifically attacks the growing IM and P2P problem and can attack the spyware problem too. Thumbs up!

From the release.

RTG Detects 100 Percent of IM Protocols, 99 Percent of P2P Protocols and 96 Percent of Malware, Spyware and Adware, and Effectively Detects and Controls Skype

FOSTER CITY, Calif., July 18 /PRNewswire/ -- FaceTime Communications, the leading provider of solutions for securing and managing greynets, today announced that Network Testing Labs (Mobile, Ala.), the world's foremost independent security testing facility, has recognized the RTGuardian 500 with an "excellent" rating based on five key criteria: identifying and thwarting malware, ease of use, reports, installation and documentation.

Now back to more research...

Phishing is a form of criminal activity using social engineering or trickster techniques to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message. The term phishing arises from the use of increasingly sophisticated lures to "fish" for users' financial information and passwords. Some phishing has become so complicated that it no longer needs to steal information from the web, IM or E-mail, but lure users to use phone connections and capture them using phone techniques. (You call a number, they ask you to enter in your account number and PIN and viola- they capture the "tones" made by your telephone keypad input and your account is wide open to the scammer.)

We talked a while ago about the global phishing termination operation launched by CastleCops and Sunbelt Software. The volunteer PIRT Squad is comprised of folks who report phish, investigate phish, and actively work on phish takedown and termination (original concept by Robin Laudanski). PIRT is funded by CastleCops.

Our own Microsoft Security MVP, Chris Boyd, has been participating on the PIRT Squad over at CastleCops and some of the first results are in. CastleCops' operators, Robin and Paul Laundanski, have compiled the list of the top phished brands in May. Here the all-volunteer group of phishing terminators has been having a real impact on phishing. Our own research team follows-up on many of these phish sites and note that many are offline quickly! That is good news...but the battle is far from over. (Other "things" may lurk on the end of these phish attempts, but that is for another entry.)

So without further ado the top brands fished in May:
Pay special attention to how "pure Internet play" brands like PayPal and eBay are the most common targets.

May 2006 confirmed phish (brand plus total count for May):

PayPal - 520
eBay - 309
Bank of America - 37
Barclays - 36
Wells Fargo - 36
Chase - 33
WAMU - 28
HSBC - 20
MasterCard - 18
e-gold - 17
Nationwide - 17
Citi - 16
BancorpSouth - 14 - 12
Halifax - 11
NetBank - 11
Laredo Nat'l Bank - 10
Nat'l Australia Bank - 10
Western Union - 10
National Credit Union - 9

With this early report in mind we have to take into account that Google is now throwing their hat into the e-commerce ring with a service called "Google Checkout". The business implications of this move are very, very complicated and beyond the scope of this entry- although they are important to security researchers too. However, in terms of pure security research the proverbial writing is on the wall...Google and e-commerce will only attract scammers like bears to honey. How successful they will be will depend much on how Google implements the process, their anti-fraud features, and how educated people are on phishing in general.

I admit, especially in my talks and speeches with youngsters, I am quite dismayed at the lack of awareness on Internet safety. That is one area I, and our team, have been pondering.

One of the best forms of defense is very simply- "street smarts". For example, we teach children not to go into dark alleys late at night, actually most parents wouldn't let their children out in a city at night! Yet our digital highways can be dangerous too- often the mediums are treated differently. I plan more on this in the future.

For now, us get back to Google Checkout.

Some of the features of Google Checkout include:

1) Google will store your complete shopping history. This is convenient of course, but remember if you lose access to that account- that history goes with you. This is no different than losing access via a hack to any e-mail account.

2) Google won't share your full credit card number, even with the merchants you buy from. This makes sense, since Google is doing the transaction on behalf of the merchant.

3) Google won't share your email address with merchants if you don't want them to. This is nice- you don't have to worry about getting lots of promotions via e-mail if you don't want.

4) Google will not spam you. Google pledges they will not spam you- great. They never have and I believe that is not in their plans.

5) You can store as many credit cards in Google Checkout as you want! That is where it starts to get a little bit risky.

Now, again, I am not being anti-Google, I am only being a realist. You have a pure play Internet brand, new to offering payment transaction processing to the public at large, prepared to do business en masse. If we look at recent history, like the PIRT report, it only stands to reason that Google, other privacy concerns aside, will experience their fair share of phishing attempts.

For now- use "street smarts". Be wary and be careful.

NOTE: If you are technically adept at handling phishing attempts and want to help by joining the PIRT Squad you can join the team here, if you simply want to report a phishing attempt you can do so by clicking here.

About this Archive

This page is a archive of recent entries written by (Display Name not set) in July 2006.

Author (#12)June 2006 is the previous archive.

Author (#12)August 2006 is the next archive.

Find recent content on the main index or look in the archives to find all content.