Cyber-criminals set traps for security researchers

Botnet operators creating fake data to fool security professionals

Don't always trust the data. That's the lesson for security researchers exploring cyber criminals' botnets and infrastructure. Over the past two months, criminals have run multiple campaigns targeting the US Electronic Federal Tax Payment System (EFTPS) and its extended deadlines for tax payments. And some bot operators, wary of researchers trying to track their profits, have taken to creating fake data to lead researchers astray, say security experts.

While investigating targeted attacks against businesses, Brett Stone-Gross, a threat researcher with startup security firm LastLine, found servers whose admin pages accepted common username-password combinations and redirected anyone who logged in with them to pages showing made-up data. At the same time, the server would surreptitiously record details about the person accessing the site.

"It's common for most exploit toolkits to contain an admin interface that manages exploits, payloads, and tracks exploit success rates," writes Stone-Gross. "However, the EFTPS exploit toolkit contains a completely fake admin console. This admin interface acts as a 'hacker honeypot' that records detailed information about who attempted to access the admin console, as well as who attempted to hack into it."

The fake admin page will accept usernames such as "admin," "root," and "user" in combination with common passwords, such as "password," "admin," and "toor." Security researchers who enter any combination of the fake usernames and passwords will see a page populated with random statistics, including the number of loads per hour and the proportion of successful exploits. Meanwhile, the server collects data on the researcher, such as their IP address and any requests sent to the server.

The lesson is to not believe everything you see, says Thorsten Holz, a senior threat analyst with LastLine: "Researchers need to be careful of what they enter at the admin backends and also should not trust the numbers that are displayed there."
The LastLine investigation found that several researchers had cited bad data taken from the fake servers to the media, which subsequently reported it, skewing the apparent size of several botnets. While the problem likely leads to media hype, bad data can also lead to bad decisions, the company says. "In the end, it has to do with why we measure botnets," LastLine researchers wrote. "It is not just to stick a number to the problem, but it is to start understanding it, to prioritize the threats we look at in depth, to decide whether we need new tools to more effectively fight them."
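As an added example (not code from the article or from LastLine), here is a small plausibility check a researcher could run over repeated snapshots of a suspected panel's statistics before citing them: cumulative counters on a genuine panel only grow, successes cannot exceed loads, and the displayed success rate must match the counters it is supposedly derived from. The field names and the sample snapshots are assumptions constructed for illustration.

```python
# Added example, not from the article: a plausibility check a researcher can run
# over repeated snapshots of a suspected C2 admin panel before citing its numbers.
# Field names and the sample snapshots below are constructed for illustration.
from dataclasses import dataclass
from typing import List

@dataclass
class Snapshot:
    fetched_at: int     # epoch seconds when the stats page was fetched
    total_loads: int    # cumulative "loads" counter shown on the page
    exploited: int      # cumulative successful-exploit counter shown on the page
    success_pct: float  # success rate the page displays, in percent

def check_snapshots(snapshots: List[Snapshot]) -> List[str]:
    """Return the inconsistencies found; an empty list means the numbers are
    at least internally consistent (not proof that they are genuine)."""
    issues: List[str] = []
    ordered = sorted(snapshots, key=lambda s: s.fetched_at)
    for s in ordered:
        # A success count can never exceed the number of loads it came from.
        if s.exploited > s.total_loads:
            issues.append(f"{s.fetched_at}: exploited {s.exploited} > loads {s.total_loads}")
        # The displayed rate must match the two counters it is supposedly derived from.
        if s.total_loads > 0:
            derived = 100.0 * s.exploited / s.total_loads
            if abs(derived - s.success_pct) > 0.5:
                issues.append(f"{s.fetched_at}: rate {s.success_pct}% != derived {derived:.1f}%")
    for prev, cur in zip(ordered, ordered[1:]):
        # Cumulative counters on a real panel only grow between fetches.
        if cur.total_loads < prev.total_loads:
            issues.append(f"{cur.fetched_at}: loads fell {prev.total_loads}->{cur.total_loads}")
        if cur.exploited < prev.exploited:
            issues.append(f"{cur.fetched_at}: exploited fell {prev.exploited}->{cur.exploited}")
    return issues

# Constructed sample: a consistent series and one that behaves like random filler.
CONSISTENT = [
    Snapshot(1000, 1200, 96, 8.0),
    Snapshot(4600, 1480, 118, 8.0),
    Snapshot(8200, 1730, 139, 8.0),
]
RANDOMISED = [
    Snapshot(1000, 5310, 412, 63.2),
    Snapshot(4600, 2877, 3095, 17.9),
    Snapshot(8200, 9044, 122, 44.0),
]

if __name__ == "__main__":
    print(check_snapshots(CONSISTENT), check_snapshots(RANDOMISED), sep="\n")
```

A clean result only means the page is self-consistent; numbers can still be fabricated carefully, so the check is a first filter rather than a verdict.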
