Concealed Cyberthreats: Logic Bombs & Padlocked Sites

Online criminals might deploy a mixture of spyware and logic bombs to steal a user’s identity.

While holiday scams dominate the cyberthreat news, the reality is that the financial community is constantly probed for weaknesses in its security landscape, for example through logic bombs and supposedly padlocked sites.

Clifton, N.J.-based cybersecurity firm Comodo warned in a blog post about logic bombs: malware (also called slag code) that activates in response to an event, for example the launch of an application or the arrival of a specific date and time.

“Online fraudsters make use of the logic bomb malware in a variety of ways. Attackers usually embed the code within a bogus application, or Trojan horse, and will automatically execute whenever the user launches the fake software,” reads the alert.

Online criminals might deploy a mixture of spyware and logic bombs to steal a user’s identity. For instance, spyware is used by online fraudsters to covertly install a keylogger on a computer. The keylogger captures the user's keystrokes, usually usernames and passwords, and sends them back to the remote attacker.

A logic bomb, by contrast, waits for the user to visit a website that requires logging in with credentials, such as a banking site or social network. At that point the logic bomb automatically executes the keylogger, snags the user's credentials, and sends them back to the hacker.

Comodo described a malware attack in South Korea that wiped the hard drives of computers at banks and broadcasting companies; a U.S. security firm later identified a logic bomb in the malware's code.

The malware dictated the date and time at which to erase the data from infected machines, coordinating the destruction across multiple victims. It erased the hard drives and master boot records of at least three financial institutions and two media companies simultaneously, and also knocked some ATMs offline.

Comodo maintained that logic bombs are hard to prevent because a remote attacker can plant them in numerous ways on multiple platforms, for example by hiding the malicious code in a script or deploying it on a SQL server. Allocation of duties, or limiting employee access to specific files and folders, may offer some protection, and many companies prepare a business continuity and disaster recovery plan just in case.

Brian Krebs, in his blog KrebsOnSecurity, reported on research from PhishLabs showing that half of all phishing scams are now hosted on websites whose address includes the padlock and begins with “https://”, which people usually take to mean a secure, trusted site.

Krebs said this disturbing swing is noteworthy because a majority of internet users have taken the age-old “look for the lock” advice to heart and still associate the lock icon with legitimate sites. “In reality, the https:// part of the address (also called secure sockets layer or SSL) merely signifies the data being transmitted back and forth between a browser and the site is encrypted and can’t be read by third parties. The presence of the padlock does not mean the site is legitimate.”

Paul Bischoff, privacy advocate at the U.K.-based Comparitech.com explained: “The study goes to show that there’s no one way to identify a phishing website. Making sure the site has a valid SSL certificate indicated by HTTPS and a padlock in the URL bar is just one step. Users should also look for character replacement (Punycode), subdomains, and other inconsistencies in a site’s real URL and webpage. You can usually find the real site by Googling the company name, then check it against the suspected phishing URL. Other means of combating phishing usually deal with emails and other means of getting victims to the phishing site.”
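The checks Bischoff lists (Punycode in the host name, a brand name pushed into a subdomain, and comparing the suspect address against the site found independently by searching for the company) can be scripted. The following is an added example written for this article; it is not code from the article, PhishLabs or Comparitech. The brand list, the sample URLs and the two-label approximation of the registrable domain are assumptions, and the scheme is deliberately never counted as evidence of legitimacy, for the reason Krebs gives above.

```python
"""Heuristic inspection of a suspect URL: Punycode/IDN homographs, mixed
Unicode scripts, a brand name hidden in a subdomain, and comparison with the
site found independently. Added example; brands and sample URLs are constructed."""
import unicodedata
from urllib.parse import urlsplit

# Constructed list of brands the defender watches (an assumption, not from the article).
WATCHED_BRANDS = ("examplebank", "examplepay")


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Assumption: no Public Suffix List, so suffixes like 'co.uk' are not
    handled; a real deployment would consult the PSL instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def decode_idna(host: str) -> str:
    """Turn Punycode labels (xn--...) back into the Unicode a user would see."""
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host


def scripts_in(label: str) -> set:
    """Unicode scripts used by the letters of a label, taken from the first
    word of each letter's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    found = set()
    for ch in label:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def inspect_url(url: str) -> dict:
    """Return the parsed host, its displayed (decoded) form and a list of findings."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    shown = decode_idna(host)
    reg = registrable_domain(host)
    findings = []

    # Bischoff's 'character replacement (Punycode)' check.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode")
    # A label mixing scripts (e.g. Cyrillic 'а' among Latin letters) is a homograph signal.
    for label in shown.split("."):
        if len(scripts_in(label)) > 1:
            findings.append("mixed-script")
            break
    # Bischoff's 'subdomains' check: the brand appears, but not in the registrable domain.
    for brand in WATCHED_BRANDS:
        if brand in host and brand not in reg:
            findings.append("brand-in-subdomain")
            break
    # The scheme is reported but never added to findings: https:// only shows the
    # channel is encrypted, not who operates the site.
    return {"scheme": parts.scheme, "host": host, "displayed_host": shown,
            "registrable": reg, "findings": findings}


def same_site(suspect_url: str, known_good_url: str) -> bool:
    """Does the suspect URL land on the same registrable domain as the site
    located independently (the 'search for the company name' step)?
    Compared after IDNA decoding so a homograph cannot match by accident."""
    a = decode_idna(registrable_domain(urlsplit(suspect_url).hostname or ""))
    b = decode_idna(registrable_domain(urlsplit(known_good_url).hostname or ""))
    return a == b


if __name__ == "__main__":
    # Constructed sample URLs: a homograph, a brand-in-subdomain lure, and the genuine site.
    for u in ("https://xn--pple-43d.com/login",
              "https://examplebank.com.secure-login-portal.example/",
              "https://www.examplebank.com/"):
        print(u, inspect_url(u)["findings"],
              "matches known site:", same_site(u, "https://www.examplebank.com"))
```

All three sample URLs use https, and the script reports it without weighting it, which is the point of the PhishLabs finding: the decision rests on the host name and on an independent reference, not on the padlock.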

Bischoff indicated the PhishLabs study sheds light on the role of certificate authorities and browser makers, which could affect financial institutions and other organizations. “Certificate authorities like Let’s Encrypt make the web safer by making it cheap and easy for websites to use HTTPS, but they also lower the barrier for criminals. HTTPS instills trust in site visitors, so some argue certificate authorities should vet who they sell SSL certificates to. On the other hand, many experts argue that browser makers misrepresent what HTTPS accomplishes: encryption and authentication. It does not necessarily verify that the website owner is a legitimate entity.”