July 23, 2007

Threatwatch: how much to MITM, how quickly, how much lost

It costs $500 for a kit to launch an MITM phishing attack. (Don't forget to add labour costs at 3rd world rates...)

David Franklin, vice president for the Europe, Middle East and Africa told IT PRO that these sites are proliferating because they are actually easier for hackers to set up than traditional 'fake' phishing sites because they don't even have to maintain a fake website. He also said man-in-the-middle attacks defeat weak authentication methods including passwords, internet protocol (IP) geolocation, device fingerprinting, cookies and personal security images and tokens, for example.

"A lot of the attacks you hear about are just the tip of the iceberg. Banks often won't even tell an affected customer that they have been a victim of these man-in-the-middle attacks," said Franklin, adding that kits that guide cybercriminals through setting up a man-in-the-middle attack are now so popular they can be bought for as little as $500 (250) on the black market now.

He also said "man-in-the-browser" attacks are emerging to compete in popularity with middleman threat.

A couple of interesting notes from the above: it is now accepted that MITM is what phishing is (in the form mentioned above, the original email form, and the DNS form). These MITMs defeat the identity protection of SSL secure browsing, a claim made hereabouts first. and one that is still widely misunderstood: This is significant because SSL is engineered to defeat MITMs, but it only defeats internal or protocol MITMs, and can not stop the application itself being MITM'd. This typical "bypass attack" has important economic ramifications, such that SSL is now shown to be too heavy-weight to deliver value, unless it is totally free of cost and setup.

Secondly, note that the mainstream news has picked up the MITB threat (also reported and documented here first). It's still rare, but in the next 6 months, expect your boss to ask what it's about, because he read it in Yahoo.

More juicy threat modelling numbers:

Analysts at RSA Security early last month spotted a single piece of PHP code that installs a phishing site on a compromised server in about two seconds,


Despite efforts to quickly shut sites down, phishing sites averaged a 3.8-day life span in May, according to the Anti-Phishing Working Group, which released its latest statistics on Sunday.

Data from market analyst Gartner released last month showed that phishing attacks have doubled over the last two years.

Gartner said 3.5 million adults remembered revealing sensitive personal or financial information to a phisher, while 2.3 million said that they had lost money because of phishing. The average loss is US$1,250 per victim, Gartner said.

In the past (June 2004: 1, 2), I've reported that phishing costs around one billion per year. Multiply those last two numbers above from Gartner, and we get around a billion over the last three years. Still a good rule of thumb then.

Posted by iang at July 23, 2007 06:39 AM | TrackBack

Identity theft has replaced drug dealing as No. 1 crime in the U.S. And thieves often aren't caught.

Identity theft soars to top of modern crime list

Posted by: Lynn Wheeler at July 23, 2007 10:23 PM

Lynn, I don't actually believe that! But, maybe I'm wrong, my grip on drugs & identity sometimes slips......

Posted by: Iang at July 24, 2007 10:04 AM

http://www.garlic.com/~lynn/aadsm27.htm#44 Threatwatch: how much to MITM, how quickly, how much lost

from posting in thread in crypto mailing list
http://www.garlic.com/~lynn/aadsm27.htm#43 a fraud is a sale, Re: The bank fraud blame game

one of the references mentioned in the above:

Data Security Advanced by New Aleratec Multi-purpose DVD/CD Shredder

from above:

Identity Theft and Fraud cost business $600 billion a year, according to the Association of Certified Fraud Examiners.

... snip ...

A year or two ago i tripped across an obscure study that quoted a similar number ... this was after there was some news coverage of a talk that happened to mention the cybercrime being greater

the crypto mailing list post also references a number of different news articles going on in the same period earlier this spring ... one series was that id-fraud was in decline and the other series was that id-fraud was exploding.

and series of news articles from late 2005:

Cybercrime Profits Outpace Drug Trafficking
Expert: Cyber-crime Yields More Cash than Drugs
Expert: Cyber-crime Yields More Cash than Drugs
Cybercrime now outstrips drug trafficking
Cybercrime 'more lucrative' than drugs
Cybercrime profits exceed those of drugs, expert says
Cybercrime more profitable than illicit drug sales?

Posted by: Lynn Wheeler at July 24, 2007 08:21 PM

http://www.garlic.com/~lynn/aadsm27.htm#44 Threatwatch: how much to MITM, how quickly, how much lost
http://www.garlic.com/~lynn/aadsm27.htm#45 Threatwatch: how much to MITM, how quickly, how much lost

following is quite a bit less than amount quoted a couple yrs ago ... on the other hand, this report comments that there may some incentive that leads to significant underreporting

Cybercrime Costs US Economy at Least $117B Each Year
Cybercrime Costs US Economy at Least $117B Each Year

from above:

"Whatever is reported by organizations, most of that will likely be underreported because of disincentives to report losses," he told TechNewsWorld.

Reporting remains a major challenge to fighting cybercrime, Powner noted.

... snip ...

Posted by: Lynn Wheeler at July 26, 2007 06:52 PM
Post a comment

Remember personal info?

Hit preview to see your comment as it would be displayed.