    Author Archive - Robert McArdle (Senior Threat Researcher)

    The “Internet of Everything” (also known as the Internet of Things) became one of the biggest technology buzzwords of 2013, as can easily be seen in Google Trends. This term refers to the increased digitisation of everyday objects – any new technology device is being designed with connectivity in mind, whether that device is a smart TV or a smart toaster. With more and more devices coming online, securing these devices becomes the next big security challenge.

    Gamers and Augmented Reality

    2014 already has a glittering array of interesting technologies lined up for launch. Gamers have a lot to look forward to: not only has the latest console war started, but Valve will also bring Linux gaming to the fore with the Steam Machine, and the Oculus Rift may revolutionize interactive gaming. Gaming has already been a lucrative target for criminals, with gaming accounts regularly traded in criminal forums. If Steam Machines prove popular, a rise in Linux malware may be on the cards.

    2014 could also be the year that augmented reality (AR) starts to become more common in everyday life. There are already many AR apps that you can play with on your smartphone; however, a phone is not well suited for AR. You need to take it out of your pocket, unlock it, open an app, aim it at the object you are interested in – and even after all that you are working with a relatively small 4- or 5-inch screen.

    AR works best with full immersion – and that’s where wearable technology like Google Glass and SpaceGlasses comes in. There are many interesting technical and even psychological attacks that can be carried out against such devices. For example, owners of these devices are (almost literally) walking around with a camera attached to their head. It’s not a major leap for a criminal specializing in banking malware to realize that this is an excellent way to capture banking PINs and passwords.

    SCADA under fire

    Since the discovery of Stuxnet the ICS/SCADA community has come under intense scrutiny from the security industry. Most security conferences now feature at least one talk on SCADA security. Trend Micro’s Forward Looking Threat Research team released a series of papers on the topic in 2013 and proved that SCADA attacks are not just theoretical, but are taking place in reality.

    In 2014 this will certainly continue, especially in targeted attacks or cases of blackmail and extortion. A new area is really starting to heat up for security researchers and attackers alike – the whole area of radio-based communications. Because radio uses no wires and is sent “magically” through the air, many people assume (wrongly) that it is secure.

    This year, Trend Micro showed that the AIS standard used for ship tracking has many issues – and other researchers showed similar issues with ADS-B (which is used in aviation). We expect to see more such research released in 2014. More technologies that were never designed with security in mind, or to be easily accessible remotely, are suddenly being connected to the Internet, leaving their security holes for everyone to see.

    No “killer app”

    With all of these interesting and emerging technologies on the horizon, will attacks on the Internet of Everything become a major issue in 2014? No, we don’t think so. While we certainly think that attacks on IoT devices and the underlying architecture will be a major area of attack in the future, that future will not be until 2015 and beyond.

    As discussed further in our 2014 security predictions, what is missing right now is the “killer app” that will drive mainstream adoption of IoT. There are many innovative devices, but no massive breakthroughs. Google Glass (or something like it) may be the closest to finding its “killer app”, but even then it will take time to become fully mainstream. It’s only at that point – when there’s a critical mass of users that can be targeted – that it makes sense for criminals to go after it.

    However, once such a device does reach mass appeal, the cybercriminals of this world will not be slow to act.

    Posted in Exploits, Internet of Things, Malware, Mobile | Comments Off on Is the Internet of Everything Under Attack?

    Like many security researchers, I see a lot of new malicious sites every week, far too many in fact. One thing that sets security researchers apart is that we can see a top-level domain (TLD) like .cc and recall instantly that it belongs to the Cocos Islands in the Indian Ocean, with a tiny population, and a history of some issues with malicious hosting several years ago. As superpowers go, it is definitely not getting us into the X-Men anytime soon.

    It was quite unusual, then, when we came across the .bit TLD. For starters, it wasn’t on our radar. It was not even assigned by ICANN in the first place. However, that was not stopping malware from communicating using that particular TLD.

