Modern Internet Identity Theft

March 22, 2007

A recent report from Don Jackson at SecureWorks (dated March 20, 2007) examines a new Trojan and provides some alarming insights on Internet Identity Theft. It is worth reviewing this case carefully to understand how sophisticated modern identity theft schemes have become, and how difficult it can be to investigate and prevent them.

What makes this Trojan interesting is that it:

  • is installed automatically simply by visiting an infected web site
  • is invisible to the user
  • is often missed by anti-virus software
  • is able to steal identity information even if it is encrypted using https
  • efficiently collects large amounts of information and sends it to a “mother ship”
  • provides an interface for fraudsters to easily purchase the stolen data
  • has been used to collect thousands of login credentials at major banks and government agencies
  • has not been shut down
  • is only one of many such programs that are now offered as kits

Gozi installs automatically and is invisible to the user

Jackson has labeled the new Trojan “Gozi” based on a unique string found within the code. Gozi is transmitted to a user’s PC using a well-known JavaScript flaw in Internet Explorer. Simply by visiting a web site that is hosting the Trojan, an executable (.exe) file is copied to the user’s computer and executed. Jackson was able to find a number of popular web sites that are currently hosting the Trojan code.

When run on the user’s computer, Gozi immediately installs itself in the user’s profile and sets keys in the computer’s registry to cause it to run each time the computer is restarted. Gozi also uses rootkit capabilities to hide itself from the registry editor and the Windows file explorer, so it is invisible to the user. Gozi then establishes a web connection back to the server it came from and downloads some more code, perhaps to update the nature of the attacks to follow.

Gozi captures “secure” identity data

Jackson watched Gozi operate by logging in to a bank account while monitoring all the network traffic coming in and out of the computer. Each time some information is provided to the bank site, such as username or password, the same information is also transmitted to the Trojan’s home server. This occurs even when the bank site uses the https scheme to encrypt the data traffic – Gozi is still able to capture the identity information and send it to its home server! After the banking session, Gozi continues to run and collect any information sent to any web site, and sends it back home to the “mother ship.”

Further investigation revealed how Gozi is collecting identity information from supposedly secure https transactions with a bank. The Trojan is inserting instructions directly into the computer code used to send data over the Internet (the Winsock2 interface), so that it sits between Internet Explorer and the network connection, watching all the data that passes by.

Gozi can defeat two-factor authentication

Gozi not only captures all the traffic sent by Internet Explorer, it also grabs any data being exchanged by JavaScript modules. These modules are used in new two-factor authentication schemes at some banks, and Gozi is able to capture all of the data going back and forth during the authentication process. This allows the Trojan to gather information over repeated logins about any security questions or image labels that might be used in these new authentication schemes.

Identity data is sent to Russia

Jackson was also able to track down the “mother ship” where the data is being sent. The computer is running on a Russian computer network, and is likely located in St. Petersburg, Russia. This computer appears to be a fairly standard web server, with no special security protections. In fact, Jackson was able to browse around the server’s directory structure. He found the code used to collect the data from the infected PCs and store it in a database. He also found an interface where “customers” could log in and search the database of stolen information, including searching for specific banking sites or authentication information (e.g., passwords). Each search of the database had an associated price, where the unit of currency is Webmoney, a Russian payment scheme where values are equivalent to US dollars.

Further exploration of the fraudster’s server also revealed caches of stolen identity information. Jackson was able to find information from over 5,200 home PCs that contained authentication information for over 10,000 accounts. This included accounts from over 300 different organizations on the web, including banks and payment services. Jackson also found social security numbers and other personal information, including medical information. He even found user names and passwords for various federal, state, and local government agencies.

Thousands of accounts have been breached

Jackson is now working with the affected companies and law enforcement agencies to inform them of the data breaches. Some organizations have responded by notifying customers, putting watches on accounts, or forcing passwords to be reset (which is not helpful if the user’s PC is still infected). The Trojan mother ship is located on a Russian network that is known to be a haven for people doing various forms of attacks and fraud, including Trojans, phishing, and spyware. Attempts to have the server shut down have not been successful.

Jackson went one step further and went undercover to explore how widespread such identity theft activities have become. Posing as a fraudster looking to buy an identity theft kit like Gozi, Jackson met with various Russian people in Internet chat rooms who offered to sell him all that he would need to set up a data stealing and selling business.

Protection is difficult

Protecting a user from Trojan attacks like Gozi is difficult. Since the kits used to collect identity information are easily obtained and installed, fraud operations can pop up anywhere, so blacklisting servers or networks will not be successful. Anti-virus and anti-spyware software is supposed to protect users from running bad programs, but it is not always successful in identifying new threats. When the Gozi Trojan was analyzed by 30 of the major anti-virus programs, most warned that it was some kind of unknown threat, while 5 did not report any threat at all. An anti-spyware program that detects when the Trojan attempts to install registry keys may offer some defense. A personal firewall may also detect when Gozi attempts to connect to the mother ship, although the Trojan uses the standard http protocol so it might go unnoticed.

Gozi does fall into the class of offline attacks (see my previous essay for background on authentication attacks), where the stolen information is stored and used at some later time. New authentication schemes based on having the user choose unique labels for their account, such as Bank of America’s SiteKey, may provide some protection. Jackson points out, however, that Gozi can record repeated logins at the bank and the captured information could be used to infer the proper security indicators.

Using dynamic passwords that change for each login would protect against offline attacks, including Gozi, but the passwords would have to be truly unique each time (as is done with RSA’s SecurID) if large numbers of logins are being recorded. Limited schemes based on table lookups, such as Circle Bank’s security matrix, might be compromised over time.
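The difference between the two approaches can be quantified. The Python sketch below is an added example, not part of the SecureWorks report: it models a hypothetical lookup card (64 cells, 3 requested per login, both assumed values and not any bank's real design) and estimates how much of it is exposed once logins are being recorded, next to an assumed six-digit one-time code.

```python
import math
import random

# Assumed parameters for a hypothetical lookup-table scheme (not a real bank's design).
CELLS = 64        # 8 x 8 card issued once and reused for every login
PER_LOGIN = 3     # cells the site asks for at each login

def expected_exposed_fraction(cells, per_login, logins):
    """Expected share of the card that has appeared in `logins` recorded sessions."""
    return 1.0 - (1.0 - per_login / cells) ** logins

def logins_until_fraction(cells, per_login, target):
    """Smallest number of recorded logins whose expected exposure reaches `target`."""
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - per_login / cells))

def replayable_rate(cells, per_login, logins, trials=2000, seed=1):
    """Monte Carlo estimate: share of trials in which the next challenge asks
    only for cells that already appeared in the recorded logins."""
    rng = random.Random(seed)  # fixed seed so the estimate is reproducible
    hits = 0
    for _ in range(trials):
        seen = set()
        for _ in range(logins):
            seen.update(rng.sample(range(cells), per_login))
        challenge = rng.sample(range(cells), per_login)
        hits += all(c in seen for c in challenge)
    return hits / trials

def one_time_code_reuse_bound(logins, code_space=10**6):
    """Upper bound on a fresh random one-time code equalling any recorded one
    (code_space is an assumed six-digit code)."""
    return min(1.0, logins / code_space)

if __name__ == "__main__":
    print("logins  card_exposed  next_login_answerable  one_time_reuse_bound")
    for n in (5, 20, 48, 100):
        print(n,
              round(expected_exposed_fraction(CELLS, PER_LOGIN, n), 3),
              round(replayable_rate(CELLS, PER_LOGIN, n), 3),
              one_time_code_reuse_bound(n))
```

With these assumed parameters the card's exposure climbs steadily with every recorded login, while the reuse value of a recorded one-time code stays negligible.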
