Topic: Convergence of threats
Author: Jamie de Guerre
Title: Chief Technology Officer
Jamie de Guerre is the Chief Technology Officer at Cloudmark; he is responsible for Cloudmark’s technical strategy, technology services, sales engineering and ISP support teams. Mr de Guerre started as a core member of Cloudmark’s design team. He often speaks at industry events on email security, mobile technologies and future security threat vectors related to new types of messaging. Jamie de Guerre holds a Bachelor’s degree with honours in Computer Science from the University of Western Ontario.
Convergence is everywhere; the attackers that create viruses, phishing and other forms of malware attacks are even using it. Today’s threats target multiple mediums and take advantage of ‘holes’ in traditional medium-specific security solutions for mobile, email, Web and social networks. To combat this, service providers need security platforms that can work across multiple mediums and handle multiple converged attacks via email, mobile messaging and social networks. Service providers must deploy converged protection in parallel with new converged services.
As a service provider, one thinks of convergence in terms of triple play, quad play, SIP, IMS and overall IP network convergence. However, convergence is all around us, and this trend applies to many industries. Ask someone in the gaming industry and they will tell you about the convergence of functionality on the latest consoles – the ability to play games, browse the Internet, listen to music and socialise online with friends. Look for ‘convergence culture’ online and a group of researchers at MIT will share with you their research on ‘an emerging pattern of relations bringing together entertainment, advertising, brands, and consumers in creative and often surprising ways’. A new form of convergence is emerging in the online attacker community. Leveraging the same principles and goals from each of the industries mentioned above, attackers are now innovating with new threats that combine techniques and cross multiple mediums. These new converged threats have an important impact on the security strategies of service providers, so let’s examine this trend further.

Service convergence

Triple and quadruple play services are a reality today; service providers around the world now offer television, phone, Internet and mobile services on one bill. On the technological side, operators are making significant efforts to enable new services over IP backbones, made possible by new technologies and standards like SIP, IMS and VoIP. However, this is just scratching the surface of the true potential of convergence. The real benefits of convergence will come with new converged services and experiences enabled by the foundation currently being laid. Beyond simply having a single bill or discounted prices for a bundled purchase, converged experiences provide new, synergistic functionality.
In the U.S., Comcast’s upcoming SmartZone Communications Center is an example of this – merging voicemail from subscribers’ home phone service with email and Web content from their Internet service in a seamless interface that provides more value than the sum of the parts. Clearly, new technologies, standards and architectures demand an in-depth analysis of potential threats and the security solutions needed to protect infrastructure and customers. However, attackers are also jumping onto the convergence bandwagon in unexpected ways.

Convergence and the online attacker community

Attackers are catching on to the possibilities of convergence, and they are not waiting for the new technologies and standards to be deployed. Leveraging the same strategies as other industries moving to convergence, attackers are creating converged experiences by combining threat techniques in their attacks and then distributing the attacks to multiple mediums. Historically, the Internet faced several different forms of threats: viruses, spam, phishing and other types of malware. Each of these attacks was dangerous in its own right. In response, security companies developed solutions to protect against each individual threat type. Anti-virus companies developed solutions to clean PC hard drives or eliminate viruses attached to emails. Anti-spam companies developed technology to identify email techniques used by spammers. Each type of attack was also propagated over a specific medium. Spam and phishing attacks were the domain of email. Viruses were typically the domain of either email attachments or Web-specific threats, not combinations of both. Just as security solutions were targeted against individual threats, the threats themselves were likewise designed for specific mediums. This means there are gaps in security solutions’ coverage for those threats that lie in the grey areas between single-medium, single-threat-type attacks.
Mash-up attacks

Attackers are capitalising on these gaps in security defences, using new mash-up attacks. These attacks ‘converge’ techniques from multiple threat types, such as spam, phishing and malware, into a single attack, which is then distributed across a variety of media. The attacks have been successful at overcoming traditional email anti-virus defences, which were not designed to protect against attacks that unite multiple threat techniques. Modern email viruses are prime examples of mash-up attacks. The majority of recent email virus threats do not distribute viruses as an attachment. Instead, they borrow a technique from spammers, hosting the virus on a website and distributing only emails that link to the virus. Anti-virus programs were caught off guard by this technique and were unable to defend against it. Several anti-virus and anti-malware companies asserted that these attacks were actually not virus or malware threats, but rather spam messages, even though the attacker was not attempting to sell anything. This could be a valid argument, as the messages were unsolicited bulk mailings, matching the definition of spam. Yet the attacks also involved a programme that infects computers without the informed consent of the users, which matches the definition of malware. A recent converged attack, which combined techniques from phishing and spam and was then distributed across multiple media, was the ‘crush’ attack. We first observed this attack in mobile messaging. Later, the same attack was used in multiple social networks and also distributed to fixed-line email networks. The crush attack distributed bulk messages that enticed users to log in to a Web page, provide their phone number and unknowingly opt in to a premium-rate SMS service that would charge them between US$20 and US$80 per month through their mobile operator. This attack was distributed in SMS messaging, email and social network communication.
In addition, it leveraged botnets (autonomous software robots, created by viruses for malicious ends) and compromised Webmail accounts, obtained through a phishing scam, to distribute the messages. A recent trend in mobile phishing attacks, or ‘smishing’, has involved the use of VoIP phone number accounts obtained through email phishing attacks as the call to action. Users receive an SMS message claiming to be from their financial institution, asking them to call the institution at a local number – which is actually a VoIP phone number controlled by the attacker. The answering service on the other end of the line then prompts the user to enter their credit card or other personal information.

Convergence is everywhere today, including in the online attacker community. New, advanced threats targeting multiple mediums and looking for holes between attack-type-specific security solutions are the latest trend for attacking our mobile, email, Web and social networks. To combat today’s threats, converged service providers should look for security platforms that are threat-type agnostic and able to work across multiple mediums. In other words, the only truly effective security solution is one that can stop all forms of threats – spam, phishing, viruses and converged attacks – across email, mobile messaging and social networking communication. Only by sealing this gap can service providers proceed with deploying new converged services confident they are ensuring the security of the platform and their subscribers against today’s threats.