Uninformed: Informative Information for the Uninformed

Vol 5» 2006.Sep

Next: More on The Money Up: The War Previous: Thievery

Setting up an Infrastructure

So far all this seems pretty straight forward; they setup a webserver to collect information about the people interested in mortgage loans and the mailers responsible for advertising get a sales commission for leads collected by their spam7 run. To complete the cycle, the people interested in loans receive an email which sparks their interest and they navigate to the link found in the email. Collectors are usually ambitious and make an eager attempt at keeping their domains, websites, and mailers going round the clock. In the United States it is illegal to spam a person without their consent, and to use spam as advertisement to a website (the loan forms) hosted on a webserver in the US is not too common but they do exist. The easiest thing for a collector to do is to find a hosting provider in a communist country with no regard for the content placed on their servers. The technical term for this type of service is bullet-proof-hosting8. The average price for such a service is about 2,500 US dollars a month. An alternative to dishing out large amounts of cash for hosting services is using a bot network9. Usually though, bot networks are pretty dynamic and don't fit the necessary requirements to host this type of content. If a collector pays a mailer to spam his site for two or three days and the host goes down the first night (because of an unreliable bot host) a lot is lost and so generally experienced folks tend to pay for reliable hosting.

Often, the businesses providing the bullet-proof-hosting servers are relatively well known, and if they are known so is their allotted IP space. This, in turn, makes finding servers hosting mortgage applications a piece of cake. All one has to do is scan a known IP segment for specific criteria and keep track of those that fit the profile. Once a worthy target list has been collected, the attacks follow. An interesting fact about the individuals involvement in this industry is that nothing either one is doing is really all that legal. This, in fact, allows an attacker to launch whatever type of attack he wants on the victim machine with little to no worry about legal repercussions. Often a collection machine will have several required services open to the Internet, for example: http, ssh, ftp, mysql or mssql and sometimes an administrative web interface. The scope of an attack is unlimited and the number of man hours invested directly reflects on the amount of traffic the victim website attracts. It is even pretty common for certain prowlers to lease a server from the same segment the victim machine is on simply to increase their odds of breaching the host. The following shortly describes common attack practices launched against victim websites.

Brute-force Enumeration

An attacker will attempt to guess login and password pairs on any if not all of these services. Usually this kind of attack is not too stealthy, but remember there is little worry - I mean the victim cannot simply pick up the phone and call his lawyer can he?

SQL Injection

If any of the web interfaces are accessible through the site, sql injection attacks are another vector for entry. Although the success ratio of sql injection is now relatively low, there are still some low hanging fruit to find and be assured someone greedy and ambitious enough will find it.

Classic Attacks

With the massively large number of exploits developed and released to the public daily, searching and launching attacks is a frequent action. This sometimes opens up a new market for exploit writers looking to make some quick cash. Collectors can advertise the need for an exploit and place a price on a particular application. There are even online auctions that have been built specifically for this purpose.

Passive / Passive Aggressive

When an attacker decides to lease a machine on the same segment, it is usually because they failed to remotely compromise the victim's machine. As a last resort they can do several things to retrieve the information they are looking for. The attacker can launch an ARP Poisoning attack and sniff all the incoming traffic to the victim machines, an attacker can simply redirect all the client requests to himself and collect the leads himself, or even hope for the victim himself to logon and perform a man-in-the middle attack to passively collect credentials.

Next: More on The Money Up: The War Previous: Thievery