The so-called dark web, that shadowy criminal underground where anonymous authors sell off-the-cuff malware and buy stolen credit card numbers and consumer data in an environment far from the prying eyes of the legal world, is growing in significance.
It was a key enabler of high-profile point-of-sale (POS) attacks and data breaches in late 2013, and is poised to continue making an impact despite the fact that this off-the-shelf cybercrime-as-a-service community revolves mostly around technologies that fall into the “relatively unsophisticated” category.
The dark web, digitally signed malware, Android malware sample proliferation, ransomware and suspicious URL growth all made up the top threats for the fourth quarter of 2013, according to McAfee’s Quarterly Threat Report.
Target, Neiman Marcus, White Lodging, Harbor Freight Tools, Easton-Bell Sports, Michaels Stores, and ‘wichcraft all suffered high-profile credit card data breaches in 2013. Although there has been no public acknowledgment that the attacks are related or carried out by the same actor, many of them leveraged off-the-shelf point-of-sale (POS) malware like BlackPOS, POSCardStealer, Dexter, Alina, vSkimmer, ProjectHook and others, many of which are available for purchase online. The malware used in the attacks was thus mainly crude technology that was then customized specifically for these attacks.
McAfee Labs’ ongoing research into underground “dark web” markets further identified the attempted sale of stolen credit card numbers and personal information known to have been compromised in the Q4 retail breaches. The researchers found the thieves offering for sale some of the 40 million credit card numbers reported stolen in batches of between 1 million and 4 million at a time.
“The fourth quarter of 2013 will be remembered as the period when cybercrime became ‘real’ for more people than ever before,” said Vincent Weafer, senior vice president for McAfee Labs, in a statement. “These cyber-thefts occurred at a time when most people were focused on their holiday shopping and when the industry wanted people to feel secure and confident in their purchases.”
He added, “The impact of these attacks will be felt both at the kitchen table as well as the boardroom table. For security practitioners, the ‘off the shelf’ genesis of some of these crime campaigns, the scale of operations, and the ease of digitally monetizing stolen customer data all represent a coming of age for both cybercrime-as-a-service and the ‘dark web’ overall.”
When it comes to code signing, a practice that validates the identity of the developer who produced the code and ensures the code has not been tampered with, the number of digitally signed malware samples tripled over the course of 2013, to more than 8 million suspicious binaries. In the fourth quarter alone, McAfee Labs found more than 2.3 million new malicious signed applications, a 52% increase from the previous quarter.
Although the total number of signed malware samples includes binaries signed with stolen, purchased or abused certificates, the growth was driven largely by the abuse of automated content distribution networks (CDNs) that allow developers to upload their programs, or a URL that links to an external application, and have them wrapped in a signed installer. Criminals have learned to wrap malicious binaries within digitally signed, otherwise legitimate installers.
McAfee Labs said that it believes this accelerating trend could pose a significant threat to the long-established certificate authority (CA) model for authenticating “safe” software; the growing number of maliciously signed files could create confusion among users and administrators, and even call into question the continued viability of the CA model in general.
“Although the expansion of the CA and CDN industries has dramatically lowered the cost of developing and issuing software for developers, the standards for qualifying the identity of the publisher have also decreased dramatically,” said Weafer. “We will need to learn to place more trust in the reputation of the vendor that signed the file, and less trust in the simple presence of a certificate.”
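The practical consequence of Weafer’s point is that a signature check should answer “who signed this, and do we trust them?” rather than “is there a valid signature?”. The following PowerShell script is an added example and is not part of the McAfee report; it inventories Authenticode signatures under a directory with the built-in Get-AuthenticodeSignature cmdlet and separates binaries that are signed by an allowlisted publisher from those that carry a technically valid signature from an unknown publisher (the category a wrapped installer falls into). The allowlist entry, the directory path and the function name are assumptions chosen for the example.

```powershell
# Added example, not from the McAfee report. Publisher subjects below are constructed
# placeholders: replace them with the exact Subject strings of publishers you trust.
$TrustedPublishers = @(
    'CN=Example Software Inc, O=Example Software Inc, L=Example City, S=WA, C=US'  # placeholder
)

function Get-SignerReport {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $Trusted = $TrustedPublishers
    )

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.msi -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            $issuer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer }  else { $null }
            $thumb   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }

            # A "Valid" status only proves the chain builds to a trusted root and the file
            # was not modified after signing; it says nothing about who the signer is.
            $verdict =
                if     ($sig.Status -eq 'NotSigned')    { 'unsigned' }
                elseif ($sig.Status -eq 'HashMismatch') { 'tampered-after-signing' }
                elseif ($sig.Status -ne 'Valid')        { "chain-problem: $($sig.StatusMessage)" }
                elseif ($Trusted -contains $subject)    { 'trusted-publisher' }
                else                                    { 'signed-by-unknown-publisher' }

            [pscustomobject]@{
                File       = $_.FullName
                Status     = $sig.Status
                Signer     = $subject
                Issuer     = $issuer
                Thumbprint = $thumb
                Verdict    = $verdict
            }
        }
}

# Usage (path is an assumption): list everything that is not signed by a trusted publisher,
# then summarise by signer so a single unfamiliar publisher signing many files stands out.
$report = Get-SignerReport -Path 'C:\Users\Public\Downloads'
$report | Where-Object Verdict -ne 'trusted-publisher' | Format-Table File, Verdict, Signer -AutoSize
$report | Where-Object Verdict -eq 'signed-by-unknown-publisher' |
    Group-Object Signer | Sort-Object Count -Descending | Select-Object Count, Name
```

The 'signed-by-unknown-publisher' bucket is where reputation has to take over: the script deliberately does not treat it as clean, because that is exactly the state a malicious binary wrapped in a CDN-signed installer presents. Feeding the Thumbprint and Signer columns into whatever reputation or allowlisting process an organisation already uses is the follow-up step; the signature status alone should not be the deciding input.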
Meanwhile, McAfee Labs found 200 new malware samples every minute in 2013, or more than three new threats every second. Two growth trends are malware that targets the master boot record (MBR), and ransomware. McAfee Labs found 2.2 million new MBR attacks in 2013. Also, the volume of new ransomware samples rose by 1 million for the year, doubling in number from Q4 2012 to Q4 2013.
Mobile malware continued to be a story at the end of 2013; McAfee Labs collected 2.47 million new Android samples in 2013, with 744,000 in the fourth quarter alone. McAfee’s Android malware zoo of unique samples grew by an astounding 197% from the end of 2012.
“Digging into mobile malware behavior, we see a couple of interesting things,” the report noted. “First, the most common behavior—shown by more than one-third of the malware—is to collect and send device telemetry. The malware sends data that can be used to build a profile of the mobile device owner’s behavior. There’s also a high prevalence of acts commonly associated with device hijacking, such as making the mobile device into a bot and installing other, even more malicious malware. Second, from a trend standpoint, mobile malware appears to be evolving from exploiting vulnerabilities toward more profile building and device-hijacking behavior. There appears to be an increasing value placed on the movements of the device owner.”
And, finally, McAfee Labs recorded a 70% increase in the number of suspect URLs in 2013.