Cybercriminals go for easy money: Facebook and Bitcoin users
Bank, credit card and PayPal accounts aren't the lucrative treasures for cybercriminals that they once were. New security measures make pilfering accounts more difficult than in years past. So the bad guys are going after easier money and, in the process, younger users. In its third-quarter "Community Powered Threat Report", released today, AVG Technologies identifies two emerging security trends: Clipjacking and Survey Scamming Facebook accounts and siphoning digital money from Bitcoin users. With both, cybercriminals tap new revenue streams, cell phone accounts for the one and pure currency for the other.
Yesterday, I spoke with Yuval Ben-Itzhak, AVG's chief technology officer, about the new report and these two trends. "There's a ridiculous number of stolen credit cards on criminal sites", Ben-Itzhak says. "The main issue is how to use these compromised credit cards, because the credit card companies have taken serious actions to prevent and minimize the damages". Auction of PayPal accounts is commonplace, too, "but this is also becoming challenging to monetize because of all the security that is in place".
Target: Young People w/o Credit Cards
Predators don't give up when cut off from their main food animals; they simply look for new prey. "Premium SMS starts to be the main monetization vehicle for cybercriminals, both from the mobiles themselves and fake applications -- but also from the web itself and the best example is Facebook", Ben-Itzhak says.
The United Nations estimates that there are 5.6 billion cell phone subscribers worldwide. The number of potential victims eclipses those on PCs by a huge margin -- more than 5 to 1.
Cybercriminals seek to trick cell phone users into accepting bogus services. The way cellular carriers handle certain services makes adding new ones, without explicit permission, easy. Charges tend to be $10/month and target "young people without credit cards", Ben-Itzhak says. These extra charges can go unnoticed for months.
The appeal to cybercriminals:
- They can go after "many more users".
- Credit cards are a higher criminal risk.
- It's easier than stealing credit card numbers.
- "It's much easier to monetize because they can use the mobile operators in many countries".
"That's a big change from how they've been monetizing for the last couple of years", Ben-Itzhak emphasizes.
Facebook is becoming an increasingly popular means of launching these kinds of attacks. In the companion to this story, AVG's CTO explains the process in depth. Quickly summarizing: cybercriminals exploit trust. Someone receives a link to "Cool Video" and clicks it. Clicking the video actually activates a "clear GIF" -- an image with hidden script that launches the attack. Unknown to him or her, this posts the bogus video to the Wall, which Friends see, too. The user is presented with a series of survey questions before the video can be viewed. The last, supposedly for verification purposes, requests the cell phone number, which authorizes a $10 monthly charge against the phone bill.
"Until a parent or an adult notices these charges, it could take some time. Think about the volume of traffic happening in Facebook, you can imagine just how much money is running around here", Ben-Itzhak says.
Picking Bitcoin's Wallet
AVG also sees an increasing number of attacks targeting digital currencies, such as Bitcoin. People use Bitcoin in place of cash for the purpose of conducting online transactions -- it's essentially a micro-payments system. Credentials and transactions are placed on the user's PC or on service providers' servers. The AVG report explains:
The main difference of Bitcoin is that it is designed to allow people to buy and sell without centralized control by banks, governments or commercial companies. It also allows for pseudonymous transactions, which aren't tied to a real identity...Bitcoin is a digital version of cash. Payments are made with no intermediaries, but it also has the same major disadvantage as cash, if someone is stealing cash, it is almost impossible to get it back, the same goes for Bitcoin, once the transaction is approved by the network, there is no way to reverse the action...As of August 2011 there are over 7.1 Bitcoins available. Estimated Market Capital is $63,336,546.
AVG's report identifies several methods being used to steal Bitcoins. Among them:
Our Security Labs have noticed a kind of a Trojan that uses the user's computer to mine Bitcoins on behalf of the attacker. The Trojan manages to silently install itself on victims' computers (exploiting various vulnerabilities). This piece of malware can run without a user’s knowledge; it is running in the background by disguising itself as a Windows process (using filenames that belong to or are similar to the Microsoft Windows processes, often exploited to hide a malware presence such as spoolsv.exe, svcho0st.exe, explorer.exe). The malware is using victims' CPU and/or GPU computing power to mine BTC (Bitcoin currency) for someone else.
Users could get the Trojan by a number of means, including the all-too-common installation with another application. The Trojan opens a back door that mines Bitcoins from others and/or steals the Bitcoin "Wallet" from the compromised PC.
"Surprise, surprise, the hackers are running after that. It's really about free cash they are collecting right from the computer, and they can use it right away", Ben-Itzhak says.