Cybercriminals are evolving their security subversion strategy, says Fortinet

Derek Manky, the firm's project manager for cybersecurity and threat research, says that the last month has seen his team identify a wide variety of money mule recruitment campaigns that, for the first time, targeted specific countries in an orchestrated manner.

"The campaigns, which were seeded in a number of Asian and European countries, solicited local individuals who already have – or had established – relationships in the banking industry or were looking for work as online sales administrators", he explained.

To make these 'localised' campaigns even more effective, he says that they have incorporated regional-sounding domain names, such as, and

December, says Manky, also saw the re-emergence of the Buzus Trojan, this time distributed through mass emails posing as e-cards just in time for the holiday season.

Once a compromised attachment is opened, the now infected system sends out similar e-cards to everyone it finds in the system's email address book in an effort to seed the growth of the botnet, he adds.

During December, Manky and his team at Fortinet also discovered three arbitrary code execution vulnerabilities in Microsoft and Apple products. FGA-2010-65 describes an MS Windows Kernel vulnerability that may allow execution in privileged (Ring0) context. FGA-2010-64 is yet another DLL loading vulnerability that affects multiple products within the Windows 7 operating system.

And, he added, FGA-2010-62 outlines an integer overflow vulnerability in Apple QuickTime, which can lead to potential infection by simply viewing a specially-crafted QuickTime movie file.

Against this backdrop, Manky argues that new and old vulnerabilities will continue to be exploited, so it's important to keep all application patches up to date.

Additionally, he says, a well-maintained intrusion prevention system (IPS) can help mitigate attacks against both known vulnerabilities and zero-days. As more communication runs over common protocols, application control is becoming more important for identifying malicious activity at the application level.

According to the report, as 2010 turned into 2011 there was certainly no lack of activity on the threat scene. Perhaps most visible was the recent WikiLeaks-related DDoS attack against various entities.

"DDoS attacks are inherently old, and simply aim to cripple resources such as web servers – typically by overloading them with too many requests. To accomplish this, many DDoS attacks are launched by botnets – either rented out or commanded at will by their operators. In fact, there are DDoS services offered for hire on various underground forums", says the report.

The interesting part about the WikiLeaks campaign, the December report adds, is that the main engine used to launch the DDoS, the Low Orbit Ion Cannon, was in effect a voluntary botnet.

"It's available on Sourceforge, allowing anyone to configure the software to join cyber protest campaigns like WikiLeaks' Operation Payback", says the report.

"Regardless of the motivation, DDoS attacks have, can and will occur. Fortinet detects the Low Orbit Ion Cannon DDoS tool as 'HackerTool/MSIL_Loic'", it adds.
