March 2008 — News

A White Hat Talks about Modern Malware

Schaffhauser: Let's cover some of the exploits that you've referenced on your blog. What's the hack involving Google AdWords? How could a Google ad be dangerous?

Thompson: Indeed, what could be safer than a Google ad? It turns out that the bad guys figured out that if they bought AdWords and actually took you to the real site, most people would think that was pretty safe. But in between you clicking on the ad and getting to the real site, they took you via an exploit site. In the original case it was based in Russia, but it could be anywhere. This sort of happened in the blink of an eye. If you weren't watching closely, you wouldn't even know it was happening.

In the case of the [search for 'BetterBusinessBureau'], it actually took you to the Better Business Bureau, where you wanted to go. But in between it took you to an exploit site, which was busily trying to install software in the background.

Schaffhauser: What kind of software?

Thompson: This one was installing something called a post-logger, which is like a keylogger [a method for capturing and storing keystrokes]. A post-logger is one step up from that. When you fill in data, like a user ID and password, you're actually filling in a form. There's a field name and your response and a field name and your response... When you have a post-logger, it tracks the field names alongside your response.

Schaffhauser: Which makes the hacker's job easier.

Thompson: That's right. Not only that. This particular event installed an XML file that was full of commands, extra commands. If you were at the World Bank of Scotland Web site, then it would modify the Web page as it came back to ask some extra questions, like, 'What is your mother's maiden name?' or 'What is your secret question?' So it would look like a perfectly normal Web page. But it would have extra questions injected, to make sure it got the information they needed.

Schaffhauser: But this isn't the same as phishing, because you're at the legitimate Web site?

Thompson: Yes, without the legitimate Web site having anything to do with it. They've brought this sort of thing to an art form.

Schaffhauser: What was the Alicia Keys hack?

Thompson: At first we thought they had a hack into the whole of MySpace, so we were quite concerned about that. It turned out to be an initial half a dozen Web sites that we pretty quickly detected was all there was. They're all music accounts, Alicia Keys was the highest profile, but there were lots of other bands. I'm pretty sure that if we had been able to look more closely, we would have seen they were all managed by the same music company or perhaps their MySpace accounts were managed by the same Webmaster, and he'd had his password phished.