    Some further investigations revealed that .bit belongs to a system known as Namecoin. Namecoin is very similar in concept to its more famous big brother Bitcoin (which, unless you have been living under a rock for the last couple of years, you know about). Namecoin serves as a decentralized way to register and control domain names.

    At first glance, Namecoin looks perfect for criminal purposes – it provides a way to anonymously register domain names that is outside of the control of any country or international body. Neither can it be sinkholed at the domain level. My fellow researchers and I wondered – why aren’t all the bad guys using this?

    Digging further into the system, however, revealed some very interesting downsides. For more of our analysis of the Namecoin/.bit system for use with malware, as well as an investigation into one piece of malware we did find using .bit domains, you can read our latest research paper, titled Bitcoin Domains.

    Joint Research carried out with David Sancho

    Posted in Bad Sites, Malware | Comments Off on A .BIT Odd

    Earlier, we published a blog post talking about the recent shutdown of the Silk Road marketplace. There, we promised to release a new white paper looking at cybercrime activity on the Deep Web in more detail. This paper can now be found on our site here.

    While the Deep Web has often been uniquely associated with The Onion Router (TOR), in this paper we introduce several other networks that guarantee anonymous and untraceable access: the most renowned darknets (i.e., TOR, I2P, and Freenet) and alternative top-level domains (TLDs), also called “rogue TLDs.” We analyzed how malicious actors use these networks to exchange goods and examined the marketplaces available in the Deep Web, along with the goods offered.

    Due to the large variety of goods available in these marketplaces, we focused on those that sparked the most interest from cybercriminals and compared their prices with the same kinds of merchandise found in traditional Internet underground forums, mostly Russian. We also discussed some of the techniques that researchers can use to more proactively monitor these so-called hidden parts of the Internet.

    Here are some highlights from the paper in terms of underground pricing:

    • Credit cards can be purchased from US$10 to US$150 in various Deep Web marketplaces. While the high-end figure here is comparable to prices in Russian underground forums, the low end is where we see the main difference. On Russian forums, credit cards start at as little as US$2.
    • More stolen accounts and account information are sold in Russian underground forums than in TOR sites, although prices are comparable (US$126 for a US$1,000 account in TOR sites, versus US$100 for a US$1,000–2,000 account in underground forums).
    • Rates for counterfeit money depend on the amount purchased and can go from US$0.24 per counterfeit dollar (US$600 to buy 2,500 fake dollars) to half the value of fake money desired.
    • Fake documents can cost from US$200 for a fake U.S. driver’s license to US$5,400 for a fake U.S. passport, not to mention US$10,000 for U.S. citizenship.
    • Goods such as fake documents and counterfeit money seem to be lacking in the underground forum scenario or, at least, were much harder to find compared with the TOR space during our investigation.

    The full details of our research can be found in the full paper, titled Deep Web and Cybercrime: It’s Not All About TOR.

    Posted in Bad Sites | Comments Off on Cybercrime in the Deep Web

    The infamous Silk Road marketplace is probably the most well-known place online for anyone wanting to purchase all sorts of illegal goods – ranging from illicit drugs, to firearms and all the way up to hitmen-for-hire.

    Yesterday, after two and a half years in operation, the site was shut down by the FBI and its owner was arrested. Ross William Ulbricht, the owner and main admin of the marketplace, stands accused of being “Dread Pirate Roberts” and was arrested by the FBI at a public library in San Francisco on Tuesday, October 1.

    The complaint filed against Mr. Ulbricht gives details about the marketplace’s operations and accuses him of narcotics trafficking, as well as computer hacking conspiracy and money laundering conspiracy. He is also charged with soliciting the murder-for-hire of another Silk Road user, who threatened to release the identity of the site’s thousands of users.


    Figure 1: Silk Road Main Page


    Figure 2: Silk Road Main Page after shutdown

    The FBI said that it seized approximately $3.6 M worth of Bitcoins. As all bitcoin transactions are public, we can simply observe this transaction in the Bitcoin blockchain. Bitcoin is a highly volatile currency and as such its value dropped in light of this takedown, but it will most likely swiftly recover.

    According to the FBI, in the two and a half years of its existence, the site generated sales totaling over 9.5 million Bitcoins and collected commissions on those sales of over 600,000 Bitcoins. At the time the complaint was filed, this equated to approximately $1.2 billion in sales and $80 million in commissions.

    Part of the reason for the site’s longevity is that it was hosted as a hidden service on the TOR network. The Onion Router network (TOR) allows for anonymous communications by using a network of volunteer machines that are responsible for routing encrypted requests, so that all traffic is concealed from network surveillance tools. TOR is not only used for criminal and dubious purposes, but is also commonly used by those who wish to have a sense of anonymity online or who live in countries where access to the Internet is restricted.

    The timing of this arrest and takedown coincides with a paper that the Trend Micro Forward Looking Research team has been preparing, which investigates such Deep Web marketplaces. As such, we have released our paper – Deepweb and Cybercrime: It’s Not All About TOR – a little earlier than we had initially planned. We will release a blog post highlighting our findings at a later time.

    Posted in Bad Sites | Comments Off on Deep Web and Cybercrime – It Is Not Just the Silk Road

    The research on browser-based botnets presented during the recent Black Hat conference in Las Vegas touches on our previous study on the abuse of HTML5. Most importantly, it shows how a simple fake online ad can lead to formidable threats like a distributed denial of service (DDoS) attack.

    In their briefing, Jeremiah Grossman and Matt Johansen showed that it is possible to initiate a massive DDoS attack via a browser-based botnet. To create the botnet itself, the potential attackers need only invest in fake online ads, which are inexpensive. Because networks serving ads on websites allow the execution of JavaScript, the attackers craft the JavaScript to make hundreds or thousands of users connect to a targeted site simultaneously, which may be enough to make the victim site inaccessible. Unfortunately, this scenario is likely to come to fruition, given that ads are a staple on sites and basically a driving force behind the Web.

    In 2011, we looked into a similar threat scenario, researching the possibility of browser-based botnets by way of HTML5. In that paper, we cited the developments in HTML5 and how attackers could harness these improvements to their advantage. In particular, with HTML5, attackers can create a botnet that includes systems running different operating systems, even mobile devices. The botnet will be memory-based, and thus difficult for traditional anti-malware software to detect.

    Below are some important points that I raised in the research, specifically on how attackers can use HTML5 for their attacks.

    • Compared to traditional botnets, browser-based ones are not considered as persistent. The malicious code will stop running once users close the browser tab. With this in mind, attackers can instead use persistent XSS and site compromise, a combination of clickjacking and tabnabbing, or a malicious page disguised as an interactive game.
    • Besides DDoS attacks, this abuse of HTML5 can lead to spamming, bitcoin generation, phishing, internal network reconnaissance, proxy network usage, and the spreading of worms via XSS attacks or SQL injections.

    This misuse of HTML5 represents a method by which an attacker can infiltrate or initiate an attack against their targets. As browsers and apps (essentially stripped-down browsers) are the likely default way to connect online in this age of consumerization and increasing Internet-connected devices and appliances (the Internet of Everything), the idea of a browser-based botnet is an alarming prospect. With the use of HTML5 expected to take off in mobile apps, as recently exemplified by Amazon, we can expect this threat to become an increasing reality soon.

    For users, the best way to prevent this attack is to study and understand the risks involved. User education, in particular for companies, can go a long way in protecting the organization’s business operations and important information. For more information about the research and how Trend Micro can help users combat this attack, you may refer to the paper HTML5 Overview: A Look At HTML5 Attack Scenarios.

    Posted in Botnets | Comments Off on The Reality of Browser-Based Botnets


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice