Friday, August 31, 2007

Scary Monster

The theft of data from Monster.com is generating a significant number of new news headlines about spear-phishing attacks, including several, like this article in USA Today, that quote the investigations done by the team here at Authentium.

Financial gain is the leading motive for all attacks on IT infrastructure, and it has been that way for more than three years. Getting control of Monster's data was just the first step of a larger plan - probably to enable some form of spear-phishing.

Spear-phishing is the term used for targeted phishing against a marketing database as opposed to random emailing to non-aligned end users. The criminals that hack customer databases such as Monster.com's and enable spear-phishing lease access to that database to marketers - let's call them "badvertisers" - on a "name per hour" basis.

This is the same basic economic rationale behind the rise of botnets - networks created from millions of hijacked computers, that are leased out to criminals that pretend to be advertisers or rich widows of third-world presidents.

But whereas botnets may be leased by criminals to criminals for anything from a few cents to a few dollars an hour per user/end point, the value of a single, unified customer database like Monster.com's is potentially far higher.

Like all marketers, "badvertisers" understand that messages from a trusted source - or embedded within a trusted source, such as the Wall Street Journal, or Fox News - have far more value than messages from an untrusted source.

This is why legit advertisers get Rush Limbaugh to read those ads out loud on his radio show - his words are far more trusted by his listeners than those of an anonymous announcer. Which means Rush, the more trusted voice, is worth a multiple of what the anonymous announcer would charge.

How much of a multiple? One useful guess is 4.5x - that's the number Hiawatha Bray at The Boston Globe quoted this morning in one of the better-researched articles on the Monster.com problem..

"A 2005 study at Indiana University found that 72 percent of students obeyed the instructions in phishing messages when they appeared to come from a trusted source, while the compliance rate for untrusted messages was just 16 percent."

The ability to target millions of Monster.com customers exclusively with a message that appears to come from a trusted source (Monster.com), is worth many times - 4.5 times, if you agree with the Indiana University study - what a criminal might pay to lease a botnet.

Note: At the end of the day, I'm not sure this attack counts as a "success" from the perspective of the criminals. Smart criminals understand that parasites are more successful when they leave their host (i.e. hijacked database) alive, and most successful if they can remain invisible.

The attackers in this case failed to create much value for themselves because they chose to go too big too fast, causing so much press that even the most in-frequent Monster.com user must now about the attack. By biting off too much, and gaining press attention, the hackers have effectively ruined any chance they might have had for long-term financial gain.

No comments: