Kaspersky to cut phisher lines before they hook you

In its upcoming 2013 suites, the Russian security firm lays out a prevention plan to block phishers from reaching you.

Kaspersky's 2013 interface features some tweaks, but most of the major changes are under the hood. (Credit: Kaspersky)

SAN FRANCISCO--Ever click a link to a Web site and discover that while it looks like your banking site, or Facebook, the URL didn't match your expectations? That's called phishing. Kaspersky revealed a new feature at a reviewer's conference here yesterday that the company says can stop such credential-stealing attacks before you get hooked.

Automatic Exploit Prevention, as the feature is called, is expected in the Kaspersky 2013 security suites due in August. The premise behind it is simple: Phishing attacks are on the rise, due in large part to the plummeting cost of entry to the malware market, so stopping those attacks from reaching you has become the focus of the upcoming software update.

The BlackHole exploit kit, a server-side polymorphic attack, is the source of 95 percent of the phishing attacks in the world, said Oleg Ishanov, antimalware research director for Kaspersky.

"Exploit packs cost a couple hundred to a couple thousand dollars," said Roel Schouwenberg, a senior antivirus researcher at Kaspersky and founding member of the Anti-Malware Testing Standards Organization. The Eleonore exploit pack, for example, will run you around $2,200, he said, and includes 14 kinds of exploits. Another exploit pack, the Java-specific Sparky, is a cloud-based service and will set you back only $25, he said.

The profits far outstrip the amount of money the bad guys have to spend to get into the malware game, Schouwenberg said. "Online banking Trojans are huge profits for bad guys," he said, noting that recent successful banking breaches reported in the news have netted anywhere from $3 million to more than $220 million.

"The security in U.S. online banks is much lower than in the European banks. I wonder why they even bother attacking the European banks, it's so easy relatively over here. It's like the late '80s, early '90s," in terms of online banking security, he concluded.

A big part of the Automatic Exploit Prevention (AEP) tool is an updatable anti-phishing engine, not unlike the antivirus and behavioral engines that currently power the better security suites.

Ishanov outlined the existing approach that Kaspersky takes: the suite offers its antivirus, URL filtering, a file scanner, and a system process guard. AEP will add a layer of "forced Address Space Layout Randomization" to its protection. Already available in Apple's operating systems and in limited form in Windows, Kaspersky's forced ASLR extends protection to more of your computer's processes by randomizing where they are loaded in memory, so an exploit cannot rely on code sitting at a fixed, predictable address. Microsoft has said that Windows 8 will come with a much more advanced version of forced ASLR, but that's little comfort to people still using Windows 7 and earlier.
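The reason "forced" ASLR matters is that stock Windows (through Windows 7) only randomizes the load address of a module whose PE header carries the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag; a DLL or EXE built without it is loaded at its preferred base every time, and that is what a forced-ASLR layer relocates anyway. The script below is an added example, not Kaspersky's code or anything the article describes in detail: it reads the DllCharacteristics field from a PE file's optional header and reports whether the module opted in to ASLR (and, as a bonus, to DEP via NX_COMPAT). The `build_fake_pe` helper constructs a minimal, non-loadable PE image purely as test data, so the example runs offline; on a real system you would point `check_file` at the modules a process has loaded.

```python
import struct
import sys

# Flag bits of the optional header's DllCharacteristics field (PE/COFF spec).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # module may be relocated: opted in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # module is DEP-compatible

def dll_characteristics(pe_bytes):
    """Return the DllCharacteristics field of a PE image, or None if the bytes are not a PE."""
    if len(pe_bytes) < 0x40 or pe_bytes[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]  # offset of the "PE\0\0" signature
    if e_lfanew + 4 > len(pe_bytes) or pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff_header = e_lfanew + 4        # 20-byte COFF file header follows the signature
    opt_header = coff_header + 20     # optional header follows the COFF header
    if len(pe_bytes) < opt_header + 72:
        return None
    magic = struct.unpack_from("<H", pe_bytes, opt_header)[0]
    if magic not in (0x10B, 0x20B):   # PE32 or PE32+
        return None
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
    return struct.unpack_from("<H", pe_bytes, opt_header + 70)[0]

def aslr_opted_in(pe_bytes):
    """True if the module asked the loader to randomize its base address."""
    dc = dll_characteristics(pe_bytes)
    return dc is not None and bool(dc & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)

def describe(pe_bytes):
    """Summarize the mitigation opt-ins a defender would want to know about."""
    dc = dll_characteristics(pe_bytes)
    if dc is None:
        return {"valid_pe": False}
    return {
        "valid_pe": True,
        "aslr": bool(dc & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dc & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }

def check_file(path):
    """Read a PE file from disk and describe its opt-ins (only the first few KB are needed)."""
    with open(path, "rb") as f:
        return describe(f.read(4096))

def build_fake_pe(dll_chars, pe32plus=False):
    """Constructed test data: a minimal, non-loadable PE whose only meaningful field is DllCharacteristics."""
    dos_header = bytearray(64)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 64)          # e_lfanew: PE signature right after DOS header
    opt_size = 240 if pe32plus else 224
    coff_header = struct.pack("<HHIIIHH",
                              0x8664 if pe32plus else 0x14C,  # Machine
                              1, 0, 0, 0,                     # sections, timestamp, symtab, nsyms
                              opt_size, 0x0002)               # SizeOfOptionalHeader, Characteristics
    opt_header = bytearray(opt_size)
    struct.pack_into("<H", opt_header, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt_header, 70, dll_chars)
    return bytes(dos_header) + b"PE\0\0" + coff_header + bytes(opt_header)

if __name__ == "__main__":
    # Usage: python pe_aslr_check.py C:\path\to\module.dll ...
    for p in sys.argv[1:]:
        info = check_file(p)
        if not info["valid_pe"]:
            print(f"{p}: not a PE file")
        else:
            print(f"{p}: ASLR={'yes' if info['aslr'] else 'NO (needs forced ASLR)'} DEP={'yes' if info['dep'] else 'no'}")
```

A module that reports `ASLR=NO` is exactly the kind of process a forced-ASLR layer exists to cover; the same flag is what EMET-style tooling and later Windows versions consult before deciding whether to relocate a module on their own.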

"The new tech in Automatic Exploit Prevention blocks 100 percent of BlackHole" exploits, Ishanov said.

There are other changes planned for Kaspersky's 2013 suites, including improved "safe banking" features that fold previous Safe Run features into a new, online banking-specific toolset called Safe Money. These include a new method for validating trusted certificates, which is a response to certificate-faking scandals; an improved virtual keyboard for circumventing keyloggers that now has a secure browser connection; and hooks to AEP's anti-phishing engine.

Windows 8 is expected to be released a few months after Kaspersky 2013, and the suites will work on Microsoft's new operating system. Kaspersky representatives were light on specifics, although they did say that it will offer protection for apps in Metro; that the suites will meet Redmond's tougher standards for boot-time impact; and that they will work with secure boot and early-launch antimalware technology.

Ishanov also said that Kaspersky will not work on Windows RT, Microsoft's more restricted version of Windows 8 for ARM-powered tablets -- at least, not yet.