Man-in-the-Browser attacks target the enterprise

By Mickey Boodaei, CEO of Trusteer, Network World | Security, cybercrime

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Cybercriminals are increasingly targeting the information assets of some of the world's most well-known organizations, according to the findings of a recent global study by McAfee and Science Applications International Corp. (SAIC) entitled "Underground Economies: Intellectual Capital and Sensitive Corporate Data Now the Latest Cybercrime Currency."

With firewalls, antivirus and other security mechanisms protecting corporate networks, how do attackers manage to penetrate enterprise computer systems? Simply by exploiting the weakest link in the security chain. One of the newest methods is tunnelling in via employees' browsers using an attack known as "Man-in-the-Browser" (MitB).


An MitB attack starts with malicious software (usually a Trojan like Zeus or SpyEye) lurking on a seemingly innocuous website. When visitors arrive, the malware takes control of their Web browser and modifies the pages, content or transaction data presented to the user.

All of this is done without the user's knowledge in a completely covert fashion. Depending on what the browser is being used for, MitB enables attackers to silently steal anything from login credentials to account numbers or financial information. With browser sessions often containing the logon details for email systems, VPNs and cloud services -- such as cloud CRM -- it's critical to lock down these sessions without impacting performance. Making the situation worse is the explosion of mobile devices and the multitude of people who can access enterprise resources remotely.

It's not difficult for employees to stumble upon infected sites and fall victim to drive-by infections, because fraudulent spoof sites are being created every day. Criminals even use search engine optimization techniques to raise these sites to the top of search engine listings. But many legitimate websites are also being infected. Engineered attacks, like the recent LinkedIn email phishing campaign, are increasingly being used to ambush individuals and install sophisticated malware such as Bugat and Clampi.

This modern malware is designed to slip under the radar of traditional antivirus solutions and bypass strong authentication technologies like tokens or network access control (NAC) systems. It then captures all data processed by that browser and transmits it back to the criminals. All this can be achieved without setting off alarms.

We recently decrypted an attack on the popular Citrix Access Gateway by the Zeus Trojan that illustrates how criminals are trying to stay one step ahead of security controls.

In an attempt to protect its SSL VPN product against key logging malware, Citrix allows companies to customize the logon page to include a virtual on-screen keyboard which replaces the physical keyboard. So instead of typing a password on the physical keyboard, mouse clicks are used to press the keys drawn on screen, theoretically bypassing keyloggers.

But one Zeus 2.0 configuration we recently decrypted includes the following code:

In English, the "@" means "capture a screenshot of the text within the mouse's vicinity when the left button is clicked." And the */citrix/* specifies that this screenshot should be captured when the text "/citrix/" appears in the browser address bar.
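To make the semantics of such a rule concrete from the defender's side, here is an added example (not code from the article or from Trusteer) that parses a small, constructed set of Zeus-style URL masks and reports which of an organization's own URLs each rule would touch. Only the "@" prefix (screenshot on left click) and the "*" wildcard come from the article; treating "!" as an exclusion prefix, "#" as a comment marker, and exclusions as taking precedence are assumptions made for this example, as is the sample rule list itself.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the style of the decrypted Zeus 2.0 rules described above.
# It is NOT the decrypted configuration; "!" (exclude) and "#" (comment) are assumed.
SAMPLE_RULES = """
# constructed sample, not the real configuration
@*/citrix/*
!*.gif
!*.png
*bank.example*
""".strip()


@dataclass(frozen=True)
class UrlRule:
    mask: str                 # the raw wildcard mask, without its prefix
    screenshot_on_click: bool # "@" prefix: capture a screenshot near the click
    excluded: bool            # "!" prefix (assumed): do not log this URL at all
    regex: re.Pattern


def compile_mask(mask: str) -> re.Pattern:
    """Turn a "*"-wildcard mask into an anchored, case-insensitive regex.

    Everything except "*" is escaped, so "." and "?" in a mask are literal.
    """
    parts = [re.escape(p) for p in mask.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def parse_rules(text: str) -> list[UrlRule]:
    """Parse one mask per line, honouring the "@" and (assumed) "!" prefixes."""
    rules: list[UrlRule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        screenshot = line.startswith("@")
        excluded = line.startswith("!")
        mask = line[1:] if (screenshot or excluded) else line
        rules.append(UrlRule(mask, screenshot, excluded, compile_mask(mask)))
    return rules


def classify_url(url: str, rules: list[UrlRule]) -> str:
    """Return what the rule set would do to a URL.

    "excluded"  - an exclusion mask matched (assumed to take precedence)
    "screenshot" - a "@" mask matched: clicks on this page are screenshotted
    "logged"    - a plain mask matched: traffic to this page is captured
    "untouched" - no mask matched
    """
    hits = [r for r in rules if r.regex.match(url)]
    if any(r.excluded for r in hits):
        return "excluded"
    if any(r.screenshot_on_click for r in hits):
        return "screenshot"
    if hits:
        return "logged"
    return "untouched"


def exposure_report(urls: list[str], rules: list[UrlRule]) -> dict[str, str]:
    """Map each of an organization's URLs to the treatment the rules give it."""
    return {url: classify_url(url, rules) for url in urls}


if __name__ == "__main__":
    # Constructed URLs standing in for an enterprise's remote-access endpoints.
    enterprise_urls = [
        "https://vpn.example.com/citrix/logon.html",
        "https://vpn.example.com/citrix/logo.gif",
        "https://www.bank.example/account",
        "https://intranet.example.com/",
    ]
    for url, verdict in exposure_report(enterprise_urls, parse_rules(SAMPLE_RULES)).items():
        print(f"{verdict:10s} {url}")
```

Run against a real decrypted configuration, a report like this tells an incident responder which logon pages (and therefore which credentials) the on-screen-keyboard defence no longer protects, which is the question to answer before deciding whether to force password resets.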


Originally published on Network World.
